VirtueMart Forum

VirtueMart 2 + 3 + 4 => Virtuemart Development and bug reports => Topic started by: myplace2100 on May 20, 2014, 23:41:59 PM

Title: How secure virtuemart latest version in terms of sql injection
Post by: myplace2100 on May 20, 2014, 23:41:59 PM
I was examining the VM version 2.6.0a code to see how it handles security risks like SQL injection, as previous versions like 2.0.22 were not secure. In the administrator-side model file "orders.php", this function gets an order by id and pass:
public function getOrderIdByOrderPass($orderNumber, $orderPass) {
    $db = JFactory::getDBO();
    $q = 'SELECT `virtuemart_order_id` FROM `#__virtuemart_orders` WHERE `order_pass`="' . $db->getEscaped($orderPass) . '" AND `order_number`="' . $db->getEscaped($orderNumber) . '"';
    .......................
}

Although $db->getEscaped() was used to check the variable from the URL instead of $db->quote(), they did not verify the maximum length of variable strings like order_pass. Could a hacker still put another SQL statement in to harm the database, or do that kind of attack? And do the latest VM versions check all these things about SQL injection attacks?
Title: Re: How secure virtuemart latest version in terms of sql injection
Post by: balai on May 21, 2014, 09:59:44 AM
I agree that $db->quote is better than $db->escape ($db->getEscaped() is deprecated) because it calls escape internally and also quotes the output.
But I don't think there is any risk.

$db->escape calls PHP's mysql_real_escape_string
http://php.net/mysql_real_escape_string

which escapes any dangerous character.
Actually, $db->escape does the dirty work in both cases.
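For comparison, here is the same lookup written the way both posts suggest: with $db->quote() (which escapes and adds the surrounding quotes) via Joomla's query builder, plus the explicit length check the first post asked about. This is an added example, not VirtueMart's own code; the function name lookupOrderId and the 64-character limits are assumptions, and it targets the Joomla 2.5/3.x JDatabaseDriver API.

```php
<?php
// Added example, not VirtueMart code. Assumes Joomla's JDatabaseDriver API
// (getQuery, quoteName, quote, setQuery, loadResult) is available.

/**
 * Look up a VirtueMart order id by order number and order pass.
 * Hypothetical helper; returns the id as int, or null if not found/rejected.
 */
function lookupOrderId($orderNumber, $orderPass)
{
    // Defence in depth: escaping already neutralises quote characters, so a length
    // limit does not stop injection, but it rejects values that can never be a
    // legitimate order number or pass before they reach the database.
    // 64 is an assumed limit; use the real column width of your schema.
    if (!is_string($orderNumber) || !is_string($orderPass)
        || strlen($orderNumber) === 0 || strlen($orderNumber) > 64
        || strlen($orderPass) === 0 || strlen($orderPass) > 64) {
        return null;
    }

    $db = JFactory::getDbo();
    $query = $db->getQuery(true)
        ->select($db->quoteName('virtuemart_order_id'))
        ->from($db->quoteName('#__virtuemart_orders'))
        // quote() escapes the value AND wraps it in quotes, so the value is always
        // treated as a string literal. escape() alone is only safe when the caller
        // remembers to put quotes around the result; quote() removes that dependency.
        ->where($db->quoteName('order_pass') . ' = ' . $db->quote($orderPass))
        ->where($db->quoteName('order_number') . ' = ' . $db->quote($orderNumber));

    $db->setQuery($query);
    $result = $db->loadResult();

    return $result === null ? null : (int) $result;
}
```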