Forums / Developer / SQL injection possible?

SQL injection possible?

Previous topic

Developer

Next topic

Author	Message
Claudia Kosny	Friday 03 November 2006 1:18:12 am Hi there My users can update some data on some objects using a webform. Due to technical reasons I cannot use the regular content/edit functionality so I have written an extension that takes the posted data, checks which attributes are posted for which object and then uses something like this: $contentObjectAttribute->setAttribute('data_int', $postedAttributeContent); for each of attribute. This is working fine but I am wondering how much I should worry about quotation marks or sql injection in the posted data. So are there any cleanup functions in the ez sql interface that I can use or does ez automatically check for and remove and possible problems? Thanks for any tips or hints Claudia
Sascha Frinken	Friday 03 November 2006 3:25:34 am Hi Claudia, afaik your attributes will be stored with eZPersistentObject::storeObject. As you can see in http://pubsvn.ez.no/doxygen/ezpersistentobject_8php-source.html (line 00501 i.e) it makes use of $db->escapeString( $value ) which prevents SQL injection. HTH Sascha

Author

Message

Claudia Kosny

Friday 03 November 2006 1:18:12 am

Hi there

My users can update some data on some objects using a webform. Due to technical reasons I cannot use the regular content/edit functionality so I have written an extension that takes the posted data, checks which attributes are posted for which object and then uses something like this:
$contentObjectAttribute->setAttribute('data_int', $postedAttributeContent);
for each of attribute.

This is working fine but I am wondering how much I should worry about quotation marks or sql injection in the posted data.

So are there any cleanup functions in the ez sql interface that I can use or does ez automatically check for and remove and possible problems?

Thanks for any tips or hints

Claudia

Sascha Frinken

Friday 03 November 2006 3:25:34 am

Hi Claudia,

afaik your attributes will be stored with eZPersistentObject::storeObject.
As you can see in http://pubsvn.ez.no/doxygen/ezpersistentobject_8php-source.html (line 00501 i.e) it makes use of $db->escapeString( $value ) which prevents SQL injection.

HTH

Sascha

eZ debug

Timing:

Jan 18 2025 11:08:39

Script start

Timing:

Jan 18 2025 11:08:39

Module start 'content'

Timing:

Jan 18 2025 11:08:40

Module end 'content'

Timing:

Jan 18 2025 11:08:40

Script end

Main resources:

Total runtime

0.7978 sec

Peak memory usage

4,096.0000 KB

Database Queries

191

Timing points:

Checkpoint	Start (sec)	Duration (sec)	Memory at start (KB)	Memory used (KB)
Script start	0.0000	0.0083	588.8047	180.8438
Module start 'content'	0.0083	0.6548	769.6484	464.3203
Module end 'content'	0.6631	0.1346	1,233.9688	333.5000
Script end	0.7978		1,567.4688

Checkpoint

Start (sec)

Duration (sec)

Memory at start (KB)

Memory used (KB)

Script start

0.0000

0.0083

588.8047

180.8438

Module start 'content'

0.0083

0.6548

769.6484

464.3203

Module end 'content'

0.6631

0.1346

1,233.9688

333.5000

Script end

0.7978

1,567.4688

Time accumulators:

Accumulator	Duration (sec)	Duration (%)	Count	Average (sec)
Ini load
Load cache	0.0043	0.5393	21	0.0002
Check MTime	0.0016	0.1992	21	0.0001
Mysql Total
Database connection	0.0009	0.1163	1	0.0009
Mysqli_queries	0.7289	91.3557	191	0.0038
Looping result	0.0021	0.2661	189	0.0000
Template Total	0.7630	95.6	2	0.3815
Template load	0.0018	0.2227	2	0.0009
Template processing	0.7612	95.4130	2	0.3806
Template load and register function	0.0002	0.0243	1	0.0002
states
state_id_array	0.0011	0.1318	1	0.0011
state_identifier_array	0.0008	0.0984	2	0.0004
Override
Cache load	0.0015	0.1820	17	0.0001
Sytem overhead
Fetch class attribute can translate value	0.0014	0.1728	3	0.0005
Fetch class attribute name	0.0012	0.1508	2	0.0006
XML
Image XML parsing	0.0006	0.0691	3	0.0002
class_abstraction
Instantiating content class attribute	0.0000	0.0008	2	0.0000
General
dbfile	0.0067	0.8446	21	0.0003
String conversion	0.0000	0.0006	3	0.0000
Note: percentages do not add up to 100% because some accumulators overlap

Accumulator

Duration (sec)

Duration (%)

Count

Average (sec)

Ini load

Load cache

0.0043

0.5393

0.0002

Check MTime

0.0016

0.1992

0.0001

Mysql Total

Database connection

0.0009

0.1163

0.0009

Mysqli_queries

0.7289

91.3557

191

0.0038

Looping result

0.0021

0.2661

189

0.0000

Template Total

0.7630

95.6

0.3815

Template load

0.0018

0.2227

0.0009

Template processing

0.7612

95.4130

0.3806

Template load and register function

0.0002

0.0243

0.0002

states

state_id_array

0.0011

0.1318

0.0011

state_identifier_array

0.0008

0.0984

0.0004

Override

Cache load

0.0015

0.1820

0.0001

Sytem overhead

Fetch class attribute can translate value

0.0014

0.1728

0.0005

Fetch class attribute name

0.0012

0.1508

0.0006

XML

Image XML parsing

0.0006

0.0691

0.0002

class_abstraction

Instantiating content class attribute

0.0000

0.0008

0.0000

General

dbfile

0.0067

0.8446

0.0003

String conversion

0.0000

0.0006

0.0000

Note: percentages do not add up to 100% because some accumulators overlap

CSS/JS files loaded with "ezjscPacker" during request:

Cache	Type	Packlevel	SourceFiles
	CSS	0	extension/community/design/community/stylesheets/ext/jquery.autocomplete.css extension/community_design/design/suncana/stylesheets/scrollbars.css extension/community_design/design/suncana/stylesheets/tabs.css extension/community_design/design/suncana/stylesheets/roadmap.css extension/community_design/design/suncana/stylesheets/content.css extension/community_design/design/suncana/stylesheets/star-rating.css extension/community_design/design/suncana/stylesheets/syntax_and_custom_tags.css extension/community_design/design/suncana/stylesheets/buttons.css extension/community_design/design/suncana/stylesheets/tweetbox.css extension/community_design/design/suncana/stylesheets/jquery.fancybox-1.3.4.css extension/bcsmoothgallery/design/standard/stylesheets/magnific-popup.css extension/sevenx/design/simple/stylesheets/star_rating.css extension/sevenx/design/simple/stylesheets/libs/fontawesome/css/all.min.css extension/sevenx/design/simple/stylesheets/main.v02.css extension/sevenx/design/simple/stylesheets/main.v02.res.css
	JS	0	extension/ezjscore/design/standard/lib/yui/3.17.2/build/yui/yui-min.js extension/ezjscore/design/standard/javascript/jquery-3.7.0.min.js extension/community_design/design/suncana/javascript/jquery.ui.core.min.js extension/community_design/design/suncana/javascript/jquery.ui.widget.min.js extension/community_design/design/suncana/javascript/jquery.easing.1.3.js extension/community_design/design/suncana/javascript/jquery.ui.tabs.js extension/community_design/design/suncana/javascript/jquery.hoverIntent.min.js extension/community_design/design/suncana/javascript/jquery.popmenu.js extension/community_design/design/suncana/javascript/jScrollPane.js extension/community_design/design/suncana/javascript/jquery.mousewheel.js extension/community_design/design/suncana/javascript/jquery.cycle.all.js extension/sevenx/design/simple/javascript/jquery.scrollTo.js extension/community_design/design/suncana/javascript/jquery.cookie.js extension/community_design/design/suncana/javascript/ezstarrating_jquery.js extension/community_design/design/suncana/javascript/jquery.initboxes.js extension/community_design/design/suncana/javascript/app.js extension/community_design/design/suncana/javascript/twitterwidget.js extension/community_design/design/suncana/javascript/community.js extension/community_design/design/suncana/javascript/roadmap.js extension/community_design/design/suncana/javascript/ez.js extension/community_design/design/suncana/javascript/ezshareevents.js extension/sevenx/design/simple/javascript/main.js

Cache

Type

Packlevel

SourceFiles

CSS

extension/community/design/community/stylesheets/ext/jquery.autocomplete.css
extension/community_design/design/suncana/stylesheets/scrollbars.css
extension/community_design/design/suncana/stylesheets/tabs.css
extension/community_design/design/suncana/stylesheets/roadmap.css
extension/community_design/design/suncana/stylesheets/content.css
extension/community_design/design/suncana/stylesheets/star-rating.css
extension/community_design/design/suncana/stylesheets/syntax_and_custom_tags.css
extension/community_design/design/suncana/stylesheets/buttons.css
extension/community_design/design/suncana/stylesheets/tweetbox.css
extension/community_design/design/suncana/stylesheets/jquery.fancybox-1.3.4.css
extension/bcsmoothgallery/design/standard/stylesheets/magnific-popup.css
extension/sevenx/design/simple/stylesheets/star_rating.css
extension/sevenx/design/simple/stylesheets/libs/fontawesome/css/all.min.css
extension/sevenx/design/simple/stylesheets/main.v02.css
extension/sevenx/design/simple/stylesheets/main.v02.res.css

extension/ezjscore/design/standard/lib/yui/3.17.2/build/yui/yui-min.js
extension/ezjscore/design/standard/javascript/jquery-3.7.0.min.js
extension/community_design/design/suncana/javascript/jquery.ui.core.min.js
extension/community_design/design/suncana/javascript/jquery.ui.widget.min.js
extension/community_design/design/suncana/javascript/jquery.easing.1.3.js
extension/community_design/design/suncana/javascript/jquery.ui.tabs.js
extension/community_design/design/suncana/javascript/jquery.hoverIntent.min.js
extension/community_design/design/suncana/javascript/jquery.popmenu.js
extension/community_design/design/suncana/javascript/jScrollPane.js
extension/community_design/design/suncana/javascript/jquery.mousewheel.js
extension/community_design/design/suncana/javascript/jquery.cycle.all.js
extension/sevenx/design/simple/javascript/jquery.scrollTo.js
extension/community_design/design/suncana/javascript/jquery.cookie.js
extension/community_design/design/suncana/javascript/ezstarrating_jquery.js
extension/community_design/design/suncana/javascript/jquery.initboxes.js
extension/community_design/design/suncana/javascript/app.js
extension/community_design/design/suncana/javascript/twitterwidget.js
extension/community_design/design/suncana/javascript/community.js
extension/community_design/design/suncana/javascript/roadmap.js
extension/community_design/design/suncana/javascript/ez.js
extension/community_design/design/suncana/javascript/ezshareevents.js
extension/sevenx/design/simple/javascript/main.js

Templates used to render the page:

Usage	Requested template	Template	Template loaded
1	node/view/full.tpl	full/forum_topic.tpl	extension/sevenx/design/simple/override/templates/full/forum_topic.tpl
2	content/datatype/view/ezxmltext.tpl	<No override>	extension/community_design/design/suncana/templates/content/datatype/view/ezxmltext.tpl
4	content/datatype/view/ezxmltags/paragraph.tpl	<No override>	extension/ezwebin/design/ezwebin/templates/content/datatype/view/ezxmltags/paragraph.tpl
2	content/datatype/view/ezxmltags/line.tpl	<No override>	design/standard/templates/content/datatype/view/ezxmltags/line.tpl
1	pagelayout.tpl	<No override>	extension/sevenx/design/simple/templates/pagelayout.tpl
Number of times templates used: 10 Number of unique templates used: 5

Usage

Requested template

Template

Template loaded

Edit

Override

node/view/full.tpl

full/forum_topic.tpl

extension/sevenx/design/simple/override/templates/full/forum_topic.tpl