
Security - SQL injection - Cross-site-scripting


maverick5x


Hello All,

 

I am currently the developer of an e-commerce system. I have developed the application to be as secure as possible by removing SQL injection from any GET and POST data I read.

 

The application is a mediator between a client and an online shopping site like eBay and Amazon. The client makes an order with a specified set of items, and this mediator buys and ships the items to the client.

 

Anyway, I have tested everything but have a problem with order deletion. For every single command that a client wants to run on his orders, a verification must be done to match the order's member_id with the client's memberID. For deletion we have a log table to trace all deleted orders and a backup table for orders, so that when a client deletes an order it is moved to the backup table and deleted from the main orders table, just in case.

 

The problem is that I am still getting emails from the owner of the site saying that he is getting complaints about some orders getting deleted. Of course, at the moment I take the deleted order's ID and search for it in the log, backup and main orders tables, with no trace. I searched for code that might delete the order accidentally from a non-delete action... no luck.

 

Now getting to the code:

 

Here is the class that processes POST and GET:

<?
/** 
* A Web class
* @author: Rakan Alhneiti
* @version: 1.0
*/

class Web
{

	/**
	* @return mixed $_GET[$id] value
	* @param string The index or key for the GET value that should be returned.
	*/
	function GET($id="")
	{
		if (@isset($_GET[$id]) && ! @empty($_GET[$id]))
		{
 			return $this->clearSqlInjections($_GET[$id]);
		}
		else
		{
			return "";
		}
	}

	/**
	* @return mixed $_POST[$id] value
	* @param string The index or key for the POST value that should be returned.
	*/
	function POST($id="")
	{
		if(@isset($_POST[$id]) && ! @empty($_POST[$id]))
			return trim($this->clearSqlInjections($_POST[$id]));
		else 
			return "";
	}

	/**
	* @return string Same text with sql injection characters removed.
	* @param string Text to remove sql injections from.
	*/
	function clearSqlInjections($Item="")
	{
		//character 39 = ' (Single quote)
		if(strpos($Item,chr(39))!=false)
		{
			$Item = str_replace(chr(39),"''",$Item); //<-- two 's
		}
		return $Item;
	}
}
?>

 

Order-belongs-to-user verification function:

function OrderBelongsToUser($OrderID)
{
	global $DB;
	$SQL = "SELECT Member_ID FROM orders WHERE OrderID='".$OrderID."' AND Member_ID='".$_SESSION["UserID"]."'";
	$DB->Query($SQL);

	if($DB->countRows()!=0)
	{
		return true;
	}
	else 
	{
		return false;
	}
}

 

And the cancel_order action:

$SQL = "SELECT Member_ID FROM orders WHERE OrderID='".$Web->GET("id")."' and Member_ID='".$_SESSION["UserID"]."'";
$DB->Query($SQL);
$MemberID = $DB->getResult("Member_ID");

if($_SESSION["UserID"]==$MemberID)
{
	$SQL = "INSERT INTO backup_orders SELECT * FROM orders WHERE OrderID='".$Web->GET("id")."'";
	$DB->Execute($SQL);

	$SQL = "INSERT INTO backup_items SELECT * FROM items WHERE Order_ID='".$Web->GET("id")."'";
	$DB->Execute($SQL);

	$SQL = "INSERT INTO backup_last_message SELECT * FROM last_message WHERE Order_ID='".$Web->GET("id")."'";
	$DB->Execute($SQL);

	$SQL = "INSERT INTO backup_order_messages SELECT * FROM order_messages WHERE Order_ID='".$Web->GET("id")."'";
	$DB->Execute($SQL);

	$SQL = "INSERT INTO backup_order_tracking SELECT * FROM order_tracking WHERE Order_ID='".$Web->GET("id")."'";
	$DB->Execute($SQL);

	$SQL = "DELETE FROM orders WHERE orderid='".$Web->GET("id")."'";
	$DB->Execute($SQL);
	$SQL = "DELETE FROM items WHERE order_id='".$Web->GET("id")."'";
	$DB->Execute($SQL);
	$SQL = "DELETE FROM last_message WHERE Order_ID='".$Web->GET("id")."'";
	$DB->Execute($SQL);
	$SQL = "DELETE FROM order_messages WHERE Order_ID='".$Web->GET("id")."'";
	$DB->Execute($SQL);
	$SQL = "DELETE FROM order_tracking WHERE Order_ID='".$Web->GET("id")."'";
	$DB->Execute($SQL);

	$Temp->clearParams();
	$Temp->setFilename("transfer.tpl");
	$Temp->addParam("Page","orders.php?action=cancel_order");
	$Temp->addParam("Msg",$Lang["Orders_Page_Order_Deleted"]);
	$Content = $Temp->Compile();
}
else
{
	$Log .= "A try to delete an order was detected!";
	$SQL = "INSERT INTO log_table(Body,DateAdded,Member_ID,Order_ID) VALUES('".$Log."','".time()."','".$_SESSION["UserID"]."','".$Web->GET("id")."')";
	$DB->Execute($SQL);
	$Temp->clearParams();
	$Temp->setFilename("orders_errors.tpl");
	$Temp->addParam("Errors","<LI>".$Lang["Orders_Page_Not_Your_Order"]);
	$Temp->addParam("BackPage","orders.php?action=cancel_order");
	$Content = $Temp->Compile();
}

 

$Temp is the template class.

$DB is the database engine; getResult() gets the result of the SELECT statement, just like mysql_result().

What can be the problem?

 

I really suspect that somebody might be inserting some code that gets executed on the server, or something; I really don't know. This has got me really confused.
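The following is an added example and not code from the original post. It reproduces two things visible in the code above and shows a hardened version. First, clearSqlInjections() compares the result of strpos() to false with a loose `!=`: when the single quote is the very first character, strpos() returns 0, `0 != false` is false, and the value is returned with nothing escaped at all. Second, the cancel_order action checks ownership in one SELECT but then runs DELETE statements keyed on the id alone, so a value that passes the first query as written can match other members' rows in the DELETE. The example drives both with a payload against an in-memory SQLite database through PDO (it assumes the pdo_sqlite extension is available); the table and column names follow the post's orders table, and the rows are constructed sample data. The hardened function validates the id, binds it as a parameter, and scopes the DELETE to the session's Member_ID.

```php
<?php
// Added example, not code from the original post. Runs offline against an
// in-memory SQLite database through PDO (assumes the pdo_sqlite extension).
// Table and column names (orders, OrderID, Member_ID) follow the post; the
// rows are constructed sample data.

// Same logic as the post's clearSqlInjections(): strpos() returns 0 when the
// quote is the FIRST character, 0 != false is false, so nothing is escaped.
function clearSqlInjectionsOriginal(string $item): string
{
    if (strpos($item, chr(39)) != false) {
        $item = str_replace(chr(39), "''", $item);
    }
    return $item;
}

function seedOrders(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE orders (OrderID INTEGER PRIMARY KEY, Member_ID INTEGER NOT NULL)');
    // Constructed data: member 1 owns order 10, member 2 owns orders 20 and 21.
    $db->exec('INSERT INTO orders (OrderID, Member_ID) VALUES (10, 1), (20, 2), (21, 2)');
    return $db;
}

// Same shape as the post's cancel_order: an ownership SELECT, then a DELETE
// keyed on the id alone. Both are built by string concatenation.
function cancelOrderOriginal(PDO $db, string $rawId, int $sessionUserId): bool
{
    $id = clearSqlInjectionsOriginal($rawId);
    $sql = "SELECT Member_ID FROM orders WHERE OrderID='$id' AND Member_ID='$sessionUserId'";
    $memberId = $db->query($sql)->fetchColumn();
    if ($memberId === false || (int) $memberId !== $sessionUserId) {
        return false;
    }
    $db->exec("DELETE FROM orders WHERE OrderID='$id'");
    return true;
}

// Hardened version: validate the id's shape, bind it as a parameter, and put
// the ownership condition on the DELETE itself so the check and the delete
// can never disagree.
function cancelOrderHardened(PDO $db, string $rawId, int $sessionUserId): bool
{
    if (!ctype_digit($rawId)) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM orders WHERE OrderID = :id AND Member_ID = :member');
    $stmt->execute([':id' => (int) $rawId, ':member' => $sessionUserId]);
    return $stmt->rowCount() === 1;
}

function remainingOrderIds(PDO $db): array
{
    return $db->query('SELECT OrderID FROM orders ORDER BY OrderID')->fetchAll(PDO::FETCH_COLUMN);
}

// The payload starts with a quote, so the original escaper leaves it alone.
// AND binds tighter than OR, so the ownership SELECT becomes
//   OrderID='' OR ('1'='1' AND Member_ID='1')
// and still returns one of member 1's own rows; the DELETE then becomes
//   DELETE FROM orders WHERE OrderID='' OR '1'='1'
$payload = "' OR '1'='1";

foreach (['original' => 'cancelOrderOriginal', 'hardened' => 'cancelOrderHardened'] as $label => $fn) {
    $db = seedOrders();
    $deleted = $fn($db, $payload, 1);
    printf("%-8s payload as member 1: deleted=%s remaining=[%s]\n",
        $label, var_export($deleted, true), implode(',', remainingOrderIds($db)));
}

// Hardened path: member 1 trying to cancel member 2's order by its real id.
$db = seedOrders();
$deleted = cancelOrderHardened($db, '20', 1);
printf("hardened id 20 as member 1: deleted=%s remaining=[%s]\n",
    var_export($deleted, true), implode(',', remainingOrderIds($db)));
```

Run it with `php cancel_order_demo.php` (any filename works). With the original flow, the payload passes the ownership check and the DELETE removes every row, including member 2's orders; with the hardened flow, the payload is rejected before any query runs, and a real id belonging to another member affects zero rows. Two caveats a practitioner would add: changing `!=` to `!==` only closes the leading-quote case, because doubling single quotes does not neutralise MySQL's backslash escape (a value such as `\' OR 1=1 -- ` becomes `\'' OR 1=1 -- ` and still breaks out of the literal), so parameterised queries, not character replacement, are the fix; and because cancel_order is triggered by a GET parameter with no anti-CSRF token, any page a logged-in member visits can make their browser cancel one of their own orders, which is worth ruling out separately when chasing "orders getting deleted" complaints.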
