Thanks for that... date coming in as 0000-00-00 00:00:00 but at least its writing to the table. Ill work on it a bit and report the fix if I find.
Thanks
Results 11 to 13 of 13
-
12 Aug 2013, 09:49 AM #11
Zen Follower
- Join Date
- Mar 2006
- Posts
- 283
- Plugin Contributions
- 0
Re: Protection from injection - mysql_real_escape_string
22 stores and counting! Ive been zenned.
-
16 Aug 2013, 09:10 PM #12
Zen Follower
- Join Date
- Mar 2006
- Posts
- 283
- Plugin Contributions
- 0
Re: Protection from injection - mysql_real_escape_string
Should I sanatize SELECT and DELETE statements as well using bindVars and placeholders?
Also the problem that I was having above was that the now() should not have been in the bindVars statements but rather in the placeholders statements.
This is what is working now:
Code:$sql = "INSERT INTO " . TABLE_ACME_PRODS . " (`acme_products_id`,`acme_products_partno`, `acme_products_orderno`, `acme_manus_id`, `acme_model_id`, `acme_products_years`, `acme_products_type`, `acme_products_catid`, `acme_products_catname`, `acme_products_matid`, `acme_products_matname`, `acme_products_dateAdded`) VALUES (:products_id, :products_partno, :products_orderno, :products_manuid, :products_modelid, :products_years, :products_typeid, :products_catid, :products_typename, :products_matid, :products_matname, now())"; $sql = $db->bindVars($sql, ':products_id', $buildacmeProductID, 'string'); $sql = $db->bindVars($sql, ':products_partno',$resultProduct->attributes()->partNo, 'string'); $sql = $db->bindVars($sql, ':products_orderno',$resultProduct->attributes()->orderNo, 'string'); $sql = $db->bindVars($sql, ':products_manuid',$resultProduct->Manufacturer->attributes()->id, 'string'); $sql = $db->bindVars($sql, ':products_modelid',$resultProduct->Model->attributes()->id, 'string'); $sql = $db->bindVars($sql, ':products_years',$resultProduct->Years, 'string'); $sql = $db->bindVars($sql, ':products_typeid',$resultProduct->ProductType->attributes()->id, 'string'); $sql = $db->bindVars($sql, ':products_catid',$resultProduct->ProductType->attributes()->categoryID, 'string'); $sql = $db->bindVars($sql, ':products_typename',$resultProduct->ProductType, 'string'); $sql = $db->bindVars($sql, ':products_matid',$resultProduct->Material->attributes()->id, 'string'); $sql = $db->bindVars($sql, ':products_matname',$resultProduct->Material, 'string'); echo "<BR />DEBUG 10 SQL statement = ".$sql; $db->Execute($sql);
Originally Posted by DrByte
22 stores and counting! Ive been zenned.
-
16 Aug 2013, 09:22 PM #13
Sensei
- Join Date
- Jan 2004
- Posts
- 66,387
- Blog Entries
- 7
- Plugin Contributions
- 81
Re: Protection from injection - mysql_real_escape_string
That shouldn't be necessary. But since there's no sanitizing required, what you've changed it to is fine. Originally Posted by makenoiz
Yes. Always. Originally Posted by makenoiz
.
Zen Cart - putting the dream of business ownership within reach of anyone!
Donate to: DrByte directly or to the Zen Cart team as a whole
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
Reply With Quote
Similar Threads
-
Security Alert: SQL Injection Protection 2008-09-19
By DrByte in forum Zen Cart Release AnnouncementsReplies: 2Last Post: 30 Sep 2008, 06:21 AM -
Security Alert: SQL Injection Protection 2008-09-19 Confusion
By tbishop in forum General QuestionsReplies: 1Last Post: 29 Sep 2008, 05:55 PM
Bookmarks