THANX
Still trying to wrap my head around this.
Know that it works with 1.5 without the "monitors" shutting it down a la IH3.
Next stop.... The 37 $_GET calls in ih_manager.php
I just have to have some more specifics about this! Just not feeling confident of my understanding.
For example, this line: $action = (isset($_GET['action']) ? $_GET['action'] : ''); has nothing to do with the actual database changes - it's just picking up what the action is. Same for this: switch($_GET['action'])
This one sets the form action as get and not post: <?php echo zen_draw_form('clean_cross', FILENAME_CROSS_SELL_PRODUCTS, 'action=select_cross_sell', 'get'); ?> But it looks like it's just trying to choose which table to work on and works no changes on the database
This one uses post so is not a problem <?php echo zen_draw_form('clean_cross', FILENAME_CROSS_SELL_PRODUCTS, 'action=cleancross_sell', 'post'); ?> Looks like all of the actions that make database changes are done that way.
This one changes the database but is not part of a form per se though must be the result of that choice of table mentioned before:
if (defined('CROSS_SELL_ENABLED')) {
    if (isset($_GET['select_cross_sell'])) {
        // Table choice is taken straight from the query string...
        $cross_sell_edit = ($_GET['select_cross_sell']);
        // ...and interpolated, unquoted, into the UPDATE statement.
        $db->Execute("UPDATE " . TABLE_CONFIGURATION .
                     " set configuration_value = $cross_sell_edit
                       WHERE configuration_key = 'CROSS_SELL_SELECTED_TABLE'");
        zen_redirect(zen_href_link(FILENAME_CROSS_SELL_PRODUCTS));
    }
}
So my conclusion is that no changes are necessary. Does that sound right?
Hello,
I must ask for a little help.
I am trying to update a sales tax mod to protect against the $_get vulnerability, but am not quite able to find the correct change for the section of code listed below. Any guidance / help would be appreciated. I have this mod working (locally on a test machine) with Zen Cart 1.5, but wanted to update this section before posting the changes.
The sample below is but one of four pieces that do insert, save, update, and delete. All have the same format, so once one of them is updated the others should be easy.
In case you're interested in the mod I am looking at updating, this is the link.
http://www.zen-cart.com/downloads.php?do=file&id=422 (Local Sales Tax Mod)
First, a question: does this code even need to be updated? I believe it does, based on what I have read in the forum...
Second, if it does, what changes will make this work? (I understand I will have to update the post back from get to post etc. when this is updated.)
Thanks in advance for any suggestions / help.
PHP Code:
$heading[] = array('text' => '<b>' . TEXT_INFO_HEADING_NEW_LOCAL_SALES_TAX . '</b>');
$contents = array('form' => zen_draw_form('local_sales_tax', FILENAME_LOCAL_SALES_TAXES, 'page=' . $_GET['page'] . '&action=insert'));
$contents[] = array('text' => TEXT_INFO_INSERT_INTRO);
$contents[] = array('text' => '<br>' . TEXT_INFO_COUNTRY . '<br>' . zen_draw_pull_down_menu('zone_country_id', zen_get_countries(TEXT_ALL_COUNTRIES), '', 'onChange="update_zone(this.form);"'));
$contents[] = array('text' => '<br>' . TEXT_INFO_COUNTRY_ZONE . '<br>' . zen_draw_pull_down_menu('zone_id', zen_prepare_country_zones_pull_down()));
$contents[] = array('text' => '<br>' . TEXT_INFO_TAX_RATE . '<br>' . zen_draw_input_field('tax_rate'));
$contents[] = array('text' => '<br>' . TEXT_INFO_FIELDMATCH . '<br>' . zen_draw_pull_down_menu('tax_fieldmatch', $za_lookup));
$contents[] = array('text' => '<br>' . TEXT_INFO_DATAMATCH . '<br>' . zen_draw_textarea_field('tax_datamatch', false, 35, 4));
$contents[] = array('text' => '<br>' . TEXT_INFO_RATE_DESCRIPTION . '<br>' . zen_draw_input_field('tax_description'));
$contents[] = array('text' => '<br />' . TEXT_INFO_TAX_SHIPPING . '<br />' . zen_draw_radio_field('tax_shipping', 'false', true) . ' ' . TEXT_TAX_SHIPPING_FALSE . '<br />' . zen_draw_radio_field('tax_shipping', 'true') . ' ' . TEXT_TAX_SHIPPING_TRUE);
$contents[] = array('text' => '<br>' . TEXT_INFO_TAX_CLASS_TITLE . '<br>' . zen_tax_classes_pull_down('name="tax_class_id" style="font-size:10px"'));
$contents[] = array('align' => 'center', 'text' => '<br>' . zen_image_submit('button_insert.gif', IMAGE_INSERT) . ' <a href="' . zen_href_link(FILENAME_LOCAL_SALES_TAXES, 'page=' . $_GET['page']) . '">' . zen_image_button('button_cancel.gif', IMAGE_CANCEL) . '</a>');
//As I see it the following line needs to be updated.
$contents = array('form' => zen_draw_form('local_sales_tax', FILENAME_LOCAL_SALES_TAXES, 'page=' . $_GET['page'] . '&action=insert'));
//And, this one might need to be updated.
$contents[] = array('align' => 'center', 'text' => '<br>' . zen_image_submit('button_insert.gif', IMAGE_INSERT) . ' <a href="' . zen_href_link(FILENAME_LOCAL_SALES_TAXES, 'page=' . $_GET['page']) . '">' . zen_image_button('button_cancel.gif', IMAGE_CANCEL) . '</a>');
Brent
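The two $_GET patterns questioned in this thread (the `select_cross_sell` value spliced into the cross-sell UPDATE, and `$_GET['page']` concatenated into the sales-tax form and cancel link) handled defensively, as an added example that is not Zen Cart's code nor either poster's mod. It assumes the pdo_sqlite extension and stands an in-memory SQLite table in for TABLE_CONFIGURATION; the allowlist of table names is a constructed sample, not the real mod's list.

```php
<?php
// Added example (not Zen Cart's own code): the two $_GET patterns from this
// thread, validated before use. PDO + in-memory SQLite stands in for
// TABLE_CONFIGURATION so the script runs on its own (assumes pdo_sqlite).

// Constructed sample allowlist of values 'select_cross_sell' may carry.
const ALLOWED_CROSS_SELL_TABLES = ['products_xsell', 'products_xsell_grp'];

// Accept the table choice only if it is exactly one of the known values.
function validate_cross_sell_choice(array $query): ?string
{
    $value = $query['select_cross_sell'] ?? '';
    return in_array($value, ALLOWED_CROSS_SELL_TABLES, true) ? $value : null;
}

// Accept 'page' only as a positive integer; anything else becomes page 1.
function validate_page(array $query): int
{
    $page = filter_var(
        $query['page'] ?? 1,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $page === false ? 1 : $page;
}

// Query string for the form action / cancel link, built from the
// validated integer rather than the raw $_GET['page'].
function page_link_params(array $query): string
{
    return 'page=' . validate_page($query);
}

// Hardened counterpart of the thread's UPDATE: the value is bound as a
// parameter instead of interpolated, and the branch runs only on POST so a
// plain GET link cannot change configuration.
function save_cross_sell_choice(PDO $db, string $method, array $query): bool
{
    if ($method !== 'POST') {
        return false;                 // state change must not ride on a GET
    }
    $table = validate_cross_sell_choice($query);
    if ($table === null) {
        return false;                 // unknown value: refuse, do not guess
    }
    $stmt = $db->prepare(
        "UPDATE configuration SET configuration_value = :val
          WHERE configuration_key = 'CROSS_SELL_SELECTED_TABLE'"
    );
    $stmt->execute([':val' => $table]);
    return $stmt->rowCount() === 1;
}

// --- demo with constructed data ---------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE configuration (
             configuration_key TEXT PRIMARY KEY,
             configuration_value TEXT)");
$db->exec("INSERT INTO configuration
           VALUES ('CROSS_SELL_SELECTED_TABLE', 'products_xsell')");

// Legitimate POST with a known table: accepted.
var_dump(save_cross_sell_choice($db, 'POST', ['select_cross_sell' => 'products_xsell_grp']));
// Same value arriving on a GET link: refused.
var_dump(save_cross_sell_choice($db, 'GET', ['select_cross_sell' => 'products_xsell_grp']));
// Value outside the allowlist: refused instead of being spliced into SQL.
var_dump(save_cross_sell_choice($db, 'POST', ['select_cross_sell' => 'not_a_table']));

// Page parameter: integer passes through, anything else falls back to 1.
echo page_link_params(['page' => '3']), "\n";
echo page_link_params(['page' => 'abc']), "\n";
```

In Zen Cart terms the same shape applies without PDO: keep the allowlist and integer checks, pass the validated value to the database layer instead of the raw `$_GET` entry, and make the form that triggers the update a POST form so the state-changing branch only fires on a submitted form.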