DrByte,
The $GET values themselves in the reported lines appear to be expected directly from the $GET stream, and as they are not (in the lines noted) being escaped in any way, they might offer injection opportunities.
It could well be that by the time ZenCart processes these lines the $GETs have already been adequately escaped, but I don't know enough about the structure of ZenCart coding yet to know if that is the case, so I thought I'd mention it.
The warnings were due to $GET values not being present, so I guess they need to be checked prior to attempting to read them at the very least.
PS. Oops, I should have removed the local paths from above before posting it to make it clearer which files were being reported.




