  1. #1
    Join Date
    Feb 2007
    Location
    Pennsylvania
    Posts
    819
    Plugin Contributions
    0

    Re: upgrading this plugin

    I've just completed the main functional part of a nicely working filter. A simple, nicely working filter, and I've taken care of the security of the URL parameters. I'll be putting together some js to go with it and submitting it as an addon soon. Is there a way to get a copy of the files up here for beta testing?

    Thanks, John

  2. #2
    Join Date
    Jan 2004
    Posts
    66,444
    Plugin Contributions
    279

    Re: upgrading this plugin

    I'm a bit concerned about the security of the price and manufacturer filters in this code in the index_filters area, since that code runs on page load, and not after being filtered thru the product_filter_sidebox module:
    Code:
            if(isset($_GET['jpricelohi']) && zen_not_null($_GET['jpricelohi'])){
                $loHiParts = explode('_',$_GET['jpricelohi']);
                if(isset($loHiParts[0]) && zen_not_null($loHiParts[0])){
                    $and .= " and p.products_price >= ".$loHiParts[0];
                }
                if(isset($loHiParts[1]) && zen_not_null($loHiParts[1])){
                    $and .= " and p.products_price <= ".$loHiParts[1];
                }
            }
            if(isset($cleanJpManus) && zen_not_null($cleanJpManus)){
                $manu_id_string = '';
                foreach($cleanJpManus as $manu_arr_flt){
                    $manu_id_string .= $manu_arr_flt.',';
                }
                $manu_id_string = rtrim($manu_id_string, ',');
                $and .= " and m.manufacturers_id IN (".$manu_id_string . ")";
            }

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Jan 2004
    Posts
    66,444
    Plugin Contributions
    279

    Re: upgrading this plugin

    Also, the /includes/index_filters folder does support overrides.

    So you can move your custom one into /includes/index_filters/YOURTEMPLATE/default_filter.php

    But you should document in the readme that the music_filter and record_company_filter aren't supported by your plugin. (And that's probably not a problem unless someone filtering those products is actually doing a different kind of filtering than those are already triggering.)

  4. #4
    Join Date
    Jan 2004
    Posts
    66,444
    Plugin Contributions
    279

    Re: upgrading this plugin

    You'll also want to document in your readme that your plugin expects the database to contain 'products_short_desc' and 'products_special_data' fields in the products_description table. Or remove those from the queries you've altered in the plugin.

  5. #5
    Join Date
    Feb 2007
    Location
    Pennsylvania
    Posts
    819
    Plugin Contributions
    0

    Re: upgrading this plugin

    Didn't realize I could override the default_filter.php. Awesome!

    As for the security of the price sorter, I'm tapping into the built-in ZC 'sort' so it's cleansed by application_top.php. Isn't this correct?

    I'll be removing the product_short_desc. Didn't realize that was in there.

    Thanks for the feedback!

  6. #6
    Join Date
    Feb 2007
    Location
    Pennsylvania
    Posts
    819
    Plugin Contributions
    0

    Re: upgrading this plugin

    Ahhh, I see. You're talking about the price filter and not the price sorter... any recommendations on this?

  7. #7
    Join Date
    Feb 2007
    Location
    Pennsylvania
    Posts
    819
    Plugin Contributions
    0

    Re: upgrading this plugin

    So I've moved the security testing into the default filter. It seems as though I've not completely nailed the security though. Please come back with a better method of cleansing.

    Thank You.

  8. #8
    Join Date
    Jan 2004
    Posts
    66,444
    Plugin Contributions
    279

    Re: upgrading this plugin

    For price, maybe this:

    Code:
    $loHiParts = explode('_', preg_replace('/[^0-9_]/', '', $_GET['jpricelohi']));
    That removes anything that's not numeric or underscore.


    Is 'jparam_manu' supposed to be an array? If so then you'll have to loop thru all the array values and sanitize them before adding them to the query.


    Is it necessary for all of these to be $_GET? It's best to limit the use of $_GET because it clutters the URL, and then it makes things complicated for setting canonical stuff for Google to understand what are "duplicate content" pages vs unique pages.
    I know the advanced-search uses $_GET, but if this filter can be done via POST it'd be better.
    Using $_GET will cause the URL to have a bunch of ugly content like:
    Code:
    &jparam_manu[]=foo&jparam_manu[]=bar&jparam_manu=1&jparam_manu=2&jparam_manu=3&jpricelohi=5_56789

  9. #9
    Join Date
    Jan 2004
    Posts
    66,444
    Plugin Contributions
    279

    Re: upgrading this plugin

    And maybe something like this for manufacturers?
    Code:
            $manu_arr_flt = array();
            foreach($_GET as $key => $value){
                if(preg_match('/^jparam_manu/', $key)){
                    $manu = preg_replace('/[^0-9]/', '', $value);
                    if ($manu != '')
                    {
                        $manu_arr_flt[] = $manu;
                    }
                }
            }
            if (sizeof($manu_arr_flt)) {
                $and .= " and m.manufacturers_id IN (". implode(',', $manu_arr_flt) . ")";
            }
    (These are all for the default_filters.php file)
    Last edited by DrByte; 22 Dec 2014 at 07:33 AM. Reason: implode, not explode :)
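    The two sanitizing steps from posts #8 and #9 combined into one clause builder for default_filter.php, as an added example that is not DrByte's or the plugin's own code. It assumes a $params array standing in for $_GET, that jparam_manu arrives either as a scalar or as a jparam_manu[] array, and that prices are whole numbers (the digits-and-underscore regex from post #8 strips a decimal point):

```php
<?php
// Added example, not the plugin's or Zen Cart's own code. Builds the
// "and" clause for default_filter.php from a $_GET-like array, applying
// the whitelist sanitization from posts #8 and #9 before any value
// reaches the SQL string. Assumption: jparam_manu is a scalar or an
// array (jparam_manu[]=...); prices are integers, as the regex implies.
function build_filter_and_clause(array $params)
{
    $and = '';

    // Price range "lo_hi": keep only digits and underscore, then split,
    // so the bare "and p.products_price >= " . $loHiParts[0] from post #2
    // can only ever be followed by an integer.
    if (isset($params['jpricelohi']) && $params['jpricelohi'] !== '') {
        $clean = preg_replace('/[^0-9_]/', '', (string)$params['jpricelohi']);
        $loHiParts = explode('_', $clean);
        if ($loHiParts[0] !== '') {
            $and .= ' and p.products_price >= ' . (int)$loHiParts[0];
        }
        if (isset($loHiParts[1]) && $loHiParts[1] !== '') {
            $and .= ' and p.products_price <= ' . (int)$loHiParts[1];
        }
    }

    // Manufacturer ids: strip non-digits from every submitted value, drop
    // empties and cast to int, so IN (...) holds nothing but integers.
    $manu_arr_flt = array();
    if (isset($params['jparam_manu'])) {
        foreach ((array)$params['jparam_manu'] as $value) {
            $manu = preg_replace('/[^0-9]/', '', (string)$value);
            if ($manu !== '') {
                $manu_arr_flt[] = (int)$manu;
            }
        }
    }
    if (count($manu_arr_flt)) {
        $and .= ' and m.manufacturers_id IN (' . implode(',', $manu_arr_flt) . ')';
    }

    return $and;
}

// Constructed inputs: a normal request, and one with junk in both parameters.
$normal = array('jpricelohi' => '5_56789', 'jparam_manu' => array('12', '7'));
$junk   = array('jpricelohi' => '$5_abc', 'jparam_manu' => array('3 x', '', 'foo'));
echo build_filter_and_clause($normal), "\n";
echo build_filter_and_clause($junk), "\n";
```

    The junk request yields only a lower price bound and a single manufacturer id, which is the point: nothing that is not an integer survives into the query.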

  10. #10
    Join Date
    Jan 2004
    Posts
    66,444
    Plugin Contributions
    279

    Re: upgrading this plugin

    When you're ready to package, I recommend removing any trailing ?> from the end of all PHP files. This prevents stray "blank lines" from getting treated as HTML when certain FTP programs mangle the line-endings in the files during transfer.
    Ref: http://www.zen-cart.com/content.php?...nd-of-the-file
