  1. #1
    Join Date
    Feb 2010
    Posts
    154
    Plugin Contributions
    0

    Idea or Suggestion [N/A] /includes/modules/new_products.php (and others) errors

    This might be minor, or irrelevant, but I thought I'd report it in case it offers some injection hacks.

    Zen Cart 1.3.8a
    Patch: 1::
    Database Patch Level: 1.3.8
    v1.3.8 [2010-02-15 20:00:16] (Fresh Installation)

    All security patches, etc. have been applied. I made an error in patching new_products.php which meant I've just inserted an error_reporting(E_ALL); into it to fix it (which I did).

    However, while I had error reporting on, I noticed the following warnings:

    Notice: Undefined index: music_genre_id in E:\wamp\www\rawrocks\public_html\zenrocks\includes\modules\zr_basic\new_products.php on line 22

    Notice: Undefined index: record_company_id in E:\wamp\www\rawrocks\public_html\zenrocks\includes\modules\zr_basic\new_products.php on line 22

    along with...

    Notice: Undefined index: music_genre_id in E:\wamp\www\rawrocks\public_html\zenrocks\includes\modules\featured_products.php on line 21

    Notice: Undefined index: record_company_id in E:\wamp\www\rawrocks\public_html\zenrocks\includes\modules\featured_products.php on line 21

    Notice: Undefined index: music_genre_id in E:\wamp\www\rawrocks\public_html\zenrocks\includes\modules\specials_index.php on line 21

    Notice: Undefined index: record_company_id in E:\wamp\www\rawrocks\public_html\zenrocks\includes\modules\specials_index.php on line 21

    Notice: Undefined index: music_genre_id in E:\wamp\www\rawrocks\public_html\zenrocks\includes\modules\upcoming_products.php on line 24

    Notice: Undefined index: record_company_id in E:\wamp\www\rawrocks\public_html\zenrocks\includes\modules\upcoming_products.php on line 24

  2. #2
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: /includes/modules/new_products.php (and others) errors

    Quote Originally Posted by Celtic View Post
    in case it offers some injection hacks.
    Please explain why you're led to believe that these could be related to injection hacks.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Feb 2010
    Posts
    154
    Plugin Contributions
    0

    Default Re: /includes/modules/new_products.php (and others) errors

    DrByte,

    The $GET values themselves in the reported lines appear to be expected direct from the $GET stream, and as they are not (in the lines noted) being escaped in any way then they might offer injection opportunities.

    It could well be that by the time zenCart processes these lines that the $GET's have already been adequately escaped, but I don't know enough about the structure of ZenCart coding yet to know if that is the case, so I thought I'd mention it.

    The warnings were due to $GET values not being present, so I guess they need to be checked prior to attempting to read them at the very least.

    PS. Oops, I should have removed the local paths from above before posting it to make it clearer which files were being reported.
    Last edited by Celtic; 22 Feb 2010 at 01:02 PM.

  4. #4
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: /includes/modules/new_products.php (and others) errors

    1. $_GET is already sanitized.

    2. "Notice" messages are just that: notices. They will show up when coding assumes the presence of certain variables, even if they're not defined. When not defined, their value is treated as blank. Slightly more efficient coding would first check that the variable exists before checking its value. And that's something the developers have been doing as a matter of course in the upcoming v2.0. But the existence of "Notice" messages is almost always safe to ignore, unless it's happening in new code you're writing yourself and you're doing personal debugging.

    There is no security threat in the content you reported.
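    The point in post #4 about checking that a variable exists before reading it, shown as an added PHP example (this is not Zen Cart code and does not reproduce how Zen Cart sanitizes $_GET; the array contents and the optionalIntParam helper are constructed for illustration):

```php
<?php
// Added example, not Zen Cart code: the access pattern that raises the
// "Undefined index" notices from the thread, beside an existence-checked
// version of the same lookup.

// Constructed sample query arrays standing in for $_GET: one request that
// carries both filters, one that carries neither.
$withFilters = ['music_genre_id' => '7', 'record_company_id' => '3'];
$noFilters   = [];

// Pattern that produces the reported notices: the key is read without first
// checking that it exists. When the key is absent PHP emits E_NOTICE
// (PHP 7) or E_WARNING (PHP 8) and the expression evaluates to null, which
// later comparisons treat like an empty string. This is noise, not an
// injection path by itself, which is the point made in post #4.
function genreIdUnchecked(array $get)
{
    return $get['music_genre_id'];
}

// Existence-checked version. isset() is false for both a missing key and a
// null value, so no notice is raised in either case. The value is then
// validated as a non-negative integer (an id), so a non-numeric or array
// value falls back to the default instead of travelling further. Helper
// name and signature are this example's own, not Zen Cart's.
function optionalIntParam(array $get, string $key, int $default = 0): int
{
    if (!isset($get[$key])) {
        return $default;
    }
    $value = filter_var(
        $get[$key],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]
    );
    return $value === false ? $default : $value;
}

// Same reporting level the first post switched on, so the notice is visible.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// Unchecked read against a request with no filters: raises the notice.
var_dump(genreIdUnchecked($noFilters));

// Checked reads: quiet for every input shape, and always yield an integer.
var_dump(optionalIntParam($withFilters, 'music_genre_id'));
var_dump(optionalIntParam($noFilters, 'music_genre_id'));
var_dump(optionalIntParam(['music_genre_id' => 'abc'], 'music_genre_id'));
var_dump(optionalIntParam(['music_genre_id' => ['1']], 'music_genre_id'));
```

    Run it from the command line with error reporting left at E_ALL: the first var_dump is preceded by the notice (or warning on PHP 8), the remaining four are silent. The existence check is what removes the notice; the integer validation is a separate habit that keeps request values typed before they reach any query code, independent of whatever escaping the framework already applies.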

  5. #5
    Join Date
    Feb 2010
    Posts
    154
    Plugin Contributions
    0

    Default Re: /includes/modules/new_products.php (and others) errors

    Quote Originally Posted by DrByte View Post
    There is no security threat in the content you reported.
    Cheers DrB, good to know.
