Page 2 of 2 FirstFirst 12
Results 11 to 13 of 13
  1. #11
     Join Date: Jan 2004 | Location: N of San Antonio TX | Posts: 9,103 | Plugin Contributions: 11

     Re: Question about replacing [Get]s in addon code for 1.5

     Thanks.
     Still trying to wrap my head around this.
     Know that it works with 1.5 without the "monitors" shutting it down a la IH3.
     Next stop: the 37 $_GET calls in ih_manager.php.

  2. #12
     Join Date: May 2006 | Location: Gardiner, Maine | Posts: 2,289 | Plugin Contributions: 22

     Re: Question about replacing [Get]s in addon code for 1.5

     I just have to have some more specifics about this! I'm just not feeling confident of my understanding.

     For example, this line: $action = (isset($_GET['action']) ? $_GET['action'] : ''); has nothing to do with the actual database changes; it's just picking up what the action is. Same for this: switch($_GET['action']).

     This one sets the form action as get and not post: <?php echo zen_draw_form('clean_cross', FILENAME_CROSS_SELL_PRODUCTS, 'action=select_cross_sell', 'get'); ?> But it looks like it's just trying to choose which table to work on and makes no changes to the database.

     This one uses post, so it is not a problem: <?php echo zen_draw_form('clean_cross', FILENAME_CROSS_SELL_PRODUCTS, 'action=cleancross_sell', 'post'); ?> It looks like all of the actions that make database changes are done that way.

     This one changes the database but is not part of a form per se, though it must be the result of that choice of table mentioned before:

     if (defined('CROSS_SELL_ENABLED')) {

       if (isset($_GET['select_cross_sell'])) {
         // the raw $_GET value is interpolated into the UPDATE below unquoted and unescaped
         $cross_sell_edit = ($_GET['select_cross_sell']);
         $db->Execute("UPDATE " . TABLE_CONFIGURATION .
                      " set configuration_value = $cross_sell_edit
                       WHERE configuration_key = 'CROSS_SELL_SELECTED_TABLE'");
         zen_redirect(zen_href_link(FILENAME_CROSS_SELL_PRODUCTS));
       }
     }

    So my conclusion is that no changes are necessary. Does that sound right?
    The full-time Zen Cart Guru. WizTech4ZC.com

  3. #13
     Join Date: Jun 2012 | Location: Florida | Posts: 123 | Plugin Contributions: 5

     Re: Question about replacing [Get]s in addon code for 1.5

    Hello,
    I must ask for a little help.

     I am trying to update a sales tax mod to protect against the $_GET vulnerability, but am not quite able to find the correct change for the section of code listed below. Any guidance / help would be appreciated. I have this mod working (locally on a test machine) with Zen Cart 1.5, but wanted to update this section before posting the changes.

     The sample below is but one of four pieces that do insert, save, update, and delete. All have the same format, so once one of them is updated the others should be easy.
     In case you're interested in the mod I am looking at updating, this is the link:
     http://www.zen-cart.com/downloads.php?do=file&id=422 (Local Sales Tax Mod)

     First, a question: does this code even need to be updated? I believe it does, based on what I have read in the forum...
     Second, if it does, what changes will make this work? (I understand I will have to update the postback from get to post, etc., when this is updated.)

     PHP Code:

     $heading[] = array('text' => '<b>' . TEXT_INFO_HEADING_NEW_LOCAL_SALES_TAX . '</b>');

     $contents = array('form' => zen_draw_form('local_sales_tax', FILENAME_LOCAL_SALES_TAXES, 'page=' . $_GET['page'] . '&action=insert'));
     $contents[] = array('text' => TEXT_INFO_INSERT_INTRO);
     $contents[] = array('text' => '<br>' . TEXT_INFO_COUNTRY . '<br>' . zen_draw_pull_down_menu('zone_country_id', zen_get_countries(TEXT_ALL_COUNTRIES), '', 'onChange="update_zone(this.form);"'));
     $contents[] = array('text' => '<br>' . TEXT_INFO_COUNTRY_ZONE . '<br>' . zen_draw_pull_down_menu('zone_id', zen_prepare_country_zones_pull_down()));
     $contents[] = array('text' => '<br>' . TEXT_INFO_TAX_RATE . '<br>' . zen_draw_input_field('tax_rate'));
     $contents[] = array('text' => '<br>' . TEXT_INFO_FIELDMATCH . '<br>' . zen_draw_pull_down_menu('tax_fieldmatch', $za_lookup));
     $contents[] = array('text' => '<br>' . TEXT_INFO_DATAMATCH . '<br>' . zen_draw_textarea_field('tax_datamatch', false, 35, 4));
     $contents[] = array('text' => '<br>' . TEXT_INFO_RATE_DESCRIPTION . '<br>' . zen_draw_input_field('tax_description'));
     $contents[] = array('text' => '<br />' . TEXT_INFO_TAX_SHIPPING . '<br />' . zen_draw_radio_field('tax_shipping', 'false', true) . ' ' . TEXT_TAX_SHIPPING_FALSE . '<br />' . zen_draw_radio_field('tax_shipping', 'true') . ' ' . TEXT_TAX_SHIPPING_TRUE);
     $contents[] = array('text' => '<br>' . TEXT_INFO_TAX_CLASS_TITLE . '<br>' . zen_tax_classes_pull_down('name="tax_class_id" style="font-size:10px"'));
     $contents[] = array('align' => 'center', 'text' => '<br>' . zen_image_submit('button_insert.gif', IMAGE_INSERT) . '&nbsp;<a href="' . zen_href_link(FILENAME_LOCAL_SALES_TAXES, 'page=' . $_GET['page']) . '">' . zen_image_button('button_cancel.gif', IMAGE_CANCEL) . '</a>');

     // As I see it the following line needs to be updated.
     $contents = array('form' => zen_draw_form('local_sales_tax', FILENAME_LOCAL_SALES_TAXES, 'page=' . $_GET['page'] . '&action=insert'));

     // And, this one might need to be updated.
     $contents[] = array('align' => 'center', 'text' => '<br>' . zen_image_submit('button_insert.gif', IMAGE_INSERT) . '&nbsp;<a href="' . zen_href_link(FILENAME_LOCAL_SALES_TAXES, 'page=' . $_GET['page']) . '">' . zen_image_button('button_cancel.gif', IMAGE_CANCEL) . '</a>');
    Thanks in advance for any suggestions / help.

    Brent
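Editor's added example, covering both the cross-sell table selection quoted in post #12 and the Local Sales Tax insert form quoted in post #13. This is not code from Image Handler, from either mod, or from Zen Cart itself; it shows one way to rework those two pieces so that nothing that writes to the database is driven by $_GET. It assumes the Zen Cart 1.5 admin environment is loaded ($db and the zen_* helper functions, TABLE_CONFIGURATION, FILENAME_CROSS_SELL_PRODUCTS, FILENAME_LOCAL_SALES_TAXES). The table names in $allowed_cross_sell_tables, the constant TABLE_LOCAL_SALES_TAXES, its column names and the post_field() helper are assumptions for illustration, not taken from either mod.

```php
<?php
// Added example (not code from Image Handler, the cross-sell mod, or the Local
// Sales Tax mod). Assumes the Zen Cart 1.5 admin environment is already loaded.
// Assumed for illustration: the table names below, TABLE_LOCAL_SALES_TAXES and
// its column names, and the post_field() helper.

// Routing. 'action' and 'page' may stay in the query string: 'action' only picks
// a branch and is never written anywhere, and 'page' is cast to an integer
// before it is put back into a URL.
$action = (isset($_GET['action']) ? $_GET['action'] : '');
$page   = (isset($_GET['page']) ? (int)$_GET['page'] : 1);

// Helper (assumed, not a Zen Cart function): read one POST field, or '' if absent.
function post_field($name)
{
  return isset($_POST[$name]) ? zen_db_prepare_input($_POST[$name]) : '';
}

// ---- Cross-sell table selection (post #12) --------------------------------
// Before: zen_draw_form(..., 'action=select_cross_sell', 'get') and
//   "UPDATE ... set configuration_value = $cross_sell_edit ..."
// so the raw $_GET value landed unquoted inside the UPDATE.
// After: the form posts, the value must match a fixed list of table names,
// and it is escaped and quoted before it reaches the query.
$allowed_cross_sell_tables = array('products_xsell', 'products_xsell_grp'); // assumed names

if (defined('CROSS_SELL_ENABLED')) {
  if ($action == 'select_cross_sell' && isset($_POST['select_cross_sell'])) {
    $cross_sell_edit = post_field('select_cross_sell');
    if (in_array($cross_sell_edit, $allowed_cross_sell_tables, true)) {
      $db->Execute("UPDATE " . TABLE_CONFIGURATION . "
                    SET configuration_value = '" . zen_db_input($cross_sell_edit) . "'
                    WHERE configuration_key = 'CROSS_SELL_SELECTED_TABLE'");
    }
    // Redirect whether or not the value was accepted, so the page is never
    // rendered straight from a POST.
    zen_redirect(zen_href_link(FILENAME_CROSS_SELL_PRODUCTS));
  }

  // The form that feeds it: method 'get' becomes 'post'. With a GET form the
  // browser discards the URL's own query string, which is why the original
  // could only test isset($_GET['select_cross_sell']); with POST the
  // 'action=select_cross_sell' parameter survives in the URL and the chosen
  // table travels in the request body.
  $table_choices = array();
  foreach ($allowed_cross_sell_tables as $table_name) {
    $table_choices[] = array('id' => $table_name, 'text' => $table_name);
  }
  echo zen_draw_form('clean_cross', FILENAME_CROSS_SELL_PRODUCTS, 'action=select_cross_sell', 'post');
  echo zen_draw_pull_down_menu('select_cross_sell', $table_choices);
  echo zen_image_submit('button_update.gif', IMAGE_UPDATE);
  echo '</form>';
}

// ---- Local sales tax insert (post #13) ------------------------------------
// zen_draw_form() already defaults to method="post", so the form line only
// needs the page number cast; the cancel link gets the same cast.
$contents = array('form' => zen_draw_form('local_sales_tax', FILENAME_LOCAL_SALES_TAXES, 'page=' . $page . '&action=insert'));
$contents[] = array('align' => 'center', 'text' => '<br>' . zen_image_submit('button_insert.gif', IMAGE_INSERT)
  . '&nbsp;<a href="' . zen_href_link(FILENAME_LOCAL_SALES_TAXES, 'page=' . $page) . '">'
  . zen_image_button('button_cancel.gif', IMAGE_CANCEL) . '</a>');

// The matching handler reads the submitted fields from $_POST, casts the
// numeric ones, and lets zen_db_perform() escape and quote the rest.
if ($action == 'insert') {
  $tax_data = array(                                          // column names assumed
    'zone_country_id' => (int)post_field('zone_country_id'),
    'zone_id'         => (int)post_field('zone_id'),
    'tax_rate'        => (float)post_field('tax_rate'),
    'tax_description' => post_field('tax_description'),
    'tax_shipping'    => (post_field('tax_shipping') == 'true') ? 'true' : 'false',
    'tax_class_id'    => (int)post_field('tax_class_id'),
  );
  zen_db_perform(TABLE_LOCAL_SALES_TAXES, $tax_data);       // table name assumed
  zen_redirect(zen_href_link(FILENAME_LOCAL_SALES_TAXES, 'page=' . $page));
}
```

The pattern is the same for the save, update and delete pieces the post mentions: keep 'action=...' and the integer-cast 'page' in the form's URL, move every field that ends up in a query into the POST body, and cast or allowlist each value before it is used.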
