

Updated SQL queries ensuring all parameters are escaped.
Michael Basford committed Mar 27, 2014
1 parent d717527 commit 2de1a81
Showing 7 changed files with 54 additions and 53 deletions.
1 change: 1 addition & 0 deletions openbaypro_changes.txt
@@ -1,5 +1,6 @@
Type: Enhancement, New Feature, Bug

27-03-14 - Bug - Updated SQL queries ensuring all parameters are escaped.
27-03-14 - Bug - Added reserve stock level column on eBay linked item page. Stock status now shows correctly for linked items using a reserve level.
19-03-14 - Enhancement - Added check for supersize version of an image during the product import.
14-03-14 - Enhancement - Added error message if users try to bulk list items without searching the Amazon catalog first.
8 changes: 4 additions & 4 deletions upload/catalog/model/openbay/ebay_openbay.php
Expand Up @@ -452,7 +452,7 @@ private function updateOrderWithConfirmedData($order_id, $order, $user) {
`payment_address_format` = '" . $address_format . "',
`total` = '" . (double)$order->order->total . "',
`date_modified` = NOW()
WHERE `order_id` = '".$order_id."'
WHERE `order_id` = '".$this->db->escape($order_id)."'
");

$totalTax = 0;
Expand Down Expand Up @@ -558,7 +558,7 @@ private function handleUserAccount($order) {

/** get the iso2 code from the data and pull out the correct country for the details. */
if(!empty($order->address->iso2)){
$country_qry = $this->db->query("SELECT * FROM `" . DB_PREFIX . "country` WHERE `iso_code_2` = '".$order->address->iso2."'");
$country_qry = $this->db->query("SELECT * FROM `" . DB_PREFIX . "country` WHERE `iso_code_2` = '".$this->db->escape($order->address->iso2)."'");
}

if(!empty($country_qry->num_rows)){
Expand All @@ -576,7 +576,7 @@ private function handleUserAccount($order) {
$this->db->query("UPDATE `" . DB_PREFIX . "customer` SET
`firstname` = '" . $this->db->escape($name_parts['firstname']) . "',
`lastname` = '" . $this->db->escape($name_parts['surname']) . "',
`telephone` = '" . str_replace(array(' ', '+', '-'), '', $order->address->phone)."',
`telephone` = '" . str_replace(array(' ', '+', '-'), '', $this->db->escape($order->address->phone))."',
`status` = '1'
WHERE `customer_id` = '" . (int)$user['id'] . "'");
}else{
Expand All @@ -585,7 +585,7 @@ private function handleUserAccount($order) {
`firstname` = '" . $this->db->escape($name_parts['firstname']) . "',
`lastname` = '" . $this->db->escape($name_parts['surname']) . "',
`email` = '" . $this->db->escape($user['email']) . "',
`telephone` = '" . str_replace(array(' ', '+', '-'), '', $order->address->phone)."',
`telephone` = '" . str_replace(array(' ', '+', '-'), '', $this->db->escape($order->address->phone))."',
`password` = '" . $this->db->escape(md5($order->user->userid)) . "',
`newsletter` = '0',
`customer_group_id` = '" . (int)$this->config->get('openbay_def_customer_grp') . "',
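Review bot: The phone value is escaped before `str_replace()` runs on it in both `handleUserAccount` hunks, so the escaped string is post-processed instead of the final value being escaped; the conventional order is to normalise first and escape last: `$this->db->escape(str_replace(array(' ', '+', '-'), '', $order->address->phone))`. The characters stripped here do not overlap with what `escape()` inserts, so the result is probably identical today, but the ordering makes the query harder to audit. In `updateOrderWithConfirmedData`, `$order_id` is a numeric key and the same file casts `(int)$user['id']` a few lines below, so `(int)$order_id` would be the consistent and stricter choice. Both enclosing methods start and end outside the hunks.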
8 changes: 4 additions & 4 deletions upload/catalog/model/openbay/ebay_order.php
Expand Up @@ -48,12 +48,12 @@ public function addOrderLine($data, $order_id, $created) {

if($orderLine['smp_id'] != $data['smp_id']) {
$this->openbay->ebay->log('addOrderLine() - SMP ID for orderLine has changed from "'.$orderLine['smp_id'].'" to "'.$data['smp_id'].'"');
$this->db->query("UPDATE `" . DB_PREFIX . "ebay_transaction` SET `smp_id` = '".$data['smp_id']."', `modified` = now() WHERE `txn_id` = '".$this->db->escape((string)$data['txn_id'])."' AND `item_id` = '".$this->db->escape((string)$data['item_id'])."' LIMIT 1");
$this->db->query("UPDATE `" . DB_PREFIX . "ebay_transaction` SET `smp_id` = '".$this->db->escape($data['smp_id'])."', `modified` = now() WHERE `txn_id` = '".$this->db->escape((string)$data['txn_id'])."' AND `item_id` = '".$this->db->escape((string)$data['item_id'])."' LIMIT 1");
}

if($orderLine['containing_order_id'] != $data['containing_order_id']) {
$this->openbay->ebay->log('addOrderLine() - Containing order ID for orderLine has changed from "'.$orderLine['containing_order_id'].'" to "'.$data['containing_order_id'].'"');
$this->db->query("UPDATE `" . DB_PREFIX . "ebay_transaction` SET `containing_order_id` = '".$data['containing_order_id']."', `modified` = now() WHERE `txn_id` = '".$this->db->escape((string)$data['txn_id'])."' AND `item_id` = '".$this->db->escape((string)$data['item_id'])."' LIMIT 1");
$this->db->query("UPDATE `" . DB_PREFIX . "ebay_transaction` SET `containing_order_id` = '".$this->db->escape($data['containing_order_id'])."', `modified` = now() WHERE `txn_id` = '".$this->db->escape((string)$data['txn_id'])."' AND `item_id` = '".$this->db->escape((string)$data['item_id'])."' LIMIT 1");
}
}
$this->openbay->ebay->log('addOrderLine() - Done');
Expand Down Expand Up @@ -152,7 +152,7 @@ public function find($smp_id) {
* This is a depreciated method of getting order Id's and will be removed in the future.
*/
if($order_id == 0) {
$query = $this->db->query("SELECT `order_id` FROM `" . DB_PREFIX . "order_history` WHERE `comment` = '[eBay Import:" . $smp_id . "]' LIMIT 1");
$query = $this->db->query("SELECT `order_id` FROM `" . DB_PREFIX . "order_history` WHERE `comment` = '[eBay Import:" . $this->db->escape($smp_id) . "]' LIMIT 1");

if($query->num_rows > 0) {
$this->openbay->ebay->log('find() (depreciated) - Found: '.$query->row['order_id']);
Expand Down Expand Up @@ -475,7 +475,7 @@ public function confirm($order_id, $order_status_id, $comment = '') {
foreach ($order_product_query->rows as $product) {
$text .= $product['quantity'] . 'x ' . $product['name'] . ' (' . $product['model'] . ') ' . html_entity_decode($this->currency->format($product['total'] + ($this->config->get('config_tax') ? ($product['tax'] * $product['quantity']) : 0), $order_info['currency_code'], $order_info['currency_value']), ENT_NOQUOTES, 'UTF-8') . "\n";

$order_option_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "order_option WHERE order_id = '" . (int)$order_id . "' AND order_product_id = '" . $product['order_product_id'] . "'");
$order_option_query = $this->db->query("SELECT * FROM " . DB_PREFIX . "order_option WHERE order_id = '" . (int)$order_id . "' AND order_product_id = '" . $this->db->escape($product['order_product_id']) . "'");

foreach ($order_option_query->rows as $option) {
$text .= chr(9) . '-' . $option['name'] . ' ' . (utf8_strlen($option['value']) > 20 ? utf8_substr($option['value'], 0, 20) . '..' : $option['value']) . "\n";
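Review bot: `order_product_id` in `confirm()` is escaped while `order_id` on the same line is cast with `(int)`; both are integer keys, so `AND order_product_id = '" . (int)$product['order_product_id'] . "'` keeps a single convention and rejects non-numeric input outright rather than quoting it. The same question applies to `smp_id` and `containing_order_id` in `addOrderLine()`: if these are numeric identifiers a cast is preferable, but the hunk does not show their type, so `escape()` is a reasonable default where they may be strings. `addOrderLine()`, `find()` and `confirm()` all start and end outside the hunks.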
56 changes: 28 additions & 28 deletions upload/catalog/model/openbay/ebay_product.php
Expand Up @@ -108,47 +108,47 @@ public function importItems($data) {
}else{
$this->db->query("INSERT INTO `" . DB_PREFIX . "category` SET `parent_id` = '0', `status` = '1', `top` = '1'");
$id1 = $this->db->getLastId();
$this->db->query("INSERT INTO `" . DB_PREFIX . "category_description` SET `name` = '".$this->db->escape($key2)."', `language_id` = '".(int)$this->config->get('config_language_id')."', `category_id` = '".$id1."'");
$this->db->query("INSERT INTO `" . DB_PREFIX . "category_to_store` SET `category_id` = '".$id1."', `store_id` = '0'");
$this->db->query("INSERT INTO `" . DB_PREFIX . "category_description` SET `name` = '".$this->db->escape($key2)."', `language_id` = '".(int)$this->config->get('config_language_id')."', `category_id` = '".$this->db->escape($id1)."'");
$this->db->query("INSERT INTO `" . DB_PREFIX . "category_to_store` SET `category_id` = '".$this->db->escape($id1)."', `store_id` = '0'");
}

if(!empty($cat2)) {
foreach($cat2 as $key3=>$cat3) {
$qry = $this->db->query("SELECT * FROM `" . DB_PREFIX . "category`, `" . DB_PREFIX . "category_description` WHERE `" . DB_PREFIX . "category`.`parent_id` = '".$id1."' AND `" . DB_PREFIX . "category_description`.`name` = '".$this->db->escape($key3)."' LIMIT 1");
$qry = $this->db->query("SELECT * FROM `" . DB_PREFIX . "category`, `" . DB_PREFIX . "category_description` WHERE `" . DB_PREFIX . "category`.`parent_id` = '".$this->db->escape($id1)."' AND `" . DB_PREFIX . "category_description`.`name` = '".$this->db->escape($key3)."' LIMIT 1");

if($qry->num_rows != 0) {
$id2 = $qry->row['category_id'];
}else{
$this->db->query("INSERT INTO `" . DB_PREFIX . "category` SET `parent_id` = '".$id1."', `status` = '1', `top` = '1'");
$this->db->query("INSERT INTO `" . DB_PREFIX . "category` SET `parent_id` = '".$this->db->escape($id1)."', `status` = '1', `top` = '1'");
$id2 = $this->db->getLastId();
$this->db->query("INSERT INTO `" . DB_PREFIX . "category_description` SET `name` = '".$this->db->escape($key3)."', `language_id` = '".(int)$this->config->get('config_language_id')."', `category_id` = '".$id2."'");
$this->db->query("INSERT INTO `" . DB_PREFIX . "category_to_store` SET `category_id` = '".$id2."', `store_id` = '0'");
$this->db->query("INSERT INTO `" . DB_PREFIX . "category_description` SET `name` = '".$this->db->escape($key3)."', `language_id` = '".(int)$this->config->get('config_language_id')."', `category_id` = '".$this->db->escape($id2)."'");
$this->db->query("INSERT INTO `" . DB_PREFIX . "category_to_store` SET `category_id` = '".$this->db->escape($id2)."', `store_id` = '0'");
}

if(!empty($cat3)) {
foreach($cat3 as $key4=>$cat4) {
$qry = $this->db->query("SELECT * FROM `" . DB_PREFIX . "category`, `" . DB_PREFIX . "category_description` WHERE `" . DB_PREFIX . "category`.`parent_id` = '".$id2."' AND `" . DB_PREFIX . "category_description`.`name` = '".$this->db->escape($key4)."' LIMIT 1");
$qry = $this->db->query("SELECT * FROM `" . DB_PREFIX . "category`, `" . DB_PREFIX . "category_description` WHERE `" . DB_PREFIX . "category`.`parent_id` = '".$this->db->escape($id3)."' AND `" . DB_PREFIX . "category_description`.`name` = '".$this->db->escape($key4)."' LIMIT 1");

if($qry->num_rows != 0) {
$id3 = $qry->row['category_id'];
}else{
$this->db->query("INSERT INTO `" . DB_PREFIX . "category` SET `parent_id` = '".$id2."', `status` = '1', `top` = '1'");
$this->db->query("INSERT INTO `" . DB_PREFIX . "category` SET `parent_id` = '".$this->db->escape($id2)."', `status` = '1', `top` = '1'");
$id3 = $this->db->getLastId();
$this->db->query("INSERT INTO `" . DB_PREFIX . "category_description` SET `name` = '".$this->db->escape($key4)."', `language_id` = '".(int)$this->config->get('config_language_id')."', `category_id` = '".$id3."'");
$this->db->query("INSERT INTO `" . DB_PREFIX . "category_to_store` SET `category_id` = '".$id3."', `store_id` = '0'");
$this->db->query("INSERT INTO `" . DB_PREFIX . "category_description` SET `name` = '".$this->db->escape($key4)."', `language_id` = '".(int)$this->config->get('config_language_id')."', `category_id` = '".$this->db->escape($id3)."'");
$this->db->query("INSERT INTO `" . DB_PREFIX . "category_to_store` SET `category_id` = '".$this->db->escape($id3)."', `store_id` = '0'");
}

if(!empty($cat4)) {
foreach($cat4 as $key5=>$cat5) {
$qry = $this->db->query("SELECT * FROM `" . DB_PREFIX . "category`, `" . DB_PREFIX . "category_description` WHERE `" . DB_PREFIX . "category`.`parent_id` = '".$id3."' AND `" . DB_PREFIX . "category_description`.`name` = '".$this->db->escape($key5)."' LIMIT 1");
$qry = $this->db->query("SELECT * FROM `" . DB_PREFIX . "category`, `" . DB_PREFIX . "category_description` WHERE `" . DB_PREFIX . "category`.`parent_id` = '".$this->db->escape($id4)."' AND `" . DB_PREFIX . "category_description`.`name` = '".$this->db->escape($key5)."' LIMIT 1");

if($qry->num_rows != 0) {
$id4 = $qry->row['category_id'];
}else{
$this->db->query("INSERT INTO `" . DB_PREFIX . "category` SET `parent_id` = '".$id3."', `status` = '1', `top` = '1'");
$this->db->query("INSERT INTO `" . DB_PREFIX . "category` SET `parent_id` = '".$this->db->escape($id3)."', `status` = '1', `top` = '1'");
$id4 = $this->db->getLastId();
$this->db->query("INSERT INTO `" . DB_PREFIX . "category_description` SET `name` = '".$this->db->escape($key5)."', `language_id` = '".(int)$this->config->get('config_language_id')."', `category_id` = '".$id4."'");
$this->db->query("INSERT INTO `" . DB_PREFIX . "category_to_store` SET `category_id` = '".$id4."', `store_id` = '0'");
$this->db->query("INSERT INTO `" . DB_PREFIX . "category_description` SET `name` = '".$this->db->escape($key5)."', `language_id` = '".(int)$this->config->get('config_language_id')."', `category_id` = '".$this->db->escape($id4)."'");
$this->db->query("INSERT INTO `" . DB_PREFIX . "category_to_store` SET `category_id` = '".$this->db->escape($id4)."', `store_id` = '0'");
}

$catLink[$key1.':'.$key2.':'.$key3.':'.$key4.':'.$key5] = $id4;
Expand Down Expand Up @@ -237,10 +237,10 @@ public function importItems($data) {

$this->db->query("
INSERT INTO `" . DB_PREFIX . "product` SET
`quantity` = '".$item['Quantity']."',
`manufacturer_id` = '".$manufacturer_id."',
`quantity` = '".$this->db->escape($item['Quantity'])."',
`manufacturer_id` = '".$this->db->escape($manufacturer_id)."',
`stock_status_id` = '6',
`price` = '".$net_price."',
`price` = '".$this->db->escape($net_price)."',
`tax_class_id` = '9',
`location` = '".$this->db->escape(isset($item['note']) ? $item['note'] : '')."',
`mpn` = '".$this->db->escape(isset($item['advanced']['brand']['mpn']) ? $item['advanced']['brand']['mpn'] : '')."',
Expand All @@ -250,11 +250,11 @@ public function importItems($data) {
`ean` = '".$this->db->escape(isset($item['advanced']['ean']) ? $item['advanced']['ean'] : '')."',
`upc` = '".$this->db->escape(isset($item['advanced']['upc']) ? $item['advanced']['upc'] : '')."',
`weight` = '".(double)$weight."',
`weight_class_id` = '".$weight_class_id."',
`weight_class_id` = '".$this->db->escape($weight_class_id)."',
`length` = '".(double)$length."',
`width` = '".(double)$width."',
`height` = '".(double)$height."',
`length_class_id` = '".$length_class_id."',
`length_class_id` = '".$this->db->escape($length_class_id)."',
`subtract` = '1',
`minimum` = '1',
`status` = '1',
Expand Down Expand Up @@ -436,7 +436,7 @@ private function createOption($name) {

$qry_sort = $this->db->query("SELECT * FROM `" . DB_PREFIX . "option` WHERE `option_id` = '".$option_id."' LIMIT 1");

$this->db->query("INSERT INTO `" . DB_PREFIX . "option_description` SET `language_id` = '".(int)$this->config->get('config_language_id')."', `name` = '".$this->db->escape($name)."', `option_id` = '".$option_id."'");
$this->db->query("INSERT INTO `" . DB_PREFIX . "option_description` SET `language_id` = '".(int)$this->config->get('config_language_id')."', `name` = '".$this->db->escape($name)."', `option_id` = '".$this->db->escape($option_id)."'");

$this->openbay->ebay->log('No option found, creating: "'.$name.' / '.$option_id.'" with sort order of "'.$qry_sort->row['sort_order'].'"');
return array('id' => (int)$option_id, 'sort' => (int)$qry_sort->row['sort_order']);
Expand Down Expand Up @@ -464,9 +464,9 @@ private function getOptionValue($name, $option_id) {
}

private function createOptionValue($name, $option_id) {
$this->db->query("INSERT INTO `" . DB_PREFIX . "option_value` SET `option_id` = '".$option_id."', `sort_order` = IFNULL((select `sort` FROM (SELECT (MAX(`sort_order`)+1) AS `sort` FROM `" . DB_PREFIX . "option_value`) AS `i`),0)");
$this->db->query("INSERT INTO `" . DB_PREFIX . "option_value` SET `option_id` = '".$this->db->escape($option_id)."', `sort_order` = IFNULL((select `sort` FROM (SELECT (MAX(`sort_order`)+1) AS `sort` FROM `" . DB_PREFIX . "option_value`) AS `i`),0)");
$id = $this->db->getLastId();
$this->db->query("INSERT INTO `" . DB_PREFIX . "option_value_description` SET `language_id` = '".(int)$this->config->get('config_language_id')."', `name` = '".$this->db->escape($name)."', `option_id` = '".$option_id."', `option_value_id` = '".$id."'");
$this->db->query("INSERT INTO `" . DB_PREFIX . "option_value_description` SET `language_id` = '".(int)$this->config->get('config_language_id')."', `name` = '".$this->db->escape($name)."', `option_id` = '".$this->db->escape($option_id)."', `option_value_id` = '".$id."'");
return array('id' => (int)$id);
}

Expand Down Expand Up @@ -512,13 +512,13 @@ private function createProductVariant($data) {
$this->db->query("
INSERT INTO `" . DB_PREFIX . "product_option_relation`
SET
`product_id` = '".$data['product_id']."',
`var` = '".$data['var']."',
`stock` = '".$data['stock']."',
`sku` = '".$data['sku']."',
`product_id` = '".$this->db->escape($data['product_id'])."',
`var` = '".$this->db->escape($data['var'])."',
`stock` = '".$this->db->escape($data['stock'])."',
`sku` = '".$this->db->escape($data['sku'])."',
`active` = '1',
`subtract` = '1',
`price` = '".$data['price']."'
`price` = '".$this->db->escape($data['price'])."'
");

return array('id' => $this->db->getLastId());
Expand Down Expand Up @@ -607,7 +607,7 @@ private function attributeExists($groupId, $name) {
WHERE `ad`.`name` = '".$this->db->escape(htmlspecialchars($name, ENT_COMPAT))."'
AND `ad`.`language_id` = '".(int)$this->config->get('config_language_id')."'
AND `a`.`attribute_id` = `ad`.`attribute_id`
AND `a`.`attribute_group_id` = '".$groupId."'
AND `a`.`attribute_group_id` = '".$this->db->escape($groupId)."'
LIMIT 1
");

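Review bot: The category lookups at the third and fourth nesting levels in `importItems()` now query the wrong parent: the rewritten `parent_id` lookup inside `foreach($cat3 ...)` replaced `$id2` with `$id3`, and the one inside `foreach($cat4 ...)` replaced `$id3` with `$id4`, so each lookup reads a variable that is only assigned after it (or is stale from an earlier iteration) and will likely miss the existing row and fall through to the INSERT branch, creating duplicate categories. Those two conditions should read `'".(int)$id2."'` and `'".(int)$id3."'` respectively (escaping the original variable works too if the cast is not wanted). More generally, the values from `getLastId()` and the `manufacturer_id`/`weight_class_id`/`length_class_id`/`product_id` columns are integers, so `(int)` matches the file's existing `(int)$this->config->get(...)` style better than `escape()`, and `quantity`/`price` would fit `(int)`/`(double)` as already used for `weight`. Two values in the same hunks are still interpolated raw despite the commit message: `$option_id` in the SELECT in `createOption()` and `$id` as `option_value_id` in `createOptionValue()`. `importItems()`, `createOption()`, `createProductVariant()` and `attributeExists()` start and end outside the hunks.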
2 changes: 1 addition & 1 deletion upload/system/library/amazon.php
Expand Up @@ -384,7 +384,7 @@ public function putStockUpdateBulk($productIdArray, $endInactive = false){
}

public function getLinkedSkus($productId, $var='') {
return $this->db->query("SELECT `amazon_sku` FROM `" . DB_PREFIX . "amazon_product_link` WHERE `product_id` = '" . (int)$productId . "' AND `var` = '" . $var . "'")->rows;
return $this->db->query("SELECT `amazon_sku` FROM `" . DB_PREFIX . "amazon_product_link` WHERE `product_id` = '" . (int)$productId . "' AND `var` = '" . $this->db->escape($var) . "'")->rows;
}

public function getOrderdProducts($orderId) {
2 changes: 1 addition & 1 deletion upload/system/library/amazonus.php
Expand Up @@ -386,7 +386,7 @@ public function putStockUpdateBulk($productIdArray, $endInactive = false){
public function getLinkedSkus($productId, $var='') {
return $this->db->query("SELECT `amazonus_sku`
FROM `" . DB_PREFIX . "amazonus_product_link`
WHERE `product_id` = '" . (int)$productId . "' AND `var` = '" . $var . "'
WHERE `product_id` = '" . (int)$productId . "' AND `var` = '" . $this->db->escape($var) . "'
")->rows;
}

