[TYPO3-shop] Is there any input validation?
Reinhard Führicht
fuehricht at gmx.at
Thu Jan 4 20:16:39 CET 2007
Franz Holzinger wrote:
> Hello Reinhard,
>
>> I scanned through the code, but did not
>> find any proper input validation.
>> I'm working with version 2.5.1., if that's important
>
> All the input goes through the function t3lib_div::_GP('param');
>
> Some checks are done in the file class.tx_ttproducts_control.php:
>
> case 'products_payment':
> $this->pibase->load_noLinkExtCobj(); // TODO
> $pidagb = intval($this->conf['PIDagb']);
>
> $checkRequired = $address->checkRequired();
> $checkAllowed = $address->checkAllowed();
> if ($this->paymentshipping->useCreditcard ()) {
> $cardRequired = $card->checkRequired();
> }
> if ($this->paymentshipping->useAccount ()) {
> $accountRequired = $account->checkRequired();
> }
> if ($checkRequired == '' && $checkAllowed == '' && $cardRequired ==
> '' && $accountRequired == '' &&
>
>
> - Franz
>
Hello Franz,
Thanks for your answer. As far as I can see, t3lib_div::_GP($value)
checks if $value is empty and otherwise executes stripslashes.
The checks you mentioned in class.tx_ttproducts_control.php focus on
issues such as validating if "agbs" have been read or checking shipping
country and credit card number.
What I tried to find were checks to prevent SQL injection or XSS.
Moreover, I did not even see validation providing that fields such as
name or address are filled or that the values are in correct form.
Is it true that tt_products lacks such checks?
Greets,
Reinhard
More information about the TYPO3-project-tt-products mailing list
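
An added example, not part of the original message and not tt_products or TYPO3 code: it contrasts a stripslashes-only fetch, as described in the reply above, with the three separate steps the question is about (field validation, bound SQL parameters, HTML output encoding). The function names, validation rules, table and sample request are assumptions made for the illustration, and it assumes the PDO SQLite driver is available.

```php
<?php
// Added illustration, not tt_products or TYPO3 code. All names are hypothetical.

// Stand-in for the behaviour described in the message: fetch a request
// parameter and only strip slashes. No type, length or format check happens.
function gp_like(array $request, string $key): ?string {
    if (!isset($request[$key]) || $request[$key] === '') {
        return null;
    }
    return stripslashes((string)$request[$key]);
}

// Validation step the message asks about: required fields must be filled
// and match an expected form. The rules are assumptions for this example.
function validate_address(array $in): array {
    $errors = [];
    $rules = [
        'name'    => '/^[\p{L} .\'-]{1,80}$/u',
        'address' => '/^[\p{L}\p{N} .,\/\'-]{1,120}$/u',
        'zip'     => '/^[0-9A-Za-z -]{3,10}$/',
    ];
    foreach ($rules as $field => $pattern) {
        $value = $in[$field] ?? null;
        if ($value === null) {
            $errors[$field] = 'required';
        } elseif (!preg_match($pattern, $value)) {
            $errors[$field] = 'invalid format';
        }
    }
    return $errors;
}

// Constructed sample request: a legitimate quote in the name, markup in the
// address, and an empty zip field.
$request = ['name' => "O\\'Brien", 'address' => '<b>Hauptstrasse 1</b>', 'zip' => ''];
$input = [];
foreach (['name', 'address', 'zip'] as $k) {
    $input[$k] = gp_like($request, $k);
}
print_r(validate_address($input));

// A valid name can still contain a quote, so validation does not replace
// context-specific handling: bind values in SQL, encode them on HTML output.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customer (name TEXT)');
$db->prepare('INSERT INTO customer (name) VALUES (:name)')->execute([':name' => $input['name']]);
$row = $db->query('SELECT name FROM customer')->fetch(PDO::FETCH_ASSOC);
echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
```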