  • Dear all,

    I'm building a website in MODX EVO 1.0.8 that needs to create/update some custom db tables based on user input, and I wish to be extra cautious to avoid any security issues. I'm not an expert in security measures, and after some research I got a bit concerned about how I should proceed.

    - Example code follows:

    1. Retrieving user input:

    $parameters = $_GET['p'];
    $parametersArray = explode("!", $parameters);

    2. Inserting new rows I use something like the following:

    $documentArray['name'] = $parametersArray[0];
    $documentArray['status'] = $parametersArray[1];
    $queryCreateRecord = $modx->db->insert($documentArray, 'modx_record');

    3. Updating an existing row I use something like the following:

    $documentArray['id'] = $modx->getLoginUserID();
    $documentArray['status'] = $parametersArray[1];

    $table = $modx->getFullTableName('record');
    $queryUpdateRecord = $modx->db->update('status = "' . $documentArray['status'] . '"', $table, 'id = "' . $documentArray['id'] . '"');

    4. Selecting the rows from the db I use something like the following:

    $table = $modx->getFullTableName("record");
    $db_query = $modx->db->select("*", $table, "status='" . $documentArray['status'] . "'");
    if ($modx->db->getRecordCount($db_query) > 0) {
        while ($row = $modx->db->getRow($db_query)) {
            $id = $row['id'];
        }
    }

    - Questions follow:

    Is all the above safe or

    1. should I use some user input sanitization function?
    2. should I use prepared statements to avoid sql injection?
    3. is there anything that I'm missing and poses a security threat in the way I handle the input and the db?
    4. is there a chance that modx does the above security tasks in the background so I shouldn't worry?

    Thank you all in advance, any contribution is deeply appreciated.
    • Here is how I deal with GET/POST:
      $var = mysql_real_escape_string(strip_tags($_GET['var']));

      The API:
      $var = $modx->db->escape(strip_tags($_GET['var']));

      http://rtfm.modx.com/evolution/1.0/developers-guide/api-reference/dbapi/escape

      If you are running a global script (e.g. PDF) and want it to respect web user permissions
      see this: http://forums.modx.com/thread/24611/pdf-export?page=3#dis-post-125964
      http://sottwell.pogwatch.com/modx-security.html

      In REVO the code is more protected behind an xPDO layer and there is great API Documentation.
      In EVO the old wiki is still a gold mine:
      http://wiki.modxcms.com/index.php/DB_query_and_Placeholders
      http://wiki.modxcms.com/index.php/API:DBAPI
      http://wiki.modxcms.com/index.php/Creating_Snippets

      BUT even if you make use of API calls that doesn't guarantee security!
      Running eForm on your website? Consider using this:
      <?php
      if (!function_exists('eformPreventXSS')) {

          function eformPreventXSS(&$fields)
          {
              global $modx;
              $success = TRUE;
              foreach ($fields as $name => $value) {
                  $stripped = strip_tags($value);
                  // If there was embedded PHP/HTML/XML etc. then not successful.
                  // However, proceed to clean all the fields anyway.
                  if ($stripped != $value) {
                      $success = FALSE;
                  }
                  switch ($name) {
                      case 'email':
                      case 'vericode':
                          // Just strip tags. No need to escape.
                          $fields[$name] = $stripped;
                          break;
                      default:
                          $fields[$name] = htmlspecialchars($stripped, ENT_QUOTES, $modx->config['modx_charset']);
                  }
              }
              return $success;
          }

      }
      ?>


      Name the snippet eformPreventXSS
      And call your eForm:
                 [!eformPreventXSS!]
                 [!eForm? &eFormOnBeforeMailSent=`eformPreventXSS` ...



      I also highly recommend adding this to the .htaccess file in the assets folder:
      <FilesMatch "\.(php|tpl)$">
         Order allow,deny
         Deny from all
      </FilesMatch>


      This will protect you when uploading extras.
        @hawproductions | http://mrhaw.com/

        Infograph: MODX Advanced Install in 7 steps:
        http://forums.modx.com/thread/96954/infograph-modx-advanced-install-in-7-steps

        Recap: Portland, OR (PDX) MODX CMS Meetup, Oct 6, 2015. US Bancorp Tower
        http://mrhaw.com/modx_portland_oregon_pdx_modx_cms_meetup_oct_2015_us_bancorp_tower
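      Applying the escape advice above to the insert, update and select from the question, as an added example that is not code from either post: it uses only the Evo DBAPI methods named in this thread, and assumes a table called record with columns id, name and status, plus a constructed three-value allow-list for status.

```php
<?php
// Added example, not code from either post in this thread. Assumptions
// (constructed): $modx is the Evo API object, the custom table is
// 'record' with columns id, name and status, and status may only take
// one of the three values below.
$allowedStatus = array('draft', 'published', 'archived');

// 1. Read the input once, then validate it before it touches any SQL.
$raw    = isset($_GET['p']) ? (string) $_GET['p'] : '';
$parts  = explode('!', $raw);
$name   = isset($parts[0]) ? strip_tags($parts[0]) : '';
$status = isset($parts[1]) ? $parts[1] : '';

if ($name === '' || strlen($name) > 100) {
    return 'Invalid name.';   // reject unexpected input instead of "cleaning" it
}
if (!in_array($status, $allowedStatus, true)) {
    return 'Invalid status.'; // an allow-list beats escaping for enum-like fields
}

$table = $modx->getFullTableName('record');

// 2. Insert: the API call alone does not make the values safe (see above),
//    so every string value is escaped right before it enters SQL.
$modx->db->insert(array(
    'name'   => $modx->db->escape($name),
    'status' => $modx->db->escape($status),
), $table);

// 3. Update: the id is numeric, so cast it instead of quoting user data;
//    the status is escaped even though it already passed the allow-list.
$userId = (int) $modx->getLoginUserID();
$modx->db->update(
    "status = '" . $modx->db->escape($status) . "'",
    $table,
    'id = ' . $userId
);

// 4. Select: the WHERE value is escaped the same way, and anything read
//    back is HTML-escaped before it is rendered, as the eForm snippet does.
$rs    = $modx->db->select('*', $table, "status = '" . $modx->db->escape($status) . "'");
$lines = array();
if ($modx->db->getRecordCount($rs) > 0) {
    while ($row = $modx->db->getRow($rs)) {
        $lines[] = (int) $row['id'] . ': '
                 . htmlspecialchars($row['name'], ENT_QUOTES, $modx->config['modx_charset']);
    }
}
return implode('<br />', $lines);
```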
      • mrhaw thanks for the reply,
        very useful information and a place to start from,
        any advice on how to prevent session hijacking?
        • » Force your client to login using SSL - HTTPS
          /manager/index.php:
          <?php
          // empty() also covers plain HTTP, where $_SERVER['HTTPS'] is not set at all
          // and a direct comparison would raise an undefined-index notice
          if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') {
              header('Location: https://website.com/manager/');
              exit();
          }



          » Restrict the manager to IP
          http://forums.modx.com/thread/45029/restrict-manager-by-ip-addresses-without-breaking-captcha#dis-post-463882

          » In manager settings make sure Validate HTTP_REFERER headers? is YES

          » UPGRADE YOUR MODX!

          Since 1.0.8
          Security:
          --------------------------------------------
          * [#9933] insideManager - security fix
          * [#10180] ForgotManagerPassword - Improvement reset url
          * [#9704] LFI in mutate_settings.ajax.php
          * [#9802] Security feature - Check falsification of system files
          * [#3796] MODx security issues
          * [#8338] LFI in browser.php
          * [#8339] LFI in install
          * [#9621] SQL-injection in logEvent
          * [#471] Show custom error page if mysql is down
          * [#9624] Add .htaccess into assets/cache/
          

          https://raw.github.com/modxcms/evolution/v1.0.12/install/changelog.txt

          » + KEEP BACKUP OF FILES AND DATABASE!

          // This Ditto Tagging XSS fix never made its way (if you are using tagging):
          http://forums.modx.com/thread/42791/removing-tags-variable-from-reflect-url#dis-post-247387