<![CDATA[ custom db tables access and sql injection / prepared statements - MODX Community Forums]]> https://forums.modx.com/thread/?thread=87521 <![CDATA[Re: custom db tables access and sql injection / prepared statements]]> https://forums.modx.com/thread/87521/custom-db-tables-access-and-sql-injection-prepared-statements#dis-post-482152 /manager/index.php:
if($_SERVER["HTTPS"] != "on") {
   header('Location: https://website.com/manager/');

» Restrict the manager to IP

» In manager settings make sure Validate HTTP_REFERER headers? is YES


Since 1.0.8
* [#9933] insideManager - security fix
* [#10180] ForgotManagerPassword - Improvement reset url
* [#9704] LFI in mutate_settings.ajax.php
* [#9802] Security feature - Check falsification of system files
* [#3796] MODx security issues
* [#8338] LFI in browser.php
* [#8339] LFI in install
* [#9621] SQL-injection in logEvent
* [#471] Show custom error page if mysql is down
* [#9624] Add .htaccess into assets/cache/



//This Ditto Tagging XSS fix never made it's way (if you are using tagging)
mrhaw Nov 07, 2013, 09:02 PM https://forums.modx.com/thread/87521/custom-db-tables-access-and-sql-injection-prepared-statements#dis-post-482152
<![CDATA[Re: custom db tables access and sql injection / prepared statements]]> https://forums.modx.com/thread/87521/custom-db-tables-access-and-sql-injection-prepared-statements#dis-post-482134 mrhaw thanks for the reply,
very useful information and a place to start from,
any advise on how to prevent session hijacking?]]>
beloved.gr Nov 07, 2013, 05:13 PM https://forums.modx.com/thread/87521/custom-db-tables-access-and-sql-injection-prepared-statements#dis-post-482134
<![CDATA[Re: custom db tables access and sql injection / prepared statements]]> https://forums.modx.com/thread/87521/custom-db-tables-access-and-sql-injection-prepared-statements#dis-post-482132
$var = mysql_real_escape_string(strip_tags($_GET['var']));

The API:
$var = $modx->db->escape(strip_tags($_GET['var']));


If you are running a global script (e.g. PDF) and want it to respect web user permissions
see this: http://forums.modx.com/thread/24611/pdf-export?page=3#dis-post-125964

In REVO the code is more protected behind an xPDO layer and there is great API Documentation.
In EVO The old wiki is still a gold mine:

BUT even if you make use of API calls that doesn't guarantee security!
Running eForm on your website? Consider using this:
if ( ! function_exists( 'eformPreventXSS' ) )

    function eformPreventXSS( &$fields )
      global $modx;
      $success = TRUE;
      foreach( $fields as $name => $value )
        $stripped = strip_tags( $value );
        // If there was embedded PHP/HTML/XML etc. then not successful
        // However, proceed to clean all the fields anyway.
        if ( $stripped != $value )
          $success = FALSE;
        switch ( $name )
        case 'email':
        case 'vericode':
          // Just strip tags. No need to escape.
          $fields[ $name ] = $stripped;
          $fields[ $name ] = htmlspecialchars( $stripped, ENT_QUOTES, $modx->config['modx_charset'] );
      return $success;

Name snippet eformPreventXSS
And call your eForm:
           [!eForm? &eFormOnBeforeMailSent=`eformPreventXSS` ...

I also highly recommend adding this to the .htaccess file in the assets folder:
<FilesMatch "\.(php|tpl)$">
   Order allow,deny
   Deny from all

This will protect you when uploading extras.]]>
mrhaw Nov 07, 2013, 04:47 PM https://forums.modx.com/thread/87521/custom-db-tables-access-and-sql-injection-prepared-statements#dis-post-482132
<![CDATA[custom db tables access and sql injection / prepared statements]]> https://forums.modx.com/thread/87521/custom-db-tables-access-and-sql-injection-prepared-statements#dis-post-482096
I'm building a website in MODX EVO 1.0.8 that needs to create/update some custom db tables, based on user input and I wish to be extra cautious to avoid any security issues. I'm not an expert in security measures and after some research I got a bit concerned about how I should proceed.

- Example code follows:

1. Retrieving user input
$parameters = $_GET['p'];
$parametersArray = explode("!",$parameters);

2. Inserting new rows I use something like the following:

$queryCreateRecord = $modx->db->insert( $documentArray,'modx_record' );

3. Updating an existing row I use something like the following:

$documentArray['id']= $modx->getLoginUserID();
$documentArray['status']= $parametersArray[1];

$table = $modx->getFullTableName( 'record' );
$queryUpdateRecord= $modx->db->update( 'status= "' .$documentArray['status']. '"', $table, 'id = "' .$documentArray['id']. '"' );

4. Selecting the rows from the db I use something like the following:

$table = $modx->getFullTableName("record");
$db_query = $modx->db->select("*", $table, "status='".$documentArray['status']."'");
if ($modx->db->getRecordCount($db_query) > 0) {
while ($rowC = $modx->db->getRow($db_queryC)) {

- Questions follow:

Is all the above safe or

1. should I use some user input sanitization function?
2. should I use prepared statements to avoid sql injection?
3. is there anything that I'm missing and poses a security threat in the way I handle the input and the db?
4. is there a chance that modx does the above security tasks in the background so I shouldn't worry?

Thank you all in advance, any contribution is deeply appreciated.]]>
beloved.gr Nov 07, 2013, 10:58 AM https://forums.modx.com/thread/87521/custom-db-tables-access-and-sql-injection-prepared-statements#dis-post-482096