Look in your index.php for $_GET['p']. This variable is being used in an SQL query and is not first escaped by mysql_real_escape_string or a type declaration like (int). So find the line with the $_GET['p'] and where it is used… The query may not be in the index.php, so you might have to track it down.
Then post both the declaration and the query here, and we’ll make a fix for you.
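As an added illustration (not code from the thread or from the tutorial being discussed), here is what the above advice looks like in PHP: the unescaped $_GET['p'] inside a query, next to the (int) cast and the escaping fix the reply names, plus a prepared statement. The table and column names (products, id, sku) and the $db connection are assumptions for the example.

```php
<?php
// Added example, not from the thread or the tutorial. The table name
// "products", the columns "id"/"sku" and the $db handle are assumptions.

// VULNERABLE: the raw query-string value is pasted straight into the SQL.
// ?p=1 OR 1=1  -> "SELECT * FROM products WHERE id = 1 OR 1=1" (every row)
// ?p=0 UNION SELECT ... -> reads data from other tables.
function product_query_vulnerable($p) {
    return "SELECT * FROM products WHERE id = $p";
}

// FIX 1: if the parameter is supposed to be a number, cast it.
// (int) turns "1 OR 1=1" into 1 and "abc" into 0, so no SQL syntax
// can survive the cast. Use this for ids, page numbers, quantities.
function product_query_int($p) {
    $id = (int) $p;
    return "SELECT * FROM products WHERE id = $id";
}

// FIX 2: if the parameter is a string, escape it AND put it in quotes.
// Escaping only helps when the value sits inside quotes; an escaped but
// unquoted value is still injectable. mysqli_real_escape_string() is the
// mysqli counterpart of the mysql_real_escape_string() mentioned in the
// thread (the mysql_* functions were removed in PHP 7).
function product_query_escaped(mysqli $db, $p) {
    $safe = mysqli_real_escape_string($db, $p);
    return "SELECT * FROM products WHERE sku = '$safe'";
}

// Preferred: a prepared statement. The value never becomes part of the
// SQL text, so quoting and escaping mistakes cannot happen.
function product_by_id(mysqli $db, $p) {
    $stmt = $db->prepare("SELECT * FROM products WHERE id = ?");
    $id = (int) $p;
    $stmt->bind_param("i", $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc();
}

// Quick check of what each builder produces for a hostile input.
$hostile = "1 OR 1=1";
echo product_query_vulnerable($hostile), "\n"; // injected OR survives
echo product_query_int($hostile), "\n";        // ... WHERE id = 1
```

To find every place that needs this treatment, search the whole site (not just index.php) for $_GET, $_POST, $_REQUEST and $_COOKIE, then follow each variable until it either reaches a query or is cast, escaped, or bound as a parameter. Anything that reaches a query untouched is a hole.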
Think about using something else. The code in the tutorial is of poor quality, and I spotted a few vulnerabilities in just a few minutes of peeking at it.
It’s fine to learn the overall logic/structure of a shopping cart from a tutorial, but tutorial code isn’t always a good thing to use as production code. Tutorials often skip many critical details in an effort at brevity. They also tend to be written by amateurs.
@crmaliby: I can’t change it; I’ve already got the site working now, so I need help in finding a fix. If you can post what vulnerabilities you found, or even better, fixes for them, that would be helpful.
crmaliby is right that there are a lot of vulnerabilities. It may be best if we teach you what to look for, and you go through all the files and fix them, if you’re set on not changing scripts.