marco-pm / zencart_instantsearch

Instant Search plugin for Zen Cart
GNU General Public License v3.0

Sanitation for POST #8

Closed torvista closed 2 years ago

torvista commented 2 years ago

I believe this should have some sanitation applied at the point of entry. https://github.com/marco-pm/zencart_instantsearch/blob/1936bce4aaf54cdbfd38811961641811da12d26a/includes/classes/ajax/zcAjaxInstantSearch.php#L21

There is info on Admin, https://docs.zen-cart.com/dev/code/admin_sanitization/#for-developers-how-to-use-the-sanitization-in-plugins

but I can't find much for the storefront.

marco-pm commented 2 years ago

There isn't much for the storefront indeed.

However, preg_quote and bindVars should be enough, I think. Unless there are some particular tricky cases you can think of...

torvista commented 2 years ago

It just makes me uneasy to see an incoming/tainted variable that does not get any treatment where it first appears. I just used zen_db_input.

marco-pm commented 2 years ago

I thought a lot about this, also looked at other pages/plugins where $_POST text variables are used, and I still think that the current sanitization is enough. Also, zen_db_input is meant for values to be saved in the db, and this is not the case.
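What preg_quote and a bound parameter actually do with a hostile keyword, as an added example that is not part of this thread or of the plugin's code: the input is constructed, readKeyword and keywordRegex are hypothetical helpers, and PDO with an in-memory SQLite table stands in for Zen Cart's $db and bindVars (the same data-versus-SQL-text distinction applies to either).

```php
<?php
// Added example, not the plugin's code: show how a hostile $_POST keyword
// behaves in a regex after preg_quote and in a query with a bound parameter.
declare(strict_types=1);

// Constructed input: regex metacharacters plus a SQL-injection attempt.
$_POST['keyword'] = ".*' OR 1=1 OR '";

function readKeyword(array $post): string
{
    // Minimal treatment at the point of entry: type check, trim, length cap.
    $raw = $post['keyword'] ?? '';
    if (!is_string($raw)) {
        return '';
    }
    return mb_substr(trim($raw), 0, 100);
}

function keywordRegex(string $keyword): string
{
    // preg_quote escapes . * ( ) | = etc. and the delimiter we chose (/),
    // so the keyword is matched literally instead of as a pattern.
    return '/' . preg_quote($keyword, '/') . '/i';
}

$keyword = readKeyword($_POST);

// Regex use: without preg_quote the leading ".*" would match every product name.
echo "pattern: " . keywordRegex($keyword) . "\n";
var_dump(preg_match(keywordRegex($keyword), "Hello .*' OR 1=1 OR '") === 1); // bool(true)
var_dump(preg_match(keywordRegex($keyword), "Hello world") === 1);           // bool(false)

// SQL use: a bound parameter is sent as data, never parsed as SQL text.
// In-memory SQLite is an assumption for this demo; the store uses MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products_description (products_name TEXT)');
$pdo->exec("INSERT INTO products_description VALUES ('Hello world'), ('Widget')");

$stmt = $pdo->prepare(
    'SELECT COUNT(*) FROM products_description WHERE products_name LIKE :kw'
);
$stmt->execute([':kw' => '%' . $keyword . '%']);
echo "rows matched with bound parameter: " . $stmt->fetchColumn() . "\n"; // 0

// Contrast: the same value interpolated raw rewrites the WHERE clause into
//   ... LIKE '%.*' OR 1=1 OR '%'
// and the OR 1=1 makes every row match.
$unsafe = "SELECT COUNT(*) FROM products_description WHERE products_name LIKE '%"
    . $keyword . "%'";
echo "rows matched with raw interpolation: " . $pdo->query($unsafe)->fetchColumn() . "\n"; // 2
```

One caveat worth keeping in mind even with binding in place: a bound parameter stops the value from changing the SQL, but it does not stop LIKE wildcards (% and _) inside the keyword from widening the match, so if that matters for the search they have to be escaped separately.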