FishNet(R)'s Shopping Cart and Online Catalog Management System
 
FishCart 3.2 RC2 xss_meta() function
If you have a version 3 FishCart that already contains the xss_meta() function, replace that function in the functions.php script of each installed FishCart with the version below. The central change is the character class in the ereg_replace() line, which now replaces many of the metacharacters used in cross-site scripting and SQL injection payloads ( ] [ \ | < > = ( ) % { } ` ~ + * ^ and the double quote) with a space. Two points to keep in mind: xss_meta() returns its argument untouched for any script whose path contains /maint/, so the administrative scripts there receive raw input and must rely on their own access control; and removing characters on input is a blacklist, with the callers still relying on addslashes() for SQL quoting, so it narrows the attack surface but is not a substitute for parameterised queries.

function xss_meta( $param, $strip_crlf = TRUE ){
  // Scripts under /maint/ (the administrative interface) receive the value unfiltered.
  if( strstr($_SERVER['SCRIPT_NAME'], '/maint/') ){
    return($param);
  }
  $strip_crlf = (boolean)$strip_crlf;
  // Drop the '&#' prefix so numeric character references (e.g. &#60; for '<') cannot smuggle metacharacters past the class below.
  $param = str_replace('&#', '', $param);
  //$param = str_replace('&', '&', $param);
  // Replace the metacharacters ] [ \ | < > = ( ) % { } ` ~ + * ^ " with a space.
  // ereg_replace() was deprecated in PHP 5.3 and removed in PHP 7; on PHP 7+ use
  // preg_replace('/[\]\[\\\\|<>=()%{}`~+*^"]/', ' ', $param) instead.
  $param = ereg_replace('[][\\\|\<\>\=\(\)\%\{\}\`\~\+\*\^"]', ' ', $param);
  if( $strip_crlf == TRUE ){
    // Remove CR/LF so the value cannot inject extra header or log lines.
    $param = ereg_replace("[\r\n]", ' ', $param);
  }
  return($param);
}

Pre 3.2 RC2 xss_meta() function

If you have an installed FishCart v3 that does not yet contain the xss_meta() function, update the functions.php script in each installed FishCart by replacing the following functions and adding xss_meta(). The getserver(), getcookie() and getparam() functions now pass every value they read through the new xss_meta() function, which strips the characters critical to cross-site scripting and SQL injection, before escaping the result with addslashes().

function getserver( $name, $strip_crlf = TRUE ){
  $param = '';
  $curver = (int)str_replace('.', '', phpversion());
  if( $curver >= 410 ){      // superglobals available from ver. 4.1.0
    $param = isset($_SERVER["$name"]) ? $_SERVER["$name"] : '';
  }else{                     // superglobals aren't available
    global $HTTP_SERVER_VARS; // server variables, not $HTTP_COOKIE_VARS
    $param = isset($HTTP_SERVER_VARS["$name"]) ? $HTTP_SERVER_VARS["$name"] : '';
  }
  // Strip metacharacters first, then escape quotes for the SQL layer.
  return(addslashes(xss_meta($param,$strip_crlf)));
}

function getcookie( $name, $strip_crlf = TRUE ){
  $param = '';
  $curver = (int)str_replace('.', '', phpversion());
  if( $curver >= 410 ){      // superglobals available from ver. 4.1.0
    $param = isset($_COOKIE["$name"]) ? $_COOKIE["$name"] : '';
  }else{                     // superglobals aren't available
    global $HTTP_COOKIE_VARS;
    $param = isset($HTTP_COOKIE_VARS["$name"]) ? $HTTP_COOKIE_VARS["$name"] : '';
  }
  // Strip metacharacters first, then escape quotes for the SQL layer.
  return(addslashes(xss_meta($param,$strip_crlf)));
}

function getparam( $name, $strip_crlf = TRUE ){
  $param = '';
  $curver = (int)str_replace('.', '', phpversion());
  if( $curver >= 410 ){      // superglobals available from ver. 4.1.0
    if( isset($_POST["$name"]) ){   // POST before GET; isset() so a value of "0" is not skipped
      $param = $_POST["$name"];
    }elseif( isset($_GET["$name"]) ){
      $param = $_GET["$name"];
    }
  }else{                     // superglobals aren't available
    global $HTTP_POST_VARS, $HTTP_GET_VARS;
    if( isset($HTTP_POST_VARS["$name"]) ){
      $param = $HTTP_POST_VARS["$name"];
    }elseif( isset($HTTP_GET_VARS["$name"]) ){
      $param = $HTTP_GET_VARS["$name"];
    }
  }
  if (is_array($param)) {
    // Write the filtered value back by key; assigning to the loop variable only
    // changes a copy and would return the array unfiltered.
    foreach($param as $key => $element) {
      $param[$key] = addslashes(xss_meta($element,$strip_crlf));
    }
  } else {
    $param = addslashes(xss_meta($param,$strip_crlf));
  }
  return($param);
}

function xss_meta( $param, $strip_crlf = TRUE ){
  // Scripts under /maint/ (the administrative interface) receive the value unfiltered.
  if( strstr($_SERVER['SCRIPT_NAME'], '/maint/') ){
    return($param);
  }
  $strip_crlf = (boolean)$strip_crlf;
  // Drop the '&#' prefix so numeric character references (e.g. &#60; for '<') cannot smuggle metacharacters past the class below.
  $param = str_replace('&#', '', $param);
  //$param = str_replace('&', '&', $param);
  // Replace the metacharacters ] [ \ | < > = ( ) % { } ` ~ + * ^ " with a space.
  // ereg_replace() was deprecated in PHP 5.3 and removed in PHP 7; on PHP 7+ use
  // preg_replace('/[\]\[\\\\|<>=()%{}`~+*^"]/', ' ', $param) instead.
  $param = ereg_replace('[][\\\|\<\>\=\(\)\%\{\}\`\~\+\*\^"]', ' ', $param);
  if( $strip_crlf == TRUE ){
    // Remove CR/LF so the value cannot inject extra header or log lines.
    $param = ereg_replace("[\r\n]", ' ', $param);
  }
  return($param);
}
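The following is an added example, not FishCart code and not part of either listing above. It serves both sections on this page: it ports the xss_meta() character class to preg_replace() (the ereg_* functions no longer exist in PHP 7 and later), runs a few constructed inputs through it the way getparam() does (filter, then addslashes()), and then shows the defence the blacklist cannot give you, a parameterised query and output encoding, against an in-memory SQLite database built inline. The function names xss_meta_preg(), demo_filter(), find_product_by_name() and render_html(), the products table and its rows are all assumptions made for this example.

```php
<?php
// Added example, not FishCart code. xss_meta_preg() mirrors the page's xss_meta()
// character class on PHP 7+; the rest shows what the blacklist misses and what to use instead.
// All names, the table and the sample rows are assumptions for this example.

function xss_meta_preg($param, $strip_crlf = true) {
    // Same class as the page's ereg_replace() line: ] [ \ | < > = ( ) % { } ` ~ + * ^ "
    $param = str_replace('&#', '', $param);
    $param = preg_replace('/[\]\[\\\\|<>=()%{}`~+*^"]/', ' ', $param);
    if ($strip_crlf) {
        $param = preg_replace('/[\r\n]/', ' ', $param);
    }
    return $param;
}

// Constructed payloads, processed exactly as getparam() processes them: filter, then addslashes().
function demo_filter() {
    $samples = array(
        '<script>alert(1)</script>',   // angle brackets and parentheses become spaces
        "' OR 1=1 --",                 // '=' is stripped; the quote survives and is escaped by addslashes()
        '1 OR 1',                      // numeric-context injection: nothing here is on the blacklist
        'C++ guide',                   // legitimate data is damaged just the same
    );
    $result = array();
    foreach ($samples as $s) {
        $result[$s] = addslashes(xss_meta_preg($s));
    }
    return $result;
}

// Parameterised lookup: the value is bound, never concatenated, so it cannot alter the statement.
function find_product_by_name(PDO $db, $name) {
    $stmt = $db->prepare('SELECT id, name FROM products WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Encode for the HTML context at output time instead of mutilating stored data on input.
function render_html($value) {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// In-memory SQLite via pdo_sqlite with two constructed rows; no database server needed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products (name) VALUES ('C++ guide'), ('<b>Bold</b> widget')");

// 1. What the blacklist does to each sample.
foreach (demo_filter() as $in => $out) {
    printf("%-30s -> %s\n", json_encode($in), json_encode($out));
}

// 2. The untouched legitimate name is found; the injection string is matched literally and finds nothing.
var_dump(find_product_by_name($db, 'C++ guide'));
var_dump(find_product_by_name($db, "' OR 1=1 --"));

// 3. A stored name containing markup renders as text.
echo render_html('<b>Bold</b> widget'), "\n";
```

Run it with `php example.php` on a build that has pdo_sqlite. The first block shows the shape of the filter: the script tag is reduced to bare words, the quoted injection loses its `=` and gets its quote backslashed, but `1 OR 1` passes through unchanged (so a query of the form `WHERE id=$id` is still injectable, since the page's functions never cast numeric parameters), and `C++ guide` comes back with its plus signs replaced by spaces. The second block is the point: with the value bound rather than interpolated, the legitimate name is found intact and the injection string is just a name that does not exist, without any characters having been removed from either. Keep xss_meta() as defence in depth if you like, but put the real guarantee in the query layer and in context-aware encoding on output.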



FishNet ®, Inc.
850 S. Greenville, Suite 102
Richardson, Texas 75081 US
(972) 669-0041