Modsecurity and quotation marks

General Discussion about the commercial Enuuk Auction Platform
bamse
Posts: 220
Joined: Mon Feb 06, 2012 12:05 pm

Modsecurity and quotation marks

Post by bamse » Fri Mar 01, 2013 9:00 am

In order to prevent SQL injection, my modsecurity throws a message "Forbidden you don't have access to ..." if somebody enters quotation marks in the user registration form. I would like to present a more informative error message and tried to add

// reject registration input whose company-name field contains a double quote
if ($par['action'] == 'register' && strpos($par['custom1'], '"') !== false) {
    $ret .= _("Don't use quotation marks in input fields.");
}

in class/Action/User.php->verifyUserParameters()

but it did not work. Is there something wrong with this code, or would I have to add the check somewhere else (in the javascript)?

The above code works if, for instance, I replace " with x and the user enters a string containing x.

RWAP
Site Admin
Posts: 748
Joined: Fri Jan 08, 2010 2:23 am
Location: Stoke-on-Trent

Re: Modsecurity and quotation marks

Post by RWAP » Fri Mar 01, 2013 9:42 am

Modsecurity would kick in before the PHP code, so preventing the quote marks from reaching the PHP.

You need to add the check in javascript unfortunately.


Re: Modsecurity and quotation marks

Post by bamse » Fri Mar 01, 2013 9:48 am

Thanks: javascript..., indeed unfortunately...


Re: Modsecurity and quotation marks

Post by bamse » Fri Mar 01, 2013 4:40 pm

Fixed it in the following way...

In global.js->validateUserForm(), below
//evaluate if everything is correct
I replaced

return true;

with

// stop the submit and show the translated notice if the company name contains a double quote
if (companyname.val().indexOf('"') != -1) {
    window.scrollTo(0, 0);
    displayError("<div class=\"fullBox\">" + quoteAlert + "</div>", '#content');
    return false;
} else {
    return true;
}

and in themes/.../header.php added

var quoteAlert = "<?=_('Please do not use quotation marks in input fields.') ?>";

below a similar line for "redAlert".

In our case

var companyname = $("#custom1");
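The check from the last post, written out as an added example; this is not code from the thread or from the Enuuk platform. It keeps the same idea (the WAF returns the Forbidden page before any PHP runs, so the only place a friendlier message can be produced is in the browser, before the form is submitted) but pulls the test out of the DOM so it can be run and checked on its own. The ModSecurity rule stays the real control; the script only tells legitimate users in advance why their input would be rejected. quoteAlert, displayError and #custom1 are the thread's names; BLOCKED_CHARS, findFieldsWithBlockedChars, buildQuoteMessage, collectFormValues and validateBeforeSubmit are names assumed here, and the sample field values are constructed.

```javascript
// Added example, not code from this thread or from the Enuuk platform.
// ModSecurity rejects the request (the "Forbidden" page) before any PHP
// runs, so the friendlier message has to be produced in the browser,
// before submit. The WAF rule stays the actual control; this only
// explains the rejection to legitimate users ahead of time.

// Characters the thread's rule rejects. Only the double quote is confirmed
// by the thread; anything added here would be a local assumption.
const BLOCKED_CHARS = ['"'];

// Return the names of fields whose values contain a blocked character.
// `fields` is a plain { name: value } object so the logic runs without a DOM.
function findFieldsWithBlockedChars(fields, blocked = BLOCKED_CHARS) {
  const offending = [];
  for (const [name, value] of Object.entries(fields)) {
    if (typeof value !== 'string') continue;
    if (blocked.some((ch) => value.indexOf(ch) !== -1)) {
      offending.push(name);
    }
  }
  return offending;
}

// Build the message to display. In the thread `quoteAlert` is a translated
// string emitted by header.php; here it is passed in. Returns null when
// nothing is wrong so the caller can let the submit proceed.
function buildQuoteMessage(offending, quoteAlert) {
  if (offending.length === 0) return null;
  return quoteAlert + ' (' + offending.join(', ') + ')';
}

// Collect every named control of a <form> into { name: value }.
// Browser-only helper (assumed name); the test passes the object directly.
function collectFormValues(form) {
  const values = {};
  for (const el of Array.from(form.elements)) {
    if (el.name && typeof el.value === 'string') values[el.name] = el.value;
  }
  return values;
}

// Submit-time check in the shape of the thread's validateUserForm():
// returns true to let the submit proceed, false to stop it after showing
// the message via `showError` (displayError in the thread).
function validateBeforeSubmit(fields, quoteAlert, showError) {
  const message = buildQuoteMessage(findFieldsWithBlockedChars(fields), quoteAlert);
  if (message !== null) {
    showError(message);
    return false;
  }
  return true;
}

// Constructed sample input, not taken from any real registration.
const sampleFields = {
  custom1: 'Acme "Widgets" Ltd',   // company name field (#custom1 in the thread)
  email: 'buyer@example.com',
  custom2: "O'Brien & Sons",       // single quote: not covered by the thread's rule
};

validateBeforeSubmit(
  sampleFields,
  'Please do not use quotation marks in input fields.',
  (msg) => console.log('would display:', msg)
);
```

In a page, the submit handler would call validateBeforeSubmit(collectFormValues(form), quoteAlert, displayError) and return its result, which is the same true/false contract validateUserForm() already has. Keeping the field-scanning logic separate from window.scrollTo and displayError is what makes it testable outside a browser.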
