
Update field in CB using RSFormsPro with value with apostrophe

  • comyoo
  • OFFLINE
  • Posts: 87
  • Thanks: 1
  • Karma: 0
10 years 11 months ago #237146 by comyoo
Hi,

We use RSFormsPro on a customer's website, and there we use the following code to update the CB profile with data provided in the RSFormsPro form.
Code:
// update woonplaats (city of residence) in the CB profile
$db =& JFactory::getDBO();
$user =& JFactory::getUser();
$uid = $user->id;
// the raw POST value is concatenated straight into the SQL string
$db->setQuery("UPDATE #__comprofiler SET cb_woonplaats = '".$_POST['form']['woonplaats']."' WHERE user_id = '".$uid."'");
$db->query();

Now in The Netherlands we have some cities whose names start with an apostrophe, for example 't Harde or 's Hertogenbosch.

The script now gives an error on submit because of the apostrophe.

How can I modify the script so that it can also update such city names?


  • krileon
  • ONLINE
  • Posts: 48473
  • Thanks: 8281
  • Karma: 1443
10 years 11 months ago #237183 by krileon
That script is a security violation. Anyone could use SQL injection to alter your database. You have zero escaping. Use the below CB API to accomplish this safely.

Code:
// filtered copy of the posted form array
$postData = cbGetParam( $_POST, 'form' );
// CB user object for the currently logged-in user
$user = CBuser::getMyUserDataInstance();
// store the filtered value; the CB API takes care of escaping
$user->storeDatabaseValue( 'cb_woonplaats', stripslashes( cbGetParam( $postData, 'woonplaats' ) ) );

For the above to work you need to ensure the CB API has been included. See the below tutorial on how to do this.

www.joomlapolis.com/support/tutorials/120-api-usage/18357-including-cb-api-for-usage-outside-of-cb

Please note for future reference we do not provide coding assistance. The above is provided purely due to you using a vulnerability.


Kyle (Krileon)
Community Builder Team Member
Before posting on forums: Read FAQ thoroughly + Read our Documentation + Search the forums
CB links: Documentation - Localization - CB Quickstart - CB Paid Subscriptions - Add-Ons - Forge
--
If you are a Professional, Developer, or CB Paid Subscriptions subscriber and have a support issue please always post in your respective support forums for best results!
--
If I've missed your support post with a delay of 3 days or greater and are a Professional, Developer, or CBSubs subscriber please send me a private message with your thread and will reply when possible!
--
Please note I am available Monday - Friday from 8:00 AM CST to 4:00 PM CST. I am away on weekends (Saturday and Sunday) and if I've missed your post on or before a weekend after business hours please wait for the next following business day (Monday) and will get to your issue as soon as possible, thank you.
--
My role here is to provide guidance and assistance. I cannot provide custom code for each custom requirement. Please do not inquire me about custom development.
The following user(s) said Thank You: nant
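As an added example (not code from the thread, from RSJoomla or from the CB project), here is the vulnerable pattern from the first post next to a hardened version built with the Joomla database API, the alternative Kyle mentions further down; it assumes the Joomla framework is loaded and that the form field arrives as $_POST['form']['woonplaats'].

```php
<?php
// Added example, not from the thread. Assumes Joomla (JFactory, JInput,
// JDatabaseQuery) is loaded, e.g. inside an RSForm!Pro "Script called on
// form process" block.

// Constructed sample input: a Dutch place name starting with an apostrophe.
$sampleWoonplaats = "'t Harde";

// 1. The pattern from the first post (do not use): the raw POST value is
//    concatenated into the SQL string. A plain apostrophe in "'t Harde"
//    terminates the literal early and the statement fails; any other value
//    is interpreted as SQL as well, which is the injection Kyle refers to.
function vulnerableUpdate($db, $uid, $woonplaats)
{
    $db->setQuery("UPDATE #__comprofiler SET cb_woonplaats = '" . $woonplaats
        . "' WHERE user_id = '" . $uid . "'");
    return $db->execute();
}

// 2. Hardened form: quote() escapes the value, quoteName() the identifiers,
//    and the user id is cast to an integer. "'t Harde" is stored as typed.
function safeUpdate($db, $uid, $woonplaats)
{
    $query = $db->getQuery(true)
        ->update($db->quoteName('#__comprofiler'))
        ->set($db->quoteName('cb_woonplaats') . ' = ' . $db->quote($woonplaats))
        ->where($db->quoteName('user_id') . ' = ' . (int) $uid);
    $db->setQuery($query);
    return $db->execute();
}

// Pull the value through JInput instead of reading $_POST directly, so it
// arrives filtered; 'array' keeps the nested form[] structure.
$input = JFactory::getApplication()->input;
$form  = $input->get('form', array(), 'array');
$woonplaats = isset($form['woonplaats']) ? (string) $form['woonplaats'] : $sampleWoonplaats;

$db  = JFactory::getDbo();
$uid = (int) JFactory::getUser()->id;
safeUpdate($db, $uid, $woonplaats);
```

The CB API call in Kyle's reply is the shorter route when the CB API is loaded; the Joomla-only version above is for cases where only the framework is available.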


  • comyoo
  • OFFLINE
  • Posts: 87
  • Thanks: 1
  • Karma: 0
10 years 11 months ago #237387 by comyoo
Hi,

The code I submitted is given by RSJoomla in their documentation of RSFormsPro.
This script is processed on form submission.

Is your code also for the 'Script called on form process' ?

Maybe it is good that you inform RSJoomla if this is a threat for other websites.


  • krileon
  • ONLINE
  • Posts: 48473
  • Thanks: 8281
  • Karma: 1443
10 years 11 months ago #237405 by krileon

Is your code also for the 'Script called on form process' ?

I guess so. I assume they just let you run PHP from the looks of it. As long as CB is already loaded before then, or you load in the CB API using the code provided in the linked tutorial, the PHP will behave as expected.

Maybe it is good that you inform RSJoomla if this is a threat for other websites.

You can point them to this topic if you like, but it's not my responsibility to teach other developers about basic SQL injection vulnerabilities. Securing the current usage is as simple as using the Joomla API to pull and filter the POST value. POST values should never be directly pushed to a query as they are unfiltered. If you want an example of how to inject and break your current usage to confirm this I can PM it to you, but I won't be posting any vulnerabilities here.

