Magento - Tips and Tricks: Magento : SQL Injection in Magento

Tuesday, May 6, 2014

Magento : SQL Injection in Magento

SQL injection is a technique where malicious users can inject SQL commands into an SQL statement, via web page input.

Binding is the way to go for direct queries in Magento.

As

$write = Mage::getSingleton("core/resource")->getConnection("core_write");

$query = "insert into table_name(name, email, company, description) values (:name, :email, :company, :desc)";

$binds = array(

'name' => "name' or 1=1",

'email' => "email",

'company' => "company",

'desc' => "desc",

);

$write->query($query, $binds);

Posted by Bhoopendra Dwivedi at 9:21 AM

Email This BlogThis! Share to X Share to Facebook Share to Pinterest

Labels: Magento, SQl Injection

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

About Me

Bhoopendra Dwivedi: Delhi, NCR, India; Hi, i am a post graduate of UPTU from which i hold a MCA.I am also a passionate web developer and have keen interest in open source technologies, programming & blogging. This is my personal blog and in it i am trying to solve the problems generally faced in Magento.

View my complete profile

Search This Blog

Followers

Categories

Popular Posts

Magento : How to use ajax in admin grid

Searching/paging and other operations to all work in admin grid using ajax, is built in functionality, only follow following step In const...
Add Pin It Button to your site
How to change core configuration data in magento programmatically

$coreConfig = Mage::getModel('core/config'); $coreConfig ->saveConfig($path, $value, $scope = ‘default’, $scopeId = 0); For i...
Magento : How to encode product path image

Override following file /app/Local/Mage/Catalog/Helper/Image.php and add following code public function base64_encode_image ($filename=s...
Magento : Define Global, Website, Store, Store View

Global: This refers to the entire installation. Website: Websites are ‘parents’ of stores. A website consists of one or more store...
Magento : How do I add a frontend date picker

First create your own module, then follow following step as 1. Add following css & js on that page as <reference name = "hea...
Magento: Import Product Bulk Images

<?php require_once('../app/Mage.php'); umask(0); Mage::app('admin'); echo 'Bulk Import Imgaes script runing at ...
Magento : Import Gmail Contact

1. Define a link in any phtml file as <?php $client_id= ''; $redirect_uri='test/test/gooledata...
Share this is not working after ajax load

Use following code on ajax request complete. stButtons.locateElements();
Adding a Google Map to your website

Use following code <!DOCTYPE html> <html> <head> <style> # map_canvas { width : 500px ; ...

Blog Archive

2015 (2)
- October (2)

2014 (18)
- August (1)
- July (1)
- June (1)
- May (2)
  - Accordion using jQuery
  - Magento : SQL Injection in Magento
- April (2)
- March (3)
- February (2)
- January (6)

2013 (29)
- December (1)
- November (2)
- September (4)
- August (3)
- July (4)
- June (2)
- April (2)
- March (2)
- February (6)
- January (3)

2012 (86)
- December (1)
- November (3)
- October (6)
- September (14)
- August (6)
- July (3)
- June (6)
- May (6)
- April (12)
- March (10)
- February (8)
- January (11)

2011 (24)
- December (7)
- November (17)

LIVE CHAT

Total Pageviews

Feedjit

Feedjit Live Blog Stats