FormBrowser and Security

CMSmonkey
Power Poster
Posts: 290
Joined: Thu Nov 27, 2008 4:58 pm

Re: FormBrowser and Security

Post by CMSmonkey »

I'm using this UDT below on another site that is using CMSMS 1.10.2, FormBuilder 0.7.1 and FormBrowser 0.4. I cannot get this UDT to work as the cc number still shows. I have also tried to use the "replacement" variable and that did not work either.

Is anyone aware of any changes that might have taken place in the newer CMSMS and module versions that would make this not work?
Peciura wrote: Let's call this UDT "update_fb_response"

Code:

/* Updates existing data only. */
/* $params['field_ids']    mandatory; comma-separated list of field_id values, spaces are trimmed */
/* $params['resp_ids']     comma-separated list of response IDs, spaces are trimmed. If no response ID is supplied, the field is overwritten in ALL responses */
/* $params['replacement']  value written into the DB in place of the old one; defaults to '' */
/* $params['assign']       Smarty variable to assign the query result to. If ($assign === false), the query failed */

if (!empty($params['field_ids'])) {

	if (!isset($params['replacement'])) {
		$params['replacement'] = '';
	}

	/* Every value is passed as a bound parameter (the "?" placeholders); nothing from $params is concatenated into the SQL text. */
	$values = array($params['replacement']);

	$where = array();
	foreach (explode(',', $params['field_ids']) as $field) {
		$values[] = trim($field);
		$where[] = 'field_id = ?';
	}
	$query = 'UPDATE ' . cms_db_prefix() . 'module_fb_resp_val SET value = ? WHERE (' . implode(' OR ', $where) . ')';

	if (isset($params['resp_ids'])) {
		/* The resp_id group is parenthesised: "(f1 OR f2) AND r1 OR r2" would otherwise overwrite every field of response r2. */
		$where = array();
		foreach (explode(',', $params['resp_ids']) as $resp_id) {
			$values[] = trim($resp_id);
			$where[] = 'resp_id = ?';
		}
		$query .= ' AND (' . implode(' OR ', $where) . ')';
	}

	/* Uncomment to inspect the generated query and its parameters:
	var_dump($query);
	var_dump($values);
	exit;
	*/
	global $gCms;
	$db = $gCms->GetDb();
	$result = $db->Execute($query, $values);

	if (!empty($params['assign'])) {
		$gCms->smarty->assign($params['assign'], $result);
	}
}
return;
Usage

Code:

{update_fb_response  field_ids='123, 9999'}
Use at your own risk :-X
CMSmonkey
Power Poster
Posts: 290
Joined: Thu Nov 27, 2008 4:58 pm

Re: [SOLVED] FormBrowser and Security

Post by CMSmonkey »

Update: Peciura tried to update the UDT, but I still can't get it to work. According to Peciura, it looks like some of FormBuilder's internal code has changed since then.

Does anyone have any other suggestions as to how to handle this issue?

Basically, we have a FormBuilder form that accepts payment. We do not want to store the cc number and would prefer to just drop the credit card field's value from the database once the form is submitted.

Thank you in advance.
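The UPDATE that the UDT in the first post builds, and the requirement stated in this post (drop the card field's value once the form is submitted), as an added worked example. This is not code from the thread or from the FormBuilder/FormBrowser modules: it runs the same kind of parameterised UPDATE through PDO against an in-memory SQLite table. The table name `module_fb_resp_val` and its columns `resp_id`, `field_id` and `value` are the ones the UDT assumes; whether they match a given FormBuilder release is, as the thread itself says, not known. The functions `scrubFieldValues` and `maskCardNumber`, and the rows inserted, are constructed for the example.

```php
<?php
// Added example, not part of the forum thread or of FormBuilder/FormBrowser.
// Assumed schema (taken from the UDT): module_fb_resp_val(resp_id, field_id, value).

function scrubFieldValues(PDO $db, array $fieldIds, array $respIds = [], string $replacement = ''): int
{
    // Accept only positive integer ids. They arrive as a Smarty tag parameter,
    // so they are template-author input, and the UPDATE has no other WHERE clause.
    $toInt = static function (array $ids): array {
        $out = [];
        foreach ($ids as $id) {
            $id = trim((string) $id);
            if (!preg_match('/^[1-9][0-9]*$/', $id)) {
                throw new InvalidArgumentException("bad id: '$id'");
            }
            $out[] = (int) $id;
        }
        return $out;
    };
    $fieldIds = $toInt($fieldIds);
    $respIds  = $toInt($respIds);
    if ($fieldIds === []) {
        throw new InvalidArgumentException('field_ids is mandatory');
    }

    // Placeholders are generated, values are bound: no id or replacement value
    // is ever concatenated into the SQL text. The resp_id group is parenthesised
    // so that "AND ... OR" cannot widen the match to other fields.
    $sql = 'UPDATE module_fb_resp_val SET value = ? WHERE field_id IN ('
         . implode(',', array_fill(0, count($fieldIds), '?')) . ')';
    $params = array_merge([$replacement], $fieldIds);
    if ($respIds !== []) {
        $sql .= ' AND resp_id IN (' . implode(',', array_fill(0, count($respIds), '?')) . ')';
        $params = array_merge($params, $respIds);
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Keep only the last four digits, which is what a receipt or refund lookup
// needs; the full card number never survives.
function maskCardNumber(string $pan): string
{
    $digits = preg_replace('/\D+/', '', $pan);
    if (strlen($digits) < 4) {
        return '';
    }
    return str_repeat('*', strlen($digits) - 4) . substr($digits, -4);
}

// --- constructed demo data (public test card numbers, not real responses) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE module_fb_resp_val (resp_id INTEGER, field_id INTEGER, value TEXT)');
$ins = $db->prepare('INSERT INTO module_fb_resp_val VALUES (?, ?, ?)');
$ins->execute([1, 123, 'Jane Doe']);              // name field, must survive untouched
$ins->execute([1, 9999, '4111 1111 1111 1111']);  // card field
$ins->execute([2, 9999, '5500 0000 0000 0004']);  // card field in a second response

// Blank the card field in every response, as {update_fb_response field_ids='9999'} would.
$n = scrubFieldValues($db, ['9999'], [], '');
echo "rows updated: $n\n";

// Scrub a single response and leave a masked value behind instead of nothing.
$ins->execute([3, 9999, '4111-1111-1111-1111']);
scrubFieldValues($db, [9999], [3], maskCardNumber('4111-1111-1111-1111'));

foreach ($db->query('SELECT resp_id, field_id, value FROM module_fb_resp_val ORDER BY resp_id, field_id') as $row) {
    printf("%d %d [%s]\n", $row['resp_id'], $row['field_id'], $row['value']);
}
```

Both this example and the UDT scrub the value after FormBuilder has already written it, so the card number has at that point reached the table, and with it any query log, replication log or backup taken in between. That is why the thread's first preference, not storing the field at all, is the better fix; the UPDATE is a fallback when the module offers no way to exclude a field before storage. Either way the card field's `field_id` has to be known and passed explicitly.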
CMSmonkey
Power Poster
Posts: 290
Joined: Thu Nov 27, 2008 4:58 pm

Re: [SOLVED] FormBrowser and Security

Post by CMSmonkey »

BUMP - anyone?

This is a bit of a security issue and high priority. Any suggestions are appreciated.

Thanks.