Re: FormBrowser and Security

Posted: Thu Aug 30, 2012 5:55 pm
by CMSmonkey
I'm using this UDT below on another site that is using CMSMS 1.10.2, FormBuilder 0.7.1 and FormBrowser 0.4. I cannot get this UDT to work as the cc number still shows. I have also tried to use the "replacement" variable and that did not work either.

Is anyone aware of any changes that might have taken place in the newer CMSMS and module versions that would make this not work?
Peciura wrote: Let's call this UDT "update_fb_response"

Code:

/*It updates existing data only*/
/*$params['field_ids']*/   /*mandatory*/ /*comma separated field_id list, spaces will be trimmed*/
/*$params['resp_ids']*/    /*comma separated list of response IDs, spaces will be trimmed. If no response id is supplied - all values will be overwritten*/
/*$params['replacement']='' */   /*replace values in DB with*/
/*$params['assign']*/   /*assign sql result to. If ($assign === false), sql query failed*/

if (!empty($params['field_ids'])){

	if (!isset($params['replacement'])){
		$params['replacement'] = '';
	}
	$fields = array();
	$query = 'UPDATE  '.cms_db_prefix().'module_fb_resp_val set value=?  WHERE (';

	array_push($fields, $params['replacement']);

	$field_ids = explode(',',$params['field_ids']);
	foreach($field_ids as $field){
		array_push($fields, trim($field));
		$query .= ' field_id = ? or ';
	}
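	$query = rtrim( $query, 'o r');

	$query .= ' ) and ';
	if (isset($params['resp_ids'])) {
		/*group the resp_id list: AND binds tighter than OR, so without the parentheses every resp_id after the first would match all of its fields*/
		$query .= '( ';
		$resp_ids = explode(',', $params['resp_ids']);
		foreach($resp_ids as $resp_id){
			array_push($fields, trim($resp_id));
			$query .= ' resp_id = ? or ';
		}
		$query = rtrim( $query, 'o r').' )';
	}
	else{
		$query = rtrim( $query, 'na d');
	}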

	/*
	var_dump($query);
	var_dump($fields);
	exit;
	*/
	global $gCms;
	$db = $gCms->GetDb();
	$assign = $db->Execute($query, $fields);

	if (!empty($params['assign'])){
		$gCms->smarty->assign($params['assign'], $assign);
	}
}
return;
Usage

Code:

{update_fb_response  field_ids='123, 9999'}
Use at your own risk :-X

Re: [SOLVED] FormBrowser and Security

Posted: Fri Aug 31, 2012 7:20 pm
by CMSmonkey
Update: Peciura tried to update the UDT but I still can't get it to work. According to Peciura, it looks like some internal code in FormBuilder has changed since then.

Does anyone have any other suggestions as to how to handle this issue?

Basically, we have a FormBuilder form that accepts payment. We do not want to store the cc number and would prefer to just drop the credit card field's value from the database once the form is submitted.

Thank you in advance.
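
The scoped update the UDT above performs, as an added example that is not part of any post in this thread and not FormBuilder or FormBrowser code: it validates the ids, builds the statement with IN lists so the response filter applies to every listed field, and checks the result against an in-memory SQLite table. The table and column names come from the UDT's query; the function name build_scrub_query, the schema and the sample rows are assumptions constructed for the demonstration.

```php
<?php
// Added example. Table/column names are from the UDT's query; schema and rows are constructed.

/** Build a parameterized UPDATE that blanks the given fields, optionally only in the given responses. */
function build_scrub_query(string $table, array $field_ids, array $resp_ids = [], string $replacement = ''): array
{
    // Accept only digit-only ids, so nothing but placeholders reaches the SQL text.
    $clean = function (array $ids): array {
        $out = [];
        foreach ($ids as $id) {
            $id = trim((string)$id);
            if (!ctype_digit($id)) {
                throw new InvalidArgumentException("not a numeric id: $id");
            }
            $out[] = (int)$id;
        }
        return $out;
    };
    $field_ids = $clean($field_ids);
    if (!$field_ids) {
        throw new InvalidArgumentException('field_ids is mandatory');
    }
    $resp_ids = $clean($resp_ids);

    $marks = fn(array $a) => implode(',', array_fill(0, count($a), '?'));
    $sql = "UPDATE $table SET value = ? WHERE field_id IN (" . $marks($field_ids) . ')';
    if ($resp_ids) {
        $sql .= ' AND resp_id IN (' . $marks($resp_ids) . ')';
    }
    return [$sql, array_merge([$replacement], $field_ids, $resp_ids)];
}

// Constructed data: field 123 holds a test card number, field 124 holds a name.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE module_fb_resp_val (resp_id INTEGER, field_id INTEGER, value TEXT)');
$db->exec("INSERT INTO module_fb_resp_val VALUES (1,123,'4111111111111111'),(1,124,'Alice'),
           (2,123,'4111111111111111'),(2,124,'Bob'),(3,123,'4111111111111111')");

[$sql, $args] = build_scrub_query('module_fb_resp_val', ['123'], ['1', ' 2']);
$db->prepare($sql)->execute($args);

// Field 123 is blanked in responses 1 and 2 only; names and response 3 keep their values.
foreach ($db->query('SELECT * FROM module_fb_resp_val ORDER BY resp_id, field_id', PDO::FETCH_NUM) as $row) {
    echo implode(' | ', $row), PHP_EOL;
}
```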

Re: [SOLVED] FormBrowser and Security

Posted: Tue Sep 04, 2012 9:48 pm
by CMSmonkey
BUMP - anyone?

This is a bit of a security issue and high priority. Any suggestions are appreciated.

Thanks.