einav

Reputation: 573

Codeigniter - is it risky to modify the cart $product_name_rules to accept any character?

I'm using the Cart Class in CI, and my product names contain lots of "dangerous" characters, such as apostrophe, brackets, semicolon, ampersands, and many non latin characters.

The Cart Class limits the allowed characters like so:

var $product_name_rules = '\.\:\-_ a-z0-9'; // alpha-numeric, dashes, underscores, colons or periods

I know I can extend the Cart Class and override this limitation with something like this in a MY_Cart Class:

$this->product_name_rules = '\d\D'; 

But this makes me wonder - perhaps the CI people had a reason for limiting the product names. Maybe by removing the limitation I'm opening a backdoor to hackers.

Obviously, when I add items from the cart to my database, I use Active Records and query binding, which should (to my best understanding) provide a sufficient defense against sql injections and the like.

So what was the idea behind limiting the characters in the first place?

Upvotes: 0

Views: 2508

Answers (2)

Steward Godwin Jornsen

Reputation: 1179

NO! Well, let me say: "None that I could see":

Although codeigniter seemed to throw some errors when I modified the regex of the cart core directly. So I just tweaked it by leaving what's there and adding \d\D at the end like this:

var $product_name_rules = '\.\:\-_ a-z0-9\d\D'; // \d\D inside the class matches any character, so this accepts everything

To not mess with original classes for reasons you might not know, try to extend the class.

You could find guides here:

http://ponderwell.net/2010/07/codeigniter-extending-the-cart-class-for-robust-product-names/

Create a file in application/libraries and call it "MY_cart.php". In that file, paste the following code:

<?php
if ( ! defined('BASEPATH')) exit('No direct script access allowed');

// Loaded automatically in place of CI_Cart because of the MY_ prefix.
class MY_Cart extends CI_Cart {
    function __construct() {
        parent::__construct();
        $this->product_name_rules = '\d\D'; // accept any character in product names
    }
}

Upvotes: 2
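The following is an added example, not code from the question, the answers or CodeIgniter. It shows how a character rule such as $product_name_rules is applied to a name and which inputs the default rule and the '\d\D' override let through. It assumes the Cart class builds its check as "/^[" . $rules . "]+$/i" (the exact pattern is not quoted on the page), and the sample names are constructed.

```php
<?php
// Added example: apply a product_name_rules string the way a character
// whitelist check would, then show why the rule is not what protects the
// database or the rendered page.
// ASSUMPTION: the cart's check is "/^[" . $rules . "]+$/i".

function cart_name_allowed(string $name, string $rules): bool
{
    return (bool) preg_match('/^[' . $rules . ']+$/i', $name);
}

$defaultRules = '\.\:\-_ a-z0-9';   // CI default quoted in the question
$anyRules     = '\d\D';             // the "accept anything" override

// Constructed sample names covering the characters the question lists.
$names = [
    "Widget 2.0",
    "O'Brien's mug & saucer",
    "Set (large); blue",
    "מחשב נייד",                      // non-Latin letters
    "<b>Bold</b> name",               // markup in a name
];

foreach ($names as $n) {
    echo $n, "\n",
         "  default rule: ", cart_name_allowed($n, $defaultRules) ? 'allowed' : 'rejected', "\n",
         "  \\d\\D rule:    ", cart_name_allowed($n, $anyRules) ? 'allowed' : 'rejected', "\n";
}

// Once every name is allowed, the two places that actually matter are:
// 1. storing it with bound parameters (the question already uses Active
//    Record binding for this), and
// 2. escaping it when it is rendered, which the character rule never did.
function render_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

echo render_name("<b>Bold</b> name"), "\n";
```

Running this shows the default rule rejecting everything but the first name, and the '\d\D' rule accepting all of them; render_name() is the step that keeps a name containing markup from being interpreted as HTML in the cart view.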

cartalot

Reputation: 3148

It's worth getting to know the CI cart library. Because then when you make your own cart, it will make you feel really good about yourself. :-) Seriously though, everyone who tries the CI cart runs into this issue and there are many posts about it. So yes you can modify it so you can use different characters in the names - but I would seriously urge you to make your own cart as soon as possible.

What does a shopping cart really need from the product page? It needs the ID of the product, and the Qty. That's it - everything else should come directly from your product table.

Do not set up your app so that there is a price on a product page, and then you take that price and send it to the cart. Someone could easily modify the form and send a lower price to the cart.

So verify the product id - then get the product price DIRECTLY from the product table. And that's easy because you just did it to show the product. You can also get the product name that way and - hey, suddenly you don't have to worry at all about dangerous characters, and you know that the price will be accurate.

And Steward has the excellent answer for working with the CI cart lib, and the blog post he links to steps through the issues. You can also copy parts of the cart lib and put them in MY_cart; it's a good way to see how it works and you can do simple mods.

Upvotes: 0
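As an added example (not code from the answer or from CodeIgniter), here is the cart-add step cartalot describes: the form contributes only a product id and a quantity, and name and price are taken from the product table. The $products array stands in for the products table; in CI the lookup would be the bound query $this->db->where('id', $id)->get('products')->row(). The rows and form submissions are constructed.

```php
<?php
// Added example: build a cart line from untrusted form input using only
// the product id and quantity, with price and name read from the table.
// ASSUMPTION: $products stands in for the products table.

$products = [                         // constructed rows
    17 => ['id' => 17, 'name' => "O'Brien's mug & saucer", 'price' => 12.50],
    42 => ['id' => 42, 'name' => 'מחשב נייד (15")',        'price' => 899.00],
];

// Returns a cart line, or null if the input is unusable.
function build_cart_line(array $post, array $products): ?array
{
    // Only these two fields are read; a posted 'price' or 'name' is ignored.
    $id  = filter_var($post['id']  ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    $qty = filter_var($post['qty'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1, 'max_range' => 99]]);
    if ($id === false || $qty === false) {
        return null;                  // not a positive integer
    }

    $row = $products[$id] ?? null;    // lookup by the validated id
    if ($row === null) {
        return null;                  // unknown product
    }

    return [
        'id'    => $row['id'],
        'qty'   => $qty,
        'price' => $row['price'],     // authoritative value from the table
        'name'  => $row['name'],      // any characters are fine here
    ];
}

// Constructed form submissions: honest, price-tampered, and malformed.
$submissions = [
    ['id' => '17',  'qty' => '2'],
    ['id' => '42',  'qty' => '1', 'price' => '0.01'],
    ['id' => 'abc', 'qty' => '-3'],
];

foreach ($submissions as $post) {
    $line = build_cart_line($post, $products);
    echo json_encode($post, JSON_UNESCAPED_UNICODE), ' -> ',
         $line === null ? 'rejected' : json_encode($line, JSON_UNESCAPED_UNICODE),
         "\n";
}
```

The second submission carries a posted price of 0.01, but the resulting line still shows 899.00 because the price field is never read from the form; the third is rejected before any lookup happens. The name in the returned line still needs escaping when it is rendered in the cart view.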
