How to Properly Sanitize Strings in ProductCart
Please note: The contents of this article apply only to licensed versions of the ProductCart software. They do not apply to stores running as a hosted application under a ProductCart Live agreement.
Overview
If you customize the ProductCart source code or add new files to your Web store, make sure you take advantage of the functions that already exist in ProductCart for sanitizing user input. Any string that arrives with the request (query string, form field, cookie) must be sanitized before you use it in your code, and especially before you place it in any MS SQL query, where an unsanitized value opens the door to SQL injection.
stringFunctions.asp
The file stringFunctions.asp in the includes folder contains two very important functions.
getUserInput
Use the getUserInput function to sanitize a string at the point where you read it from the request. The function was updated to further protect against possible SQL injection attacks. Here is a simple example of how it can be used:

Dim idCategory
idCategory = getUserInput(Request("id"),5)

The second argument, 5, truncates the string after its first 5 characters. Five digits cover any category ID up to 99,999, and it is hard to imagine a store with that many categories, so you can keep the first five characters and discard the rest. If you are requesting a large string of data, pass 0 to allow an unlimited number of characters. Two caveats: truncation limits how much attacker-controlled input reaches your code, but it does not by itself prove that the value is a number, so for numeric IDs follow it with validNum (described next); and Request("id") searches the QueryString, Form, Cookies and ServerVariables collections in turn, so when you know where the value should come from, use Request.QueryString("id") or Request.Form("id") explicitly.
validNum
Use the validNum function to ensure that the string is an integer. This is particularly useful to validate a category, product, or customer ID before using those values in any database query. The syntax is as follows:

if not validNum(idCategory) then
    idCategory=1
end if

Here we check that the category ID is indeed an integer. If not, we assign it the value 1, a known-good default. Alternatively you could redirect to another page or display a special message; that is the better choice when a non-numeric ID can only mean a malformed or malicious request, since silently substituting a default hides the attempt.
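The two functions are meant to be used together: truncate on the way in, then confirm the value is an integer before it reaches a query. The following page fragment is an added example, not code from ProductCart or from this article. It assumes getUserInput and validNum are available from includes/stringFunctions.asp; the helper requestIntId, the error page invalidRequest.asp, and the table and column names are hypothetical.

```vbscript
<%
Option Explicit
' Added example, not ProductCart's own code. Assumes the two functions from
' includes/stringFunctions.asp are already included in this page, e.g.:
'   <!--#include file="includes/stringFunctions.asp"-->
' Table and column names below are hypothetical.

' Hypothetical helper: read one integer ID from the request, truncate it to
' maxLen characters with getUserInput, confirm it is an integer with validNum,
' and return it as a Long. If validation fails, return defaultId instead.
Function requestIntId(paramName, maxLen, defaultId)
    Dim raw
    raw = getUserInput(Request(paramName), maxLen)
    If validNum(raw) Then
        requestIntId = CLng(raw)
    Else
        requestIntId = defaultId
    End If
End Function

Dim idCategory, idProduct, rawProduct, strSQL

' UNSAFE, shown for contrast only: the raw request value goes straight into
' the SQL text. A request such as ?id=1%20OR%201=1 changes the query's meaning.
' strSQL = "SELECT * FROM categories WHERE idCategory=" & Request("id")

' Safe: category ID truncated, validated and converted before use.
' 5 characters allow IDs up to 99999; fall back to category 1 otherwise.
idCategory = requestIntId("id", 5, 1)

' Safe, stricter variant: reject the request instead of substituting a default.
' Response.Redirect stops processing of the rest of the page.
rawProduct = getUserInput(Request("idproduct"), 6)
If Not validNum(rawProduct) Then
    Response.Redirect "invalidRequest.asp"   ' hypothetical error page
End If
idProduct = CLng(rawProduct)

' idCategory and idProduct are Longs, so the text concatenated here can only
' be digits (with at most a leading minus sign), never SQL fragments.
strSQL = "SELECT idProduct, description FROM products " & _
         "WHERE idCategory=" & idCategory & " AND idProduct=" & idProduct
%>
```

Converting the validated string with CLng before it is concatenated is deliberate: even if a later edit of the page reuses the variable in another query, a Long cannot carry quotes, comments or keywords. Note also the order of operations: because getUserInput truncates before validNum runs, a value such as 12345abc becomes 12345 and passes validation, while 123abc fails. If you would rather reject any value with trailing junk, check the raw length (or run validNum on the untruncated value) before truncating.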