AbleCommerce Forums
»
AbleCommerce
»
AbleCommerce 9 Bug Reports
»
9.0.8 - error with single quotes in /webpage/suggest
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 7/1/2022(UTC) Posts: 71
Thanks: 5 times Was thanked: 1 time(s) in 1 post(s)
|
Hi, I spotted this in the error log recently:
--- An error has occured at /Webpage/Suggest Exception: Invalid object passed in, ':' or '}' expected. (27): { 'keyword': 'mother mary's messages' } Stack Trace: at System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeDictionary(Int32 depth) at System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth) at System.Web.Script.Serialization.JavaScriptObjectDeserializer.BasicDeserialize(String input, Int32 depthLimit, JavaScriptSerializer serializer) at System.Web.Script.Serialization.JavaScriptSerializer.Deserialize(JavaScriptSerializer serializer, String input, Type type, Int32 depthLimit) at System.Web.Mvc.JsonValueProviderFactory.GetDeserializedObject(ControllerContext controllerContext) at System.Web.Mvc.JsonValueProviderFactory.GetValueProvider(ControllerContext controllerContext) at System.Web.Mvc.ValueProviderFactoryCollection.GetValueProvider(ControllerContext controllerContext) at System.Web.Mvc.ControllerBase.get_ValueProvider() at System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor) at System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor) at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) at System.Web.Mvc.Controller.ExecuteCore() at System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) at System.Web.Mvc.Async.AsyncResultWrapper.<>c.<.cctor>b__15_0(IAsyncResult asyncResult, Action action) at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) ---
It looks like it doesn't properly handle single quotes.
Thanks, Charles
|
|
|
|
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 2/17/2019(UTC) Posts: 909
Thanks: 3 times Was thanked: 15 time(s) in 15 post(s)
|
This is also true for 9.0.7, and I suspect all previous versions as well, probably because of SQL injection.
-Ray
|
|
|
|
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 472
Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)
|
hi Charles,
Can you give a little more information, such as where the character was entered?
As with all bug reports, we need the steps to reproduce...
Thank you |
Thanks for your support!
Katie Secure eCommerce Software and Hosting |
|
|
|
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 2/17/2019(UTC) Posts: 909
Thanks: 3 times Was thanked: 15 time(s) in 15 post(s)
|
Using version 9.0.7 If I were to enter the following below: 'Cp200d Radios' Motorola's Radios That would be enough for it to return 0 results and start logging error messages in the backend. Any instance of a single quote, will do it, please refer to the above examples. Double quotes returns 0 results, but does not report anything in the back end. Again, probably has to do with SQL injection prevention. I hope this helps. -Ray Edited by user Wednesday, May 3, 2023 12:06:36 PM(UTC)
| Reason: Not specified
|
|
|
|
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 472
Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)
|
Thank you for providing this additional information.
I'll get it reported. |
Thanks for your support!
Katie Secure eCommerce Software and Hosting |
|
|
|
Rank: Newbie
Groups: Admin, HelpDesk, Developers, Registered Joined: 3/31/2023(UTC) Posts: 3
Was thanked: 1 time(s) in 1 post(s)
|
To resolve this issue you have to follow the given steps 1. Open file Website\Scripts\app.js. 2. Search for Code:function getSource(request, response) {
$.ajax({
url: $(".search-phrase-url").data('url'),
data: "{ 'keyword': '" + request.term + "' }",
dataType: "json",
type: "POST",
contentType: "application/json; charset=utf-8",
dataFilter: function (data) { return data; },
success: function (data) {
response($.map(data, function (item) {
return {
value: item
}
}))
}
});
}
3. Replace with Code:function getSource(request, response) {
$.ajax({
url: $(".search-phrase-url").data('url'),
data: request.term ,
dataType: "json",
type: "POST",
dataFilter: function (data) { return data; },
success: function (data) {
response($.map(data, function (item) {
return {
value: item
}
}))
}
});
}
|
|
|
|
Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC) Posts: 303
Thanks: 21 times Was thanked: 5 time(s) in 5 post(s)
|
|
|
|
|
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 7/1/2022(UTC) Posts: 71
Thanks: 5 times Was thanked: 1 time(s) in 1 post(s)
|
Originally Posted by: Katie S hi Charles,
Can you give a little more information, such as where the character was entered?
As with all bug reports, we need the steps to reproduce...
Thank you I'm sorry, I missed your reply somehow. I don't know how this is entered. I just know single quotes trigger it, like there's malformed quote handling somewhere. Please confirm the proposed solution above from a dev that is his first post is legit. Thanks. Edited by user Wednesday, May 17, 2023 9:06:23 AM(UTC)
| Reason: Not specified
|
|
|
|
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 7/1/2022(UTC) Posts: 71
Thanks: 5 times Was thanked: 1 time(s) in 1 post(s)
|
Originally Posted by: judy at Web2Market Thanks. I know what SQL injection is. I disagree that this was triggered by SQL injection code. If the javascript solution above is accurate, it clearly explains the issue. You can't build a javascript string with single quotes and have it work with content containing a single quote without some sort of escaping.
|
|
|
|
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 7/1/2022(UTC) Posts: 71
Thanks: 5 times Was thanked: 1 time(s) in 1 post(s)
|
Would a dev please respond to this thread and indicate whether the above recommended change is a confirm and okay to implement fix?
|
|
|
|
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 472
Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)
|
Hi Charles,
There is a response from Moiz above (moizkiyani027991993) who is one of our new developers. He provided the fix for this issue.
|
Thanks for your support!
Katie Secure eCommerce Software and Hosting |
|
|
|
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 7/1/2022(UTC) Posts: 71
Thanks: 5 times Was thanked: 1 time(s) in 1 post(s)
|
Originally Posted by: Katie S Hi Charles,
There is a response from Moiz above (moizkiyani027991993) who is one of our new developers. He provided the fix for this issue.
Thanks. Being his first post, I wasn't sure it was legit.
|
|
|
|
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 7/1/2022(UTC) Posts: 71
Thanks: 5 times Was thanked: 1 time(s) in 1 post(s)
|
Hi, I'm back, as this isn't working entirely correct yet.
We have an item "Mother Mary's Messages". Searching on "Mary's" brings it up, when before it didn't.
We have another item "Jesus' Jewels of Joy". Search on "Jesus' Jewels" (with the apostrophe) does not find it. Searching on "Jesus Jewels" (without the apostrophe) DOES find it.
Please advise.
Thanks, Charles
|
|
|
|
Rank: Advanced Member
Groups: Authorized User, Developers Joined: 2/17/2019(UTC) Posts: 909
Thanks: 3 times Was thanked: 15 time(s) in 15 post(s)
|
I knew, looking at the modified code, that this would not work. When something is sent to the background database, it is sent as a string.
The database server is going to automatically enclose the contents in quotations, that's just the way strings work, it's that way too in any programming language.
The main problem is, you want to accept a single quote as part of the string; this can be done, but it will take quite a bit of effort.
When a string is usually sent to a query, the SQL database probably removes many characters including starting and ending extra spaces, in fact, any extra space within the string usually gets removed.
A procedure would have to be created that would still keep the single quote, but be able to pass it to the database as a character or part of the string.
I'm not saying that it's impossible, but I am saying it's going to take some work. You could create a procedure that, if it sees something being sent already wrapped in double quotes, to takes it literally or as is, however, I can see where this can open up an opportunity for SQL injection.
Interesting to see how this post will turn out.
|
|
|
|
Rank: Advanced Member
Groups: Admin, Developers, Registered, HelpDesk, Authorized User Joined: 10/5/2018(UTC) Posts: 704
Thanks: 5 times Was thanked: 113 time(s) in 112 post(s)
|
Quote:Hi, I'm back, as this isn't working entirely correct yet.
We have an item "Mother Mary's Messages". Searching on "Mary's" brings it up, when before it didn't.
We have another item "Jesus' Jewels of Joy". Search on "Jesus' Jewels" (with the apostrophe) does not find it. Searching on "Jesus Jewels" (without the apostrophe) DOES find it.
Please advise. I am not seeing any issue with the string you mentioned. Am I missing something. Can you please reconfirm or share more details. I created a product with a name "Jesus' Jewels of Joy" Search three times with the string "Jesus' Jewels" After third time I can see the suggested string after writing Jesus'
|
|
|
|
AbleCommerce Forums
»
AbleCommerce
»
AbleCommerce 9 Bug Reports
»
9.0.8 - error with single quotes in /webpage/suggest
Forum Jump
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.
Important Information:
The AbleCommerce Forums uses cookies. By continuing to browse this site, you are agreeing to our use of cookies.
More Details
Close