charles25686713  
#1 Posted : Monday, May 1, 2023 1:15:33 PM(UTC)
charles25686713

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 7/1/2022(UTC)
Posts: 71

Thanks: 5 times
Was thanked: 1 time(s) in 1 post(s)
Hi, I spotted this in the error log recently:

---
An error has occured at /Webpage/Suggest
Exception: Invalid object passed in, ':' or '}' expected. (27): { 'keyword': 'mother mary's messages' } Stack Trace: at System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeDictionary(Int32 depth) at System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth) at System.Web.Script.Serialization.JavaScriptObjectDeserializer.BasicDeserialize(String input, Int32 depthLimit, JavaScriptSerializer serializer) at System.Web.Script.Serialization.JavaScriptSerializer.Deserialize(JavaScriptSerializer serializer, String input, Type type, Int32 depthLimit) at System.Web.Mvc.JsonValueProviderFactory.GetDeserializedObject(ControllerContext controllerContext) at System.Web.Mvc.JsonValueProviderFactory.GetValueProvider(ControllerContext controllerContext) at System.Web.Mvc.ValueProviderFactoryCollection.GetValueProvider(ControllerContext controllerContext) at System.Web.Mvc.ControllerBase.get_ValueProvider() at System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor) at System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor) at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) at System.Web.Mvc.Controller.ExecuteCore() at System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) at System.Web.Mvc.Async.AsyncResultWrapper.<>c.<.cctor>b__15_0(IAsyncResult asyncResult, Action action) at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) at 
System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
---

It looks like it doesn't properly handle single quotes.

Thanks,
Charles


ray22901031  
#2 Posted : Monday, May 1, 2023 1:39:20 PM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
This is also true for 9.0.7, and I suspect all previous versions as well, probably because of SQL injection.

-Ray
Katie S  
#3 Posted : Monday, May 1, 2023 9:23:34 PM(UTC)
Katie S

Rank: Advanced Member

Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 471

Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
Hi Charles,

Can you give a little more information, such as where the character was entered?

As with all bug reports, we need the steps to reproduce...

Thank you
Thanks for your support!

Katie
Secure eCommerce Software and Hosting
ray22901031  
#4 Posted : Wednesday, May 3, 2023 12:05:57 PM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
Using version 9.0.7

If I were to enter the following below:

'Cp200d Radios'
Motorola's Radios

That would be enough for it to return 0 results and start logging error messages in the backend. Any instance of a single quote will do it; please refer to the above examples. Double quotes return 0 results but do not report anything in the back end.

Again, probably has to do with SQL injection prevention.

I hope this helps.

-Ray

Edited by user Wednesday, May 3, 2023 12:06:36 PM(UTC)  | Reason: Not specified

Katie S  
#5 Posted : Wednesday, May 3, 2023 1:08:54 PM(UTC)
Katie S

Rank: Advanced Member

Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 471

Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
Thank you for providing this additional information.

I'll get it reported.
Thanks for your support!

Katie
Secure eCommerce Software and Hosting
moizkiyani027991993  
#6 Posted : Wednesday, May 17, 2023 4:32:19 AM(UTC)
moizkiyani027991993

Rank: Newbie

Groups: Admin, HelpDesk, Developers, Registered
Joined: 3/31/2023(UTC)
Posts: 3

Was thanked: 1 time(s) in 1 post(s)
To resolve this issue you have to follow the given steps

1. Open file Website\Scripts\app.js.

2. Search for
Code:
function getSource(request, response) {
    $.ajax({
        url: $(".search-phrase-url").data('url'),
        data: "{ 'keyword': '" + request.term + "' }",
        dataType: "json",
        type: "POST",
        contentType: "application/json; charset=utf-8",
        dataFilter: function (data) { return data; },
        success: function (data) {
            response($.map(data, function (item) {
                return {
                    value: item
                }
            }))
        }
    });
}


3. Replace with
Code:
function getSource(request, response) {
    $.ajax({
        url: $(".search-phrase-url").data('url'),
        data:  request.term ,
        dataType: "json",
        type: "POST",
        dataFilter: function (data) { return data; },
        success: function (data) {
            response($.map(data, function (item) {
                return {
                    value: item
                }
            }))
        }
    });
}
judy at Web2Market  
#7 Posted : Wednesday, May 17, 2023 6:10:20 AM(UTC)
judy at Web2Market

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 303

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
For your safety, you should check that for SQL injection after you make the change. The reason the error is showing up is that an error was thrown for a reason: to prevent SQL injection.
https://owasp.org/www-pr...esting_for_SQL_Injection
charles25686713  
#8 Posted : Wednesday, May 17, 2023 9:05:16 AM(UTC)
charles25686713

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 7/1/2022(UTC)
Posts: 71

Thanks: 5 times
Was thanked: 1 time(s) in 1 post(s)
Originally Posted by: Katie S
hi Charles,

Can you give a little more information, such as where the character was entered?

As with all bug reports, we need the steps to reproduce...

Thank you


I'm sorry, I missed your reply somehow.

I don't know how this is entered. I just know single quotes trigger it, like there's malformed quote handling somewhere.

Please confirm that the proposed solution above, from a dev for whom this is his first post, is legit.

Thanks.

Edited by user Wednesday, May 17, 2023 9:06:23 AM(UTC)  | Reason: Not specified

charles25686713  
#9 Posted : Wednesday, May 17, 2023 9:08:40 AM(UTC)
charles25686713

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 7/1/2022(UTC)
Posts: 71

Thanks: 5 times
Was thanked: 1 time(s) in 1 post(s)
Originally Posted by: judy at Web2Market
For your safety, you should check that for SQL injection after you make the change. The reason the error is showing up is that an error was thrown for a reason: to prevent SQL injection.
https://owasp.org/www-pr...esting_for_SQL_Injection


Thanks. I know what SQL injection is.

I disagree that this was triggered by SQL injection code. If the JavaScript solution above is accurate, it clearly explains the issue. You can't build a JavaScript string with single quotes and have it work with content containing a single quote without some sort of escaping.
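As an added example (not code from this thread or from AbleCommerce), the block below puts the quoting problem from post #6 and Charles's point above side by side: the body built by string concatenation stops fitting its own `{ 'keyword': '...' }` shape as soon as the term contains an apostrophe, while a body produced by `JSON.stringify` survives any term. The helper names, the strict single-quote reader used to stand in for the server-side deserializer, and the constructed sample terms are all this example's own.

```javascript
// Added example, not code from AbleCommerce or from this thread.
// Shows why data: "{ 'keyword': '" + term + "' }" breaks on apostrophes and how
// JSON.stringify avoids it. All helper names below are this example's own.

// 1. The original construction: hand-built "JSON" using single quotes.
function buildBodyByConcatenation(term) {
  return "{ 'keyword': '" + term + "' }";
}

// 2. The robust construction: a real JSON document; every quote, backslash and
//    control character in the term is escaped for us.
function buildBodyWithStringify(term) {
  return JSON.stringify({ keyword: term });
}

// 3. A strict reader for the single-quoted shape the original code emitted.
//    Returns the keyword, or null when the body no longer fits that shape,
//    which is the situation the server reported as "':' or '}' expected".
function readSingleQuotedKeyword(body) {
  const m = /^\s*\{\s*'keyword'\s*:\s*'([^']*)'\s*\}\s*$/.exec(body);
  return m ? m[1] : null;
}

// 4. The reader for the JSON form: any standards-compliant parser will do.
function decodeStringifiedKeyword(body) {
  let obj;
  try {
    obj = JSON.parse(body);
  } catch (e) {
    return null;
  }
  return obj && typeof obj.keyword === "string" ? obj.keyword : null;
}

// 5. A corrected version of the page's getSource() request options, built as a
//    plain object so it can be inspected without jQuery. Passing it to $.ajax()
//    keeps the JSON content type the original used, so the server still binds
//    the body as a JSON object rather than as form data (assumed usage).
function buildSuggestRequest(url, term, onItems) {
  return {
    url: url,
    data: buildBodyWithStringify(term),
    dataType: "json",
    type: "POST",
    contentType: "application/json; charset=utf-8",
    success: function (data) {
      onItems(data.map(function (item) { return { value: item }; }));
    }
  };
}

// Constructed sample terms, including the ones reported in the thread.
const SAMPLE_TERMS = [
  "Cp200d Radios",
  "mother mary's messages",
  "Jesus' Jewels",
  'say "hi"'
];

// Round-trip each term through both constructions and record which survive.
function compareConstructions(terms) {
  return terms.map(function (term) {
    return {
      term: term,
      concatenationOk: readSingleQuotedKeyword(buildBodyByConcatenation(term)) === term,
      stringifyOk: decodeStringifiedKeyword(buildBodyWithStringify(term)) === term
    };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareConstructions(SAMPLE_TERMS));
}
```

Running the block prints a table in which only the apostrophe-bearing terms fail the concatenation round trip while every term passes the `JSON.stringify` one; note that the corrected request keeps `contentType: "application/json; charset=utf-8"`, which the replacement in post #6 dropped.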
charles25686713  
#10 Posted : Tuesday, May 30, 2023 2:33:44 PM(UTC)
charles25686713

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 7/1/2022(UTC)
Posts: 71

Thanks: 5 times
Was thanked: 1 time(s) in 1 post(s)
Would a dev please respond to this thread and indicate whether the above recommended change is a confirmed, okay-to-implement fix?
Katie S  
#11 Posted : Tuesday, May 30, 2023 2:46:33 PM(UTC)
Katie S

Rank: Advanced Member

Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 471

Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
Hi Charles,

There is a response from Moiz above (moizkiyani027991993) who is one of our new developers. He provided the fix for this issue.

Thanks for your support!

Katie
Secure eCommerce Software and Hosting
charles25686713  
#12 Posted : Tuesday, May 30, 2023 3:04:10 PM(UTC)
charles25686713

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 7/1/2022(UTC)
Posts: 71

Thanks: 5 times
Was thanked: 1 time(s) in 1 post(s)
Originally Posted by: Katie S
Hi Charles,

There is a response from Moiz above (moizkiyani027991993) who is one of our new developers. He provided the fix for this issue.



Thanks. Being his first post, I wasn't sure it was legit.
charles25686713  
#13 Posted : Thursday, June 1, 2023 4:18:10 PM(UTC)
charles25686713

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 7/1/2022(UTC)
Posts: 71

Thanks: 5 times
Was thanked: 1 time(s) in 1 post(s)
Hi, I'm back, as this isn't working entirely correctly yet.

We have an item "Mother Mary's Messages". Searching on "Mary's" brings it up, when before it didn't.

We have another item "Jesus' Jewels of Joy". Search on "Jesus' Jewels" (with the apostrophe) does not find it. Searching on "Jesus Jewels" (without the apostrophe) DOES find it.

Please advise.

Thanks,
Charles
ray22901031  
#14 Posted : Friday, June 2, 2023 12:44:58 PM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
I knew, looking at the modified code, that this would not work. When something is sent to the background database, it is sent as a string.

The database server is going to automatically enclose the contents in quotations, that's just the way strings work, it's that way too in any programming language.

The main problem is, you want to accept a single quote as part of the string; this can be done, but it will take quite a bit of effort.

When a string is usually sent to a query, the SQL database probably removes many characters including starting and ending extra spaces, in fact, any extra space within the string usually gets removed.

A procedure would have to be created that would still keep the single quote, but be able to pass it to the database as a character or part of the string.

I'm not saying that it's impossible, but I am saying it's going to take some work. You could create a procedure that, if it sees something being sent already wrapped in double quotes, takes it literally or as is; however, I can see where this can open up an opportunity for SQL injection.

Interesting to see how this post will turn out.
shaharyar  
#15 Posted : Tuesday, June 13, 2023 6:51:21 AM(UTC)
shaharyar

Rank: Advanced Member

Groups: Admin, Developers, Registered, HelpDesk, Authorized User
Joined: 10/5/2018(UTC)
Posts: 704

Thanks: 5 times
Was thanked: 113 time(s) in 112 post(s)
Quote:
Hi, I'm back, as this isn't working entirely correct yet.

We have an item "Mother Mary's Messages". Searching on "Mary's" brings it up, when before it didn't.

We have another item "Jesus' Jewels of Joy". Search on "Jesus' Jewels" (with the apostrophe) does not find it. Searching on "Jesus Jewels" (without the apostrophe) DOES find it.

Please advise.


I am not seeing any issue with the string you mentioned. Am I missing something? Can you please reconfirm or share more details?

I created a product with the name "Jesus' Jewels of Joy".
Searched three times with the string "Jesus' Jewels".
After the third time I can see the suggested string after writing Jesus'.