We have recently had cases where people are putting in characters like ’ in the text fields and this goes on to break custom pages and module on the CRM. (there is a huge amount of customisation on this install)
It breaks it mainly by disrupting sql statements. It would be huge amounts of work looking for every SQL statement and modifying it for these potential errors
Is there anything in Suitecrm that will stop users putting in certain characters in to the text fields? If not does any one know such a feature on MariaDB 10 that will just remove these characters?
If you have an example of such a field that breaks SQL queries due to ' characters, and it happens in the live demo (or any other clean installation without custom code), you should report it as a security issue via private email.
Do you know if there is away to do something globally, or once per a php file. This system has about 50 custom entry points and hundreds of MySQL statements being built.
Hi, sorry for the delay replying. There is no way to do stuff globally because you always need to sanitize user input (or publicly manipulable data such as URL parts), but that cleansing is different depending on the how that data will be used. In this case you’re using input to generate SQL statements, you need to quote that for DB purposes (different than for echoing as HTML to the browser, or JS).
You need this kind of thing for each unsanitized input that goes into a query:
$file_type = $db->quote($file_type);
It’s not that hard. Of course it might be boring if you’re too far behind in applying this sort of thing to your custom code, but it really is a basic best-practice, it is minimal security… it really doesn’t look good if you skip this sort of care. and your queries will easily break.