Error adding coupons that use apostrophes


  • dave81
     5 months ago
    0

    PHP: 5.4.45
    MySQL: 5.5.32
    Joomla: 3.5.1
    VirtueMart: 3.0.16
    AWO Coupon: 2.4.8

    When creating a new coupon I get "The page you are trying to access is restricted due to a security rule".
    Everything seems to be because of having apostrophes in the Coupon Name, Assets (Category/product/Manufacturer), or Customers.

    It seems like it's not sanitizing the MySQL inputs.

    Is there something that I can modify in the code to make it work for now until this can be fixed?
  • seyi
     5 months ago
    0

    Hello,

    Yes that can be fixed:
    www/administrator/components/com_awocoupon/models/coupon.php, line 284:

    <?php
    $sql = 'SELECT id FROM #__awocoupon WHERE estore="'.AWOCOUPON_ESTORE.'" AND coupon_code = \''.$row->coupon_code.'\'';
    ?>


    changed to
    <?php
    $sql = 'SELECT id FROM #__awocoupon WHERE estore="'.AWOCOUPON_ESTORE.'" AND coupon_code = \''.awolibrary::dbEscape($row->coupon_code).'\'';
    ?>

    and line 292
    <?php
    $sql = 'SELECT id FROM #__awocoupon WHERE estore="'.AWOCOUPON_ESTORE.'" AND coupon_code = \''.$row->coupon_code.'\' AND id NOT IN ('.$row->id.')';
    ?>


    changed to
    <?php
    $sql = 'SELECT id FROM #__awocoupon WHERE estore="'.AWOCOUPON_ESTORE.'" AND coupon_code = \''.awolibrary::dbEscape($row->coupon_code).'\' AND id NOT IN ('.$row->id.')';
    ?>

    That will fix the problem in the backend. In the front end, if using VirtueMart, the coupon would still not work, as VirtueMart changes the character to its HTML equivalent.

    So this code:
    code'with'apos

    Would be changed to
    code'with'apos
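The two points in the answer above, the query breaking on an apostrophe and the storefront submitting an HTML-encoded code, worked through in a stand-alone script. This is an added example, not AWO Coupon's or VirtueMart's own code: it uses an in-memory SQLite database through PDO, the table name and the `virtuemart` store value are constructed stand-ins for `#__awocoupon` and `AWOCOUPON_ESTORE`, `PDO::quote` stands in for `awolibrary::dbEscape`, and the `html_entity_decode` normalization at the end is an assumed workaround rather than anything the extension does.

```php
<?php
// Added example, not part of the AWO Coupon extension. Demonstrates why a coupon
// code containing an apostrophe breaks a concatenated query, and shows two safe
// alternatives plus the HTML-entity mismatch mentioned for the storefront.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed stand-in for the #__awocoupon table.
$pdo->exec('CREATE TABLE awocoupon (id INTEGER PRIMARY KEY, estore TEXT, coupon_code TEXT)');
$pdo->exec("INSERT INTO awocoupon (estore, coupon_code) VALUES ('virtuemart', 'code''with''apos')");

$estore     = 'virtuemart';      // stands in for AWOCOUPON_ESTORE
$couponCode = "code'with'apos";  // constructed sample input containing apostrophes

// 1. The original pattern: raw concatenation. The apostrophe ends the string
//    literal early, so the SQL is malformed and the database rejects it; any
//    user-controlled value would likewise change the query text.
$unsafe = 'SELECT id FROM awocoupon WHERE estore="' . $estore
        . '" AND coupon_code = \'' . $couponCode . '\'';
try {
    $pdo->query($unsafe);
    echo "unexpected: unsafe query ran\n";
} catch (PDOException $e) {
    echo "unsafe query rejected: " . $e->getMessage() . "\n";
}

// 2. Escaping the value, as the fix in the answer does. PDO::quote is assumed to
//    play the role of awolibrary::dbEscape here (it also adds the surrounding quotes).
$escaped = 'SELECT id FROM awocoupon WHERE estore=' . $pdo->quote($estore)
         . ' AND coupon_code = ' . $pdo->quote($couponCode);
$id = $pdo->query($escaped)->fetchColumn();
echo "escaped lookup found id: " . var_export($id, true) . "\n";

// 3. A prepared statement: the value never becomes part of the SQL text at all,
//    so no per-call escaping is needed.
$stmt = $pdo->prepare('SELECT id FROM awocoupon WHERE estore = :estore AND coupon_code = :code');
$stmt->execute([':estore' => $estore, ':code' => $couponCode]);
echo "prepared lookup found id: " . var_export($stmt->fetchColumn(), true) . "\n";

// 4. The front-end problem: if the storefront submits the code with each
//    apostrophe replaced by its HTML entity, a direct comparison no longer matches.
$fromStorefront = htmlspecialchars("code'with'apos", ENT_QUOTES); // apostrophes become entities
$stmt->execute([':estore' => $estore, ':code' => $fromStorefront]);
echo "encoded code matches stored code: "
   . var_export($stmt->fetchColumn() !== false, true) . "\n";

//    Assumed workaround (not the extension's behaviour): decode entities before
//    the lookup so the stored value and the submitted value agree again.
$normalized = html_entity_decode($fromStorefront, ENT_QUOTES);
$stmt->execute([':estore' => $estore, ':code' => $normalized]);
echo "decoded code matches stored code: "
   . var_export($stmt->fetchColumn() !== false, true) . "\n";
```

Run it with `php` from the command line (the `pdo_sqlite` extension must be loaded). Step 2 reproduces the answer's fix; step 3 is the option to prefer when touching the model anyway, since bound parameters remove the escaping step that the two reported lines forgot.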