
My question is, what can be done to prevent malicious search phrases in mysql databases?

Search terms spamming example: guayabera en españa//?option=com_product//catalog/seo_sitemap/account//index2.php?option=c

I'm thinking of doing this in PHP by preventing a query with the ? character. Or perhaps to simply block IP addresses from using the search function. Is there a better way?

Wesley
Luis
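An added example, not code from the question or from Magento, showing the alternative to blocking the `?` character: bind the search phrase as data with a prepared statement and escape it on output. The table and column names, the length limit and the sample rows are assumptions constructed for this example; the spam phrase is the one from the question.

```php
<?php
// Added example (not the question's or Magento's code): the search phrase is bound
// as data via a PDO prepared statement, so '?', '/' or quotes inside it cannot
// alter the SQL, and it is escaped before being echoed back so it cannot become
// XSS. Uses an in-memory SQLite database with constructed rows so it runs offline;
// table name, column name and length limit are assumptions.
declare(strict_types=1);

const MAX_TERM_LENGTH = 128; // assumption: upper bound for a search phrase

function normalizeSearchTerm(string $raw): string
{
    // Drop control characters and collapse whitespace. Do NOT strip '?' or '/':
    // they are legitimate in product searches and harmless once bound as data.
    $term = preg_replace('/[\x00-\x1F\x7F]+/u', ' ', $raw) ?? '';
    $term = trim(preg_replace('/\s+/u', ' ', $term) ?? '');
    return mb_substr($term, 0, MAX_TERM_LENGTH);
}

function searchProducts(PDO $db, string $term): array
{
    // The placeholder belongs to the SQL text; the phrase is bound separately and
    // never parsed as SQL, however many '?' characters it contains.
    $sql  = "SELECT name FROM products WHERE name LIKE :pattern ESCAPE '\\' ORDER BY name";
    $stmt = $db->prepare($sql);
    $pattern = '%' . addcslashes($term, '%_\\') . '%'; // escape LIKE wildcards only
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE products (name TEXT)');
$insert = $db->prepare('INSERT INTO products (name) VALUES (?)');
foreach (['Guayabera blanca', 'Camisa de lino', 'Guayabera en España'] as $name) {
    $insert->execute([$name]);
}

// The spam phrase from the question, exactly as submitted.
$spam = 'guayabera en españa//?option=com_product//catalog/seo_sitemap/account//index2.php?option=c';
$term = normalizeSearchTerm($spam);
$results = searchProducts($db, $term); // no match, no error, SQL unchanged
printf("%d result(s) for %s\n", count($results),
    htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));

// An ordinary phrase goes through the same path.
print_r(searchProducts($db, 'Guayabera'));
```

The phrase is stored and matched as a literal string, so the remaining concern is spam volume in search logs, which rate limiting or a WAF addresses rather than character blacklists.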

2 Answers


Magento already has a lot of code to protect you against this. The best way to protect yourself is to keep on a current version and build of Magento. (As flaws are found, Magento fixes them.)

The biggest danger is to leave old versions of Magento (or any other app) up for years at a time. Flaws are found in them all, and the only way to stay relatively safe is to stay up to date.

Jonesome Reinstate Monica
  • good to know what code I need, my version is 1.5.0.1 – Luis Jun 16 '12 at 14:02
    That's fairly shocking advice. Magento is a complex application and bugs are continually being found that backdate to earlier versions (even as far as 1.1). It would be very foolhardy to think that you are suitably protected just by the core-code alone. – Ben Lessani Jul 18 '12 at 17:33

Magento has some support for injection attacks and XSS, but it has been compromised in several releases in the past, so do not rely on it having sufficient stand-alone protection.

Consider adding a web application firewall (naxsi) to your server, in conjunction with an IPS/IDS firewall - that would add extra protection for you and your customers.

Speak to your host, any specialised Magento host will have provisions for this in place, and if not, change host.

Ben Lessani