
Properly sanitizing strings in ProductCart


If you customize the ProductCart source code or add new files to your Web store, make use of the functions that ProductCart already provides for sanitizing strings. Use them before a string reaches any other part of your code, and especially before it reaches an MS SQL query.


The file stringFunctions.asp in the includes folder contains two very important functions.


Use the getUserInput function to sanitize a string when you request it. The function was recently updated to further protect against possible SQL injection attacks. See the May 2008 Security Alert for more information and to download the latest version of the file. Here is a simple example of how it can be used:

Dim idCategory
' read the "id" request parameter and keep at most 5 characters
idCategory = getUserInput(Request("id"),5)

The number 5 indicates that the string will be truncated after the first 5 characters. Here, for instance, it's hard to imagine that a store will have more than 10,000 categories, so you can request the first five characters and stop there. If you are requesting a large string of data, use 0 to allow an unlimited number of characters.


Use the validNum function to ensure that the string is an integer. This is particularly useful to validate a category, product, or customer ID before using those values in any database query. The syntax is as follows:

if not validNum(idCategory) then
    ' not an integer: fall back to category 1
    idCategory = 1
end if

Here we check that the category ID is indeed an integer. If not, we assign it the value 1. Or you could redirect to another page or a special message.
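The two steps above, put together in one page fragment. This is an added example and not code from the ProductCart source: it assumes that includes/stringFunctions.asp has already been included so that getUserInput and validNum are available, that a connection string variable named connStr exists, and that a table named categories with columns idCategory and categoryName exists (all three are assumptions for illustration). It also goes one step beyond the text by binding the validated ID as an ADO parameter instead of concatenating it into the query text, so the SQL statement never contains user-supplied characters at all.

```vbscript
<%
' Added example, not ProductCart's own code.
' Assumes getUserInput and validNum from includes/stringFunctions.asp are
' already included, and that connStr holds a valid connection string (assumption).
Dim idCategory, cmd, rs

' Step 1: read the "id" parameter and keep at most 5 characters
idCategory = getUserInput(Request("id"), 5)

' Step 2: make sure it is an integer; otherwise fall back to category 1
If Not validNum(idCategory) Then
    idCategory = 1
End If

' Step 3: even though the value is validated, bind it as a parameter.
' Table and column names are assumptions for this example.
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = connStr
cmd.CommandText = "SELECT idCategory, categoryName FROM categories WHERE idCategory = ?"
cmd.CommandType = 1   ' adCmdText
' 3 = adInteger, 1 = adParamInput; size is ignored for integer parameters
cmd.Parameters.Append cmd.CreateParameter("@id", 3, 1, , CLng(idCategory))

Set rs = cmd.Execute()
If Not rs.EOF Then
    ' encode on output as well, so stored data cannot inject HTML into the page
    Response.Write Server.HTMLEncode(rs("categoryName"))
End If
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

The truncation and integer check limit what an attacker can pass in; the parameterized command means that even if either check were bypassed the value would still be sent to MS SQL as data, not as part of the statement.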
