If you customize the ProductCart source code or add new files to your Web store, take advantage of the functions that ProductCart already provides to sanitize strings before you use them in your code, and especially before you use them in any MS SQL query.
The file stringFunctions.asp in the includes folder contains two very important functions.
Use the getUserInput function to sanitize a string when you request it. The function was recently updated to further protect against possible SQL injection attacks. See the May 2008 Security Alert for more information and to download the latest version of the file. Here is a simple example of how it can be used:
Dim idCategory
idCategory = getUserInput(Request("id"),5)
The number 5 indicates that the string will be truncated after its first 5 characters. Here, for instance, it is hard to imagine that a store will have more than 10,000 categories, so you can request the first five characters and stop there. If you are requesting a large string of data, use 0 to allow an unlimited number of characters.
Use the validNum function to ensure that the string is an integer. This is particularly useful to validate a category, product, or customer ID before using those values in any database query. The syntax is as follows:
if not validNum(idCategory) then idCategory=1 end if
Here we check that the category ID is indeed an integer. If not, we assign it the value 1. Or you could redirect to another page or a special message.
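The following is an added worked example written for this page, not code taken from ProductCart: it assumes stringFunctions.asp is included from the includes folder and uses getUserInput and validNum exactly as described above, then hands the validated values to SQL Server through ADODB parameters instead of concatenating them into the query text. The connection string and the table and column names are placeholders.

```vbscript
<!--#include file="includes/stringFunctions.asp"-->
<%
' Example only (not ProductCart code). Assumes getUserInput and validNum
' come from the included stringFunctions.asp.
Dim idCategory, searchTerm, conn, cmd, rs

' Keep at most 5 characters of the category ID, then confirm it is an integer
idCategory = getUserInput(Request("id"), 5)
If Not validNum(idCategory) Then
    ' Invalid or missing ID: fall back to a default category
    idCategory = 1
End If

' A free-text field: 0 means no truncation, but the string is still sanitized
searchTerm = getUserInput(Request("q"), 0)

' Placeholder connection string; replace with your store's own settings
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=(placeholder);Initial Catalog=(placeholder);Integrated Security=SSPI;"

' Even after validation, bind the values as parameters rather than
' building the SQL string by concatenation. ADO constants are written
' as numbers so adovbs.inc is not required.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT idProduct, description FROM products " & _
                  "WHERE idCategory = ? AND description LIKE ?"
cmd.CommandType = 1  ' adCmdText
' adInteger = 3, adParamInput = 1
cmd.Parameters.Append cmd.CreateParameter("idCategory", 3, 1, , CLng(idCategory))
' adVarChar = 200, with an explicit maximum length
cmd.Parameters.Append cmd.CreateParameter("q", 200, 1, 255, "%" & searchTerm & "%")

Set rs = cmd.Execute
Do While Not rs.EOF
    ' Encode on output as well, so stored data cannot inject HTML
    Response.Write Server.HTMLEncode(rs("description")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```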
In ProductCart version 2.x, the getUserInput function did not contain enough validation, and the validNum function did not exist in the file stringFunctions.asp. See the May 2008 Security Alert to download an updated version of the file. You can then use the functions mentioned above to better sanitize and validate strings in ProductCart. This might be helpful for ProductCart stores that cannot update to later versions of the software due to extensive customizations.