Smarty Forum Index Smarty
WARNING: All discussion is moving to https://reddit.com/r/smarty, please go there! This forum will be closing soon.

PCI scan causing ERRNO: 2 TEXT: htmlspecialchars()

 
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Smarty Forum Index -> General
View previous topic :: View next topic  
Author Message
drgl
Smarty Rookie


Joined: 06 Oct 2017
Posts: 26

PostPosted: Thu Apr 16, 2020 3:51 pm    Post subject: PCI scan causing ERRNO: 2 TEXT: htmlspecialchars() Reply with quote

Hi, Not sure how to debug this. I have the following error that is ONLY happening when our site has a PCI scan running : -


Quote:
ERRNO: 2
TEXT: htmlspecialchars() expects parameter 1 to be string, array given
LOCATION: /home/bttorj45/public_html/smarty_templates_c/dbbe565f1731d4158472b66b75c85442498e81b9_0.file.top_menu_bar.tpl.php, line 42, at April 11, 2020, 5:05 pm
Showing backtrace:
htmlspecialchars(Array[1], "3", "UTF-8", true) # line 42, file: /home/siteaddress/public_html/smarty_templates_c/dbbe565f1731d4158472b66b75c85442498e81b9_0.file.top_menu_bar.tpl.php
content_5e83087341d089_14126332(Object:Smarty_Internal_Template) # line 123, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_resource_base.php
Smarty_Template_Resource_Base.getRenderedTemplateCode(Object:Smarty_Internal_Template) # line 114, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_compiled.php
Smarty_Template_Compiled.render(Object:Smarty_Internal_Template) # line 216, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_template.php
Smarty_Internal_Template.render() # line 385, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_template.php
Smarty_Internal_Template._subTemplateRender("file:page_elements/top_menu_bar.tpl", null, null, "0", "120", Array[0], "0", false) # line 56, file: /home/siteaddress/public_html/smarty_templates_c/0e4c1495f7a25cef1d85553f951690964f702a5a_0.file.error404.tpl.php
content_5e4ffba4a49c66_36622821(Object:Smarty_Internal_Template) # line 123, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_resource_base.php
Smarty_Template_Resource_Base.getRenderedTemplateCode(Object:Smarty_Internal_Template) # line 114, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_compiled.php
Smarty_Template_Compiled.render(Object:Smarty_Internal_Template) # line 216, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_template.php
Smarty_Internal_Template.render(false, "1") # line 232, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_templatebase.php
Smarty_Internal_TemplateBase._execute(Object:Smarty_Internal_Template, null, null, null, "1") # line 134, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_templatebase.php
Smarty_Internal_TemplateBase.display("pages/error404.tpl") # line 65, file: /home/siteaddress/public_html/errors/404.php
include("/home/siteaddress/public_html/errors/404.php") # line 34, file: /home/siteaddress/public_html/smarty_plugins/function.load_product.php
Product.init("api") # line 5, file: /home/siteaddress/public_html/smarty_plugins/function.load_product.php
smarty_function_load_product(Array[2], Object:Smarty_Internal_Template) # line 39, file: /home/siteaddress/public_html/smarty_templates_c/53725e8a2fc4b6c7c0c42e801dab2741a0994a8e_0.file.product.tpl.php
content_5e579e9761f086_59385269(Object:Smarty_Internal_Template) # line 123, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_resource_base.php
Smarty_Template_Resource_Base.getRenderedTemplateCode(Object:Smarty_Internal_Template) # line 114, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_compiled.php
Smarty_Template_Compiled.render(Object:Smarty_Internal_Template) # line 216, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_template.php
Smarty_Internal_Template.render(false, "1") # line 232, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_templatebase.php
Smarty_Internal_TemplateBase._execute(Object:Smarty_Internal_Template, null, null, null, "1") # line 134, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_templatebase.php
Smarty_Internal_TemplateBase.display("pages/product.tpl") # line 85, file: /home/siteaddress/public_html/dirs.php


I ***think*** the scan must be inputting something in the search box to cause this (I'm awaiting any info from Security Metrics with regard to this).

Code:
{load_chat assign="chat"}

{if $chat->mChat}
<script type="text/javascript" id="763333b0f312f025d780a8f4451bf6f3" src="https://www.siteaddress.com/online-support/script.php?id=763333b0f312f025d780a8f4451bf6f3"></script>
{/if}
{if !$chat->mChat && $settings->mSettings[13]}
<script type="text/javascript" id="aaa07817d7cd2a7dce9e0ffac6286dbb" src="https://www.siteaddress.com/online-support/script.php?id=aaa07817d7cd2a7dce9e0ffac6286dbb"></script>
{/if}

<div id="menu_switch"><i class="fa fa-bars fa toggler"></i></div>
<form id="product_search" method="get" action="{$smarty.const.SITE_ROOT}/searchresults/">
    <input type="text" name="search" placeholder="&#xf002; Product Search" style="font-family: FontAwesome, Arial; font-style: normal; font-size:18px;" {if isset($smarty.request.search) && $settings->mSettings[107]}value="{$smarty.request.search|escape:'htmlall'}"{/if} /><button type="submit" class="button"><i class="fa fa-search" aria-hidden="true"></i> <i class="fa fa-caret-right" aria-hidden="true"></i></button>
</form>
<form id="code_search" method="post" action="{$smarty.const.SITE_ROOT}/cart/quickadd.php">
    <input type="text" name="code" maxlength="14" placeholder="&#xf061; Product Code" style="font-family: FontAwesome, Arial; font-style: normal; font-size:18px;" /><button type="submit" name="submit" class="orange"><i class="fa fa-shopping-cart" aria-hidden="true"></i> Quick Add <i class="fa fa-caret-right" aria-hidden="true"></i></button>
</form>
{if !isset($hidecart) && isset($cartsmall) && $cartsmall->mCart.sub > 0}
    <p id="view_cart"><a class="button orange" href="{$smarty.const.SITE_ROOT}/cart/"><span class="hidden-xs hidden-sm"><i class="fa fa-shopping-cart" aria-hidden="true"></i> View Cart &nbsp;</span>&pound;{$cartsmall->mCart.sub} <i class="fa fa-caret-right" aria-hidden="true"></i></a></p>
{/if}
<script>
$('.toggler').click(function() {
$(this).toggleClass("fa-bars fa-times");
});
</script>


Any idea's on how I can debug this? If more info is required (as the error references a few files) please reply!
Back to top
View user's profile Send private message
AnrDaemon
Administrator


Joined: 03 Dec 2012
Posts: 1785

PostPosted: Fri Apr 17, 2020 6:58 pm    Post subject: Reply with quote

Quote:
Code:
$smarty.request.search

Don't do that without any validation whatsoever.
It is NEVER guaranteed that all request parameters are strings.
Overall, don't use Smarty as your programming language. You programming language is PHP, Smarty should control presentation logic ONLY.
Back to top
View user's profile Send private message
drgl
Smarty Rookie


Joined: 06 Oct 2017
Posts: 26

PostPosted: Mon Apr 20, 2020 8:50 am    Post subject: Reply with quote

I thought the PHP was dealing with the programming? ie, this is function.load_search.php :-

Code:
<?php
      
   function smarty_function_load_search($params, $smarty) {
      $search = new Search();
      $search->init();
      $smarty->assign($params['assign'], $search);
   }
   
   class Search {
      
      // public fields
      public $mSearchString;
        public $mSearchArray;
        public $mProducts;
        public $mProductCount;
      
      // private fields
        private $mDoSettings;
      private $mDoCatalogue;
      
      function __construct() {
            require_once FILE_ROOT . '/data_objects/do_settings.php';
            $this->mDoSettings = new DoSettings();
         require_once FILE_ROOT . '/data_objects/do_catalogue.php';
         $this->mDoCatalogue = new DoCatalogue();
           
            if (isset($_REQUEST['search']) && strlen(trim($_REQUEST['search']))>0 ) {
                $this->mSearchString = trim(stripslashes($_REQUEST['search']));
                $this->mSearchArray = explode(" ", $this->mSearchString);
            
            } else {
                header ("Location: /emptysearch/");
            die ();
            }
      }
      
      public function init() {
            $this->mProducts = $this->mDoCatalogue->SearchProducts($this->mSearchArray);
            $this->mProductCount = count($this->mProducts);
            for ($i = 0; $i < count($this->mProducts); $i++) {
                $this->mProducts[$i]['price_inc'] = number_format($this->mProducts[$i]['price'] * (($this->mDoSettings->GetSetting(1) / 100) + 1), 2, ".", ",");
            }
      }
      
   }
   
?>


do_catalogue.php :-

Code:
public function SearchProducts($search) {
         $fields = array("code", "title", "keywords");
            $query_string = "SELECT p.code, p.title, p.cattext, p.price, p.img, p.url, p.available, p.due, p.special, p.newproduct, p.discontinued, c.name, c.menulinktext FROM " . $this->mProductTable . " p " .
                "JOIN categories c ON p.category = c.id " .
                "WHERE ((";
            for ($f = 0; $f < count($fields); $f++) {
                if ($f != 0) { $query_string .= ") OR ("; }
                for ($s = 0; $s < count($search); $s++) {
                    if ($s != 0) { $query_string .= " AND "; }
                    $query_string .= "p." . $fields[$f] . " LIKE '%" . $this->mDoQuery->dbManager->DbEscape($search[$s]) . "%'";
                }
            }
         $query_string .= ")) AND active=1 AND live=1 " .
                "ORDER BY p.rating ASC";
            return $this->mDoQuery->dbManager->DbGetAll($query_string);
        }
Back to top
View user's profile Send private message
AnrDaemon
Administrator


Joined: 03 Dec 2012
Posts: 1785

PostPosted: Mon Apr 20, 2020 2:54 pm    Post subject: Reply with quote

And how these are related to your original question? They AREN'T EVEN USED where the error happens.
Back to top
View user's profile Send private message
drgl
Smarty Rookie


Joined: 06 Oct 2017
Posts: 26

PostPosted: Tue Apr 21, 2020 8:10 am    Post subject: Reply with quote

The problem appears to be from {$smarty.request.search|escape:'htmlall'} which function.load_search.php is used for. If you aren't gong to help just say it, I'll ask elsewhere.
Back to top
View user's profile Send private message
AnrDaemon
Administrator


Joined: 03 Dec 2012
Posts: 1785

PostPosted: Mon Apr 27, 2020 3:12 pm    Post subject: Reply with quote

I'm not going to write code for you for free. I already outlined your issue. If you did not understand my answer, I suggest you go back to reading documentation.
Back to top
View user's profile Send private message
drgl
Smarty Rookie


Joined: 06 Oct 2017
Posts: 26

PostPosted: Mon Apr 27, 2020 3:39 pm    Post subject: Reply with quote

Thankfully other people are a LOT more helpful than you! Fixed and won't be coming back here ever again. Kindly delete my account and ALL associated data.
Back to top
View user's profile Send private message
Display posts from previous:   
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Smarty Forum Index -> General All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group
Protected by Anti-Spam ACP