March 30th, 2005, 07:24 PM   #1
Member
Verified Customer
 
Join Date: Dec 2004
Location: Osaka
Posts: 158
Zip Code Integration Bugs (and fix!)

Found a few, some relate to everyone, some just for people with letters in their zipcodes.

Firstly, the datatype for "zipcode" in the product table is int; this should be varchar.

Secondly, code changes are required, as if you had a Lat or Long < 0 (where I am is -0.XXX), the current code would assume an error! So we change it so that only EQUAL to 0 will throw a problem.

REMOVED TO NOT CONFUSE PEOPLE--OMEGATRON

That's it! I've now got classifieds running using the UK postcode system, and it works great!

Last edited by Chuck S; March 31st, 2005 at 08:33 AM.
benFF is offline   Reply With Quote
March 31st, 2005, 08:35 AM   #2
Photopost Developer
Verified Customer
 
Join Date: Jun 2002
Location: Abingdon,MD
Posts: 71,698
Our zipcode integration is coded and works fine. You may post code hacking instructions on photopostdev.com.

I have removed your examples of how to hack the files to UK so as not to confuse people and think there are bugs when there are not.

In fact, in the code you posted you removed a security thing in the query, which in your installation would allow a user to inject a malicious URL into your site.

".intval($prodzipcode)." THAT IS A SANITISER you do not remove that
__________________
Photopost Developer and Support Engineer

Please do not PM me for support or sales questions. Thank you for your understanding.
Chuck S is offline   Reply With Quote
March 31st, 2005, 09:58 AM   #3
Member
Verified Customer
 
Join Date: Dec 2004
Location: Osaka
Posts: 158
I'm sorry, but that security comment is just not correct. If you browse the source for both showcat and showproduct, you will see intval is only used the once; it is NOT used on the user's zip they input in the forum:

$query = "SELECT lon,lat FROM zipData WHERE zipcode = '$zipcode'"; (showproduct, line 505)

The datatypes also do not match up, in the zipcodes table it uses varchar, products int.

And the error on line 510 of showproduct IS an error:

Code:
Content visible to verified customers only.
So only if both values are above 0 will it be ok, well, here in the UK, my long lat position is 51.453 / -0.16 ... which automatically fails that logic (obviously -0.16 is not higher than 0 ).

The correct coding is used when doing long2 and lat2 (line 526), which makes sure they don't equal 0...

Code:
Content visible to verified customers only.
benFF is offline   Reply With Quote
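
Added example (not part of the original posts and not PhotoPost code): the zipData lookup quoted above written with a bound parameter, plus the two coordinate checks the thread contrasts, run against the UK coordinates given in the post. The zipData table and its zipcode/lon/lat columns come from the quoted query; the function names, the 'SW11' row, and the use of PDO with an in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made for illustration.

```php
<?php
// Added illustration, not PhotoPost code. Table and column names follow the
// query quoted in the thread; function names and the sample row are constructed.

function lookupCoords(PDO $db, string $zipcode): ?array
{
    // The value is bound, never concatenated into the SQL text, so it is
    // handled as data whether the code is numeric or alphanumeric.
    $stmt = $db->prepare('SELECT lon, lat FROM zipData WHERE zipcode = :zip');
    $stmt->execute([':zip' => $zipcode]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false
        ? null
        : ['lon' => (float) $row['lon'], 'lat' => (float) $row['lat']];
}

// The check the thread describes as failing: both values must be above 0.
function validIfPositive(?array $c): bool
{
    return $c !== null && $c['lon'] > 0 && $c['lat'] > 0;
}

// The check the thread describes as used later on: values must not equal 0.
function validIfNonZero(?array $c): bool
{
    return $c !== null && $c['lon'] != 0 && $c['lat'] != 0;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE zipData (zipcode VARCHAR(10) PRIMARY KEY, lon REAL, lat REAL)');
// Constructed row using the coordinates quoted in the thread (51.453 / -0.16).
$db->exec("INSERT INTO zipData VALUES ('SW11', -0.16, 51.453)");

$uk = lookupCoords($db, 'SW11');
var_dump(validIfPositive($uk));   // the negative longitude fails this check
var_dump(validIfNonZero($uk));    // the same coordinates pass this one
var_dump(intval('SW11'));         // an integer cast cannot preserve a lettered code

// Constructed input containing quote characters: it is bound as one literal
// value, so it is compared against the column as a whole and matches no row.
var_dump(lookupCoords($db, "SW11' OR '1'='1"));
```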
April 1st, 2005, 09:18 AM   #4
Photopost Developer
Verified Customer
 
Join Date: Jun 2002
Location: Abingdon,MD
Posts: 71,698
Our zipcode integration is only US supported and what is packaged with the product.

You may post all the file modifications at the hack site mentioned above.

You are the one wrong about the intval thing.

".intval($prodzipcode)." THAT IS A SANITISER you do not remove that

You don't need to sanitize a SELECT statement (that's pulling info from the database); however, you do need to sanitize or check that the INPUTTED DATA into an INSERT is sanitized to prevent malicious HTML etc. from being entered.

We do not allow users to post potential bugs on our support forum, hence why I removed your code and asked you to post this elsewhere. Please refrain from posting any more code blocks that could confuse our customers and have them alter their code insecurely.
Chuck S is offline   Reply With Quote
April 1st, 2005, 10:34 AM   #5
Member
Verified Customer
 
Join Date: Dec 2004
Location: Osaka
Posts: 158
I don't want to get in a fight with you and I am sorry if I am coming across as such; however, the .intval(etc) IS a select statement (showproduct line 521). I have not modified any insert statements.

What is the point of a bug forum though, if you don't allow users to post bugs?

The >0 problem is also addressed in all the other coding parts by Michael himself (he uses != 0 later on), so it would seem that is a bug. Likewise with the datatype mismatch (why have one as varchar and one as int...).
benFF is offline   Reply With Quote
April 18th, 2006, 06:42 PM   #6
Member
Verified Customer
 
Join Date: Feb 2006
Posts: 87
photopostdev is just some dude's site. There is nothing there??? Confused!
alfaowner is offline   Reply With Quote