Apostrophes in Customer Defined Attributes

Many merchants will use Customer Defined Attributes to allow their customers to personalize a product. One of our clients a few years ago specialized in short-run custom note and greeting cards. We had already implemented her site with StoreFront, so we were “stuck” when we began to implement some Customer Defined Attributes for personalizing her products. At the time, the personalized product was a novelty for the client and not a staple of their business, so when we couldn’t immediately identify a way to retain the apostrophes in the Customer Defined Attributes, we just abandoned the idea.

Recently another client brought this issue back to the forefront for us. For them, it was a business-critical issue. All of their products are personalized and the overhead of calling clients to double check if the personalized text should have an apostrophe or not was becoming a burden. So we took another, deeper look at the StoreFront source-code to see what we could find.

Most pages and controls in the StoreFront architecture inherit from CWebPage. This base class has a method named MakeSafe() whose purpose is to strip out any invalid content from form fields and the query string. The most prevalent reason to do this is to avoid a SQL Injection attack on your website. StoreFront’s method of preventing this is simply to search for and delete any apostrophes it finds in the query string or text fields. This is a simple and valid approach, but it doesn’t take into consideration the possibility that the merchant may need to see and store the apostrophe in the database.

After taking a close look at the processing that occurs within this method, we were able to add a very minor modification to the code that continues to strip apostrophes everywhere except when the field is a descendant of the custom attributes control. In that case the apostrophe is left in place, and because the database insert is handled within a dataset (the value is passed as a parameter rather than concatenated into SQL text), we have no concerns of exposure to a SQL Injection attack.
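The distinction that makes this modification safe, shown as an added, language-neutral illustration (Python with an in-memory SQLite table, not StoreFront’s .NET code): a MakeSafe()-style strip of every apostrophe, a concatenated insert that an apostrophe breaks, and a parameterized insert that stores the apostrophe verbatim because the value never becomes part of the SQL statement. The table name, the `make_safe` helper and the sample personalization text are constructed for this example.

```python
import sqlite3


def make_safe(value: str) -> str:
    """Mimics MakeSafe() as described above: delete every apostrophe."""
    return value.replace("'", "")


def new_store() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the custom-attributes data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE custom_attrs (id INTEGER PRIMARY KEY, value TEXT)")
    return conn


def insert_concatenated(conn: sqlite3.Connection, value: str) -> None:
    """The pattern a blanket apostrophe strip guards against: the value is spliced
    into SQL text, so an apostrophe terminates the literal and the statement breaks."""
    conn.execute("INSERT INTO custom_attrs (value) VALUES ('" + value + "')")


def insert_parameterized(conn: sqlite3.Connection, value: str) -> None:
    """What a dataset/parameterized insert does: the value travels as data, never as
    SQL, so apostrophes are stored verbatim and cannot alter the statement."""
    conn.execute("INSERT INTO custom_attrs (value) VALUES (?)", (value,))


def stored_values(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT value FROM custom_attrs ORDER BY id")]


def demo() -> dict:
    personalized = "Happy Birthday, O'Brien"  # constructed sample input
    conn = new_store()
    # Old behaviour: the text survives concatenation only because the apostrophe is gone.
    insert_concatenated(conn, make_safe(personalized))
    # The raw text through concatenation: the apostrophe breaks the SQL.
    try:
        insert_concatenated(conn, personalized)
        concat_failed = False
    except sqlite3.OperationalError:
        concat_failed = True
    # Parameterized path: apostrophe kept, statement unaffected.
    insert_parameterized(conn, personalized)
    return {"stored": stored_values(conn), "concat_failed": concat_failed}


if __name__ == "__main__":
    print(demo())
```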

If you have any questions about how to implement this modification on your StoreFront site or are in need of any StoreFront modifications or consulting, please contact us at sales@hortocam.com or call 913-220-2204.
