Affected versions
J2Store 2.5. to 2.8.3
Corrective Action
We have released a new version - J2Store 2.8.4 - which fixes the issue. Please update to the latest version.
If you have customised J2Store and are not able to update it, you can apply the following fix manually.
Open /administrator/components/com_j2store/controllers/geozone.php
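Around line 58, you will find the following code. Note that the country id taken from the request is appended to the SQL WHERE clause without being validated: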
/**
 * Pre-fix version of getZone(), shown as it appears in the affected releases.
 *
 * Reads country_id, zone_id, field_name and field_id from the posted jform
 * array (falling back to top-level request input), loads the zones of that
 * country and echoes them as a <select> element, then closes the application.
 *
 * NOTE(review): none of the jform values are validated here. country_id is
 * concatenated into the SQL WHERE clause, and field_name / field_id are passed
 * to the select-list helper as the element's name and id.
 */
function getZone()
{
$app=JFactory::getApplication();
$data = $app->input->post->get('jform',array(),'array');
// NOTE(review): the jform value is used as-is; only the fallback goes through getInt().
$country_id =isset($data['country_id'])?$data['country_id']:$app->input->getInt('country_id', '0');
//$country_id = isset($data['country_id'])?$data['country_id']:0;
$zone_id = isset($data['zone_id'])?$data['zone_id']:$app->input->getInt('zone_id');
// NOTE(review): field_name and field_id are request-controlled strings with no character restriction.
$z_fname =isset($data['field_name'])?$data['field_name']:$app->input->getString('field_name');
$z_id = isset($data['field_id'])?$data['field_id']:$app->input->getString('field_id');
/*$z_fname=$data['field_name'];
$z_id=$data['field_id'];*/
// based on the country id, get zones and generate a select box
if(!empty($country_id))
{
$db = JFactory::getDBO();
$query = $db->getQuery(true);
$query->select('zone_id,zone_name');
$query->from('#__j2store_zones');
// NOTE(review): unvalidated request input becomes part of the SQL text on this line;
// this is the statement the advisory's fix protects.
$query->where('country_id='.$country_id);
$db->setQuery((string)$query);
$zoneList = $db->loadObjectList();
$options = array();
// first entry is the "all zones" choice with value 0
$options[] = JHtml::_('select.option', 0,JTEXT::_('J2STORE_ALL_ZONES'));
if ($zoneList)
{
foreach($zoneList as $zone)
{
// build one option entry per zone returned by the query
$options[] = JHtml::_('select.option', $zone->zone_id,$zone->zone_name);
}
}
// render the select list and echo it as the response body
//$z_fname='jform[state_id]';
// $z_fname is passed as the element name, $zone_id as the selected value and $z_id as the element id.
// NOTE(review): whether the helper escapes the name/id attributes is not visible here — confirm.
$zoneList = JHtml::_('select.genericlist', $options, $z_fname, '', 'value', 'text',$zone_id,$z_id);
echo $zoneList;
}
$app->close();
}
Replace the above with the following (the updated getZone() plus a new validate_string() helper):
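/**
 * Echoes a <select> element listing the zones of a country, then closes the application.
 *
 * country_id, zone_id, field_name and field_id are read from the posted jform
 * array, falling back to top-level request input. All four are controlled by
 * the client, so each one is validated before it is used; invalid input closes
 * the application without producing any output.
 *
 * @return void
 */
function getZone()
{
    $app  = JFactory::getApplication();
    $data = $app->input->post->get('jform', array(), 'array');

    $country_id = isset($data['country_id']) ? $data['country_id'] : $app->input->getInt('country_id', '0');
    // Accept decimal digits only. is_numeric() would also let floats, exponent
    // notation and (on PHP 5) hexadecimal strings through to the SQL text.
    if (!is_scalar($country_id) || !ctype_digit((string) $country_id)) {
        // error the country id is not supplied properly
        $app->close();
    }
    $country_id = (int) $country_id;

    $zone_id = isset($data['zone_id']) ? $data['zone_id'] : $app->input->getInt('zone_id');
    if (!empty($zone_id)) {
        if (!is_scalar($zone_id) || !ctype_digit((string) $zone_id)) {
            // error the zone id is not supplied properly
            $app->close();
        }
        $zone_id = (int) $zone_id;
    }

    $z_fname = isset($data['field_name']) ? $data['field_name'] : $app->input->getString('field_name');
    $z_id    = isset($data['field_id']) ? $data['field_id'] : $app->input->getString('field_id');

    // Validate before encoding, so a non-string value (e.g. an array posted as
    // jform[field_id][]) is rejected instead of being handed to htmlspecialchars().
    if (!empty($z_fname)) {
        if (!$this->validate_string($z_fname)) {
            // invalid field name passed
            $app->close();
        }
        $z_fname = htmlspecialchars($z_fname, ENT_QUOTES, 'UTF-8');
    }
    if (!empty($z_id)) {
        if (!$this->validate_string($z_id)) {
            // invalid field id passed
            $app->close();
        }
        $z_id = htmlspecialchars($z_id, ENT_QUOTES, 'UTF-8');
    }

    // based on the country id, get zones and generate a select box
    if (!empty($country_id)) {
        $db    = JFactory::getDBO();
        $query = $db->getQuery(true);
        $query->select('zone_id,zone_name');
        $query->from('#__j2store_zones');
        // Cast again at the point of use so the value in the SQL text is always
        // an integer, even if the validation above is later edited or removed.
        $query->where('country_id=' . (int) $country_id);
        $db->setQuery((string) $query);
        $zoneList = $db->loadObjectList();

        $options   = array();
        $options[] = JHtml::_('select.option', 0, JTEXT::_('J2STORE_ALL_ZONES'));
        if ($zoneList) {
            foreach ($zoneList as $zone) {
                // one option entry per zone returned by the query
                $options[] = JHtml::_('select.option', $zone->zone_id, $zone->zone_name);
            }
        }

        // now we must generate the select list and echo
        $zoneList = JHtml::_('select.genericlist', $options, $z_fname, '', 'value', 'text', $zone_id, $z_id);
        echo $zoneList;
    }

    $app->close();
}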
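/**
 * Checks that a value contains nothing but alphanumeric characters, "-" and "_".
 *
 * Used to restrict the request-supplied field name and field id before they are
 * placed into the generated <select> element. The value must contain at least
 * one alphanumeric character: an empty string, or one made up only of "-" and
 * "_", is rejected.
 *
 * @param mixed $str Value to check; non-scalar values (arrays, objects, null) are rejected.
 *
 * @return bool TRUE when the value passes the check, FALSE otherwise.
 */
function validate_string($str)
{
    // Arrays and objects can arrive from request data; never treat them as valid.
    if (!is_scalar($str)) {
        return false;
    }

    // Strip the two permitted punctuation characters, then require that
    // everything left is alphanumeric (as defined by ctype_alnum()).
    $remainder = str_replace(array('-', '_'), '', (string) $str);

    return ctype_alnum($remainder);
}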
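Save the file. With this fix in place, only numeric values are accepted as the country id and zone id, and the field name and field id may contain only letters, digits, hyphens and underscores.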