[ic] SQL Injection?

Jon Jensen jon at endpoint.com
Fri Sep 19 16:36:20 UTC 2014

On Fri, 19 Sep 2014, Bob Puff wrote:

> Looks like I may have another issue.  Again, the reference: CentOS 6, 
> Perl 5.10.1 (non-threaded), IC 5.8.2.  Just ran a PCI scan from 
> controlscan.com, and they came back with a mess of SQL Injection vulns.

Thanks for the report, Bob. Most of us running production ecommerce sites 
on Interchange created them some years ago and their template and page 
code has diverged significantly from the standard demo, so our fixes for 
past SQL injections may not have applied to the standard demo.

We welcome any patches you can contribute to fix such problems in the 

It is typically easy to fix in ITL code by using:

[filter op=sql interpolate=1]...[/filter]


[PREFIX-filter sql]...[/filter]

around the SQL, or the js filter in JavaScript code or the entities filter 
for plain HTML text.


Jon Jensen
End Point Corporation

More information about the interchange-users mailing list