[TomatoCart] Sanitize Inputs to Enhance Your Store’s Security!

I received an email from a user to report that there are two serious security issue existing in latest TomatoCart version.

Security issue 1:

Classification: XSS

Suggested Attack Complexity: Low

Suggested Severity: High

Description: Multiple vulnerabilities have been discovered in current
version of TomatoCart that could allow attackers to:

* Perform reflective cross site scripting

Technical Details:
* TomatoCart improperly sanitizes an HTTP GET variable, resulting in a
reflective XSS vulnerability.

Root Cause: Lack of and/or improper input validation

Security issue 2:

Classification: SQL injection, unsafe string replacement

Suggested Attack Complexity: Low

Suggested Severity: High

Status: Vendor contacted

Description: TomatoCart suffers from a systemic vulnerability in its query factory,
allowing attackers to circumvent user input sanitizing to perform remote
SQL injection.

Root Cause: Lack of and/or improper input validation

For security reason, I will show more details here.

Generally, cross-site scripting refers to that hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content from an end-user and collect some type of data from the victim.

SQL Injection is the type of attack that takes advantage of improper coding of your web applications that allows hacker to inject SQL commands into say a login form to allow them to gain access to the data held within your database.

In order to clear above two issues, we have to clean and sanitize the inputs from users. Please apply following changes for your store:

Step 1. Go to includes/functions/general.php and then add following code at the bottom of file:

   * Clean the input variable
   * @param string
   * @return string
  function cleanInput($input) {
  	$search = array(
			'@<script[^>]*?>.*?</script>@si',   // Strip out javascript
			'@<[\/\!]*?[^<>]*?>@si',            // Strip out HTML tags
			'@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
			'@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments
  	$output = preg_replace($search, '', $input);
  	return $output;
   * santinize the input variable
   * @param string
   * @return string
  function sanitize($input) {
  	if (is_array($input)) {
  		foreach($input as $var=>$val) {
  			$output[$var] = sanitize($val);
  	else {
  		if (get_magic_quotes_gpc()) {
  			$input = stripslashes($input);
  		$input  = cleanInput($input);
  		$output = mysql_real_escape_string($input);
  	return $output;

Step 2. Go to includes/application_top.php and then find following code:


Add following code before it:

//Sanitization input
  $_POST = sanitize($_POST);
  $_GET  = sanitize($_GET);

That’s it. This will prevent your store from cross site scripting attacks and sql injection. It will clean all the malicious bits from user’s input.

It may be difficult for you to apply above changes for your store if you are not a developer. Don’t worry about it. If you need our technical support or assistance for the upgrade, please don’t hesitate to contact us via support@tomatocart.com. We prefer to provide free technical support service for Arvixe users.

Looking for quality web hosting? Look no further than Arvixe Web Hosting!

Tags: , , , , , , , , , , , | Posted under TomatoCart | RSS 2.0

Author Spotlight

Jack Yin

TomatoCart Developer & Co Founder - Arvixe Web Hosting / TomatoCart Community Liaison

3 Comments on [TomatoCart] Sanitize Inputs to Enhance Your Store’s Security!

  1. Tony says:

    Thanks a ton. Implemented this enhancement.

  2. Carter says:

    Thanks!! This restores my faith in this software! You should repost this fix on the Github as well as the Tomato Cart Homepage!!

Leave a Reply

Your email address will not be published. Required fields are marked *

3 × = 6

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>