Niko Granö

Developer and open source enthusiast. Blogging about software development and other things.

  • Published on

    BSS Multiwishlist XSS Injection

    This time I have been moving to the weird and good Magento 2 world. How is it good? I have noticed (at least in those modules I’ve gone through) that there are a lot fewer issues in the code, from best practices to real big good old security issues. However, there are still issues, even though not as great as plain SQL injections. Or maybe it is just because I have been auditing only the big vendors’ modules and not yet the smaller ones.

  • Published on

    Magento 1 BL/CustomGrid Security Flaw

    As most people may have noticed, I have been going through Magento modules lately, hunting for possible security flaws. This time I decided to review BL/CustomGrid. Why? This module has not been maintained for a long time and it is widely used in many Magento 1 shops. Let’s see what problems we were able to find.

  • Published on

    Serializing PHP Entities to JSON

    So, I fetch objects from the database using an ORM, and sometimes I return the results via REST. This usually means I end up mapping getters to an array. This seems boring, time-consuming, stupid. So I said enough of this and started looking for a solution.

    The requirement was simple: a solution which makes it possible to get entity values as an array automatically (as arrays can always be encoded into JSON). This would need reflection, but I had already decided to go the lazy way, so the performance loss is accepted. If you want high performance, you should just keep manually writing entities to arrays.

  • Published on

    PHP 7.4 is coming!

    So, finally. They made it. One of my favorite PHP releases ever. The new PHP 7.4 is expected to be released in late 2019. Let’s go through all the features we are going to get in PHP 7.4. I will be posting more in-depth topics about the features themselves later to explain them better.