
Hack attempt (Order -> total_paid)



All,

I changed the DB tables to accept up to about a trillion dollars. Everything in the cart adds up fine. I'm using the cheque payment module.

I add enough items to the cart to hit double digit billions and I get this nasty error:

Hack attempt (Order -> total_paid = 11882196900)

I added

Tools::dieObject($order);

to line 112 in the /classes/PaymentModule.php file, per one of the posts I found here. I then ran 2 orders. 1 that generated the hack attempt and one it would accept. The results are identical. The only thing that changed was the dollar amount.

It's odd that double digit billions trigger a hack attempt, but single digit billions is okay?

Anyone have any ideas on how to fix this?

Thank you!


Thanks guys, appreciate the responses!

Checking the validate class, it has:
return preg_match('/^[0-9]{1,10}(\.[0-9]{1,9})?$/ui', $price);

I wish I understood this better, but I changed it to:

return preg_match('/^[0-9]{1,12}(\.[0-9]{1,9})?$/ui', $price);

And now it works! Thanks for getting me started in the right direction.


Just following up...

This does NOT solve the problem. While it did allow large dollar amounts to be placed, it randomly has problems with low dollar amounts. Ironically, sub-million dollar orders were fine. 10 million (or even billion) was fine. But I kept having the same problems in the million to 3 million range.

As a short term solution, I have disabled this validation. Like with everything else, not sure what long term effects that will have.

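The price pattern quoted in the thread allows at most 10 integer digits, so the 11-digit total 11882196900 cannot match it. The following is an added example (not part of the original posts and not PrestaShop's own code) that runs both patterns from the thread over constructed totals and reports which part of a rejected value is out of bounds; `priceMatches` and `explainPrice` are hypothetical helper names.

```php
<?php
// Added example. The two patterns are the ones quoted in the thread.
const STOCK_PATTERN   = '/^[0-9]{1,10}(\.[0-9]{1,9})?$/ui';
const WIDENED_PATTERN = '/^[0-9]{1,12}(\.[0-9]{1,9})?$/ui';

/** Hypothetical helper: true when $price matches $pattern. */
function priceMatches(string $pattern, string $price): bool
{
    return preg_match($pattern, $price) === 1;
}

/** Hypothetical helper: say why $price fails a limit of $maxIntDigits integer digits. */
function explainPrice(string $price, int $maxIntDigits): string
{
    // Anything that is not digits with an optional ".digits" part is rejected outright.
    if (!preg_match('/^([0-9]+)(?:\.([0-9]+))?$/', $price, $m)) {
        return 'not a plain unsigned decimal (sign, exponent, separator or whitespace)';
    }
    if (strlen($m[1]) > $maxIntDigits) {
        return sprintf('%d integer digits, limit is %d', strlen($m[1]), $maxIntDigits);
    }
    if (isset($m[2]) && strlen($m[2]) > 9) {
        return sprintf('%d decimal digits, limit is 9', strlen($m[2]));
    }
    return 'ok';
}

// Constructed samples; 11882196900 is the total from the error message in the thread.
$samples = ['11882196900', '9999999999', '999999999999.99', '1000000000000',
            '-5', '1.2E+10', '1,500,000.00', '0.1234567891'];

foreach ($samples as $price) {
    printf("%-18s stock=%-6s widened=%-6s %s\n",
        $price,
        priceMatches(STOCK_PATTERN, $price) ? 'pass' : 'reject',
        priceMatches(WIDENED_PATTERN, $price) ? 'pass' : 'reject',
        explainPrice($price, 12));
}
```

A bounded pattern like the widened one still rejects signed, exponent-form and separator-containing values, which is the input filtering that is lost when the validation is disabled entirely.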
