262 replies to this topic

[sky_diver]

spooks, on 25 January 2010 - 03:27 AM, said:

please can you confirm the issue is gone with the latest version

Issue is now gone and all works correctly. Thank you!  

With the checks in place as they are, there should be no need for an annoying CAPTCHA system, which will make things easier on the customer.

[Munchies]

spooks, on 24 January 2010 - 03:09 PM, said:

[size="2"][b]Uploaded new Version 1.1

I've downloaded the latest but I need the following function added to check if email exists: Thanks for any suggestions on how or where I add in inside your mod.

/**
Validate an email address.
Provide email address (raw input)
Returns true if the email address has the email 
address format and the domain exists.
*/
function validEmail($email)
{
   $isValid = true;
   $atIndex = strrpos($email, "@");
   if (is_bool($atIndex) && !$atIndex)
   {
	  $isValid = false;
   }
   else
   {
	  $domain = substr($email, $atIndex+1);
	  $local = substr($email, 0, $atIndex);
	  $localLen = strlen($local);
	  $domainLen = strlen($domain);
	  if ($localLen < 1 || $localLen > 64)
	  {
		 // local part length exceeded
		 $isValid = false;
	  }
	  else if ($domainLen < 1 || $domainLen > 255)
	  {
		 // domain part length exceeded
		 $isValid = false;
	  }
	  else if ($local[0] == '.' || $local[$localLen-1] == '.')
	  {
		 // local part starts or ends with '.'
		 $isValid = false;
	  }
	  else if (preg_match('/\\.\\./', $local))
	  {
		 // local part has two consecutive dots
		 $isValid = false;
	  }
	  else if (!preg_match('/^[A-Za-z0-9\\-\\.]+$/', $domain))
	  {
		 // character not valid in domain part
		 $isValid = false;
	  }
	  else if (preg_match('/\\.\\./', $domain))
	  {
		 // domain part has two consecutive dots
		 $isValid = false;
	  }
	  else if
(!preg_match('/^(\\\\.|[A-Za-z0-9!#%&`_=\\/$\'*+?^{}|~.-])+$/',str_replace("\\\\","",$local)))
	  {
		 // character not valid in local part unless 
		 // local part is quoted
		 if (!preg_match('/^"(\\\\"|[^"])+"$/',str_replace("\\\\","",$local)))
		 {
			$isValid = false;
		 }
	  }
	  if ($isValid && !(checkdnsrr($domain,"MX")))
	  {
		 // domain has no mail server
		 $isValid = false;
	  }
   }
   return $isValid;
}

[spooks]

Munchies, on 25 January 2010 - 08:41 PM, said:

That seems to be doing a very similar function to the current tep_validate_email, perhaps you just need to enable the domain check of the existing by enabling Verify E-Mail Addresses Through DNS ?

[Roaddoctor]

Spooks

Not sure where my error is but when I try to login or create an account I am not able to. I've carefully installed 1.1 and double checked the work. I followed your intructions verbatim step by step and used winmerge along with the step by step to double check. I was careful.

During login I place the username and password, submit, and the page loops back with the error "Error: No match for E-Mail Address and/or Password." and the email address used to login with is morphed to "p@l."

During create account, when I click submit it loops back to create account with just  "@l." remaining in the email field, the address is truncated to the number and the two street initials only... and most of the other lines are blanked.

strong passwords at false
old exist set to true
I do have start martin master password installed
2.2rc2a on php/mysql5

Any ideas appreciated. I'll be triple checking in the meantime
message me if you wish or care to look at the site directly

[spooks]

Roaddoctor, on 26 January 2010 - 12:20 AM, said:

It appears you have characters in the email that are being sanitised, what are the ones u have that are removed?

[Roaddoctor]

spooks, on 26 January 2010 - 12:31 AM, said:

It appears you have characters in the email that are being sanitised, what are the ones u have that are removed?

definitely getting sanitized for sure
unfortunately the email addy was basic small caps.... vipinquiry @ theactualdomainbeganwith"e...".net and should not have needed sanitization...

Im thinking its something more broad inscope & effect error on my part, or perhaps a conflicting mod... go here and try to create an account... you will see what I mean immediately upon hitting submit. the site is a store under construction so feel free to abuse, er um test, it

Thanks for the quick reply as usual!
In case its relevent, the only thing I did not mention in the first post is that I also changed HTTP_GET and HTTP_POST to the $_GET and $_POST form as I went along.

[spooks]

Roaddoctor, on 26 January 2010 - 12:53 AM, said:

Perhaps your server doesn't understand the charset, what version php do you have?

in account_secure.php try changing

return preg_replace("/[^\p{L}\d\r@ :{}_.-]/i", "", urldecode($vars));

to

return preg_replace("/[^\p{L}\w\r@ :{}_.-]/i", "", urldecode($vars)); 

[Roaddoctor]

spooks, on 26 January 2010 - 01:39 AM, said:

Perhaps your server doesn't understand the charset, what version php do you have?

in account_secure.php try changing

return preg_replace("/[^\p{L}\d\r@ :{}_.-]/i", "", urldecode($vars));

to

return preg_replace("/[^\p{L}\w\r@ :{}_.-]/i", "", urldecode($vars)); 

Wow. That seems to have fixed it. I will test further now. Thank you!!
Can you briefly explain that fix. What was changed with the /w ? Just trying to understand.

and PHP Version: 5.1.6 (Zend: 2.1.0)


Also - a minor bug report: when creating a new account, the zip code would not accept the standard US zip+4 format of 12345-1234. I had to put 123451234 to pass validation.

[spooks]

Roaddoctor, on 26 January 2010 - 02:22 AM, said:

Wow. That seems to have fixed it. I will test further now. Thank you!!
Can you briefly explain that fix. What was changed with the /w ? Just trying to understand.

and PHP Version: 5.1.6 (Zend: 2.1.0)


Also - a minor bug report: when creating a new account, the zip code would not accept the standard US zip+4 format of 12345-1234. I had to put 123451234 to pass validation.

the \w says any alphanumeric char, but the previous \p{L} says any char (or code point to use the regex term) within the letter category (ie including foriegn chars) it seams your server don't understand that!! Its possible your server has chars as code points within the mark category.

You will note you currently clean àáâãäåçéèêëìíîïñòóôõöùúûüýÿ   ÀÁÂÃÄÅÇÉÈÊËÌÍÎÏÑÒÓÔÕÖÙÚÛÜÝŸ which \p{L} is supposed to avoid.

Would you mind replacing the  \p{L} with \p{L}\p{M} and see it the above accented remain?



On the zip code front (I admit I didn't test it much [img]http://forums.oscommerce.com/public/style_emoticons/default/blush.gif[/img] ) try:

return preg_match("/(^[0-9]{5}[-\s]*([0-9]{4})?$)|(^\w{2,4}\ \w{2,4}$)/i", $zip);

would you mind saying exactly what formats are valid? thanks [img]http://forums.oscommerce.com/public/style_emoticons/default/smile.gif[/img]

[Roaddoctor]

As for the server I have complete access so if a misconfigured server is the culprit I could probably fix that.

I tested

return preg_replace("/[^\p{L}\p{M}\w\r@ :{}_.-]/i", "", urldecode($vars));

still sanitized âãäåçéèêëìíîï... when updating the email address.

For Zip, the following two are most proper Zip & Zip+4 inputs. The +4 is not mandatory.
12345
12345-1234

These should probably be acceptable entries (not rejected at least), and if possible be autoformated to 12345-1234 if its easy.
123451234
12345 1234

I quick tested your suggestion and it did accept 12345-1234 format.

Thank you Sam

[spooks]

Roaddoctor, on 26 January 2010 - 04:56 AM, said:

Hi, thats anoying, 1st test with this:

return preg_replace("/[^\p{L}\p{M}\w\r@ :{}_.-]/iU", "", urldecode($vars));

otherwise its perhaps that your PCRE library has not been compiled with Unicode support, I`ve never played with server configs.


The zip test could be modded to reformat, I`ll look to that on a update.

[tigergirl]

Sam,
V1.1 on contact_us I'm getting an uneditable Full Name entry (like sky-diver was getting on email address) if there are invalid inputs on the page, other input fields were editable.

and I'm getting:

[b]Parse error[/b]: syntax error, unexpected $end in [b]/home/XXXXX/public_html/TESTSITE/account_edit.php[/b] on line [b]436[/b]

Line 436, last line:

<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

Edited by Mark Evans, 15 February 2010 - 09:53 PM.

[spooks]

tigergirl, on 26 January 2010 - 03:06 PM, said:

Sam,
V1.1 on contact_us I'm getting an uneditable Full Name entry (like sky-diver was getting on email address) if there are invalid inputs on the page, other input fields were editable.

and I'm getting:

[b]Parse error[/b]: syntax error, unexpected $end in [b]/home/XXXXX/public_html/TESTSITE/account_edit.php[/b] on line [b]436[/b]

Line 436, last line:

<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

[img]http://forums.oscommerce.com/public/style_emoticons/default/sad.gif[/img]

name, thats just so if the name is set (ie logged in) it wont be changed, if u want it different change:

            

<td class="main"><?php echo ($name ? $name . tep_draw_hidden_field('name',$name) : tep_draw_input_field('name', '', 'size="28"')); ?></td>

to

            

<td class="main"><?php echo tep_draw_input_field('name', $name , 'size="28"'); ?></td>

your error is a install mistake, you have added an extra { or removed too many }

Edited by Mark Evans, 15 February 2010 - 09:54 PM.

[tigergirl]

spooks, on 26 January 2010 - 05:06 PM, said:

name, thats just so if the name is set (ie logged in) it wont be changed, if u want it different change:

<td class="main"><?php echo ($name ? $name . tep_draw_hidden_field('name',$name) : tep_draw_input_field('name', '', 'size="28"')); ?></td>

to

<td class="main"><?php echo tep_draw_input_field('name', $name , 'size="28"'); ?></td>

your error is a install mistake, you have added an extra { or removed too many }

I started again and have fixed my error with } . thanks

The name can't be changed when logged out if errors on contact-us page (am happy for name to be unchangeable when logged in though). code posted messes up the formatting on the page? input box moves right

Should the customer be able to send contact_us email if no subject entered?

[spooks]

tigergirl, on 26 January 2010 - 05:57 PM, said:

The name can't be changed when logged out if errors on contact-us page (am happy for name to be unchangeable when logged in though). code posted messes up the formatting on the page? input box moves right [img]http://forums.oscommerce.com/public/style_emoticons/default/pinch.gif[/img]

Should the customer be able to send contact_us email if no subject entered?

you cant have pasted it exactly, sounds like 1 of the td tags is messed, perhaps u would prefer:

<td class="main"><?php echo ($account['customers_lastname'] ? $name . tep_draw_hidden_field('name',$name) : tep_draw_input_field('name', $name, 'size="28"')); ?></td>

that means logged in can't edit name, otherwise always editable

The subject could be checked, but as it never used to have one I didn't bother.

[tigergirl]

spooks, on 26 January 2010 - 06:08 PM, said:

<td class="main"><?php echo ($account['customers_lastname'] ? $name . tep_draw_hidden_field('name',$name) : tep_draw_input_field('name', $name, 'size="28"')); ?></td>

works a treat, ta v much

Quote

The subject could be checked, but as it never used to have one I didn't bother.

Is it possible to use the old tag if customer doesn't enter a subject?

define('EMAIL_SUBJECT', 'Web Enquiry from ' . STORE_NAME);

Sorry for being fussy

[spooks]

'EMAIL_SUBJECT'

tigergirl, on 26 January 2010 - 06:31 PM, said:

Is it possible to use the old tag if customer doesn't enter a subject?

yes after:

  $xipaddress = $_SERVER["REMOTE_ADDR"];

add:

  $subject = $subject ? $subject : EMAIL_SUBJECT;

[tigergirl]

spooks, on 26 January 2010 - 07:44 PM, said:

'EMAIL_SUBJECT'


yes after:

 $xipaddress = $_SERVER["REMOTE_ADDR"];

add:

 $subject = $subject ? $subject : EMAIL_SUBJECT;

You are fantastic!

Everything working - Fan Dabby Dosey.
You can stop now
Thank you so much Sam.

[aelalfy1989]

Hi,

I recently installed a contribution to make my state a drop down menu and it worked fine but then i decided to check for a date of birth drop down and came across this contribution. Its promising, but i have a few question

1) if I create an account its profiled with the store owner country correct? if I switch that to another country will it automatically change the zones?

2) I don't understand some of the instructions provided with this contribution. Most of the files provided with this contribution will be replaced so I don't have to do most of the stuff tigergirl wrote in my case but the initial stuff  don't understand

"If your store uses normal dates in place of the American 'mixed' format you need to ensure you have changed line 21 on"  -------------------> What does this mean? I don't know what format I have. Also if I do am I changing the text below? or something else?

define('DATE_FORMAT_SHORT', '%m/%d/%Y');  // this is used for strftime()
define('DATE_FORMAT_LONG', '%A %d %B, %Y'); // this is used for strftime()
define('DATE_FORMAT', 'm/d/Y'); // this is used for date()
define('DATE_TIME_FORMAT', DATE_FORMAT_SHORT . ' %H:%M:%S');

////
// Return date in raw format
// $date should be in format mm/dd/yyyy
// raw date is in format YYYYMMDD, or DDMMYYYY
function tep_date_raw($date, $reverse = false) {
  if ($reverse) {
    return substr($date, 3, 2) . substr($date, 0, 2) . substr($date, 6, 4);
  } else {
    return substr($date, 6, 4) . substr($date, 0, 2) . substr($date, 3, 2);
  }
}
Replace with:
define('DATE_FORMAT_SHORT', '%d.%m.%Y'); // this is used for strftime()
define('DATE_FORMAT_LONG', '%A, %d. %B %Y'); // this is used for strftime()
define('DATE_FORMAT', 'd.m.Y'); // this is used for strftime()
define('PHP_DATE_TIME_FORMAT', 'd.m.Y H:i:s'); // this is used for date()
define('DATE_TIME_FORMAT', DATE_FORMAT_SHORT . ' %H:%M:%S');

////
// Return date in raw format
// $date should be in format mm/dd/yyyy
// raw date is in format YYYYMMDD, or DDMMYYYY
function tep_date_raw($date, $reverse = false) {
if ($reverse) {
return substr($date, 0, 2) . substr($date, 3, 2) . substr($date, 6, 4);
} else {
return substr($date, 6, 4) . substr($date, 3, 2) . substr($date, 0, 2);
}
}
"You need to do the same for your admin file." -----------------> Need to do what?
"If you enable the strong password option:" -------------------> where is that option to enable strong password option? I don't see any of the files in this contribution going to the admin side so is there a defined option already?

find:
define('ENTRY_PASSWORD_TEXT', '*');
define('ENTRY_PASSWORD_NEW_TEXT', '*');
Replace with:
define('ENTRY_PASSWORD_TEXT', '* (Password must contain at least one lower case letter, one upper case letter & one number.)');
define('ENTRY_PASSWORD_NEW_TEXT', '* (Password must contain at least one lower case letter, one upper case letter & one number.)');

Edited by aelalfy1989, 27 January 2010 - 06:30 PM.

[tigergirl]

aelalfy1989, on 27 January 2010 - 06:29 PM, said:

"If you enable the strong password option:" -------------------> where is that option to enable strong password option? I don't see any of the files in this contribution going to the admin side so is there a defined option already?

Please read the included instruction file for the answer:
Sam's_anti-hacker_account_mods.html