All Activity

  3. ArtcoInc

    Security checks gone

    @GoCastaway58 As @MrPhil suggested, ask your host if they can roll back to an earlier version of PHP. That *may* resolve your problem ... temporarily. If it does work, use the time to consider updating your shop to the latest Community Edition of osC. (link in my signature). M
  4. BrockleyJohn

    How do I use function __construct in this code?

    Nope, these are all deliberate. Shopping cart's eponymous method is called to reset it (but there's no point in resetting it on construction). Table block and alert box's methods are called from child classes which override the constructor, so the parent's never gets called.
  5. A recent attack on one of my shops revealed that hackers will use the search function to try and gain access to the shop and/or database. Since SmartSuggest records search inquires to a database table, there is a possibility that this could be used in an attack Malcolm
  6. JcMagpie

    Hack attempt - is there a way to prevent this?

    just put the chars you want to not remove in the [] and you'll be fine. See, I have added ' and - after the 9:

        $scrub = preg_replace("/[^a-zA-Z0-9'\w\ -]/", "", $input);

    this will give Result: iaja'-'- this 1237412 is @^*() how -=+_ from echo ScrubInput("iaja'-'- this 1237412~! is @#$%^&*() how -=+_] it [{};:/ works .,>?OKAMNBVCXZLKJHG'\""); Please check before using on live site. Only tested in sandbox.
  7. GoCastaway58

    Security checks gone

    I sure have deprecated errors, it's an error log from 3 weeks and 45Mb.... It's all like the last one:

        [19-May-2019 22:41:41 Europe/Amsterdam] PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; ht_product_title has a deprecated constructor

    I will take a look at your solutions, hope I can fix it, I am not really a good coder and OsCommerce mediate. Thanks!
  8. ArtcoInc

    Search add-on Reviews

    *** UPDATE *** In my initial review, I noted that SmartSuggest records the search inquiry. It does so by adding a database table in which to store these inquiries. A recent hack attempt on one of my shops revealed that hackers will use the search function to try and gain access to the shop and/or the database. This was discussed in another thread: While I am not aware that any actual damage occurred, nor that any data was compromised, people should be aware that SmartSuggest does save the search inquiries in a database table, which potentially could be used in an attack on one's shop. Malcolm
  9. MrPhil

    Hack attempt - is there a way to prevent this?

    It will depend on your osCommerce version, and what add-ons you have that put stuff into the database, but any decent DB code should disable (usually escape, not remove) any special characters that might be interpreted as database commands. That way, the string content can't be used to run commands, but it still might interfere with searches. For example, escaping an apostrophe so that it can't be used to end a field and add SQL commands (change it to a literal apostrophe, not a delimiter for SQL commands) might prevent searching for "A Bug's Life", but I'm not sure in this code. I haven't looked lately, but there may be ways around that problem.
  10. puggybelle

    Hack attempt - is there a way to prevent this?

    @Jack_mcs @JcMagpie Any way to keep apostrophes, quotation marks, dashes, letters and numbers? LOL. My buyers really need to use quotation marks in some circumstances, in order to find the exact name or phrase. When the edits are made, you can't even find the test product A Bug's Life unless you leave out the apostrophe. Smart buyers are going to include the apostrophe...get no search results...and leave. These edits are only making search more difficult. And after viewing my keywords search report for months now....buyers need all the help they can get! Is there a way to sanitize against the inclusion of weird characters that always accompany a malicious code string, but preserve the other ones I mentioned? - Andrea
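    The following is an added example, not code from this thread or from osCommerce. It keeps the apostrophes, quotation marks and hyphens puggybelle asks for, binds the keyword as a query parameter so an apostrophe is data rather than SQL syntax (MrPhil's escape-don't-remove point), and HTML-escapes the term when it is echoed back (Jack_mcs's point). It assumes an open mysqli connection `$link` (standing in for osC's own tep_db_* calls, which it does not use) and osC's products_description table.

```php
<?php
// Added example (not from the thread or from osCommerce). Assumes an open
// mysqli connection $link with mysqlnd, and the osC products_description table.

// Allowlist scrub: word characters, whitespace, apostrophe, double quote and
// hyphen. The hyphen sits last in the class so PCRE reads it literally.
function scrub_search_input(string $input, int $max = 40): string
{
    $scrub = preg_replace('/[^\w\s\'"-]/', '', $input);
    $scrub = preg_replace('/\s+/', ' ', trim($scrub)); // collapse runs of spaces
    return substr($scrub, 0, $max);
}

// Bound parameter: the keyword is never concatenated into the SQL text, so a
// quote inside it cannot terminate the string literal. The LIKE wildcards are
// added on the SQL side with CONCAT.
function find_products(mysqli $link, string $keywords): array
{
    $stmt = $link->prepare(
        'SELECT products_id, products_name FROM products_description'
        . ' WHERE products_name LIKE CONCAT(\'%\', ?, \'%\') LIMIT 50'
    );
    $stmt->bind_param('s', $keywords);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Echoing the term back into the page: HTML-escape it so the quotes we kept
// cannot become attribute or tag delimiters.
function render_search_term(string $keywords): string
{
    return htmlspecialchars($keywords, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the thread's test product and JcMagpie's test string.
$a = scrub_search_input("A Bug's Life");
$b = scrub_search_input('iaja this 1237412~! is @#$%^&*() how -=+_] it [{};:/ works');
echo $a, "\n", $b, "\n", render_search_term($a), "\n";
// $rows = find_products($link, $a);  // needs the database connection
```

    The apostrophe in "A Bug's Life" survives the scrub and is safe in the query only because it travels as a bound parameter; the allowlist alone is not what makes it safe.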
  11. greasemonkey

    Hack attempt - is there a way to prevent this?

    @ArtcoInc I think the link to your review is very relevant to the thread - and the threat of this hack attempt (I can’t recall the level of detail in your review but maybe you’d update to include this potential risk).
  12. ArtcoInc

    Hack attempt - is there a way to prevent this?

    @greasemonkey (while off topic regarding hack attempts ...) I also reviewed that search add-on here ... M
  13. greasemonkey

    Hack attempt - is there a way to prevent this?

    As a suggestion for a different smart search that doesn’t write to your DB... try this one (I’ve been using it for a couple years... works great). https://apps.oscommerce.com/Redirect=9351
  14. ArtcoInc

    Stop Google adding bogus names

    @trophy As others have stated, Google is not doing this. A spammer or hacker is doing it. Using Google as an email address, or as a company name, is very common. I get a number of these on one of my shops all the time. M
  15. JcMagpie

    Hack attempt - is there a way to prevent this?

    A simple string scrubbing function using https://www.php.net/manual/en/function.preg-replace.php

        <?php
        function ScrubInput($input) {
            // allow only letters
            //$scrub = preg_replace("/[^a-zA-Z]/", "", $input);
            // allow only letters and numbers
            //$scrub = preg_replace("/[^a-zA-Z0-9]/", "", $input);
            // allow only letters, numbers, and whitespace
            $scrub = preg_replace("/[^a-zA-Z0-9\s]/", "", $input);
            // Let's get rid of all CAPS
            $scrub = strtolower($scrub);
            // limit input to 40 chars
            $scrub = substr($scrub, 0, 40);
            return $scrub;
        }
        // test the function
        echo ScrubInput("iaja this 1237412~! is @#$%^&*() how -=+_] it [{};:/ works .,>?OKAMNBVCXZLKJHG'\"");
        ?>

    Result: iaja this 1237412 is how it works ok
  16. ArtcoInc

    Hack attempt - is there a way to prevent this?

    @pete2007 Out of the box, osC does not save search queries in the database. I'm using an add-on called SmartSuggest that, amongst other things, creates a new database table and saves the search queries. I find this important since I can now see what people are searching for, and use that information to either adjust the text on my site, or adjust my product lines (if I sell apples, and people are searching for oranges ... ). M
  17. Jack_mcs

    Hack attempt - is there a way to prevent this?

    @ArtcoInc The r87 dot com is a site on godaddy. You could report it as a spammer and/or block its IPs. Although the whois for it lists quite a few similar names, so I suspect this guy wouldn't be easily stopped. Limiting the search string probably won't make a difference since they can type directly into the url. Many times the hackers will enter some invalid command so that an error is displayed that gives them more details about the database. You can test your site here to see if that is the case. Also be sure that anything entered in the search does not show up on the page after the search. This doesn't occur with the CE version but might with older versions. If your search doesn't require any special characters, then I suggest you change this code in the advanced_search_result.php file

        if (isset($_GET['keywords'])) {
          $keywords = tep_db_prepare_input($_GET['keywords']);
        }

    to this

        if (isset($_GET['keywords'])) {
          $keywords = preg_replace('/[^\w]/', '', $_GET['keywords']);
          $keywords = tep_db_prepare_input($keywords);
        }

    That will remove everything from the search string other than letters and numbers.
  18. pete2007

    PayPal Express ~ Duplicate Orders

    @peterbuzzin is it possible to add a script like this to the contact us submit button, this is also very slow? thanks
  19. Your host ought to be able to tell you if you're on some spam blacklist. They may even tell you that they added you because you sent out too many emails in a short period. They don't want their servers listed as spammers, either. It's fine to email newsletters from your shop's domain, but it should probably be left to a proper bulk email application that knows how to obey host limits for per-minute, per-hour, per-day mailings. It should also try to distribute evenly and at a polite rate to major email systems like gmail, hotmail, yahoo, etc., so they don't feel overwhelmed and report you as a spammer. Do you really need to get all 5000 emails out within one hour? How about over 2 days or so? Needless to say, all mass mailings must be explicit "opt in", and should include a reminder that the recipient signed up to receive them, and a reminder on how to easily unsubscribe. The latter two items reduce the chances that a recipient will report you as a spammer, simply to stop receiving mass mailings from you.
  20. MrPhil

    How do I use function __construct in this code?

    admin/includes/classes/shopping_cart.php
    admin/includes/classes/table_block.php
    includes/classes/alertbox.php

    Do any of these look like trouble? I.e., a dummy __construct() added to silence the PHP 7 deprecated warnings, but should either have been function classname() renamed to __construct, or __construct() calling classname()?
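    As an added example (not code from the thread or from osCommerce), this shows the conversion MrPhil describes: a PHP 4 style constructor named after its class, the source of the "ht_product_title has a deprecated constructor" notices quoted above, becomes a real __construct(), and a child that overrides the constructor only runs the parent's setup if it calls parent::__construct() explicitly, which is BrockleyJohn's point. The class body and property names are made up for illustration.

```php
<?php
// Added example, not from the thread or from osCommerce. Names are made up.

class ht_product_title            // stands in for a header-tag module class
{
    public $code = 'ht_product_title';
    public $enabled = false;

    // Before: public function ht_product_title() { ... }
    // A method named after its class was treated as the constructor, with a
    // deprecation notice from PHP 7.0 on and no constructor role at all in PHP 8.
    // After: a real constructor. When __construct() exists, PHP uses it and
    // emits no deprecation notice for the old-style method.
    public function __construct()
    {
        $this->enabled = true;
    }

    // Optional forwarding alias so any remaining explicit calls to
    // $obj->ht_product_title() keep working during the migration.
    public function ht_product_title()
    {
        $this->__construct();
    }
}

class custom_title extends ht_product_title
{
    // Overriding the constructor means the parent's one never runs by itself.
    // Call it when the parent's initialisation matters; leave it out only when
    // skipping it is intended (as BrockleyJohn says for table_block/alertbox).
    public function __construct()
    {
        parent::__construct();
        $this->code = 'custom_title';
    }
}

$title = new custom_title();
var_dump($title->enabled, $title->code);
```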
  21. JcMagpie

    Hack attempt - is there a way to prevent this?

    As the input field is controlled by a function in html_output.php, we cannot control it directly. So in the template file of the search simply add a bit of js to limit input:

        <script>
        $("input").attr("maxlength", 20)
        </script>

    You should let your customers know a limit is set.
  22. Tsimi

    Stop Google adding bogus names

    Fake accounts with google as company name? Check here https://forums.oscommerce.com/topic/492566-fake-accounts/?do=findComment&comment=1781581
  23. Hotclutch

    Stop Google adding bogus names

    It's not Google, you're being spammed.
  24. trophy

    Stop Google adding bogus names

    Not sure about Google results, they appear in my customers section. I assume it is google as they put google in the company name. The names are bizarre, likewise the address.
  25. Hotclutch

    Stop Google adding bogus names

    Google does not do this. If there is something appearing in Google results that you don't like, then it's your script generating it, and it must be fixed.
  26. pete2007

    Hack attempt - is there a way to prevent this?

    Thank you for your reply, whereabouts can I limit the text for the search?
  27. JcMagpie

    Hack attempt - is there a way to prevent this?

    It's not just search, any form on your website that allows the visitor to enter text that is saved to your database is a backdoor for hackers. Search is easy, just remove osC search and replace it with Google search (nothing is saved on your db by this), or limit text input to just one or 2 words. All forms should have some sort of captcha and text cleanser built in to prevent saving scripts to db. Reviews is another one that is targeted by hackers.