  1. createvideo

    Ajax Buy Now

    Joe, looks like you already have the answer... but why are you using post data on product_listing.php and get data on your other pages where you said this works? Even though post data doesn't show up in the header line, it's just as easy to read your post variables as get variables from a hacker's view; so make sure you don't ever rely on post for security. If you decide you can't live without post data, then you'll have to build yourself a new ajax_sc.js to send post data and a new ajax_shopping_cart.php to receive the post data and complete the http request. Fortunately the server doesn't care if it is post or get for any application including Ajax apps. I'd recommend getting your product_listing working with get statements if possible... and before you start rebuilding Ajax apps I'd recommend Head Rush Ajax from O'Reilly books, it's simple to understand (good for me) and makes reworking Ajax apps a breeze.
  2. createvideo

    Ajax Buy Now

    Nothing special on product_info; if this is working on other pages but not here... then check the key functions individually on the broken page and compare to something that is working. In an Ajax program, you have the following: 1) set up the response handler from the server; this is done in ajax_shopping_cart.php... make sure you are calling this cart on every page where you use the function; in readme.txt, this is shown in the edits for column_right.php. The response handler is set up here and also the div tag id where the updated info is to be displayed. Oh, btw, watch the name on the div tag... it is "divShoppingCard" not cart? May be a typo that slipped in. If you don't have this right... you'll send the request to the server, but your page won't know to update? Sounds similar to your case. I'd compare my column_right.php and shopping_cart.php calls as a start. 2) call to the server to do something; if you've made code changes to html_output and general.php, you should be ok here. 3) handle the server response at the browser... you set this up in #1; once the server has added to the cart, it sends back a response that is targeted at your new div tag set up earlier.
  3. createvideo

    Ajax Buy Now

    Like others on this forum, it's part personal taste and part lesson hard learned. I always aim for simple & functional for customers and can accomplish this without using a flying image. The Ajax loading/added-to-cart message combined with common colors between the message and the shopping cart box works well with our customers; i.e. it lets them buy more with less effort by eliminating full page reloads and having to view the shopping cart after every add. Good luck to all working on the fly-to-cart feature... given all the compatibility caveats with javascript, I'd make sure the fly-to-cart adds enough real value to cover the risk and extra code size.
  4. createvideo

    Ajax Buy Now

    Posted a new ajax_sc.js javascript file that will fix the location of the loading image in various browsers. If you haven't modified ajax_sc.js, simply replace this file; otherwise you already know a bit about programming, so use a file diff. Tested on ie5, ie6, ie7 and mozilla; but should work on most others. To see in action: ajax buy now example
  5. Mark, my files are likely pre-3.1a, but I didn't see anything in the newer release notes addressing this issue, so I didn't check the latest releases. I'll find time this week to look at the latest release, but as you stated, as long as data is cleaned before making the sql call, it should be ok. I found the issue when running a large number of automated combinations against my site, and my fix seemed adequate to block them all. Best wishes, David
  6. No problem Alex, meaning to do this when I found time. I started on PHP/SQL not long ago and found the PHP/SQL Bible from Wiley books to be very helpful for newbs.

     Step 1: Open /includes/functions/general.php

     Add the following clean_url function at the top of the file after your first comments section.

         // rev14 - createvideo: security - add URL string cleaning
         // add or remove characters as needed to enhance security
         function clean_url($url) {
             // $string = ereg_replace(' +', ' ', trim($url));
             $string = $url;
             return preg_replace('/[\;\<\>\'\"\:\;\|\(\)$^]/', '', $string);
         }

     STEP 2: Open /includes/classes/supertracker.php

     Find:

         $current_page=$_SERVER['PHP_SELF'];

     Replace with:

         //rev14 - security fix - clean input
         // $current_page=$_SERVER['PHP_SELF'];
         $current_page= clean_url($_SERVER['PHP_SELF']);
         //

     Find:

         $refer_data = $_SERVER['HTTP_REFERER'];

     Replace with:

         //rev14 - security fix
         // $refer_data = $_SERVER['HTTP_REFERER'];
         $refer_data = clean_url($_SERVER['HTTP_REFERER']);

     Find:

         $ip = $_SERVER['REMOTE_ADDR'];
         $current_page=$_SERVER['PHP_SELF'];
         $time_arrived = date('Y-m-d H:i:s');
         $landing_page = $_SERVER['REQUEST_URI'];

     Replace with:

         //rev14 - security fix
         // $ip = $_SERVER['REMOTE_ADDR'];
         $ip = clean_url($_SERVER['REMOTE_ADDR']);
         //rev14 - $current_page=$_SERVER['PHP_SELF'];
         $current_page= clean_url($_SERVER['PHP_SELF']);
         $time_arrived = date('Y-m-d H:i:s');
         //rev14 - $landing_page = $_SERVER['REQUEST_URI'];
         $landing_page = clean_url($_SERVER['REQUEST_URI']);

     That's all for cleaning the supertracker variables before they are passed to the database. In general, you should always sanitize your input data before sending it to the database. Harold has taken care of several similar security holes in the latest OSC release; make sure you've made these updates also. BR, createvideo
  7. Found an SQL Injection risk with Supertracker. To see if you are at risk, pull up a product page: /index/product_info.php/ ... some_product_name Now insert some rogue characters into the product name, i.e. som'e"produc(t<)name Hit return; if you see a SQL error message, then your site can be hacked from here. I added my copy of /includes/functions/general.php and /includes/classes/supertracker.php to the contribution section for anyone interested in using or improving. Please do a compare & merge ONLY with my files; as most people here, I have 10,000 customizations on my site and with only 100 documented :) The SECURITY FIX revisions are NOTED with REV 14 - createvideo
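The following is an added, stand-alone example (not createvideo's contribution files and not osCommerce or Supertracker code) illustrating the two posts above: it reproduces the posted clean_url() blacklist, feeds it the "rogue" product name from post 7, and shows, against an in-memory SQLite table standing in for the tracker table (the table and column names are assumptions for illustration only), why the string-built INSERT errors on the raw value, how the blacklist suppresses that error by discarding characters, and how a prepared statement stores the value unchanged with no injection risk.

```php
<?php
// Added example, not from the posts above or from osCommerce/Supertracker.
// Requires the pdo_sqlite extension, which ships with standard PHP builds.

// clean_url() exactly as posted: removes ; < > ' " : | ( ) $ ^ from the string.
function clean_url($url) {
    $string = $url;
    return preg_replace('/[\;\<\>\'\"\:\;\|\(\)$^]/', '', $string);
}

// Constructed sample: the rogue product name from post 7 as it would arrive in
// $_SERVER['REQUEST_URI']. Every $_SERVER value that echoes the request line is
// attacker-controlled, which is why the tracker had a problem in the first place.
$landing_page = "/product_info.php/som'e\"produc(t<)name";
$ip           = '127.0.0.1';              // constructed
$time_arrived = '2024-01-01 00:00:00';    // constructed, fixed for reproducibility

// Stand-in for the tracker table (assumed schema, not Supertracker's).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visits (ip TEXT, landing_page TEXT, time_arrived TEXT)');

// 1) The unpatched pattern: raw request data concatenated into SQL.
//    The quote after "som" terminates the SQL string literal, so the statement
//    is malformed. That is the "SQL error message" symptom the post describes.
try {
    $db->exec("INSERT INTO visits VALUES ('$ip', '$landing_page', '$time_arrived')");
    echo "raw insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "raw value breaks the query: " . $e->getMessage() . "\n";
}

// 2) The posted fix: strip blacklisted characters, then concatenate as before.
//    The query now parses, but only because the quotes and parentheses were
//    thrown away; the stored value is no longer what the visitor requested.
$cleaned = clean_url($landing_page);
$db->exec("INSERT INTO visits VALUES ('$ip', '$cleaned', '$time_arrived')");
echo "blacklist stored: $cleaned\n";

// 3) Parameter binding: the raw value is sent as data, never parsed as SQL.
//    No character can close the literal, and the text is preserved intact.
$stmt = $db->prepare('INSERT INTO visits (ip, landing_page, time_arrived) VALUES (?, ?, ?)');
$stmt->execute([$ip, $landing_page, $time_arrived]);

// Read back both rows to compare what each approach actually persisted.
foreach ($db->query('SELECT landing_page FROM visits') as $row) {
    echo "stored row: {$row['landing_page']}\n";
}
```

The blacklist in clean_url() is a useful belt-and-braces layer on values that feed the tracker, but it is not a substitute for binding: it silently changes data, and any character it does not list still reaches the query. Running the script with `php` prints the parse error for the raw insert, the mangled value from the blacklist path, and the intact value from the prepared statement.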