241

Members
  • Content count: 6,047

Community Reputation: 0 Neutral
3 Followers

About 241

Profile Information
  • Real Name: Steve
  • Gender: Male
  • Location: Scotland
  • Interests: Coding, osCommerce, Wolfen Dev Team, developing websites with ecommerce integrated. Motorbikes
  1. If you previously had the IPN under osc 2.2, check the transaction records in your Paypal account for a failed transaction from that period. Also try clearing the server cache.
  2. I would get back to Paypal; I have had an issue there before with IPN and it took them a year to finally resolve. Normally IPN would be disabled long before 186 in 48 hours. Have you cleared the old working directory for Paypal?
  3. /includes/modules/payment/paypal_standard.php line 366
     /includes/modules/payment/paypal_pro_hs.php line 314
  4. does your oscommerce have a line starting this used to be in includes/modules/payment/paypal_ipn.php
  5. Not sure if the intention is to have this work as a banner manager with impressions and expiry. The set slide function has a reference to 2 missing columns in the table and a reference to the banner id string, so it falls over if changing the status flag in admin.

     admin/slides_manager.php

     ////
     // Sets the status of a slide
     function tep_set_slider_status($slides_id, $status) {
       if ($status == '1') {
         return tep_db_query("update " . TABLE_SLIDES . " set status = '1', expires_impressions = NULL, expires_date = NULL, date_status_change = NULL where slides_id = '" . $banners_id . "'");
       } elseif ($status == '0') {
         return tep_db_query("update " . TABLE_SLIDES . " set status = '0', date_status_change = now() where slides_id = '" . $slides_id . "'");
       } else {
         return -1;
       }
     }
     ////

     If not used as a banner manager then the code needs changing to:

     ////
     // Sets the status of a slide
     function tep_set_slider_status($slides_id, $status) {
       if ($status == '1') {
         return tep_db_query("update " . TABLE_SLIDES . " set status = '1', date_status_change = now() where slides_id = '" . (int)$slides_id . "'");
       } elseif ($status == '0') {
         return tep_db_query("update " . TABLE_SLIDES . " set status = '0', date_status_change = now() where slides_id = '" . (int)$slides_id . "'");
       } else {
         return -1;
       }
     }
     ////
  6. Uploaded full package with the code changes in place for SQL injection prevention and sanitization of the string.
  7. If you are just copying and pasting then you will get the error for < as that is the beginning of your HTML tagging, which you are pasting into the middle of PHP tagging, thus breaking the PHP. You would need to post more of the code to see whether or not the HTML tagging is required for positioning; if not then you could use:

     <?php
     session_start();
     if (($_SESSION['security_code'] == $_POST['security_code']) && (!empty($_SESSION['security_code']))) {
       // Insert your code for processing the form here, e.g. emailing the submission, entering it into a database.
       echo tep_image_submit('button_submit.gif', IMAGE_BUTTON_INSERT) . ' <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS_WRITE, '', 'NONSSL');
       unset($_SESSION['security_code']);
     } else {
       // Insert your code for showing an error message here
     }
     ?>
  8. Yes it applies to all and is an injection that they can use to then set up a database user which requires no password to gain access. They set up with an open all-access user in the database and then have the privileges to set up databases etc. I will not post the code used here as this will further compound the issue. I have informed a member of the team and requested that all testimonial contributions be disabled until the issue is resolved.
  9. There is a further vulnerability where user information (names, the encrypted password and email address) for every testimonial can be harvested.
  10. The third piece of code is for passing attributes information and is a part of the osCommerce Paypal IPN It may be a part of some of the others or it may be coded slightly different in which case you would need to look at the code section dealing with attributes for the paypal module that you are using. Do you know which Paypal module you are using?
  11. This would be approx line # 202:

      <?php echo '<p style="margin-top: 20px;"' . tep_image_submit('button_save.gif', IMAGE_SAVE, 'name="submitbutton"') . ' ' . tep_image_button('button_cancel.gif', IMAGE_CANCEL, 'onclick=\'self.close()\'') .'</p>' . "\n";

      and the fix is to close the opening paragraph tag just before the tep_image_submit:

      <?php echo '<p style="margin-top: 20px;">' . tep_image_submit('button_save.gif', IMAGE_SAVE, 'name="submitbutton"') . ' ' . tep_image_button('button_cancel.gif', IMAGE_CANCEL, 'onclick=\'self.close()\'') .'</p>' . "\n";
  12. The code for the last update, which was SPPC attributes mod rev.1, is still using the old code. The code that you have posted here works, as does the change I made prior to seeing this post.

      $check_product_query = tep_db_query("select p.products_status, pa.options_id, pa.options_values_id, pa.attributes_hide_from_groups, '0' as hide_attr_status from " . TABLE_PRODUCTS . " p left join " . TABLE_PRODUCTS_ATTRIBUTES . " pa on p.products_id = pa.products_id where p.products_id = '" . (int)$products_id . "'");
  13. I have gone through the contributions section installing my way through the various files for SPPC. I am now receiving this error:

      1052 - Column 'products_id' in where clause is ambiguous

      select products_status, options_id, options_values_id, attributes_hide_from_groups, '0' as hide_attr_status from products left join products_attributes using(products_id) where products_id = '923'

      The query is for the attributes part of catalog/includes/classes/shopping_cart.php:

      if (is_numeric($products_id) && is_numeric($qty) && ($attributes_pass_check == true)) {
        // BOF SPPC attribute hide check, original query expanded to include attributes
        $check_product_query = tep_db_query("select products_status, options_id, options_values_id, attributes_hide_from_groups, '0' as hide_attr_status from " . TABLE_PRODUCTS . " left join " . TABLE_PRODUCTS_ATTRIBUTES . " using(products_id) where products_id = '" . (int)$products_id . "'");

      The error is from product_listing.php (which uses buy_now) and product_info.php (which uses add_product) when trying to add an item to the cart. The item does not have any attributes. The catalog/includes/application_top.php is using:

      case 'add_product' :
        if (isset($HTTP_POST_VARS['products_id']) && is_numeric($HTTP_POST_VARS['products_id'])) {
          // BOF price-break-1.11.3
          $cart->add_cart($HTTP_POST_VARS['products_id'], $cart->get_quantity(tep_get_uprid($HTTP_POST_VARS['products_id'], $HTTP_POST_VARS['id'])) + $HTTP_POST_VARS['cart_quantity'], $HTTP_POST_VARS['id']);
          // EOF price-break-1.11.3
        }
        tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
        break;
      // performed by the 'buy now' button in product listings and review page
      case 'buy_now' :
        if (isset($HTTP_GET_VARS['products_id'])) {
          if (tep_has_product_attributes($HTTP_GET_VARS['products_id'])) {
            tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']));
          } else {
            $cart->add_cart($HTTP_GET_VARS['products_id'], $cart->get_quantity($HTTP_GET_VARS['products_id'])+1);
          }
        }
        tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
        break;
  14. Missing 'or' in the query; it should be: or o.billing_country like '%david%' or o.payment_method like '%david%'
  15. have you looked in the contributions section, a very quick look got these to start with. http://www.oscommerce.com/community/contributions,3072 http://www.oscommerce.com/community/contributions,3753 http://www.oscommerce.com/community/contri...ng+quote/page,1
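Posts 5 and 6 above fix a SQL injection in tep_set_slider_status() by casting the id with (int) before it is concatenated into the query. The following is an added example (not osCommerce code and not the poster's) that shows why the cast matters, using an in-memory SQLite table named slides via PDO; the table name, columns and the sample id value are assumptions for the demo, and osCommerce itself runs MySQL through tep_db_query(), which is why the post uses the cast rather than bound parameters.

```php
<?php
// Added example, not osCommerce code. Demonstrates the difference between
// interpolating a raw id, casting it with (int) as in the post above, and
// using a bound parameter. Uses an in-memory SQLite table (assumption).

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("create table slides (slides_id integer primary key, status integer, date_status_change text)");
    foreach ([1, 2, 3] as $id) {
        $db->exec("insert into slides (slides_id, status) values ($id, 1)");
    }
    return $db;
}

// Vulnerable shape: the id is dropped into the SQL as a raw string, so a
// quote in the input closes the literal and the rest becomes SQL.
function set_status_raw(PDO $db, $slides_id, $status): int {
    return $db->exec("update slides set status = '" . $status
        . "', date_status_change = datetime('now') where slides_id = '" . $slides_id . "'");
}

// Hardened as in the post: (int) reduces any input to an integer, so the
// query can only ever contain digits where the id goes.
function set_status_cast(PDO $db, $slides_id, $status): int {
    return $db->exec("update slides set status = '" . (int)$status
        . "', date_status_change = datetime('now') where slides_id = '" . (int)$slides_id . "'");
}

// Alternative where the DB layer supports it: bound parameters, so the
// value is sent separately from the SQL text and is never parsed as SQL.
function set_status_bound(PDO $db, $slides_id, $status): int {
    $stmt = $db->prepare("update slides set status = :s, date_status_change = datetime('now') where slides_id = :id");
    $stmt->execute([':s' => (int)$status, ':id' => (int)$slides_id]);
    return $stmt->rowCount();
}

// Constructed malicious id: terminates the quoted literal and appends an
// always-true condition so the update hits every row.
$attacker_id = "1' or '1'='1";

$db = make_db();
echo "raw:   rows updated = " . set_status_raw($db, $attacker_id, '0') . "\n";
$db = make_db();
echo "cast:  rows updated = " . set_status_cast($db, $attacker_id, '0') . "\n";
$db = make_db();
echo "bound: rows updated = " . set_status_bound($db, $attacker_id, '0') . "\n";
```

Run with a PHP CLI that has pdo_sqlite enabled. The raw version disables all three slides because the where clause becomes `slides_id = '1' or '1'='1'`; the cast and bound versions only touch slides_id 1, since (int)"1' or '1'='1" is 1 in PHP. The cast is enough for a column that is genuinely numeric; for string columns (the post 8 and 9 testimonial issues are of that kind) a cast does not apply and bound parameters or proper escaping are the fix.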