241
Posts: 6,154
Posts posted by 241
-
Uploaded full package with the code changes in place for SQL injection prevention and sanitization of the string.
-
If you are just copying and pasting, then you will get the error for < as that is the beginning of your HTML tagging, which you are pasting into the middle of PHP tagging, thus breaking the PHP.
You would need to post more of the code to see whether or not the HTML tagging is required for positioning; if not, then you could use:
<?php
session_start();
if (($_SESSION['security_code'] == $_POST['security_code']) && (!empty($_SESSION['security_code']))) {
  // Insert your code for processing the form here, e.g. emailing the submission, entering it into a database.
  echo tep_image_submit('button_submit.gif', IMAGE_BUTTON_INSERT) . ' <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS_WRITE, '', 'NONSSL');
  unset($_SESSION['security_code']);
} else {
  // Insert your code for showing an error message here
}
?>
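An added example (not code from the post above, and not from osCommerce or the testimonials contribution): a hardened form of the session-versus-POST security_code check. It assumes, as the snippet does, that the CAPTCHA image script stored the code in $_SESSION['security_code'] and the form posts it back as security_code; the function name is my own.

```php
<?php
// Added example: hardened CAPTCHA check (assumed names, not the contribution's code).
function security_code_is_valid(array $session, array $post)
{
    // Fail closed when no code was issued: an empty or missing session value
    // means no CAPTCHA was shown, so nothing submitted can be "correct".
    if (!isset($session['security_code']) || $session['security_code'] === '') {
        return false;
    }
    // Only compare strings, and never loosely. With == PHP compares numeric
    // strings as numbers, so "0e123" == "0e456" is true; a numeric-looking
    // code could then be passed by a value that does not match.
    if (!isset($post['security_code']) || !is_string($post['security_code'])) {
        return false;
    }
    // hash_equals() (PHP >= 5.6) compares in constant time, so the response
    // timing does not reveal how many leading characters matched.
    return hash_equals((string)$session['security_code'], $post['security_code']);
}

session_start();
if (security_code_is_valid($_SESSION, $_POST)) {
    // One-time use: clear the code before any processing, so a replayed POST
    // carrying the same value cannot submit the form a second time.
    unset($_SESSION['security_code']);
    // Insert your code for processing the form here.
} else {
    // Insert your code for showing an error message here.
}
?>
```

The order matters: the code is cleared before the form is processed, not after, so an exception or early exit during processing cannot leave a still-valid code in the session.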
-
Hi
Does this apply to Customer Testimonials v3, which is a separate contribution (or has it just been taken from this one)?
Thanks
Julie
Yes, it applies to all and is an injection that they can use to then set up a database user which requires no password to gain access.
They set up an open all-access user in the database and then have the privileges to set up databases etc.
I will not post the code used here as this will further compound the issue.
I have informed a member of the team and requested that all testimonial contributions be disabled until the issue is resolved.
-
There is a further vulnerability where user information (names, the encrypted password and email address) for every testimonial can be harvested.
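The two posts above describe an injection in the testimonials contribution without showing its code, and this example does not reconstruct it. It is an added illustration of the bug class on a made-up testimonial lookup, beside the two safe ways to write the same query in osCommerce style. Assumed, not from the page: a testimonials table with an integer testimonials_id and a text customers_name, and the function names; tep_db_input() is osCommerce's real escaping helper (it wraps mysql_real_escape_string), stubbed here with addslashes() only so the file runs offline.

```php
<?php
// Added example, not the contribution's code. Stand-in for osCommerce's
// tep_db_input(), defined only when the real one is not loaded.
if (!function_exists('tep_db_input')) {
    function tep_db_input($s) { return addslashes($s); } // offline stand-in
}

// Vulnerable pattern: the request value is spliced straight into the SQL text.
function testimonial_query_unsafe($raw_id)
{
    return "select customers_name, testimonials_text from testimonials"
         . " where testimonials_id = '" . $raw_id . "'";
}

// Safe for numeric keys: the (int) cast leaves no way to alter the query shape.
function testimonial_query_by_id($raw_id)
{
    return "select customers_name, testimonials_text from testimonials"
         . " where testimonials_id = '" . (int)$raw_id . "'";
}

// Safe for free text: escape, and keep the value inside its quotes.
function testimonial_query_by_name($raw_name)
{
    return "select customers_name, testimonials_text from testimonials"
         . " where customers_name = '" . tep_db_input($raw_name) . "'";
}

// Constructed input. A single quote is the usual first check for whether a
// value reaches the query unescaped: with the unsafe query it terminates the
// string literal and the rest of the request is parsed as SQL.
$probe = "1'";
echo testimonial_query_unsafe($probe), "\n";     // literal ends early: query shape changed
echo testimonial_query_by_id($probe), "\n";      // (int)"1'" is 1: shape unchanged
echo testimonial_query_by_name("O'Brien"), "\n"; // legitimate apostrophe kept, escaped
?>
```

The (int) cast is the right fix wherever the column is an integer key; tep_db_input() is for values that must stay strings. Neither helps if the value is used as a column or table name, which escaping cannot protect; those should be matched against a fixed list instead.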
-
Anyone running this have problems with not being able to order more than one of any particular item?
I am suddenly having problems with this... Not good.
Anyone have any ideas?
Thanks!
--Jeff
The third piece of code is for passing attributes information and is a part of the osCommerce PayPal IPN.
It may be a part of some of the others, or it may be coded slightly differently, in which case you would need to look at the code section dealing with attributes for the PayPal module that you are using.
Do you know which PayPal module you are using?
-
Arther,?
There is also a > missing from the code for the save button in admin/attributes_groups.php. On Safari no problem, but most other browsers did have a problem with it (rightly so, of course), obscuring the save button.
This would be approx. line #202:
<?php echo '<p style="margin-top: 20px;"' . tep_image_submit('button_save.gif', IMAGE_SAVE, 'name="submitbutton"') . ' ' . tep_image_button('button_cancel.gif', IMAGE_CANCEL, 'onclick=\'self.close()\'') .'</p>' . "\n";
and the fix is to close the opening paragraph tag just before the tep_image_submit:
<?php echo '<p style="margin-top: 20px;">' . tep_image_submit('button_save.gif', IMAGE_SAVE, 'name="submitbutton"') . ' ' . tep_image_button('button_cancel.gif', IMAGE_CANCEL, 'onclick=\'self.close()\'') .'</p>' . "\n";
-
Arther,?
For the SQL, it shouldn't matter which products_id (from which table) it should be, because it is a join using products_id. Interestingly, MySQL 5 has no problem with it, but MySQL 4 apparently does.
I have it changed to this in my last version (catalog/includes/classes/shopping_cart.php):
if (is_numeric($products_id) && is_numeric($qty) && ($attributes_pass_check == true)) {
  // BOF SPPC attribute hide check, original query expanded to include attributes
  $check_product_query = tep_db_query("select p.products_status, options_id, options_values_id, IF(find_in_set('" . $this->cg_id . "', attributes_hide_from_groups) = 0, '0', '1') as hide_attr_status from " . TABLE_PRODUCTS . " p left join " . TABLE_PRODUCTS_ATTRIBUTES . " using(products_id) where p.products_id = '" . (int)$products_id . "'");
The code for the last update, which was SPPC attributes mod rev.1, is still using the old code.
The code that you have posted here works, as does the change I made prior to seeing this post:
$check_product_query = tep_db_query("select p.products_status, pa.options_id, pa.options_values_id, pa.attributes_hide_from_groups, '0' as hide_attr_status from " . TABLE_PRODUCTS . " p left join " . TABLE_PRODUCTS_ATTRIBUTES . " pa on p.products_id = pa.products_id where p.products_id = '" . (int)$products_id . "'");
-
I have gone through the contributions section, installing my way through the various files for SPPC.
I am now receiving this error:
1052 - Column 'products_id' in where clause is ambiguous
select products_status, options_id, options_values_id, attributes_hide_from_groups, '0' as hide_attr_status from products left join products_attributes using(products_id) where products_id = '923'
The query is for the attributes part of catalog/includes/classes/shopping_cart.php:
if (is_numeric($products_id) && is_numeric($qty) && ($attributes_pass_check == true)) {
  // BOF SPPC attribute hide check, original query expanded to include attributes
  $check_product_query = tep_db_query("select products_status, options_id, options_values_id, attributes_hide_from_groups, '0' as hide_attr_status from " . TABLE_PRODUCTS . " left join " . TABLE_PRODUCTS_ATTRIBUTES . " using(products_id) where products_id = '" . (int)$products_id . "'");
The error is from product_listing.php (which uses buy_now) and product_info.php (which uses add_product) when trying to add an item to the cart.
The item does not have any attributes.
The catalog/includes/application_top.php is using:
case 'add_product' :
  if (isset($HTTP_POST_VARS['products_id']) && is_numeric($HTTP_POST_VARS['products_id'])) {
    // BOF price-break-1.11.3
    $cart->add_cart($HTTP_POST_VARS['products_id'], $cart->get_quantity(tep_get_uprid($HTTP_POST_VARS['products_id'], $HTTP_POST_VARS['id'])) + $HTTP_POST_VARS['cart_quantity'], $HTTP_POST_VARS['id']);
    // EOF price-break-1.11.3
  }
  tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
  break;
// performed by the 'buy now' button in product listings and review page
case 'buy_now' :
  if (isset($HTTP_GET_VARS['products_id'])) {
    if (tep_has_product_attributes($HTTP_GET_VARS['products_id'])) {
      tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']));
    } else {
      $cart->add_cart($HTTP_GET_VARS['products_id'], $cart->get_quantity($HTTP_GET_VARS['products_id'])+1);
    }
  }
  tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
  break;
-
There is a third bug: when we use the Search Filter + submit =
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'o.payment_method like '%david%' or o.cc_number like '%david%' order by o.orders' at line 1
select distinct * from orders o where o.orders_id like '%david%' or o.orders_id like '%david%' or o.customers_name like '%david%' or o.customers_id like '%david%' or o.customers_id like '%david%' or o.customers_company like '%david%' or o.customers_street_address like '%david%' or o.customers_suburb like '%david%' or o.customers_city like '%david%' or o.customers_postcode like '%david%' or o.customers_state like '%david%' or o.customers_country like '%david%' or o.customers_telephone like '%david%' or o.customers_email_address like '%david%' or o.delivery_name like '%david%' or o.delivery_company like '%david%' or o.delivery_street_address like '%david%' or o.delivery_suburb like '%david%' or o.delivery_city like '%david%' or o.delivery_postcode like '%david%' or o.delivery_state like '%david%' or o.delivery_country like '%david%' or o.billing_name like '%david%' or o.billing_company like '%david%' or o.billing_street_address like '%david%' or o.billing_suburb like '%david%' or o.billing_city like '%david%' or o.billing_postcode like '%david%' or o.billing_state like '%david%' or o.billing_country like '%david%' o.payment_method like '%david%' or o.cc_number like '%david%' order by o.orders_id DESC
[TEP STOP]
PS: David is the name of a customer I am searching for.
There is a missing "or" in the query; it should be:
or o.billing_country like '%david%' or o.payment_method like '%david%'
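An added example, not the orders search contribution's own code: the same filter built from a list of column names, so that exactly one "or" lands between every pair of conditions and the missing operator above cannot recur, with the search term escaped as well. Assumed, not from the page: the function name and the shortened column list (the names themselves come from the query in the error message); tep_db_input() is osCommerce's escaping helper, stubbed with addslashes() so the file runs offline. It goes slightly beyond the post by also escaping the LIKE wildcards.

```php
<?php
// Added example. Stand-in for osCommerce's tep_db_input(), used only offline.
if (!function_exists('tep_db_input')) {
    function tep_db_input($s) { return addslashes($s); } // offline stand-in
}

function orders_search_query($term, array $columns)
{
    // Escape LIKE wildcards first, then the quote characters, so a term of
    // "%" or "_" cannot turn into a match-everything pattern and a quote
    // cannot end the string literal. MySQL's default LIKE escape is backslash.
    $escaped = tep_db_input(str_replace(array('%', '_'), array('\\%', '\\_'), $term));
    $conditions = array();
    foreach ($columns as $col) {
        $conditions[] = "o." . $col . " like '%" . $escaped . "%'";
    }
    // implode() places exactly one " or " between neighbouring conditions,
    // which is what the hand-written query above got wrong once.
    return "select * from orders o where " . implode(' or ', $conditions)
         . " order by o.orders_id DESC";
}

// Constructed column list: a subset of the columns in the failing query.
$columns = array('orders_id', 'customers_name', 'customers_email_address',
                 'billing_country', 'payment_method');
echo orders_search_query('david', $columns), "\n";
echo orders_search_query("d'av%", $columns), "\n"; // quote and wildcard neutralised
?>
```

The list leaves out o.cc_number on purpose: a LIKE search over a stored card-number column lets anyone with admin search rights enumerate card data one digit at a time, which is a separate problem from the missing operator.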
-
Have you looked in the contributions section? A very quick look got these to start with.
http://www.oscommerce.com/community/contributions,3072
http://www.oscommerce.com/community/contributions,3753
http://www.oscommerce.com/community/contri...ng+quote/page,1
-
Are you using option type attributes by any chance? http://www.oscommerce.com/community/contributions,160
-
My guess would be that the issue is with PayPal payments and that what you get in the order is TEXT.
If this is correct, then you need to modify your paypal_ipn.php file.
locate code:
'products_options_values' => $attributes_values['products_options_values_name'],
change to:
'products_options_values' => $order->products[$i]['attributes'][$j]['value'],
locate code:
$parameters['os' . $j . '_' . $item] = $attributes_values['products_options_values_name'];
change to:
$parameters['os' . $j . '_' . $item] = $order->products[$i]['attributes'][$j]['value'];
locate code:
$products_ordered_attributes .= "\n\t" . $attributes_values['products_options_name'] . ' ' . $attributes_values['products_options_values_name'];
change to:
$products_ordered_attributes .= "\n\t" . $attributes_values['products_options_name'] . ' ' . tep_decode_specialchars($order->products[$i]['attributes'][$j]['value']);
-
In the UK you would be VAT registered to charge tax and would be required to show this tax amount on the invoice.
TITLE:
<td class="dataTableHeadingContent" align="right"><?php echo TABLE_HEADING_TAX; ?></td>
VALUE:
' <td class="dataTableContent" align="right" valign="top">' . tep_display_tax_value($order->products[$i]['tax']) . '%</td>' . "\n" .
Unless it is the price (inc) parts that you are wanting to remove, or the tax line from the totals amount.
If it is the tax line from the totals amount, then switch this off in the admin modules under Order Total.
-
Hi Guys,
It seems all my other posts have "disappeared"!
I've applied all the instructions and the home page featured is working like a bomb; the only problem now is when I try to click on any of the categories, I get a message "Unable to determine the page link!".
I'm still desperately trying to get this working. If anyone has any suggestions, i'd really appreciate it!
Thanks,
Chris
Your other posts were removed because they were not relevant to the thread, as the issue was not caused by the contribution. The same goes for the issue you are now posting, which is caused by having Search-Engine Safe URLs set to true in the admin.
The resolution is to set Use Search-Engine Safe URLs (still in development) to false in the admin.
-
Do not bump posts, as it is against the forum rules.
OK, I misread the error message: you have whitespace in your file.
Download includes/database_tables.php via FTP, then open it using a file editor or a program such as Dreamweaver.
Go to the end of the file, find the last ?>, place your cursor after the > and hit delete several times.
Save the file and upload it via FTP.
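An added example, not from the post above: a small checker for the problem it describes. Bytes outside the <?php ... ?> tags (a blank line after the final ?>, or a UTF-8 BOM before the opening tag) are sent as page output before any header or cookie can be set, which is where "headers already sent" comes from. The function name and the sample file contents are constructed; the check assumes pure-PHP files like includes/database_tables.php, with no HTML.

```php
<?php
// Added example: report bytes that PHP would emit as output before running
// the code in a pure-PHP source file.
function stray_output_in_php_source($source)
{
    $problems = array();
    $open = strpos($source, '<?php');
    if ($open === false) {
        return array('no <?php tag: the whole file is sent as output');
    }
    if ($open > 0) {
        // Anything before the opening tag, even one space or a BOM, is output.
        $problems[] = substr($source, 0, 3) === "\xEF\xBB\xBF"
            ? 'UTF-8 BOM before <?php' : $open . ' byte(s) before <?php';
    }
    // Last "?>" in the file. (Assumption: it is a real closing tag, not text
    // inside a string literal; for database_tables.php that holds.)
    $close = strrpos($source, '?>');
    if ($close !== false) {
        $tail = substr($source, $close + 2);
        // PHP swallows exactly one newline (LF or CRLF) right after ?>;
        // anything beyond that is output.
        if (substr($tail, 0, 2) === "\r\n") {
            $tail = substr($tail, 2);
        } elseif (substr($tail, 0, 1) === "\n") {
            $tail = substr($tail, 1);
        }
        if ($tail !== '') {
            $problems[] = strlen($tail) . ' byte(s) after the last ?>';
        }
    }
    return $problems;
}

// Constructed samples: the broken file from the post, the fix the post
// describes, and the usual safer style of leaving the closing tag out.
$samples = array(
    'broken'         => "<?php\ndefine('TABLE_ORDERS', 'orders');\n?>\n\n   \n",
    'fixed'          => "<?php\ndefine('TABLE_ORDERS', 'orders');\n?>\n",
    'no closing tag' => "<?php\ndefine('TABLE_ORDERS', 'orders');\n",
);
foreach ($samples as $label => $src) {
    $p = stray_output_in_php_source($src);
    echo $label, ': ', ($p ? implode('; ', $p) : 'clean'), "\n";
}
?>
```

Leaving the closing ?> out of pure-PHP files removes the whole class of problem, since there is then no tail for an editor to append whitespace to.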
-
In both your catalog/includes/configure.php and admin/includes/configure.php files, change the last line to:
define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'
-
Hi, is there some pack that does this thing:
I want that when the customer registers his account, two kinds of login will appear: if he has a company, he will put his company number there, and a normal registration.
Because when a registered company customer logs in, different prices will appear, because he will be a peddler, and these prices will appear only if he is logged in and has received our approval to be a peddler.
And the normal login is normal :)
So, I don't know if you understand; if not, let me know.
Thanks.
This may be what you are looking for http://www.oscommerce.com/community/contributions,716
-
You may have the reset issue discussed and resolved here http://www.oscommerce.com/forums/index.php?s=&...st&p=932499
-
Do you have this in admin/includes/application_top.php?
// include the articles functions
require(DIR_WS_FUNCTIONS . 'articles.php');
// Article Manager
if (isset($HTTP_GET_VARS['tPath'])) {
  $tPath = $HTTP_GET_VARS['tPath'];
} else {
  $tPath = '';
}
if (tep_not_null($tPath)) {
  $tPath_array = tep_parse_topic_path($tPath);
  $tPath = implode('_', $tPath_array);
  $current_topic_id = $tPath_array[(sizeof($tPath_array)-1)];
} else {
  $current_topic_id = 0;
}
-
Check that you have the file catalog/admin/includes/functions/articles.php and that this file contains the function
function tep_get_topic_tree(
-
You are missing the define in includes/database_tables.php for the coupons table; it should be something like:
define('TABLE_COUPONS', 'coupons');
-
<div align="right"><?php
if ($product_info['products_price'] < 0.01) {
  echo 'Please Phone To Buy';
} else {
  echo tep_draw_hidden_field('products_id', $product_info['products_id']) . tep_image_submit('button_in_cart.gif', IMAGE_BUTTON_IN_CART);
}
?>
-
Well, I guess that you did not read the install text file:
ALTER TABLE `admin` ADD `admin_cat_access` TEXT NOT NULL;
ALTER TABLE `admin` ADD `admin_right_access` TEXT NOT NULL;
UPDATE admin SET admin_cat_access = 'ALL' WHERE admin_groups_id = 1;
-
Nivo Slider Content Module (Bootstrap)
in General Add-Ons Support
Not sure if the intention is to have this work as a banner manager with impressions and expiry.
The set slide function has a reference to 2 missing columns in the table and a reference to the banner id string, so it falls over when changing the status flag in admin.
admin/slides_manager.php
If not used as a banner manager, then the code needs changing to