Posts posted by tgely

  1. @ArtcoInc

    If I understand correctly, you are probably mixing up GET forms with POST forms. All modules use parameters in the href link. tep_draw_hidden_field() does not mean POST parameters in these cases, because the hidden field is transformed in the HTTP header into GET parameters.


    search_in_description = 1

    then this means search results from product_description, while 0 does not search in products_description.

    The store search bar calls a direct AJAX POST method header link with href="" parameters instead of using a hidden field in a search GET form.

  2. @ArtcoInc

    It's not possible in the near future. I am working on the v2.4 core, but BS3 is hard coded there. The language search functionality is closer to the v2.4 than the v2.3 codebase. When the v2.4 core is totally separated into 2 parts (core and template), there will be a chance to use different template systems. We are in a dead-end street at this moment.

  3. UNIX_TIMESTAMP(date(o.customers_dob))

    I forgot to use direct calculations and started to use the UNIX time format for this reason.

    Here is a zero-equal example code snippet with a modulus calculation:

    where MOD(UNIX_TIMESTAMP(CURDATE())-UNIX_TIMESTAMP(date(c.customers_dob)), " . (int)SETTING_DAYS*86400 . ") = 0

    It could be very effective. For example: define('SETTING_DAYS', 365);

    I use daily mail cron jobs for similar projects.

  4. I have seen duplications in several cases. I have a non-PP payment module with the same rare duplication. But I have seen duplicated emails. I suspect double-entry threads from the shop server side sometimes.
    I have deleted duplicated posts from osCommerce forum threads...

  5. 9 hours ago, Psytanium said:

    @Gergely already enabled, I checked the view-source, I can see the

    <link rel="canonical" href="https://macrotronics.net/product_info.php/samsung-850-evo-500gb-ssd-mz-75e500b-p-12045" />

    in the header

    could be the htaccess ?

    It's time for Google to repair it.

    My solution:


    Run this SQL script before the update:

    ALTER TABLE `categories` 
    ADD COLUMN `cpath` VARCHAR(255) NOT NULL AFTER `last_modified`;


  6. @raiwa

    Not exactly, it attacks only MySQL. Probably MySQL 5.6.
    I remember something from the past... Secure App:

    It could be a Hook. catalog/includes/hooks/shop/global/security_pro.php

    From the Security Pro "Start here" page:


    Yes it is still just as valid. The target of Security Pro is not the core osCommerce coding which we all know is good, the target is the thousands of contributions which are usually poorly written.

    This is all new code but the concept remains the same .. with Security Pro installed it is impossible to pass bad characters through the querystring so long as the page loads application_top.php, which all osCommerce pages do.


  7. Hi everybody,

    I just examined the PHP error logs and discovered that the USU5 database cache system was attacked with SQL injection code. It's probably a security issue if someone uses the database (MySQL or SQLite) cache interfaces.
    I don't have any idea how a UNION script could be registered into MySQL, but it looks very dangerous.

    DO NOT USE database cache modules!


    Could you drop the database cache modules or fix them in the responsive/original addons?

    An error example with file cache module:

    [21-Mar-2017 xx:xx:xx Europe/X] PHP Warning:  file_put_contents(/xxxxx/xxxxxxx/xxxxxxxxxxx.xx/includes/modules/ultimate_seo_urls5/cache_system/cache/2_index_manufacturers_id_23111111111111120UNION20SELECT20CHAR4512049458145CHAR4512050458145CHAR4512051458145CHAR4512052458145CHAR4512053458145CHAR4512054458145CHAR4512055458145CHAR4512056458145CHAR4512057458145CHAR451204948458145CHAR451204949458145CHAR451204950458145202020.cache) 
    [<a href='function.file-put-contents'>function.file-put-contents</a>]: failed to open stream: File name too long in /xxxxx/xxxxxxx/xxxxxxxxxxx.xx/includes/modules/ultimate_seo_urls5/cache_system/file.php on line 82

    I am afraid that the injection script is stored directly when the database interface is used.
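
One way to keep request text out of both the cache file name and the SQL, as an added example that is not part of the post above and is not USU5 code. The function names, the `usu_cache_demo` table and the parameter whitelist are assumptions; it needs the PDO SQLite driver to run.

```php
<?php
// Added example; function names, table name and whitelist are hypothetical.
// Accept only a short, positive decimal id; everything else is rejected.
function clean_id($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Key = language id + page name + SHA-256 of the validated parameters.
function cache_key(int $languageId, string $page, array $get): ?string
{
    $clean = [];
    foreach (['manufacturers_id', 'products_id'] as $name) { // assumed whitelist
        if (!array_key_exists($name, $get)) {
            continue;
        }
        $id = clean_id($get[$name]);
        if ($id === null) {
            return null; // bad value: serve the page uncached, store nothing
        }
        $clean[$name] = $id;
    }
    $page = preg_replace('/[^a-z_]/', '', $page);
    return $languageId . '_' . $page . '_' . hash('sha256', http_build_query($clean));
}

// Database-backed store: key and payload are bound, never concatenated into SQL.
function store_cache(PDO $db, string $key, string $data): void
{
    $stmt = $db->prepare('REPLACE INTO usu_cache_demo (cache_key, cache_data) VALUES (?, ?)');
    $stmt->execute([$key, $data]);
}

// Constructed sample requests, run against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usu_cache_demo (cache_key TEXT PRIMARY KEY, cache_data TEXT)');

foreach (['23', '23 UNION SELECT CHAR(45)'] as $raw) {
    $key = cache_key(2, 'index', ['manufacturers_id' => $raw]);
    if ($key !== null) {
        store_cache($db, $key, 'cached link data');
    }
    var_dump($key);
}
```

Because the key has a fixed length, the "File name too long" failure from the log cannot occur with a file-based store either.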