Jump to content


  • Content count

  • Joined

  • Last visited

Everything posted by mhsuffolk

  1. mhsuffolk

    Stripe Payment Module

    Me too. @14steve14 That is the killer sentence. I am sure that there will be other key payment modules that WILL have to be updated. Many, including Stripe, are by HPDL and there lies a problem...
  2. Note to all. New version of Chrome (68) released 24th July will mark ALL HTTP pages as insecure. Now is the time to change to HTTPS. See here Also, from the future version 69, the secure padlock behaviour will reverse, secure pages will have no padlock shown but insecure pages will have a warning. Confusion will reign I feel.
  3. mhsuffolk

    Stripe Elements API V3

    The only add on that I can find is the original one by HPDL which is included in Frozen. Unfortunately it uses V2 of their API and was written in 2014. Things have moved on and their V3 API is required for easy PCI compliance and it will conform to the new Strong Customer Authentication (SCA) that is coming in September. I am not a coder but I have done some research and have found two guides on how to implement V3, which they also call "Stripe Elements", on their website. https://stripe.com/docs/stripe-js/elements/quickstart https://stripe.com/docs/stripe-js/elements/migrating I have looked at the HPDL code and it is above my paygrade. Is there anybody who can help with this required change please. I can do any testing if required. Martin
  4. Yes, that is what I am trying to achieve.
  5. @raiwa @Hotclutch Thank you for your suggestions. Perhaps I did not explain clearly. Your mod alters the width of each products display. What I wanted to change was the quantity that is displayed. 4 featured products on a big screen, but only two featured products on a phone. This is only to apply to the index page.
  6. Is it possible for this module to display, in the central area, 4 products across one row on a PC, but only 2 products on a phone screen size? This is so customer does not have to scroll down so far to find other content when using a phone.
  7. mhsuffolk

    Fake accounts

    Fair point, but the blind customer may be buying a present for a visually unimpaired person.
  8. mhsuffolk

    HoneyPot Captcha

    I was not aware of that. Is that in PHP 7.2 or is it in the XAMPP set up? I cannot see a setting for it.
  9. mhsuffolk

    HoneyPot Captcha

    Testing Version 1.6 on my PHP 7.2 XAMPP test site and get this error when attempting to create a legitimate account. 1048 - Column 'ip_number' cannot be null insert into honeypot_track set count = '1', ip_number = INET_ATON( '::1' ), last_date = now() [TEP STOP]
  10. If using BS3 version Line 55 of cm_jcm_simple_message.php needs changing from include('includes/modules/content/' . $this->group . '/templates/jcm_simple_message.php'); to include('includes/modules/content/' . $this->group . '/templates/jcm_simple_message-BS3.php'); or change the name of the file.
  11. mhsuffolk

    Removing fake customers

    I have "Tell a Friend" switched off in my shop. Can a fake account still do anything naughty?
  12. Thank you @BrockleyJohn I will try that.
  13. I sell DVDs with several different volumes i.e. DVD Volume 1 DVD Volume 2 DVD Volume 3 and so forth I have to change these to One, Two, Three etc. This code change could be useful for short numbers if required.
  14. Try function tep_date_raw($date, $reverse = false) {
  15. IMO securing the admin folder is more secure than the htaccess/htpasswd security layer method. The fact that you have to log in twice is a small price to pay.
  16. mhsuffolk

    Help with Worldpay

    In includes/modules/payment/rbsworldpay_hosted.php find line 36 approx if ( MODULE_PAYMENT_RBSWORLDPAY_HOSTED_TESTMODE == 'True' ) { $this->form_action_url = 'https://secure-test.worldpay.com/wcc/purchase'; } else { $this->form_action_url = 'https://secure.worldpay.com/wcc/purchase'; Change the bottom URL keeping it between the ' ' to the new one supplied by worldpay. The top one is the test site, have they supplied one for that?
  17. By September 2019, EU and UK banks will be requiring a secondary password check by mobile phone for online transactions over £27 or 30 euro. Whilst accepting the fact that probably the majority of transactions are performed using a mobile, there are many millions that are not. If you live, or are in, a poor or no signal area then you are stuffed. Appallingly the suggested alternative is to use PayPal! Another chance for their extortionate fees and kangaroo court mentality to cripple a small business. This impacts all EU online traders and will probably come to the US eventually. Further details in this news article. BBC News Article
  18. PayPal is OK for the larger trader as the rates drop down. My website would fall into PayPal's 2.9% rate and during quiet times 3.4%. I use Stripe at 1.4%, which is a significant difference. That is my problem with PayPal. Small traders are penalised heavily.
  19. " It seeks to open up payment markets to new entrants leading to more competition, greater choice and better prices for consumers." Tell PayPal that then and see if they can become competitive. This is another example of unelected bureaucrats imposing their will on EU countries, look at GPDR and the cookie regulations if you want other examples.
  20. mhsuffolk

    PCI Report Shows Issues

    CE Frozen on PHP 7.2 I have just had a PCI scan by Security Metrics. It has identified four main issues. I feel that items 1 to 3 are an issue with my host but I think 4 may be OSC. May I have a second opinion please before I contact my hosting company. 1. ISC BIND 9.x.x < 9.9.10-P1 / 9.10.x < 9.10.5-P1 / 9.11.x < 9.11.1-P1 Multiple Vulnerabilities Resolution: Upgrade to ISC BIND version 9.9.10-P1 / 9.9.10-S2 / 9.10.5-P1 / 9.10.5- S2 / 9.11.1-P1 or later. Note that BIND 9 versions 9.9.10-S2 and 9.10.5- S2 are available exclusively for eligible ISC Support customers. Data Received: Installed version : 9.9.4-RedHat-9.9.4-61.el7_5.1 Fixed version : 9.9.10-P1 ------------------------------------------------------------------- 2. TLS Version 1.0 Protocol Detection (PCI DSS) Resolution: All processing and third party entities - including Acquirers, Processors, Gateways and Service Providers must provide a TLS 1.1 or greater service offering by June 2016. All processing and third party entities must cutover to a secure version of TLS (as defined by NIST) effective June 2018. Data Received: TLSv1 is enabled on port 2087 and the server supports at least one cipher. (Note, the server has TLS 1.2 and Stripe , which will only work with 1.2, is fine but both 1.0 and 1.1 are also listed in server info. ------------------------------------------------------------------------ 3. Weak DH Key Exchange Supported (PCI DSS) Resolution: Consult the software's manual and reconfigure the service to use at least 2048-bit DH parameters. Alternatively, disable DH and use only Ellipticcurve Diffie-Hellman (ECDH) instead. --------------------------------------------------------------------------- 4. Web Application Potentially Vulnerable to Clickjacking Resolution: Return the X-Frame-Options or Content-Security-Policy (with the 'frameancestors' directive) HTTP header with the page's response. This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags. Data Received: The following pages do not use a clickjacking mitigation response header and contain a clickable event. Followed by a long list of affected pages encompassing several products, categories and even login.php but by no means all my products.
  21. mhsuffolk

    PCI Report Shows Issues

    You are correct, it was for IIS. Is this for linux .htaccess? ------------------------------------------------------------------- To configure nginx to send the X-Frame-Options header, add this either to your http, server or location configuration: add_header X-Frame-Options sameorigin;
  22. mhsuffolk

    PCI Report Shows Issues

    What confuses me is that they have 1.2 but 1.0 and 1.1 are still listed in server info. When I run a test in ssllabs only 1.2 is detected but Security metrics detected all 3 versions
  23. mhsuffolk

    PCI Report Shows Issues

    Thanks for that. I have also found this on developer.mozilla.org. Could it be used in template_top? "To configure IIS to send the X-Frame-Options header, add this to your site's Web.config file: " <system.webServer> ... <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="sameorigin" /> </customHeaders> </httpProtocol> ... </system.webServer>
  24. mhsuffolk

    PCI Report Shows Issues

    I have had a read and cannot decide where the remedy should go. Can something be added to template_top.php so the whole site is covered?
  25. My CE Frozen site has been running on PHP 7.2 for several weeks. I have just spotted these in the error log. I have changed nothing, has something unusual run? [11-Nov-2018 19:57:12 Europe/London] PHP Warning: Use of undefined constant DIR_WS_LANGUAGES - assumed 'DIR_WS_LANGUAGES' (this will throw an Error in a future version of PHP) in /home/*****/public_html/index_maintenance.php on line 15 [11-Nov-2018 19:57:12 Europe/London] PHP Warning: require(DIR_WS_LANGUAGESenglish/index_maintenance.php): failed to open stream: No such file or directory in /home/*****/public_html/index_maintenance.php on line 15 [11-Nov-2018 19:57:12 Europe/London] PHP Warning: require(DIR_WS_LANGUAGESenglish/index_maintenance.php): failed to open stream: No such file or directory in /home/*****/public_html/index_maintenance.php on line 15 [11-Nov-2018 19:57:12 Europe/London] PHP Fatal error: require(): Failed opening required 'DIR_WS_LANGUAGESenglish/index_maintenance.php' (include_path='.:/opt/alt/php72/usr/share/pear') in /home/*****/public_html/index_maintenance.php on line 15