Posts posted by ecartz

  1. 10 hours ago, Gary Tayman said:

    I've been using the table rate, and it sorta kinda works for some shipments, but when it charges $6 to ship auto parts to Switzerland there's a real problem

    If you want your shipping costs to be different by geographic region (zone), use zone shipping.  That comes with the latest community edition release.  You might try joining the Phoenix Club for more help with the community edition. 

    In terms of installing modules, you do that at admin > Modules > Shipping.  Click the Install button to see a list of available modules.  Note that you have to upload the files first if it's not one of the ones that come with core. 

  2. 1 hour ago, glamocanilaktasi said:

    My host told me that I am on shared hosting and they can't remove TLS 1.0 and 1.1 because other users use these options.

    But TLS is configurable per VirtualHost.  So it can have multiple values on the same shared server.  I.e. they can have one setting for most everyone and then put just those sites that need the historical settings on a different VirtualHost. 

    If your host can't do that for you, then switching to one that can is highly advised.  I mean, the very fact that they didn't just fix it is an argument in favor of switching hosts. 
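An added example, not part of the original post: a per-VirtualHost protocol split of the kind described above. Host names, addresses, document roots and certificate paths are placeholders.

```apache
# Constructed example. All names, addresses and paths are placeholders.
#
# Each site gets its own address here. For name-based vhosts that share
# one IP:port, the Apache documentation for SSLProtocol states that the
# per-vhost value is honoured only from httpd 2.4.42 built against
# OpenSSL 1.1.1 or later (and when the client sends SNI); before that,
# the first vhost declared on the IP:port decides for all of them.

# Site that must no longer offer TLS 1.0 / 1.1
<VirtualHost 192.0.2.10:443>
    ServerName shop.example
    DocumentRoot "/var/www/shop"
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/example/shop.crt"
    SSLCertificateKeyFile "/etc/ssl/example/shop.key"
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>

# Site the host keeps on the historical settings
<VirtualHost 192.0.2.11:443>
    ServerName legacy.example
    DocumentRoot "/var/www/legacy"
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/example/legacy.crt"
    SSLCertificateKeyFile "/etc/ssl/example/legacy.key"
    SSLProtocol all -SSLv3
</VirtualHost>
```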

  3. 2 hours ago, anya2001 said:

    Is there any update on this?  Is osCommerce developing a new module?

    As far as I know, no one associated with osCommerce or Phoenix is working on a new module. 

    Note that there is no requirement that a payment module be provided by osCommerce or Phoenix.  Authorize.net or a third party could make a payment module.  Like all modules (including the old Authorize.net modules), it should be a drop-in install without any need to modify core. 

  4. The obvious place to put it would be in a hook or header tags module (as a footer script). 

    class hook_shop_checkout_confirmation_pending_order_email {
      public function listen_injectSiteEnd() {
        if ($GLOBALS['order']->info['payment_method'] === 'Paypal') {
          require 'includes/functions/pending_order_email.php';
        }
      }
    }

    That's probably the most literal translation of it.  You may have to move some of the contents of that file into the hook file instead.  E.g. the actual function declarations.  I presume that it's written to have some side effect.  Perhaps move the side effect into where the require is and move the function declarations after the hook class declaration. 

  5. 1 minute ago, discxpress said:

    Where do I place ---> }

    I keep getting an error on line 78 when I remove it.

    Leave it where you had it in your previously posted code.  The only change from your previously posted code should be to switch the order of the two lines that I posted. 

    You could also switch two of the } but since they are identical, there doesn't seem to be any point.  The positions where they are are correct enough (if I were doing the change, I'd indent them to match everything else; but that won't affect functionality). 

  6. @discxpress

    You have two lines in your code: 

    if ($GLOBALS['PHP_SELF'] == 'index.php') {
        function execute() {

    replace those two lines with

        function execute() {
            if ($GLOBALS['PHP_SELF'] == 'index.php') {

    I.e. swap the order of those two lines.

    The rest of the code can stay the same as in your previous post. 

  7. 3 minutes ago, Dj-Viper said:

    Nieuwe order is not sent, that is before the payment module will kick in.

    This is not the normal workflow.  Normally, when the order is first inserted in the database, the email is sent. 

    So two possibilities: 

    1.  Your payment module performs its own workflow where it inserts the order before processing the payment. 

    2.  You have order emails turned off. 

    If the latter, turn them on.  If the former, then the payment module would need to be modified. 

    It would be problematic to modify such a payment module to work the way that you describe.  Because payment modules that insert the order into the database before processing payment do not necessarily process the payment.  Because payment failures happen after the order is inserted. 

    Typically, if your payment module works that way, what you want to happen is for the email to be initiated in two ways. 

    1.  When the customer returns to the web site after paying, it sends the email.  This happens automatically on checkout_process in the normal flow. 

    2.  If the customer does not return to your web site, the payment processor sends a payment message which triggers sending the email.  PayPal calls this an IPN. 

    Perhaps your payment module is missing the latter portion.  Or it could be bypassing the former.  Or both. 

    Regardless, this isn't a matter of simple configuration (unless you have order emails turned off).  You need development on the payment module. 

  8. 10 hours ago, ce7 said:

    showSub($dir2, $sub)

    It's telling you that that function is not returning an array.  It would need to consistently return an array to be used that way. 

  9. If you do not have the .htaccess file and try to open the images directory in your browser (just the directory, no file), what happens?  If it says you are not authorized, you can delete the following line from the .htaccess file

    Options -Indexes

    It is conceivable that that would fix things. 

    I suspect that your host has set some configuration that conflicts with the .htaccess file.  If your error logs don't give any more information, then they would be the ones who would have to do the next steps of debugging.  You might ask them about AllowOverride and AllowOverrideList values in httpd.conf.  E.g. in the documentation:  https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride


    In the example above, all directives that are neither in the group AuthConfig nor Indexes cause an internal server error.

    The .htaccess file uses the Limit directives. 

    It is possible that they might have to incorporate the directives from the old version of the .htaccess file into the httpd.conf in a Directory section.  The old version because they are using Apache 2.2.  The new version should be compatible with both 2.4 and 2.2 but otherwise has no advantages over the old version. 

    I.e. the choices are either for them to configure your site

    AllowOverride Limit

    or to incorporate

    <FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
       Order Deny,Allow
       Deny from all
    </FilesMatch>
    Options -Indexes

    into the httpd.conf files. 
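An added example, not part of the original post or the project's files: one way a host could carry those directives into httpd.conf in a Directory section, written so that it loads on both Apache 2.2 and 2.4. The directory path is a placeholder.

```apache
# Constructed example. "/var/www/shop/images" is a placeholder path.
<Directory "/var/www/shop/images">
    # No directory listings for the upload directory
    Options -Indexes

    # Refuse to serve anything that could be run as a script, so an
    # uploaded .php file cannot be requested and executed.
    <FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
        # Apache 2.4: mod_authz_core provides Require
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        # Apache 2.2: fall back to the Order/Deny form
        <IfModule !mod_authz_core.c>
            Order Deny,Allow
            Deny from all
        </IfModule>
    </FilesMatch>
</Directory>
```

In a .htaccess file the same directives depend on the host's AllowOverride value: Order/Deny needs Limit, Require needs AuthConfig, and Options needs Options.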

  10. More ways to check the Apache version from PHP:  https://stackoverflow.com/questions/2927954/how-to-get-the-apache-version

    Yet more ways to check:  https://stackoverflow.com/questions/166607/how-do-i-find-the-version-of-apache-running-without-access-to-the-command-line

    If none of that works, ask your host.  They also may be able to tell you if there are restrictions on .htaccess files that would cause trouble. 

  11. Apache version? 

    The .htaccess doesn't help with file permissions.  It keeps people who upload .php files to the server from being able to run them.  It's to cover for the directory permissions being 777. 

    I'd create a test file, test.php with content

    <?php echo 'Hello world!';

    Try to visit it in the browser.  Then upload smaller versions of the .htaccess and see which makes it stop working and which makes the images stop working.  If you can find a smaller version that lets the images work while stopping the PHP file, then use that version. 

    You can see an older version of that file at https://github.com/gburton/CE-Phoenix/blob/41601da342152b010247083c1a70101aa2468d84/images/.htaccess

  12. Depending on why you want to show it, you might also put it in your conditions.  As in, Must Agree Terms & Conditions.  Messaging it from the payment module is best for letting the buyer know.  But if you simply want them to be legally advised, that's what the terms and conditions does. 

    Note that the payment module messaging dates back to


    initial import for the osCommerce 2.x version; taken from the 2.2 MS2…

    … 20051113 release

    I.e. it is older than the osCommerce GitHub. 

  13. In Phoenix, the line that triggers the session_set_save_handler call is in application_top.php at

      require 'includes/functions/sessions.php';

    It seems to be claiming that output is being sent before that line.  One possibility to find what is causing it is to keep moving that line higher in the file until it either works or you get a different error.  Sometimes that helps if that line is not dependent on other code having run first.  Could not be moved prior to the includes/configure.php line.  Not sure about other dependencies. 

    It does seem like PHP 7.2 became stricter in its session handling.  So something that was always broken may now be announcing that it is broken.  Compare what you have above that line and in files included before that to what Frozen has to see what may have changed. 

    It's also worth noting that this can happen if you have a different error or warning displayed before the session started.  You can fix that by turning off display_errors.  E.g. at the top of includes/application_top.php put

    ini_set('display_errors', 0);

    Put it right before the starting time is set, after the previous comment is closed.  That may shift things from totally broken to just moderately broken.  If that is what the problem is.  So this error would go away and you could concentrate on the other problems that would still be there. 

  14. 20 minutes ago, kgtee said:

    When you make wishlist into a hook, I am curious how you ensure the wishlist action is executed before the shopping cart action. This order of execution is important as you do not want shopping cart to act first leaving nothing for the wishlist.

    Put it in the hook before the shopping cart action is processed? 

    This will be a little more complicated in, as the shopping cart actions are also processed by a hook.  But in, there is a hook call immediately prior to the processing of the shopping cart actions. 

    22 hours ago, LeeFoster said:

    The wishlist addon has its class file that contains its own count_contents function.

    Then it seems to be saying that the $wishlist object is not set.  I would probably replace it with $_SESSION['wishlist'] and it's possible that it is not triggering the wishlist creation for some reason.  Or perhaps it needs to be gated by

    if (isset($_SESSION['wishlist'])) {


  15. 1 hour ago, domiosc said:

    The hosting company says it is all secure... and what is vulnerable is the website...

    If you can run executable code in .ico files, that is a security hole. 

    Similarly, X-Frame-Options is generally set by Apache, not by individual applications.  https://geekflare.com/secure-apache-from-clickjacking-with-x-frame-options/

    Allowing image uploads should only be available to the admin, which should be secured by Apache's Basic Authentication (htpasswd).  Writing image files to anywhere other than images/ admin/backups and a few more locations should be blocked by directory file permissions. 

    You can disable osCommerce from allowing .ico uploads.  Look for set_extensions or I seem to recall that older versions had a default set somewhere. 

    Only the last of those is settable in application.  Some of the third is configuring for use by the application.  Some is host configuration (who owns the site files and directories; what are the permissions).  The first two are purely host configuration.  Although perhaps the .ico file is being included by something else (what?). 

    In general, clickjacking only works if you use the same browser instance to both log into your osCommerce admin and view other pages.  If you only ever use the browser instance for looking at the osCommerce admin, clickjacking won't work.  Keep one browser only for osCommerce.  This could be Chrome, Edge, Firefox, Safari, Opera, etc.  And use a different browser for regular web browsing.  Chrome and Firefox also support multiple profiles (Chrome will let you have multiple profiles open at the same time).
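
An added example, not part of the original post: the two Apache-side settings mentioned above, the X-Frame-Options header and Basic Authentication on the admin directory. The admin path, realm name and password file location are placeholders.

```apache
# Constructed example. Paths and the realm name are placeholders.

# Send X-Frame-Options on every response, including error pages,
# so pages from this site can only be framed by the site itself.
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>

# Put the admin (the only place image uploads should be possible)
# behind HTTP Basic Authentication, in addition to the application login.
<Directory "/var/www/shop/admin">
    AuthType Basic
    AuthName "Shop admin"
    # Keep the password file outside the document root.
    # Create it with: htpasswd -c /etc/apache2/example/.htpasswd <user>
    AuthUserFile "/etc/apache2/example/.htpasswd"
    Require valid-user
</Directory>
```

Basic Authentication sends credentials with every request, so the admin should only be reachable over HTTPS.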