Stephan Gebbers

i just updated Phpass from 0.3 to 0.5 in /includes/classes/passwordhash.php http://www.openwall.com/phpass/ and changed in includes/functions/password_funcs.php in function tep_encrypt_password($plain) and in function tep_validate_password($plain, $encrypted) { this $hasher = new PasswordHash(10, true); to $hasher = new PasswordHash(10, false); i now have a 60 char blowfish hash output. before i had a 34 char hash in the database field. Is there a reason not to change it that way? i think the passwords are encrypted with a stronger hash function that way and it should be php5.3+ compatible. account creation, change password and reset password seems to work just fine. and as someone asked about max length of password in Oscommerce Discord Chat. Is there a password length limit? i dont think so. Should there be a limit? (see https://sunnysingh.io/blog/secure-passwords ) "Passwords should never be longer than 72 characters to prevent DoS attacks". Regards, Stephan

i did not understand a word you said ;) i did a "beyond compare" on the phpass update and it seems the update is not that revolutionary. it should basicly work as the 0.3 or 0.4 version i think. the most significant change is my change of true to false in the passwordhash function call, as it will use the php crypt function and blowfish hash function $hasher = new PasswordHash(10, false); 10x iterations and $portable_hashes = false that will allow blowfish (from php crypt) and that is what i also asked. if that is a stronger/better encryption. i think so. function HashPassword($password) { $random = ''; if (CRYPT_BLOWFISH === 1 && !$this->portable_hashes) { $random = $this->get_random_bytes(16); $hash = crypt($password, $this->gensalt_blowfish($random)); if (strlen($hash) === 60) return $hash; } if (strlen($random) < 6) $random = $this->get_random_bytes(6); $hash = $this->crypt_private($password, $this->gensalt_private($random)); if (strlen($hash) === 34) return $hash; # Returning '*' on error is safe here, but would _not_ be safe # in a crypt(3)-like function used _both_ for generating new # hashes and for validating passwords against existing hashes. return '*'; }

as i wanted the best possible password encryption available. initialy i got into the password functions as someone asked about password length on oscommerce discord today and i had to look into it.

looks realy good! do you want to share what you did to make it look like that?

looks nice! but maybe the title space could line up with the other ones in a row?

since regex and stuff is a book of seven seals to me, i would need some help to bring those two lines to php7.0 it should be transformed into preg_replace_callback because of the e modifier, but i dont understand how this preg_replace_callback works. Can someone help and transform those lines for me? Thanks alot! $text = preg_replace("#\{\{((STORE_|OWNER_|EMAIL_)[A-Z0-9_]+)\}\}#e", '$1', $text); $email_subject = preg_replace("#\{\{((STORE_|OWNER_|EMAIL_)[A-Z0-9_]+)\}\}#e", '$1', $email_subject);

i just tried to make my product_info.php urls customizable, as i dont like that the url is gonna change once you change the product name just a little Modifications are made to work with the rewrite functionality (where you need to have rewrite rules in htaccess). page module index.php still needs to be modified to have the customized category urls there as well. categories.php in admin would need a modification if you want to edit the seo url database fields from there. based on v208 https://apps.oscommerce.com/Hj4y0&ultimate-seo-urls-5-for-responsive-oscom looks good so far for product_info.php, but a) i could need some help with page module index.php to show the categories with the customized urls also. b) will that break any of the usu5 modules functionality? add fields to database ======================================= in table categories_description add field categories_seo_url (varchar 255) in table products_description add field products_seo_url (varchar 255) modify page modules ======================================= in /includes/modules/ultimate_seo_urls5/page_modules/product_info.php find this: protected $dependencies = array( 'products_id' => array( 'marker' => '-p-', 'query' => "SELECT pd.products_name, m.manufacturers_name, cd.categories_name, p.products_model, p2c.categories_id FROM products_description pd INNER JOIN products_to_categories p2c ON p2c.products_id = pd.products_id INNER JOIN products p ON pd.products_id = p.products_id LEFT JOIN manufacturers m ON m.manufacturers_id = p.manufacturers_id INNER JOIN categories_description cd ON p2c.categories_id = cd.categories_id AND cd.language_id=':languages_id' WHERE pd.products_id=':pid' AND pd.language_id=':languages_id' LIMIT 1", 'to_replace' => array( ':languages_id', ':pid' ) ) ); and replace with this: protected $dependencies = array( 'products_id' => array( 'marker' => '-p-', 'query' => "SELECT pd.products_seo_url, pd.products_name, m.manufacturers_name, cd.categories_seo_url, cd.categories_name, p.products_model, p2c.categories_id FROM products_description pd INNER JOIN products_to_categories p2c ON p2c.products_id = pd.products_id INNER JOIN products p ON pd.products_id = p.products_id LEFT JOIN manufacturers m ON m.manufacturers_id = p.manufacturers_id INNER JOIN categories_description cd ON p2c.categories_id = cd.categories_id AND cd.language_id=':languages_id' WHERE pd.products_id=':pid' AND pd.language_id=':languages_id' LIMIT 1", 'to_replace' => array( ':languages_id', ':pid' ) ) ); right after: // manufacturers_name is gained through a left join and may not exist array_key_exists( 'manufacturers_name', $details ) ? $text_types['b'] = $details['manufacturers_name'] : null; add: //if we have a products_seo_url, we use that string instead of products_name if (!empty($details['products_seo_url'])) { $text_types['p'] = $details['products_seo_url']; } //if we have a categories_seo_url, we use that string instead of categories_name if (!empty($details['categories_seo_url'])) { $text_types['c'] = $details['categories_seo_url']; } Removing .html from the rewrite URLs ======================================= in /includes/modules/ultimate_seo_urls5/uri_modules/path_rewrite.php and in /includes/modules/ultimate_seo_urls5/uri_modules/rewrite.php replace: if ( false === strpos( Usu_Main::i()->getVar( 'request_uri' ), '.html' ) ) { // path_rewrite seo url must have .html return false; } with: /* if ( false === strpos( Usu_Main::i()->getVar( 'request_uri' ), '.html' ) ) { // path_rewrite seo url must have .html return false; } */ find: return usu5_multi_language( $separator = 'right' ) . $text . $seperator . $value . '.html'; and replace it with: return usu5_multi_language( $separator = 'right' ) . $text . $seperator . $value; in /.htaccess replace: RewriteRule ^([a-z0-9/-]+)-p-([0-9]+).html$ product_info.php [NC,L,QSA] RewriteRule ^([a-z0-9/-]+)-c-([0-9_]+).html$ index.php [NC,L,QSA] RewriteRule ^([a-z0-9/-]+)-m-([0-9]+).html$ index.php [NC,L,QSA] with: RewriteRule ^([a-z0-9/-]+)-p-([0-9]+)$ product_info.php [NC,L,QSA] RewriteRule ^([a-z0-9/-]+)-c-([0-9_]+)$ index.php [NC,L,QSA] RewriteRule ^([a-z0-9/-]+)-m-([0-9]+)$ index.php [NC,L,QSA]

another question. if i change the language on a page, the page reloads, the language changes but the url does not refresh to the language url but stays and the initial language url alias like, if you select german coming from english: www.domain.de/en/alias?language=de initial url is www.domain.de/en/alias then you switch language and get www.domain.de/en/alias?language=de (with language on the page already switched to german and canonical link (from canonical module) in page source changed to german already) where i would expect the resulting url after language switching to be www.domain.de/de/alias

@gadiol thanks for the modul and help on installation. i have a 2.3.4.1 CE Shop and 2 languages. german and english. The english language links seem to work as far i can see (with /en/ in front of the alias), but the standard german category links behave different. Currently i cant get the Category link in standard language to work. it just shows www.xxxxx.de/?cPath=22 instead of the alias. i also tried to define a custom alias, but still get the ?cPath=22 for that standard language link. also, do i have to clear the cache after changing SFU settings or just when changes to aliases or products are made?

@puggybelle https://apps.oscommerce.com/Rqx8A&out-of-stock-ribbon-for-osc2-3-4-bs-edge not tested, but looks like it. modules can be searched here https://apps.oscommerce.com/

the way the original preg_replace was coded was to replace {{STORE_OWNER}} etc with defined constants (its all in a payment module). so, this works now. i hope this is usefull to someone someday. and please if you are asked if you can fix a small thing on an old car, dont try to sell a new car if you can just help with the problem. maybe i already have a new car, but still want to drive around a little longer with my old car as well. yes i know, the new car is the real deal! ;) thank you @JcMagpie for your feedback/help! $text = preg_replace_callback( "#\{\{((STORE_|OWNER_|EMAIL_)[A-Z0-9_]+)\}\}#", function ($matches) { return constant($matches[1]); }, $text ); another one that i have hopefully changed the right way in a helper function of this payment module is this one //$historyComments['seller'] = preg_replace('#\{\{([a-zA-Z0-9_]+)\}\}#e', '$$1', $historyComments['seller']); $historyComments['seller'] = preg_replace_callback( '#\{\{([a-zA-Z0-9_]+)\}\}#', function ($matches) { return ('$$matches[1]'); }, $historyComments['seller'] );

it sounds like it is explained here realy nicely, but i still dont get how to transform those 2 lines. https://stackoverflow.com/questions/15454220/replace-preg-replace-e-modifier-with-preg-replace-callback#15454454

PHP Parse error: syntax error, unexpected '('

btw: What can someone do, who can not code in php but is interessted in Oscommerce moving forward? If you want to be of use from a developer stance, you would need to run a seperate webserver etc and have been able to use github to at least test new code. but i think thats quite difficult for a non coder. So most people would only be able to help by buying modules/services and maybe be helpfull in the forum if possible. I am hanging around as much as possible on Oscommerce discord btw. trying to help if i can (people ask funny questions there.. ;) ) well, Oscommerce 2.3.4.1BS will be good for some years i guess. Look how long 2.2MS2 was running :) So, it's great to have that, now. i think it is up to us to build/share some modules around it (if you can), help people in the forums, help developers to make a living by buying their modules and services, to eventually attract more new users/shopowners and keep the flame alive. :)

@Antonio Garcia Imagine there would be a official marketplace where developers could offer professional modules.. and.. they would offer updated versions of their modules for updated versions of oscommerce. would you buy the updated versions of the needed modules to move from one oscommerce version to another? i would, but my problem is, that i have created alot of code myself and did not document that very well. Ok, with Oscommerce 2.2 you had no other chance as to change core code almost everytime you would use a contribution. But even if i did document the changes that have been made, it would still and is alot of work to get all functionality back when moving to 2.3.4.1BS for example. And thats what i have seen in 2.3.4BS, that for the first time, even for hobby developers, it is possible to do quite alot with modules without changing core code. But this took and takes time. To understand how 2.3.4BS is doing things. And now that i am finally almost finished acomplishing what i could do with my rusty old 2.2MS2 (updated to UTF8 etc), i have a slightly feeling that the BS Version is going to be abandoned as soon as it is finished. To me, since the BS Version started, that was the new Oscommerce to me. I have never looked into what is going on with a 2.4 or 3.0 as this was all in development and alpha state and i had no idea if it would ever come to life. So, years after 2.3.4BS started i am still working on keeping it up2date by just following the changes that are "merged" at github. At least i am trying to, since i have no idea how it is done the right way with github. What i do, and i know this is not the way to keep updated the easy way, is looking what has been changed and using Beyong Compare if necessary. Beside that i had to learn about php composer, to make it possible to use external libraries and to make things like phonenumber validating with libphonenumber and making verification calls using twilio, using a pdf library to offer downloadable pdf invoices or integrating the new maxmind api for fraud scoring into 2.3.4BS. Still need a system that checks other fraud stuff, like total order amount over ip/account/etc etc. All that i have in my old and rusty 2.2MS2. Made it possible there over the years with much "blood, sweat and tears". So when 2.3.4BS started i decided to jump on it with my little skills and try to bring what i have had with 2.2MS2 into 2.3.4BS. still not completly finished yet. In the meantime google is almost killing my old shop that is still running due to all the changes to their index and mobile first etc. So, even if i am not yet ready to jump over to 2.3.4BS i am extremely thankful that Garry and many others took it into their hands and created Oscommerce 2.3.4BS. i am an "old dog" and it is getting harder to learn new tricks ;) but what i know a little is Oscommerce and i decided to keep it that way. I like to be able to make changes to my shop myself. At least as far as possible. And i needed to make those changes, as most shopsystems did not have what i needed for my shop back then. I am sure, i would have been lost with many other shopsystems and would have not been able to make changes there like i do with Oscommerce. Over the years i learned a little php and oscommerce. that is what i can handle. I am thankful for any developer who is giving his time and effort to offer a better Oscommerce or new modules to the community. i am thankful for Garys xxdays of code and i wish there would be a Gary store (or a marketplace in general) with all his cool stuff, so more people would buy from him. I am thankful for every developer who helped make 2.3.4.1BS a responsive reality! And i am thankful that Harald made the old 2.2 and all following versions as well as the payment modules and stuff he created. So, the Question is. Why did you choose Oscommerce? Why do you still choose Oscommerce 2.3.4BS? And is Oscommerce still a shopsystem with a bright future where developers can make a living and customers/shopowners find what they need and can run a succesful shop?

any chance that this module will get an update to be able to use minfraud score/insights/factors ?

i'd prefer a finished and polished BS Version first (whatever you call the version exactly 2.3.4/2.3.4.1/edge/gold.. i have lost track) and long time "support" with addons, templates and services. Nobody needs an always almost finished, but never realy officially released Oscommerce. Customers need stability (as said, long time support), code that is as future proof as possible and sure, free addons are nice, but i would also pay for professional addons. i dont get it for example, why there is no shop here for all the good Gary Addons Stuff and i have to wait a year for the next xxdays of code always. Why is there no marketplace for developers who want to sell their addons?

https://2016.export.gov/europeanunion/marketresearch/sellingusproductsandservicesintheeu/index.asp https://www.bizjournals.com/milwaukee/news/2018/02/02/many-u-s-businesses-will-be-surprised-to-discover.html

i just contacted maxmind with a request how they are prepared for GDPR (DSGVO in Germany). They are on it and plan to be ready in Q1 they say. And if i have any specific questions i can send my questions to their support.

sure, but no oscommerce stores ;)

maybe that is what we eu citizens should do. use the system and request data 24/7 until it becomes clear that it is stupid :)

Yes they can and they already did. Take a look at the VAT Rules if you sell digital services or digital goods into EU. You would have to register with one EU Country for VAT Moss and report for every tax rate on every eu country how much vat you added while selling to a eu customer. Sure, what the EU can do regarding non EU business not doing as regulated by EU is limited.

If you need some external services like Maxmind or Fraudlabs, what do you need to take care for external services in regards of GDPR?

https://github.com/gburton/Responsive-osCommerce/pull/237 well, at least it would explain where the code is coming from. i try to keep up with all changes of 2.3.4BS as good as possible, but i dont use github directly but insert changes manually or with "beyond compare". maybe i did not realize that "closed" means its not going into the projects code. well, at least we found this error now. anyway, thanks again for the title fix @raiwa :)