
1 Follower

Profile Information

  • Real Name
    John Wetzel

  1. Thanks Jack! That's a nifty addon!
  2. Thank you, ecartz and burt. That's very helpful.
  3. I understand. That's fine to alter the topic title. I see now that the current title implies a vulnerability in the standard installation. Maybe 'Protecting custom coded query strings from SQL injection within the Phoenix framework'. Someone may be inspired to add a few paragraphs of 'best practices', which would be helpful for pluggers like me. An aside, maybe not so important, maybe a little defensive, but my understanding is that Security Pro arose to address vulnerabilities in the base 2.2 installation. Additionally, if you did have Security Pro present, then an addon that relied on it wouldn't necessarily be terrible programming. It was useful in that it allowed simple handling of get variables, and they could be passed to SQL queries without the need to sanitize them at the script level. It's not properly consistent with other security measures in the old installation, a bit ad hoc, but it worked. It doesn't any more. That's okay! So I guess the better question would be: Is there an addon for protecting simply passed and simply called get variables in a global manner within Phoenix? If not, I guess I can just use mysqli_real_escape_string script by script. It's no big deal. If there is a better way, it is very much appreciated. It might be valuable for me or for another in a similar predicament in the future. Cheers.
  4. Thank you for your reply, but I'm not sure if you understand the question, which is more general. Basically I am hoping to find out if there is a general script method for Phoenix that functions as Security Pro functioned in the old framework, to sanitize get variables as a general, sitewide protocol. Here is Security Pro: https://apps.oscommerce.com/zNblL . Is there something like this for Phoenix? It looks like I can do this at the script level with this statement: $my_get_variable=mysqli_real_escape_string($db_link,$_GET['my_get_variable']); I am hoping to avoid doing this script by script. It's no big deal if I need to. Thanks.
  5. For the past couple of months I've been rebuilding a heavily modded 2.2 site (10000s of lines of custom code) within Phoenix. It's going alright. Things are working okay. Today I noticed we're being attacked by SQL injection methods, i.e. get variables concatenated with stuff like 51111111111111'%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45),CHAR(45,120,49,55,45,81,45),CHAR(45,120,49,56,45,81,45),CHAR(45,120,49,57,45,81,45),CHAR(45,120,50,48,45,81,45),CHAR(45,120,50,49,45,81,45),CHAR(45,120,50,50,45,81,45),CHAR(45,120,50,51,45,81,45),CHAR(45,120,50,52,45,81,45),CHAR(45,120,50,53,45,81,45),CHAR(45,120,50,54,45,81,45)--%20%20 This does generate an SQL error visible to the user, which is often the point of these things, I understand, at the start of the attack. In the old 2.2 framework, we sanitized get variables within application_top using an addon, 'Security Pro', which seemed to work pretty well. I'm pretty sure this relied on global variables in a way the new framework doesn't permit, though I'm not sure. At any rate, Phoenix doesn't seem to have a method of sanitizing get variables pre-installed in a global way. Nobody's fault but our own, but this is leaving us vulnerable in many of our custom scripts, in that these injections are actually being evaluated as SQL. Is there a general protocol in Phoenix, an addon or accepted method, for protection against SQL injection that does not involve individually cleansing get variables at the script level? This would be a lot of work and we might miss something.
     If there is not and we need to go script by script, is there a good practice PHP implementation at the script level that can be recommended? Thanks!
  6. Hi there. I am wondering if there is a module for recurring payments for subscriptions, restricted areas etc. It looks like there is a module from 2008 for PayPal recurring payments, but I definitely don't want to go that far back because of the debugging challenge and because I am concerned it will be obsolete from the PayPal standpoint. Outside of the world of completed contributions, I am wondering if any others have implemented a system for monthly subscriptions controlling access to certain content pages within the oscommerce framework and how it was accomplished. Thanks!
  7. wetzel, in 'very strange session variable behavior': Thank you Matt! I had tried most everything you mention, but I had not actually experimented with a different browser! Seriously. So it seemed to work fine in Safari with the problem occurring in Chrome. I reset to default settings under security in Chrome and now it appears to work. If anyone has an idea as to why this was happening, it might be helpful someday for a customer. Otherwise, that's that. Thank you!
  8. So we are in the midst of adjusting to Phoenix, building out my site onto the engine. It's a very big educational site that began a long development process years ago with an oscommerce 2.2 core. A few years ago we built out a Bootstrap 3 presentation layer. Now we are putting in the new engine and adjusting to Bootstrap 4. It's fun! We have run into an issue that has us confused, though. It doesn't make any sense at all. We log in at index.php and when we return to home the navbar tells us we still need to 'login'. It doesn't look like login was successful. $_SESSION['customer_id'] is not available to the page. However, if we travel to products_info.php, navbar tells us we are actually logged in and $_SESSION['customer_id'] is now available. Then if we go to account.php it redirects us to 'login.php', but when we get there $_SESSION['customer_id'] is now available again! If you can figure this out you will have my eternal gratitude. Best.
  9. Nothing is working. The problem derives, I believe, from the mixture of bootstrap components. I think it is going to be more time efficient and ultimately more reliable to join you all in Bootstrap 4. Yuck. Thanks for your help.
  10. Thanks. With href="javascript:void(0)" the pulldown doesn't function. Nor with it removed.
  11. Thank you. Raiwa posted the code reference, which shows how to properly construct these elements. I appreciate that. However, I believe the dropdowns are properly constructed. They have been working properly for years within the presentation layer that we have had running on top of osCommerce 2.2. The basic usage of 'href="#"' within anchor tags is being prevented. It happens if I use it in a simple anchor in plain HTML text. The problem is not at the level of the bootstrap, but how the null hashtag destination is interpreted. It is supposed to be interpreted as nothing, yet serve as a clickable element which can be styled as a dropdown or for other purposes. It's essential within bootstrap to be able to do this. Somehow the hashtag is being appended as a relative link, appended to the parent URL of the page it is within. I have never been this stuck on a bug honestly. Any suggestions would be greatly appreciated.
  12. Alright. I have Phoenix running. I have a lot of work ahead of me, but for now I've installed my presentation layer onto the home page. The problem continues. For a typical dropdown such as this, instead of behaving properly, clicking sends me to 'mydomain.com#' <li class="dropdown"> <a href="#" class="dropdown-toggle btn btn-danger" data-toggle="dropdown" style="color:#fff;">Syllabus<strong class="caret"></strong></a> Any suggestions would be most helpful.
  13. Thank you for your reply, and I don't mean to be critical in any way, but in visiting oscommerce.com, it does say "Download the latest version to install on your own web server." where download is located. I assumed, apparently wrongly, that this meant is actually the latest version! Before I back out of and redo the last week's work, please let me know what has happened here? If I stay with does that mean that the community will not provide advice? It might be best for me to solve this problem and keep moving forward because I see a path to the end of this job.
  14. Hello. I have a heavily modified old 2.2 engine I'm moving into A few years ago I rebuilt the 2.2 site into a bootstrap framework. Things are going okay building it out into, except . . . I am stuck on trying to get statements like the following to behave properly. <li class="dropdown"> <a href="#" class="dropdown-toggle btn btn-danger" data-toggle="dropdown" style="color:#fff;">Syllabus<strong class="caret"></strong></a> Instead of functioning as a null anchor tag for the design element, it is adding the root URL in the rollover and onclick, so that instead of functioning as a dropdown it just redirects to www.domain.com/#. This does not seem to have anything to do with relative URLs, base URL, or anything like that. I am convinced there is a javascript event handler set up somewhere that is doing this, but I cannot find it, how essential it is, or how to fix it. Any ideas would be most helpful.
  15. Great contribution! I have gotten it working well on my site. I am going to take it live soon for selling access codes for some premium content. It's not high stakes, so I feel pretty comfortable with the contribution. (It is academic content, so it won't be like criminals will be breaking down the door!) One thing I noticed. When I went through with some test customers, it seems that I am receiving two identical emails to the store as part of checkout process now, where before I was receiving one. I've combed through checkout_process.php and can't seem to locate where this might be coming from. Any ideas? (My site is pretty heavily modded) Thanks again for a great contribution. It is exactly what I need! Cheers!
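Posts 3 to 5 above ask for a script-level PHP pattern that protects a custom query from the kind of UNION SELECT probe shown in post 5, without relying on a sitewide get-variable sanitizer. The following is an added example, not code from these posts, from osCommerce/Phoenix, or from the Security Pro addon. It shows the approach a defender would reach for: validate the value's type first, then bind it as a parameter of a mysqli prepared statement so it never becomes part of the SQL text. The table name products, its columns, and the $db_link connection variable are assumptions chosen for illustration.

```php
<?php
// Added example (not from the posts or from osCommerce/Phoenix).
// Assumes an open mysqli connection in $db_link and a hypothetical table
// products(products_id INT, products_name VARCHAR).

/**
 * Look up one product by numeric id.
 *
 * The id reaches MySQL as a bound integer parameter, never as SQL text, so a
 * value such as "51111' UNION SELECT CHAR(...)--" cannot alter the query.
 * Returns the row, or null when the input is invalid or nothing matches.
 */
function find_product(mysqli $db_link, $raw_id): ?array
{
    // $_GET values may be arrays (?products_id[]=1); reject anything that
    // is not a plain scalar before validating it.
    if (!is_string($raw_id) && !is_int($raw_id)) {
        return null;
    }

    // Validate the type: a products_id must be a positive integer.
    // FILTER_VALIDATE_INT rejects the injection payload outright, so the
    // query is never even attempted and no SQL error is shown to the user.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    $stmt = $db_link->prepare(
        'SELECT products_id, products_name FROM products WHERE products_id = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db_link->error);
    }
    $stmt->bind_param('i', $id);      // 'i' binds an integer parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

/**
 * The same pattern for a free-text value (a search term). Binding works in
 * any quoting context, which is why it is preferred over per-script
 * mysqli_real_escape_string() calls; LIKE wildcards are escaped separately
 * so the user cannot widen the match with % or _.
 */
function search_products(mysqli $db_link, string $term): array
{
    $stmt = $db_link->prepare(
        'SELECT products_id, products_name FROM products WHERE products_name LIKE ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db_link->error);
    }
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt->bind_param('s', $pattern);  // 's' binds a string parameter
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();

    return $rows;
}

// Usage from a page script (connection details are constructed placeholders):
// $db_link = new mysqli('localhost', 'db_user', 'db_password', 'store');
// $product = find_product($db_link, $_GET['products_id'] ?? '');
// if ($product === null) {
//     http_response_code(404);
//     exit;
// }
```

Two points follow from the posts. First, a global sanitizer of the Security Pro kind cannot know whether a given value will land in a numeric comparison, a quoted string, or a LIKE pattern, so it has to guess; binding each parameter at the query removes the guess, and the validation step above is what turns the probe in post 5 into a quiet 404 instead of an evaluated query. Second, post 5 notes that the injection produces an SQL error visible to the user; that visible error is the signal such probes look for, so production pages should log database errors rather than display them.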