Jump to content


  • Content count

  • Joined

  • Last visited

1 Follower

Profile Information

  • Real Name
    John Wetzel

Recent Profile Visitors

2,870 profile views
  1. wetzel

    Can't retrieve live credentials to get started

    The trouble is PayPal just redesigned their interface (again) so the fine folks on Google will only tell me where I could have found the credentials last year. I'll try again when the full spectrum CBD oil gets here tomorrow.
  2. wetzel

    Can't retrieve live credentials to get started

    Using Phoenix. Thanks. Will try again, though so far I have found the interface at PayPal where I am supposed to be able to navigate their developer tools and locate the credentials, basically, inscrutable.
  3. Hello. I am having difficult getting PayPal up and going. When I choose 'Retrieve Live Credentials' in Admin it logs me in just fine at PayPal. However, instead of returning to Admin with updated credentials, I am landing on a blank page at https://www.oscommerce.com/index.php simply displaying : {"rpcStatus":-110} There is a long query string on this oscommerce.com URL with merchantId, merchantIdInPayPal, secret etc. and a few other variables. A query string seems like an insecure way to pass these variables! What do I know? I would just like to get PayPal up and going and I can't seem to figure out how to get the live credentials.
  4. Thanks Jack! That's a nifty addon!
  5. Thank you, ecartz and burt. That's very helpful.
  6. I understand. That's fine to alter the topic title. I see now that the current title implies a vulnerability in the standard installation. Maybe 'Protecting custom coded query strings from SQL injection within the Phoenix framework'. Someone may be inspired to add a few paragraphs of 'best practices' which would be helpful for pluggers like me. An aside, maybe not so important, maybe a little defensive, but my understanding is that Security Pro arose to address vulnerabilities in the base 2.2 installation. Additionally, if you did have Security Pro present, then an addon wouldn't necessarily be terrible programming that were to rely on it. It was useful in that it allowed simple handling of get variables and they could be passed to SQL queries without the need to sanitize them at the script level. It's not properly consistent with other security measures in the old installation, a bit ad hoc, but it worked. It doesn't any more. That's okay! So I guess the better question would be: Is there an addon for protecting simply passed and simply called get variables in a global manner within Phoenix. If not, I guess I can just use mysqli_real_escape_string script by script. It's no big deal. If there is a better way, it is very much appreciated. It might be valuable for me or for another in a similar predicament in the future. Cheers.
  7. Thank you for your reply, but I'm not sure if you understand the question, which is more general. Basically I am hoping to find out if there a general script method for Phoenix that functions such as Security Pro functioned in the old framework to sanitize get variables as a general, sitewide protocol. Here is Security Pro. https://apps.oscommerce.com/zNblL . Is there something like this for Phoenix? It looks like I can do this at the script level with this statement. $my_get_variable=mysqli_real_escape_string($db_link,$_GET['my_get_variable']); I am hoping to avoid doing this script by script. It's no big deal if I need to. Thanks.
  8. For the past couple of months I've been rebuilding heavily modded 2.2 site (10000s of lines of custom code) within Phoenix. It's going alright. Things are working okay. Today I noticed we're being attacked by SQL injection methods, ie. get variables concatenated with stuff like 51111111111111'%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45),CHAR(45,120,49,55,45,81,45),CHAR(45,120,49,56,45,81,45),CHAR(45,120,49,57,45,81,45),CHAR(45,120,50,48,45,81,45),CHAR(45,120,50,49,45,81,45),CHAR(45,120,50,50,45,81,45),CHAR(45,120,50,51,45,81,45),CHAR(45,120,50,52,45,81,45),CHAR(45,120,50,53,45,81,45),CHAR(45,120,50,54,45,81,45)--%20%20 This does generate an SQL error visible to the user, which is often the point of these things, I understand, at the start of the attack. In the old 2.2 framework, we sanitized get variables within application_top using an addon 'Security Pro', which seemed to work pretty well. I'm pretty sure this relied on global variables in a way the new framework doesn't permit, though I'm not sure. At any rate, Phoenix doesn't seem to have a method of sanitizing get variables pre-installed in a global way. Nobody's fault but our own, but this is leaving us vulnerable in many of our custom scripts in that these injections are actually being evaluated as SQL. Is there a general protocol in Phoenix, an addon or accepted method, for protection against SQL injection that does not involve individually cleansing get variables at the script level? This would be a lot of work and we might miss something. If there is not and we need to go script by script, is there a good practice PHP implementation at the script level that can be recommended? Thanks!
  9. Hi there. I am wondering if there is a module for recurring payments for subscriptions, restricted areas etc. There looks like there is a module from 2008 for PayPal recurring payments, but I definitely don't want to go that far back because of the debugging challenge and because I am concerned it will be obsolete from the PayPal standpoint. Outside of the world of completed contributions, I am wondering if any others have implemented a system for monthly subscriptions controlling access to certain content pages within the oscommerce framework and how it was accomplished. Thanks!
  10. wetzel

    very strange session variable behavior

    Thank you Matt! I had tried most everything you mention, but I had not actually experimented with a different browser! Seriously. So it seemed to work fine in Safari with the problem occurring in Chrome. I reset to default settings under security in Chrome and now it appears to work. If anyone has an idea as to why this was happening, it might be helpful someday for a customer. Otherwise, that's that. Thank you!
  11. So we are in the midst of adjusting to Phoenix, building out my site onto the engine. It's a very big educational site that began a long development process years ago with an oscommerce 2.2 core. A few years ago we built out a Bootstrap 3 presentation layer. Now we are putting in the new engine and and adjusting to Bootstrap 4. It's fun! We have run into an issue that has us confused, though. It doesn't make any sense at all. We log in at index.php and when we return to home the navbar tells us we still need to 'login'. It doesn't look like login was successful. $_session['customer_id'] is not available to the page. However, if we travel to products_info.php, navbar tells us we are actually logged in and $_session['customer_id'] is now available. Then if we go to account.php it redirects us to 'login.php' but when we get there $_session['customer_id'] is now available again! If you can figure this out you will have my eternal gratitude. Best.
  12. Nothing is working. The problem derives, I believe, from the mixture of bootstrap components. I think it is going to be more time efficient and ultimately more reliable to join you all in Bootstrap 4. Yuck. Thanks for your help.
  13. Thanks. With href="javascript:void(0)" the pulldown doesn't function. Neither with it removed.
  14. Thank you. Raiwa posted the code reference, which shows how to properly construct these elements. I appreciate that. However, I believe the dropdowns are properly constructed. They have been working properly for years within the presentation layer that we have had running on top of osCommerce 2.2. The basic usage of 'href="#"' within anchor tags is being prevented. It happens if I use it in a simple anchor in plain HTML text. The problem is not at the level of the bootstrap, but how the null hashtag destination is interpreted. It is supposed to be interpreted as nothing, yet serve as a clickable element which can be styled as a dropdown or for other purposes. It's essential within bootstrap to be able to do this. Somehow the hashtag is being appended as a relative link, appended to the parent URL of the page it is within. I have never been this stuck on a bug honestly. Any suggestions would be greatly appreciated.
  15. Alright. I have Phoenix running. I have a lot of work ahead of me, but for now I've installed my presentation layer onto the home page. The problem continues. For a typical dropdown such as this, instead of behaving properly, clicking sends me to 'mydomain.com#' <li class="dropdown"> <a href="#" class="dropdown-toggle btn btn-danger" data-toggle="dropdown" style="color:#fff;">Syllabus<strong class="caret"></strong></a> Any suggestions would be most helpful.