Everything posted by wetzel

  1. Hello. I am having difficulty getting PayPal up and going. When I choose 'Retrieve Live Credentials' in Admin it logs me in just fine at PayPal. However, instead of returning to Admin with updated credentials, I am landing on a blank page at https://www.oscommerce.com/index.php simply displaying: {"rpcStatus":-110} There is a long query string on this oscommerce.com URL with merchantId, merchantIdInPayPal, secret etc. and a few other variables. A query string seems like an insecure way to pass these variables! What do I know? I would just like to get PayPal up and going and I can't seem to figure out how to get the live credentials.
  2. wetzel

    Can't retrieve live credentials to get started

    The trouble is PayPal just redesigned their interface (again) so the fine folks on Google will only tell me where I could have found the credentials last year. I'll try again when the full spectrum CBD oil gets here tomorrow.
  3. wetzel

    Can't retrieve live credentials to get started

    Using Phoenix. Thanks. Will try again, though so far I have found the interface at PayPal where I am supposed to be able to navigate their developer tools and locate the credentials, basically, inscrutable.
  4. For the past couple of months I've been rebuilding a heavily modded 2.2 site (10000s of lines of custom code) within Phoenix. It's going alright. Things are working okay. Today I noticed we're being attacked by SQL injection methods, i.e. get variables concatenated with stuff like 51111111111111'%20UNION%20SELECT%20CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45),CHAR(45,120,49,55,45,81,45),CHAR(45,120,49,56,45,81,45),CHAR(45,120,49,57,45,81,45),CHAR(45,120,50,48,45,81,45),CHAR(45,120,50,49,45,81,45),CHAR(45,120,50,50,45,81,45),CHAR(45,120,50,51,45,81,45),CHAR(45,120,50,52,45,81,45),CHAR(45,120,50,53,45,81,45),CHAR(45,120,50,54,45,81,45)--%20%20 This does generate an SQL error visible to the user, which is often the point of these things, I understand, at the start of the attack. In the old 2.2 framework, we sanitized get variables within application_top using an addon 'Security Pro', which seemed to work pretty well. I'm pretty sure this relied on global variables in a way the new framework doesn't permit, though I'm not sure. At any rate, Phoenix doesn't seem to have a method of sanitizing get variables pre-installed in a global way. Nobody's fault but our own, but this is leaving us vulnerable in many of our custom scripts in that these injections are actually being evaluated as SQL. Is there a general protocol in Phoenix, an addon or accepted method, for protection against SQL injection that does not involve individually cleansing get variables at the script level? This would be a lot of work and we might miss something.
     If there is not and we need to go script by script, is there a good practice PHP implementation at the script level that can be recommended? Thanks!
  5. Thanks Jack! That's a nifty addon!
  6. Thank you, ecartz and burt. That's very helpful.
  7. I understand. That's fine to alter the topic title. I see now that the current title implies a vulnerability in the standard installation. Maybe 'Protecting custom coded query strings from SQL injection within the Phoenix framework'. Someone may be inspired to add a few paragraphs of 'best practices' which would be helpful for pluggers like me. An aside, maybe not so important, maybe a little defensive, but my understanding is that Security Pro arose to address vulnerabilities in the base 2.2 installation. Additionally, if you did have Security Pro present, then an addon that relied on it wouldn't necessarily be terrible programming. It was useful in that it allowed simple handling of get variables and they could be passed to SQL queries without the need to sanitize them at the script level. It's not properly consistent with other security measures in the old installation, a bit ad hoc, but it worked. It doesn't any more. That's okay! So I guess the better question would be: Is there an addon for protecting simply passed and simply called get variables in a global manner within Phoenix? If not, I guess I can just use mysqli_real_escape_string script by script. It's no big deal. If there is a better way, it is very much appreciated. It might be valuable for me or for another in a similar predicament in the future. Cheers.
  8. Thank you for your reply, but I'm not sure if you understand the question, which is more general. Basically I am hoping to find out if there is a general script method for Phoenix that functions as Security Pro functioned in the old framework to sanitize get variables as a general, sitewide protocol. Here is Security Pro. https://apps.oscommerce.com/zNblL. Is there something like this for Phoenix? It looks like I can do this at the script level with this statement. $my_get_variable=mysqli_real_escape_string($db_link,$_GET['my_get_variable']); I am hoping to avoid doing this script by script. It's no big deal if I need to. Thanks.
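A script-level pattern for the situation described in posts 4, 7 and 8, as an added example that is neither the poster's code nor osCommerce/Phoenix's own API: it assumes a plain mysqli connection in $db_link and the standard products table, shows the concatenation the quoted UNION SELECT payload exploits beside a version that validates the id and binds it as a parameter instead of escaping it, and keeps SQL errors off the page.

```php
<?php
// Added example, not osCommerce/Phoenix code. Assumes $db_link is a mysqli
// connection and that a `products` table with products_id/products_model exists.

// Keep database errors out of the HTML response: the post notes the injected
// query produced an SQL error visible to the user, which is what attackers
// probe for. Throw exceptions and log them instead of printing them.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// VULNERABLE: the raw query-string value is concatenated into the SQL text,
// so a single quote followed by UNION SELECT ... becomes part of the statement.
function lookup_product_vulnerable(mysqli $db_link, array $get): ?array
{
    $sql = "SELECT products_id, products_model FROM products"
         . " WHERE products_id = '" . $get['products_id'] . "'";
    $res = $db_link->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// HARDENED: validate the shape first (a product id is a positive integer) and
// reject anything else, then bind the value so it can never be parsed as SQL.
function lookup_product(mysqli $db_link, array $get): ?array
{
    $id = filter_var($get['products_id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;            // do not try to "clean" it; refuse it
    }
    $stmt = $db_link->prepare(
        'SELECT products_id, products_model FROM products WHERE products_id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    // get_result() needs the mysqlnd driver (default in PHP 7+)
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Free-text parameters (search terms) cannot be validated to a shape, but they
// can still be bound. LIKE wildcards are added in PHP, not in the SQL string.
function search_products(mysqli $db_link, string $keyword): array
{
    $stmt = $db_link->prepare(
        'SELECT products_id, products_model FROM products WHERE products_model LIKE ?');
    $pattern = '%' . $keyword . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

With parameters bound this way there is nothing left for mysqli_real_escape_string to do, so the per-script work becomes "validate, then bind" rather than "escape and hope".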
  9. Hi there. I am wondering if there is a module for recurring payments for subscriptions, restricted areas etc. It looks like there is a module from 2008 for PayPal recurring payments, but I definitely don't want to go that far back because of the debugging challenge and because I am concerned it will be obsolete from the PayPal standpoint. Outside of the world of completed contributions, I am wondering if any others have implemented a system for monthly subscriptions controlling access to certain content pages within the oscommerce framework and how it was accomplished. Thanks!
  10. So we are in the midst of adjusting to Phoenix, building out my site onto the engine. It's a very big educational site that began a long development process years ago with an oscommerce 2.2 core. A few years ago we built out a Bootstrap 3 presentation layer. Now we are putting in the new engine and adjusting to Bootstrap 4. It's fun! We have run into an issue that has us confused, though. It doesn't make any sense at all. We log in at index.php and when we return to home the navbar tells us we still need to 'login'. It doesn't look like login was successful. $_session['customer_id'] is not available to the page. However, if we travel to products_info.php, navbar tells us we are actually logged in and $_session['customer_id'] is now available. Then if we go to account.php it redirects us to 'login.php' but when we get there $_session['customer_id'] is now available again! If you can figure this out you will have my eternal gratitude. Best.
  11. wetzel

    very strange session variable behavior

    Thank you Matt! I had tried most everything you mention, but I had not actually experimented with a different browser! Seriously. So it seemed to work fine in Safari with the problem occurring in Chrome. I reset to default settings under security in Chrome and now it appears to work. If anyone has an idea as to why this was happening, it might be helpful someday for a customer. Otherwise, that's that. Thank you!
  12. Hello. I have a heavily modified old 2.2 engine I'm moving into A few years ago I rebuilt the 2.2 site into a bootstrap framework. Things are going okay building it out into, except . . . I am stuck on trying to get statements like the following to behave properly. <li class="dropdown"> <a href="#" class="dropdown-toggle btn btn-danger" data-toggle="dropdown" style="color:#fff;">Syllabus<strong class="caret"></strong></a> Instead of functioning as a null anchor tag for the design element, it is adding the root URL in the rollover and onclick, so that instead of functioning as a dropdown it just redirects to www.domain.com/#. This does not seem to have anything to do with relative URLs, base URL, or anything like that. I am convinced there is a javascript event handler set up somewhere that is doing this, but I cannot find it, how essential it is, or how to fix it. Any ideas would be most helpful.
  13. Nothing is working. The problem derives, I believe, from the mixture of bootstrap components. I think it is going to be more time efficient and ultimately more reliable to join you all in Bootstrap 4. Yuck. Thanks for your help.
  14. Thanks. With href="javascript:void(0)" the pulldown doesn't function. Neither with it removed.
  15. Thank you. Raiwa posted the code reference, which shows how to properly construct these elements. I appreciate that. However, I believe the dropdowns are properly constructed. They have been working properly for years within the presentation layer that we have had running on top of osCommerce 2.2. The basic usage of 'href="#"' within anchor tags is being prevented. It happens if I use it in a simple anchor in plain HTML text. The problem is not at the level of the bootstrap, but how the null hashtag destination is interpreted. It is supposed to be interpreted as nothing, yet serve as a clickable element which can be styled as a dropdown or for other purposes. It's essential within bootstrap to be able to do this. Somehow the hashtag is being appended as a relative link, appended to the parent URL of the page it is within. I have never been this stuck on a bug honestly. Any suggestions would be greatly appreciated.
  16. Alright. I have Phoenix running. I have a lot of work ahead of me, but for now I've installed my presentation layer onto the home page. The problem continues. For a typical dropdown such as this, instead of behaving properly, clicking sends me to 'mydomain.com#' <li class="dropdown"> <a href="#" class="dropdown-toggle btn btn-danger" data-toggle="dropdown" style="color:#fff;">Syllabus<strong class="caret"></strong></a> Any suggestions would be most helpful.
  17. Thank you for your reply, and I don't mean to be critical in any way, but in visiting oscommerce.com, it does say "Download the latest version to install on your own web server." where download is located. I assumed, apparently wrongly, that this meant is actually the latest version! Before I back out of and redo the last week's work, please let me know what has happened here? If I stay with does that mean that the community will not provide advice? It might be best for me to solve this problem and keep moving forward because I see a path to the end of this job.
  18. Great contribution! I have gotten it working well on my site. I am going to take it live soon for selling access codes for some premium content. It's not high stakes, so I feel pretty comfortable with the contribution. (It is academic content, so it won't be like criminals will be breaking down the door!) One thing I noticed. When I went through with some test customers, it seems that I am receiving two identical emails to the store as part of checkout process now, where before I was receiving one. I've combed through checkout_process.php and can't seem to locate where this might be coming from. Any ideas? (My site is pretty heavily modded) Thanks again for a great contribution. It is exactly what I need! Cheers!
  19. wetzel

    [Contribution]Paypal IPN - Devosc

    Hi, Thank you for a great contribution. I spent about a week trying unsuccessfully to get either of the Paypal Payments Pro contributions going on my heavily modded site. I gave up and have been successful with Paypal IPN. I have gone live and have successfully put through two small transactions using my private Paypal account. Everything looks like it's working. Except that every day, I get this email. As far as I know, it doesn't correspond to an order, because I haven't begun promoting the site at all and don't have any record of orders or customer contacts. (I haven't started promoting the site at all and only recently removed my password protection, so I'm pretty positive no real order is associated). When I do my test orders, a similar email arrives full of proper information. I have searched and found others who have gotten this message, but not, apparently, auto-generated. I think the module is working, so if anyone knows, please let me know what's going on and if this is a problem: ------------------------------------------------------ Unknown Post ------------------------------------------------------ An unknown POST from was received. Are you running any tests? ------------------------------------------------------ PayPal Response ------------------------------------------------------ ------------------------------------------------------ Connection Type ------------------------------------------------------ curl: 1 transport: domain: www.paypal.com port: ------------------------------------------------------ Attention! ------------------------------------------------------ This is email has NOT been sent by PayPal. You have received this email via the osCommerce PayPal_Shopping_Cart_IPN Contribution To discontinue receiving this notice disable 'Debug Email Notifications' in your osCommerce PayPal configuration panel.
  20. Although I have only been working with OS Commerce a few months, I think that Article Manager is one of the best contributions. Really excellent. I am going to be trying to stretch its capabilities over the next few weeks to serve some individual needs, and I want to do it in a way that adheres to OS Commerce principles so that others may benefit. I am going to aim to allow different sets of articles to appear in different boxes in the left or right column. Object oriented programming wouldn't be necessary. Using a function based approach initiated by the scripts from either the left or right columns, a query of a new 'article_group' table in the database etc. could gather the particular 'info_box_contents' for the particular set of articles. In that case, each set wouldn't be separately 'configured'. It would just be a more flexible presentation layer. To make such a system run completely from Admin would require placing a half-dozen or so dormant articles boxes in left_column.php and right_column.php which would be activated by the configuration of a new article group. Ultimately, I think it would be a great thing to rebuild Article Manager from the ground up using object oriented techniques, so that Admin could be used to instantiate separate Article Manager objects. That would be a heck of an application. My brain hurts thinking about it. I know I can bulldoze through over the next week to get this to work for me in a patchwork way, but I would like to create something useful to this group, which has saved me enormous time and effort already. Judging from some of the latest messages, though, Article Manager is on the edge of being hard to troubleshoot already. It looks like some of the veterans of the thread have decided not to support the newcomers because of how hard it is to problem solve. What I don't want to do is overcomplicate it. Please let me know what you guys think.
  21. wetzel

    Article Manager v1.0

    Here's the fix to do that.
  22. Thanks! Being able to search only in titles really helped weed out extraneous results. (For those interested in my question: although there isn't a direct way to sort articles by other fields, RobAnderson, the originator of Article Manager, answered a similar question in the main Article Manager thread by proposing a few easy adjustments to the query sort orders in a few files. Here's the link
  23. I am trying to find the main support thread for Article Manager. (I want to see if someone has already created a way to order the articles within a topic, other than by date submitted). I am new to the OS Commerce forums, and I am not having a very easy time learning how to optimize my searches. :( Thanks
  24. First post! Over the last few months I've given myself a good orientation with OS Commerce and I've successfully re-routed a basic store through my own presentation layer. (after I've made my drop-shadowed, rounded corner boxes more OSC compliant, I'll share them with everybody). Let me say that this is one of the greatest open source communities I've ever seen :D The site I'm building is pretty ambitious as far as product relationships go, and the on-line documentation and downloads it needs to provide, and I've compiled a series of approximately thirty contributions to install over the next month. The first big hurdle is adjusting the site to accommodate the complexity of my company's products and their relationships. I need to do things like expanding the product records with more fields, enabling multiple products in the same category, setting up bundles, product families, etc. I have noticed many contributions for these purposes, and there is a lot of function overlap, and I don't have enough perspective yet on which are accepted standards and which contributions work well together. Contributions I am looking at include: 'Add_ISBN_SKU_UPC', 'Products Extra Fields', 'Products Short Description', 'Related Products', 'Bundled Products', 'Family Products', 'Multiple Categories', 'Products Multi Checkboxes'. There is also a contribution that I have seen mentioned 'Advanced Categories Admin' that I can't seem to find. (There seems to be a numerical index system for Contributions that gets referred to, but I can't seem to find the handle for this in 'Contributions'.) I would be most grateful for any advice as to which mods are the classic 'essentials' for this stage of my project. Thanks!