Jump to content
Latest News: (loading..)


  • Content count

  • Joined

  • Last visited

  • Days Won


Everything posted by MrPhil

  1. MrPhil

    PCI Report Shows Issues

    I don't know if nginx uses .htaccess. It's yet another server (technically, Apache is your server, not Linux, which is the operating system of the server machine -- yes, "server" is ambiguous). Apache runs on a variety of operating systems, including Windows, Mac, and Linux, and maybe others.
  2. MrPhil

    PCI Report Shows Issues

    Apparently the security scan thinks that there's a chance that 1.0 or 1.1 might end up being used as fallbacks by back-level browsers that don't support 1.2. That's my guess as to why they would flag it. Anyway, you might bring this to the attention of your host and discuss whether it's worth suppressing fallback to 1.0 or 1.1 (I think it can be done, but what's involved, I don't know). Any customer with an old browser that doesn't support TLS 1.2 would be out of luck. You might want to check browser histories and usage statistics, to see how many customers might potentially be affected.
  3. MrPhil

    Product listing strip_tag

    The code in question is intended to offer a short "teaser" from the full product description. This involves taking only a few (20) words and stripping out all HTML tags. If you don't want to lose the audio player, but want to keep the "teaser" functionality for other products, you might be able to add code to check if the audio player is being requested (preg_match call looking for the audio tag), and if it is, don't strip tags. You might have to get the full product description for all products, and only for non-audio player do you trim it down after stripping tags. strip_tags() has a list of tags to exclude, so you might be able to use that (but without other changes, it might have already been cut down too much). For any product, you might want to keep simple in-line tags like <i> and <b> (as well as the audio player tags)... it's really the major block stuff you want to kill. Anyway, there are a bunch of issues to be aware of, and a number of approaches you could take.
  4. MrPhil

    PCI Report Shows Issues

    Are you sure that's not intended to go in the .htaccess file? You might want to check that first. I've never heard of it referred to as "Web.config". Maybe it's a configuration file unique to IIS? If you're using IIS, it should be easy enough to check. Otherwise, ignore it. Regarding your TLS 1.0, you should remind your host that 1.0 and 1.1 are quite insecure, and they should be at 1.2 soon. Also, the major browser makers (Mozilla, Microsoft, Google) have announced that they will drop browser support in the spring of 2020 for TLS 1.0 and 1.1, so hosts should be planning to upgrade before long.
  5. MrPhil

    Pet Supplies E-commerce

    What answer do you think you'll get on the osCommerce discussion forum?
  6. I watched it online after you mentioned it. Nothing really new to us, but a look at the young lawyer who drove this thing through, with a discussion of "whose data is it?". Not GDPR-related, but covering a lot of issues in ecommerce, was a segment yesterday on "Marketplace" (marketplace.org for 2018-11-12) starting at 08:36 and running 4 minutes. 70% of shopping carts are abandoned being hit with unexpected fees late in the process is a big killer need to create an account turns off many shoppers (want guest checkout) many shoppers are so lazy that they can't be bothered to fish out a credit card, and would like to use something like ApplePay, available with one click shoppers want simplified information gathering -- three fields for the phone number is so much work, compared to a single phone field stores need to encourage impulse buying, or most shoppers won't be excited enough to complete the purchase if anticipated delivery time exceeds 48 hours, many shoppers will say "forget it" many online shoppers are not serious about making a purchase, but are in it for the experience suggests a need to discourage coupon use (?? that would seem to discourage buying even further) Amazon Prime effect: need to divert marketing budget from coupons to lower cost/free shipping to attract customers End Times, anyone?
  7. I see now that you're using 2.4. Are you aware of the PHP levels it requires? I suspect your live server may be a bit back-level. Also keep in mind that 2.4 is a developmental version not completely ready for production -- you should be using Frozen or Edge if you want a production shop and not another hobby.
  8. You want to remove it from links being produced by your store, or from incoming URLs? I think that it comes from someone using the "select language" feature in osC. Is some search engine indexing this Query String, and it's overriding your (non-English) users' choice? Removing language= on incoming URLs could result in disabling the ability to choose a language (if you have multiple languages enabled), so be careful about doing that. Perhaps there is a way to persuade search engines not to index with that language= Query String? I'm not sure how to do that on the osC side of things. Maybe language selection could be disabled for certain User Agents?
  9. If you have no control over the prices you can charge, and can't get your costs down enough to earn a living from it, then it sounds like your business model is not viable. That's the unfortunate truth today. When the only retailers left in the world are Amazon and Walmart, perhaps people will have learned that low prices aren't everything. Your only choice is to not accept payment systems that charge excessive fees. And legally, you can't tack on a new fee at the end of the process, without having adequately warned the customer that you would be doing that, and giving them a chance to change their mind about the payment method (or the entire purchase). It's fraud on your part.
  10. Seen on the 'net. Sing along! He's making a list, He's checking it twice, He's gonna find out who's naughty or nice, Santa Claus is -- in contravention of article 4 of the General Data Protection Regulation (EU) 2016/679.
  11. If this message is indeed coming from the browser itself, it will depend on the language that the browser is configured for. For most people, it will still be English, and messages will be in English. You can try some of the techniques in the referenced StackOverflow thread to add some PT text to the message. You may even be able to do some Javascript that replaces the English message with PT, but there's no guarantee that it will work on all browsers. I'll assume that you've scanned through the English language text files to check whether this text is supplied by osCommerce. If it is, you should be able to come up with a PT language file equivalent, if it doesn't already exist.
  12. That sounds like you're self-hosting on a PC with a *AMPP stack. That's a very bad idea -- hackers know far more about site security issues than you ever will, and they'll eat you alive. Unless you're an absolute expert on site security, spend a few bucks a month to host with a pro.
  13. Exactly what version of osCommerce (and "official" or "BS" version)? What PHP versions on the localhost and the live server? It sounds like you have some code somewhere that finds your live server's PHP a little too back-level. This is an example of why it's a bad idea to develop on a localhost (e.g., WAMPP installation on your PC) and then move it over to a live server. If you already have a live server, you should do your development and test work in a private test directory on that server (it might be password protected). *AMPP installations tend to have bleeding-edge PHP versions that don't work well with old osC versions. By the way, since you're just starting up, you should be using only "Frozen" (stable) or "Edge" (unstable)... see my sig below.
  14. If PayPal discovers you're charging customers extra to use them, at least in the old days they would threaten to dump you (ban you from their service). Nowadays, with more competition, they might not go to such drastic lengths, but still they discourage the practice. Almost any payment method involves some per-transaction amount, so why not take your average customer's transaction fee percentage and just bury it in your base price? As has been pointed out, such fees are a normal business expense and you should be expected to account for them in some above-board manner (i.e., not simply eat them).
  15. MrPhil

    Checkout confirmation blank white page

    Kellie, I hope you can find a more-or-less working copy in your (or your host's) backup, and at least get running again. You need to keep a log of exactly everything you change, so that when you break it, you can quickly roll back your changes and at least be working again. You also need to keep orderly backups, know which one is which, and be able to restore them when needed. Blunt speaking time. When changing a website, you have to go about it in a rational, orderly manner; and have some idea what you're doing. From the sound of it, you know nothing about programming, are unable or unwilling to learn, and get into a blind panic, changing everything frantically and losing track of where you are. You have to stop that. I think you should give up on trying to modify the site yourself, and hire someone fairly locally to do it for you. If you really want to learn how to do it, and think you can, you should not modify your live site. You should be setting up a sandbox to play in, as a private test system on your site, and don't copy over changes to your live system until you have tested it thoroughly on the test system. That's the only way you can avoid such disasters. Even experienced programmers do it this way for major changes, although they may put minor changes on the live site, knowing they can quickly back them out.
  16. MrPhil

    Checkout confirmation blank white page

    Check your configurations... in some places you show the shop installed directly in root (public_html/), and other places you show in "catalog" (public_html/catalog/). You need to find out what your actual file directory structure is (with or without catalog/) and consistently use that. Then, I've seen "admin" and "admin-name" in file paths. At some point, you probably (should have) changed your "admin" to something else. Both "admin" and "admin-name" in configuration files should match whatever your actual admin directory name is. And finally, "username" is another placeholder that needs to be changed to your actual account name. Do not show your account username or the admin name in any public forum, such as this one. Be sure to change them before posting. Using "****" or "[username]" and "[admin]" makes it clear that you've changed it.
  17. MrPhil

    Checkout confirmation blank white page

    Just to be clear, if you added the line for defining DIR_FS_ADMIN, you have to change "admin-name" in the string to the actual name of your admin directory. "admin-name" is just a placeholder, as is "username".
  18. MrPhil

    Checkout confirmation blank white page

    Does it literally say "admin-name", rather than the actual name of the admin directory? You should have given (or changed) your admin directory from the default "admin" to something else during installation (and never give out that name, including in this forum!). It's also a little late now, but you should not give out your hosting account name, either, as someone sharing your server might be able to get into your files (or at least, take a look around). The error messages say that it's looking for /catalog/<adminname>/includes/languages/english/invoice.php in /includes/modules/email_invoice/email_invoice.php. email_invoice.php would appear to be in a root installation of the catalog (public store side), while it's looking for the file in /catalog/<adminname>/ area... did you put your store into the root, and the admin under catalog? That's a strange setup, but I suppose it's possible. BTW, if you wanted customers to not have to type in /catalog, you would have been better off leaving it in /catalog and using a URL rewrite to jump visitors to / (root) to /catalog. I don't know if something on the public side looking for files on the admin side is normal in your version of osC, or if something is seriously screwed up. What changed since November 3? Could you have been hacked?
  19. I'm sure it's possible, but I can't tell you how much work it will be to convert your old shop's data to osC. I wouldn't do it by trial and error ("testruns exporting existing tables") -- you really need to fully understand what the data is all about in the old and new shops, to determine whether and how you can move it over. Very likely the mapping from old to new will be fairly straightforward once you understand the data in both shops (unless FWS has a very strange setup). You still may end up discarding some data that osC doesn't use, or synthesizing some data that doesn't exist in the old shop (e.g., which mailing address format a customer uses). I'm not clear what you mean by the "A" and "B" parts of the shop. There's information on the shop itself, and products which will go into the database (is that 'A'?), and there is customer data on past orders, addresses, etc. which you say you want to preserve (is that 'B'?). Speaking of customer accounts, were passwords "hashed" in the old database, or did they store plaintext passwords? If they were hashed, you likely will not be able to recover the plaintext password, unless FWS and osC use the same hashing system and you can simply copy over the old hashed password (unlikely, but possible). You might end up having to generate a new password for each customer, and email it to them (requiring them to change it within a certain time period), like a lost password recovery function. A clarification on the osC version to use: Edge is still under development (but reasonably stable), while Frozen is a frozen milestone release that's not quite as up-to-date. I think Gary is working primarily on Bootstrap v4 and PHP 7.2 compatibility on Edge.
  20. MrPhil

    Checkout confirmation blank white page

    The White Screen of Death often means that there was a fatal PHP error encountered -- your code is messed up. Undo all your changes, see if you're running again, and as suggested, reintroduce changes one at a time. Be very, very careful that you don't make mistakes editing (you probably did, somewhere). As for one file being unaccountably updated recently, take a close look at that file to make sure you haven't been hacked. Compare it to a known-good backup copy.
  21. By the way, before you get too far with this, are you using the correct osC version? It is Edge (or Frozen), not the obsolete official download from this site. The official release will have lots of problems running with PHP 7.2. Even Frozen (and to a lesser extent, Edge), while fine with PHP 7.1, have some patches needed for PHP 7.2.
  22. Sometimes these defined language strings are in a language file, and sometimes they are put in the database. In either case, if you are missing one or more strings, it's likely that something didn't go right with your install (base product or an add-on). Double check your work that you didn't skip a step, or overlook a warning message that a file couldn't be read or written, or data couldn't be put in the database. Look for the missing strings in your install package (language files and .sql files) and if you find them, you may be able to either manually copy the file(s) into place, manually update the proper file(s), or import them into the database. This will take some knowledge of how osC installs things, so don't go about it blindly (i.e., know what you're doing, and be able to recover from backups if you screw up).
  23. MrPhil

    wrong urls do not redirect to 404 Not Found

    The first solution is wrong. It forces the URL to http (non-SSL), which is not what you want these days (https/SSL is much preferred), and potentially adds or removes www from the domain name, which may not be desirable. To simply remove the "index.php/" part from the URL (if that works for you): RewriteEngine On RewriteRule ^index\.php/(.*)$ /$1 [R=301,L] which would not disturb the protocol (http or https) or the domain name that you may have adjusted already. The same comments apply to the second solution. In both cases, the browser (or search engine) gets a bounceback that says, "use this new URL instead of that old one you sent me." You want to try to avoid multiple 301 or 302 status messages (combine them into one if possible) so you aren't penalized by search engines.
  24. MrPhil

    </head> location

    This "Surfalot" product appears to be an HTML editor, rather than a proper PHP editor (or plain text editor). Never use an HTML editor (such as Dreamweaver) to edit PHP code. If it has a PHP (or plain text) edit mode, perhaps that would be safe to use. Whatever you're doing, it's thoroughly corrupting your code, as shown in your screen image. Something like Surfalot might be suitable for WYSIWYG-style editing of product descriptions, but don't touch PHP code with it!