equilla

Support Thread for Supertracker Contribution


Have you done this bit?

 

Step 3.

Edit /catalog/includes/application_top.php and add the following code before the last ?> in the file:

 

//Do the superstats business
require(DIR_WS_CLASSES . 'supertracker.php');
$tracker = new supertracker;
$tracker->update();

 

I might have originally forgotten to add that bit as well (or I just dreamed that :-" )

 

Oh yes, I have done that bit. I actually just went through the install process once again. Still not inserting rows... very odd. It has to be something stupid on my part, as this does not seem to be a very common problem. Hmmmmm.... :huh:


Hello, thanks to createvideo for posting the security fix. However, I can't drop and overwrite my general.php as it's already edited by other contributions (and I don't have the coding skills to work out the sections that need changing). Could someone post a stage-by-stage edit for the two files?

 

Thanks Alex


No problem Alex, I'd been meaning to do this when I found the time. I started on PHP/SQL not long ago and found the PHP/SQL Bible from Wiley books to be very helpful for newbs.

 

 

Step 1: Open /includes/functions/general.php

 

Add the following clean_url function at the top of the file, after the first comments section.

 

// rev14 - createvideo: security - add URL string cleaning
// add or remove characters as needed to enhance security
function clean_url($url) {
//  $string = ereg_replace(' +', ' ', trim($url));   // left disabled: ereg_* is deprecated since PHP 5.3 and gone in PHP 7
  $string = $url;
  // strip the listed characters; everything else passes through unchanged
  return preg_replace('/[\;\<\>\'\"\:\;\|\(\)$^]/', '', $string);
}

 

Step 2: Open /includes/classes/supertracker.php

Find:

 $current_page=$_SERVER['PHP_SELF'];

Replace with:

 //rev14 - security fix - clean input
 // $current_page=$_SERVER['PHP_SELF'];
 $current_page= clean_url($_SERVER['PHP_SELF']);
 //

Find:

 $refer_data = $_SERVER['HTTP_REFERER'];

Replace with:

 //rev14 - security fix
 // $refer_data = $_SERVER['HTTP_REFERER'];
 $refer_data = clean_url($_SERVER['HTTP_REFERER']);

Find:

 $ip = $_SERVER['REMOTE_ADDR'];
 $current_page=$_SERVER['PHP_SELF'];
 $time_arrived = date('Y-m-d H:i:s');
 $landing_page = $_SERVER['REQUEST_URI'];

Replace with:

 //rev14 - security fix
 // $ip = $_SERVER['REMOTE_ADDR'];
 $ip = clean_url($_SERVER['REMOTE_ADDR']);
 //rev14 - $current_page=$_SERVER['PHP_SELF'];
 $current_page= clean_url($_SERVER['PHP_SELF']);
 $time_arrived = date('Y-m-d H:i:s');
 //rev14 - $landing_page = $_SERVER['REQUEST_URI'];
 $landing_page = clean_url($_SERVER['REQUEST_URI']);

 

 

That's all for cleaning the Supertracker variables before they are passed to the database. In general, you should always sanitize your input data before sending it to the database. Harold has taken care of several similar security holes in the latest OSC release; make sure you've made these updates also.

BR, createvideo

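Editor's added example, not code from the Supertracker contribution or from anyone in this thread. It runs the posted clean_url() blacklist and a bound-parameter INSERT side by side against an in-memory SQLite table, using the rogue product name quoted later in the thread as input. Assumptions not taken from the thread: PHP with the pdo_sqlite extension, and a constructed four-column stand-in for the real supertracker table (the column names match the variables touched by the posted fix; the real schema has more columns).

```php
<?php
// Editor's added example (not from the Supertracker contribution or this thread).
// Assumptions: pdo_sqlite is available; the table below is a constructed stand-in.

// The clean_url() filter exactly as posted in the thread (character blacklist).
function clean_url($url) {
    return preg_replace('/[\;\<\>\'\"\:\;\|\(\)$^]/', '', $url);
}

// Constructed stand-in for the Supertracker table.
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE supertracker (
        tracking_id INTEGER PRIMARY KEY AUTOINCREMENT,
        ip TEXT, current_page TEXT, landing_page TEXT, refer_data TEXT)');
    return $db;
}

// Vulnerable pattern: request values concatenated straight into the SQL text.
function insert_concat(PDO $db, array $row): void {
    $sql = "INSERT INTO supertracker (ip, current_page, landing_page, refer_data) VALUES ('"
         . $row['ip'] . "', '" . $row['current_page'] . "', '"
         . $row['landing_page'] . "', '" . $row['refer_data'] . "')";
    $db->exec($sql);
}

// Hardened pattern: bound parameters, so the values are never parsed as SQL.
function insert_prepared(PDO $db, array $row): void {
    $stmt = $db->prepare('INSERT INTO supertracker (ip, current_page, landing_page, refer_data)
                          VALUES (:ip, :current_page, :landing_page, :refer_data)');
    $stmt->execute([
        ':ip'           => $row['ip'],
        ':current_page' => $row['current_page'],
        ':landing_page' => $row['landing_page'],
        ':refer_data'   => $row['refer_data'],
    ]);
}

function last_landing_page(PDO $db): string {
    return (string) $db->query('SELECT landing_page FROM supertracker ORDER BY tracking_id DESC LIMIT 1')->fetchColumn();
}

// Constructed request values, using the rogue product name from this thread.
$row = [
    'ip'           => '203.0.113.10',
    'current_page' => '/catalog/product_info.php',
    'landing_page' => "/catalog/product_info.php/som'e\"produc(t<)name",
    'refer_data'   => 'http://example.com/search?q=shoes',
];

$db = make_db();

try {
    insert_concat($db, $row);
    echo "concat: inserted without error\n";
} catch (PDOException $e) {
    // This is the SQL error the thread tells you to look for on a product page.
    echo 'concat: SQL error -> ' . $e->getMessage() . "\n";
}

// The blacklist stops the error only by deleting characters. Note that ':' is on
// the list, so the referrer loses its "http:" and the stored row no longer holds
// the value the visitor actually sent.
insert_concat($db, array_map('clean_url', $row));
echo 'concat+clean_url stored: ' . last_landing_page($db)
   . ' / referer ' . clean_url($row['refer_data']) . "\n";

// Bound parameters store the original value verbatim and cannot alter the query.
insert_prepared($db, $row);
echo 'prepared stored:         ' . last_landing_page($db) . "\n";
```

Run it with the PHP CLI: the first INSERT throws the syntax error, the filtered INSERT succeeds but stores mangled data, and the prepared INSERT stores the rogue string verbatim. osCommerce's own helper for this job is tep_db_input(), which escapes a value for MySQL right before it goes into the query string; Mark's reply below about 3.1a describes that kind of per-query treatment, and it is the form to check for in your copy of supertracker.php rather than a character blacklist applied far from the query.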

Hello,

 

When I try to make the change required in /catalog/includes/application_top.php, I get the following error on my store:

 

1054 - Unknown column 'sesskey' in 'where clause'

 

select * from supertracker where sesskey = 'ffa498607177bf0bf2e36c7b4a7802e9'

 

[TEP STOP]

 

Please help. Thanks!


I am also having the same error after updating the SQL file.

 

1054 - Unknown column 'sesskey' in 'where clause'

 

select * from supertracker where sesskey = ''

 

[TEP STOP]

 

Thanks,

 

Charlie


Hello,

I've got one problem with this contribution. I can't delete (all or part of) the database; an SQL syntax error shows up:

 

1064 - You have an error in your SQL syntax near 'ORDER by tracking_id ASC LIMIT 200' at line 1

DELETE from supertracker ORDER by tracking_id ASC LIMIT 200

[TEP STOP]

 

 

Besides this problem, it's still a very good contribution.

Thanks!

Found an SQL injection risk with Supertracker. To see if you are at risk, pull up a product page:

/index/product_info.php/ ... some_product_name

Now insert some rogue characters into the product name, e.g.

som'e"produc(t<)name

Hit return; if you see an SQL error message, then your site can be hacked from here.

I added my copy of /includes/functions/general.php and /includes/classes/supertracker.php to the contribution section for anyone interested in using or improving them.

Please do a compare & merge ONLY with my files; like most people here, I have 10,000 customizations on my site with only 100 documented :)

 

The SECURITY FIX revisions are NOTED with REV 14 - createvideo
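Editor's added example, not code from createvideo or the Supertracker contribution: a small PHP CLI probe that automates the manual check above and also sends the same rogue string in the query string and in the Referer header, because supertracker.php stores REQUEST_URI and HTTP_REFERER as well as the page name. The shop URL is an assumption passed on the command line; point it only at a shop you are authorised to test. With no argument it runs an offline self-check on a response body constructed from the error text posted in this thread.

```php
<?php
// Editor's added example (not from the thread). Assumption: the target base URL
// is given as the first CLI argument, e.g. php probe.php http://shop.example/catalog

const ROGUE = "som'e\"produc(t<)name";   // the rogue product name from the thread

// Error signatures produced by the osCommerce database layer, as seen in this thread.
const SQL_ERROR_SIGNATURES = [
    'You have an error in your SQL syntax',
    '[TEP STOP]',
    '1064 -',
    '1054 -',
];

function looks_like_sql_error(string $body): bool {
    foreach (SQL_ERROR_SIGNATURES as $sig) {
        if (stripos($body, $sig) !== false) {
            return true;
        }
    }
    return false;
}

// Fetch a URL with an optional Referer header; returns the body even on 4xx/5xx.
function fetch(string $url, string $referer = ''): string {
    $headers = "User-Agent: supertracker-probe\r\n";
    if ($referer !== '') {
        $headers .= 'Referer: ' . $referer . "\r\n";
    }
    $ctx = stream_context_create(['http' => [
        'method'        => 'GET',
        'header'        => $headers,
        'ignore_errors' => true,   // keep the body of error responses
        'timeout'       => 10,
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? '' : $body;
}

// The three places the tracker reads from the request. The rogue string is sent
// raw, as a browser address bar would, because REQUEST_URI is stored un-decoded
// and a percent-encoded payload would never reach the query as quote characters.
function probe(string $base): array {
    $base = rtrim($base, '/');
    $cases = [
        'path segment (PHP_SELF)'    => [$base . '/product_info.php/' . ROGUE, ''],
        'query string (REQUEST_URI)' => [$base . '/product_info.php?products_id=1&x=' . ROGUE, ''],
        'Referer (HTTP_REFERER)'     => [$base . '/product_info.php?products_id=1', 'http://example.com/' . ROGUE],
    ];
    $results = [];
    foreach ($cases as $name => [$url, $referer]) {
        $results[$name] = looks_like_sql_error(fetch($url, $referer));
    }
    return $results;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (probe($argv[1]) as $name => $hit) {
        printf("%-28s %s\n", $name, $hit ? 'SQL ERROR IN RESPONSE - vulnerable' : 'no error text');
    }
} else {
    // Offline self-check on a constructed response body copied from this thread.
    $sample = "1064 - You have an error in your SQL syntax near 'ORDER by tracking_id ASC LIMIT 200' at line 1\n[TEP STOP]";
    var_dump(looks_like_sql_error($sample));
    var_dump(looks_like_sql_error('<html>ok</html>'));
}
```

A hit means the value reached the query unescaped. A miss only means no error text was echoed back (the shop may suppress errors, or the injection may be blind), so read the result together with a look at how supertracker.php builds its queries, not instead of it.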

 

Hi createvideo,

 

Can you just confirm which version of Supertracker you found this issue with? The reason I ask is that code to mitigate the risk of SQL injection was introduced in version 3.1a: the parameters that get used in db transactions are treated immediately before the queries.

 

Certainly, on my installs I haven't been able to pull off your suggested method of attacking through this script.

 

Many thanks,

 

 

 

 

Mark


Mark, my files are likely pre-3.1a, but I didn't see anything in the newer release notes addressing this issue, so I didn't check the latest releases. I'll find time this week to look at the latest release, but as you stated, as long as data is cleaned before making the sql call, it should be ok.

 

I found the issue when running a large number of automated combinations against my site, and my fix seemed adequate to block them all.

 

Best wishes, David


I applied Supertracker V3.2b. Do I still need to apply the fix suggested by createvideo? I could not even find the suggested code blocks in supertracker.php for replacement.

Thanks,


I have a question about deleting oldest data.

 

I only want to delete stuff related to products and categories viewed.

 

I want to KEEP data concerning referrers, search keywords, and products viewed report.

 

Is there any way to delete some things and keep others?


26 contributions installed - - And counting ....

 

Just want to take this time to extend my appreciation to everyone who have patiently answered my questions over the months of working on my site. I hope to be able to "pass it forward" and help new folks.


I am getting the following error. I uploaded the files few times, still getting the same error. Can someone help me? thanks,

 

Fatal error: error traversing database - perhaps it is corrupt? in /home/xxxx/public_html/includes/geoip.inc on line 416


Thanks for this great contrib! It really helps to find out where the visitors came from and what pages they went through.

 

I'd like to suggest one more feature:

 

Add filters for specific files: I recently added an RSS feed for my product list in my store. Now I have hundreds of records in the database every day which only fetched the RSS file via feed readers. I would really like to keep these activities from being logged to the database.

 

And I agree with Moonlight, a better 'delete' feature would help, too.

 

Anyway, great job! Way to go, Mark!

Edited by AlexStudio

Super Download Shop, PayPal Express Checkout IPN, Selling Downloads, Visual Validation (preventing robotic flood), phpBB2 Integration

 

Yes, I'm willing to help, but please ask in the right place. Think twice before trying to PM me, it might be ignored.


Hello,

 

I have a problem: all is OK until I put the following lines into application_top.php:

//Do the superstats business
require(DIR_WS_CLASSES . 'supertracker.php');
$tracker = new supertracker;
$tracker->update();

and the problem is this line:

$tracker->update();

because when I activate that on the webserver, my site is gone and all is white; when I make it:

// $tracker->update();

the site is back again, but it does not write anything to the database.

Anyone have an idea?

 

Greetings from Germany


Hi there,

 

I am one of the unlucky shared SSL users. On top of that, I have a dynamic IP like most Germans have.

This great contrib works excellently, but I can't get any useful PPC information because of shared SSL and dynamic IP.

If a customer comes to my site from a PPC link I get a working referrer as well as an informative referrer_query_string with "ref=" and "keyw=". So far so good.

Now the customer wants to order. He goes to the shopping cart and ...

I get a new ID due to shared SSL and Supertracker creates a new referrer named "www.mypage.shopping_cart.php" with the referrer_query_string "osCsid...." without "ref" or "keyw".

Is there any solution for this problem?

Thanks for any help!

I tried to find a solution myself. The SQL statement looked like:

same shopping cart amount, almost same time, completed_purchase = true, one referrer = www.mypage.shopping_cart.php ==> didn't work the way I want!


I just installed this contribution with the latest security updates and all, but I'm getting the following error:

 

1054 - Unknown column 'sesskey' in 'where clause'

 

select * from supertracker where sesskey = '152fb5cb02f20fe2eb922119a1f24c1d'

 

[TEP STOP]


Hi,

 

ah yes, it seems we have a configuration control problem here. The supertracker class was rewritten in one of the earlier versions and no longer needed the sesskey field in the database, so it was removed.

 

Unfortunately, the security update posted by createvideo was based on an earlier version of supertracker, and so is trying to use this field.

 

As a temporary fix you could add the sesskey field to the database, but I think we need to organise a new release that fixes this issue properly.

 

Mark


well, I uninstalled that version and installed 3.2b and I'm getting this error:

 

Fatal error: Cannot instantiate non-existent class: supertracker in /home/theda17/public_html/shop/includes/application_top.php on line 513

 

 

Any ideas?


Hi Again,

 

The two most obvious causes are that either this line:

 

require(DIR_WS_CLASSES . 'supertracker.php');

 

is missing from application_top.php (it should be directly above this line):

 

$tracker = new supertracker;

 

which must be your line 513.

 

or, the supertracker.php file is missing from your shop/includes/classes folder.

 

I would usually expect other error messages about not being able to find the supertracker class file though, so it is possible that there is a problem with the class file itself. If the above things I have mentioned are definitely in place, try re-uploading the supertracker class file and see if that solves the problem.

 

Regards,

 

 

 

Mark


Okay, I can't seem to find an answer on this thread to exclude my entry page outside of the catalog. I made it a PHP page with application_top.php; however, because it's outside the catalog directory, it isn't working.

Isn't there some way to include the entry page in the stats rather than have it be a referrer??? I must have it because I have an adult store. :'(

 

webbydeb


Debora

Breaking code.... one website at a time.

Vibrators: like cute little puppies without the puppy breath. Who can't like a vibrator?

Life Tip: Taking yourself too seriously? Put on a penis hat and look in the mirror every 5 minutes. That should fix it.

"Finally found the ball gag for those damn voices. Now to pull out the whip...." - Me

Member of the CODE BREAKERS CLUB - WE RULE!

<snip about adding tracking on your own html pages>

 

include (DIR_WS_INCLUDES . 'application_top.php');

 

</snip>

Hi

I can get this to work if I have the HTML (which is set in .htaccess to parse PHP) in the catalog folder, but I can't get it to work outside of the catalog folder. I have my main entry page in the root, which then links to my catalog.

 

Is there a way of getting stats for non-osc pages?

 

Ta

 

Martin

 

Error I get is:

 

Warning: main(includes/configure.php): failed to open stream: No such file or directory in /usr/home/abc/www/catalog/includes/application_top.php on line 29

 

Fatal error: main(): Failed opening required 'includes/configure.php' (include_path='.:/usr/local/lib/php') in /usr/home/abc/www/catalog/includes/application_top.php on line 29

This is exactly my issue. Any ideas???? Please????



Someone has got to have an idea on this. The supertracker is great, but most of my 'referrals' are coming from my front page outside of the catalog folder. Unless I can figure this out, it really isn't beneficial to use for me.

 

Anybody????


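Editor's added example, not an answer posted in the thread. The error Martin quotes says why the include fails from the web root: application_top.php loads includes/configure.php and the rest of the catalog by paths relative to the current working directory, and from the root that directory is not the catalog. Changing into the catalog for the duration of the require makes those relative paths resolve. Assumption: the catalog sits in a catalog/ subdirectory beside the entry page; adjust $catalog_dir otherwise. The entry page still has to be parsed as PHP (the .htaccess arrangement Martin describes) and the Step 3 hook must be in application_top.php for the visit to be recorded.

```php
<?php
// Editor's added example (not from the thread): include osCommerce's
// application_top.php from an entry page that lives outside the catalog directory.
// Assumption: the catalog is ./catalog next to this file; change if your layout differs.
$catalog_dir  = __DIR__ . '/catalog';
$previous_dir = getcwd();

// application_top.php requires 'includes/configure.php' and friends relative to the
// working directory, so switch into the catalog before pulling it in. The Step 3 hook
// inside it ($tracker->update()) records this page view.
chdir($catalog_dir);
require $catalog_dir . '/includes/application_top.php';
chdir($previous_dir);   // back to the entry page's own directory for its own includes

// ... the entry page's own HTML follows here ...
```

Because the page is now inside the osCommerce session, the visit is logged as a page of the shop rather than showing up as a referrer when the visitor clicks through to the catalog.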

I seem to have a conflict with the contrib Access with Level Account (v. 2.2a) for the Admin Area of osCommerce (MS2). When selecting any reports from the admin page I am redirected to my admin login screen. The contrib Access with Level Account appends a variable osCAdminID=long_session_string to every admin page request. But supertracker.php uses <option value="supertracker.php?report=refer"> and so on, so when the session doesn't see this osCAdminID variable I am kicked back to my login screen. I assume this is what is happening, but I am completely at a loss as to how to fix it... Any ideas?


I fixed it by editing the following code in catalog/admin/supertracker.php after line 125 :

Replace:

<option value=""><?php echo TABLE_TEXT_MENU_TEXTE; ?></option>
<option value="supertracker.php?report=refer"><?php echo TEXT_TOP_REFERRERS; ?></option>
<option value="supertracker.php?report=success_refer"><?php echo TEXT_TOP_SALES;?></option>
<option value="supertracker.php?special=geo"><?php echo TEXT_VISITORS;?></option>
<option value="supertracker.php?special=keywords"><?php echo TEXT_SEARCH_KEYWORDS;?></option>
<option value="supertracker.php?special=keywords_last24"><?php echo TEXT_SEARCH_KEYWORDS_24;?></option>
<option value="supertracker.php?special=keywords_last72"><?php echo TEXT_SEARCH_KEYWORDS_3;?></option>
<option value="supertracker.php?special=keywords_lastweek"><?php echo TEXT_SEARCH_KEYWORDS_7;?></option>
<option value="supertracker.php?special=keywords_lastmonth"><?php echo TEXT_SEARCH_KEYWORDS_30;?></option>
<option value="supertracker.php?report=exit"><?php echo TEXT_TOP_EXIT_PAGES;?></option>
<option value="supertracker.php?report=exit_added"><?php echo TEXT_TOP_EXIT_PAGES_NO_SALE;?></option>
<option value="supertracker.php?report=ave_clicks"><?php echo TEXT_AVERAGE_CLICKS;?></option>
<option value="supertracker.php?report=ave_time"><?php echo TEXT_AVERAGE_TIME_SPENT;?></option>
<option value="supertracker.php?special=prod_coverage"><?php echo TEXT_PRODUCTS_VIEWED_REPORT;?></option> <!-- modified by azer//-->
<option value="supertracker.php?special=last_ten"><?php echo TEXT_LAST_TEN_VISITORS;?></option>
<?php if (SUPERTRACKER_USE_PPC) {?>
<option value="supertracker.php?special=ppc_summary"><?php echo TEXT_PPC_REFERRAL;?></option>

 

With This:

 

	
<div class="supertracker_text">
<?php echo TABLE_TEXT_MENU_DESC_TEXTE; ?> <form name="report_select"><select name="report_selector" onchange="page_redirect(this)">
<option value=""><?php echo TABLE_TEXT_MENU_TEXTE; ?></option>
<?php //Begin compatibility with Admin Level Access
?>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&report=refer' ?>"><?php echo TEXT_TOP_REFERRERS; ?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&report=success_refer' ?>"><?php echo TEXT_TOP_SALES;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=geo' ?>"><?php echo TEXT_VISITORS;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=keywords' ?>"><?php echo TEXT_SEARCH_KEYWORDS;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=keywords_last24' ?>"><?php echo TEXT_SEARCH_KEYWORDS_24;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=keywords_last72' ?>"><?php echo TEXT_SEARCH_KEYWORDS_3;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=keywords_lastweek' ?>"><?php echo TEXT_SEARCH_KEYWORDS_7;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=keywords_lastmonth' ?>"><?php echo TEXT_SEARCH_KEYWORDS_30;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&report=exit' ?>"><?php echo TEXT_TOP_EXIT_PAGES;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&report=exit_added' ?>"><?php echo TEXT_TOP_EXIT_PAGES_NO_SALE;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&report=ave_clicks' ?>"><?php echo TEXT_AVERAGE_CLICKS;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&report=ave_time' ?>"><?php echo TEXT_AVERAGE_TIME_SPENT;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=prod_coverage' ?>"><?php echo TEXT_PRODUCTS_VIEWED_REPORT;?></option> <!-- modified by azer//-->
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=last_ten' ?>"><?php echo TEXT_LAST_TEN_VISITORS;?></option>
<?php if (SUPERTRACKER_USE_PPC) {?>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=ppc_summary' ?>"><?php echo TEXT_PPC_REFERRAL;?></option>
<?php //End compatibility with Admin Level Access
?>


Oops,

Don't copy this part!!!

<div class="supertracker_text">
<?php echo TABLE_TEXT_MENU_DESC_TEXTE; ?> <form name="report_select"><select name="report_selector" onchange="page_redirect(this)">
<option value=""><?php echo TABLE_TEXT_MENU_TEXTE; ?></option>

Start copying after the comment!

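Editor's added example, not code from the Supertracker or Access with Level Account contributions: the same report menu generated from a table instead of fifteen hand-edited option lines, with the osCAdminID parameter carried in each URL and every value run through htmlspecialchars() before it lands in an HTML attribute. Assumptions not taken from the thread: the report list mirrors the option values in the posted menu; $osCAdminID holds the admin session id as in the posted fix; the TEXT_* labels come from the contribution's language file, so the script falls back to the constant names when they are undefined so that it runs on its own. The page name is passed as a literal rather than echoing $PHP_SELF, so nothing from the request path is reflected into the markup.

```php
<?php
// Editor's added example (not from either contribution). Assumptions: report names
// as in the posted menu; $osCAdminID is the admin session id; TEXT_* labels come from
// the language file (fallback to the constant name here so the script runs stand-alone).

$report_menu = [
    ['report',  'refer',              'TEXT_TOP_REFERRERS'],
    ['report',  'success_refer',      'TEXT_TOP_SALES'],
    ['special', 'geo',                'TEXT_VISITORS'],
    ['special', 'keywords',           'TEXT_SEARCH_KEYWORDS'],
    ['special', 'keywords_last24',    'TEXT_SEARCH_KEYWORDS_24'],
    ['special', 'keywords_last72',    'TEXT_SEARCH_KEYWORDS_3'],
    ['special', 'keywords_lastweek',  'TEXT_SEARCH_KEYWORDS_7'],
    ['special', 'keywords_lastmonth', 'TEXT_SEARCH_KEYWORDS_30'],
    ['report',  'exit',               'TEXT_TOP_EXIT_PAGES'],
    ['report',  'exit_added',         'TEXT_TOP_EXIT_PAGES_NO_SALE'],
    ['report',  'ave_clicks',         'TEXT_AVERAGE_CLICKS'],
    ['report',  'ave_time',           'TEXT_AVERAGE_TIME_SPENT'],
    ['special', 'prod_coverage',      'TEXT_PRODUCTS_VIEWED_REPORT'],
    ['special', 'last_ten',           'TEXT_LAST_TEN_VISITORS'],
];

// HTML attribute/text escaping; ENT_QUOTES covers both quote styles.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// One <option> line. http_build_query() URL-encodes the session id and the report
// name; h() then escapes the whole URL for the attribute context.
function report_option(string $page, string $admin_id, string $kind, string $value, string $label): string {
    $href = $page . '?' . http_build_query(['osCAdminID' => $admin_id, $kind => $value]);
    return '<option value="' . h($href) . '">' . h($label) . "</option>\n";
}

function label_for(string $const): string {
    return defined($const) ? (string) constant($const) : $const;
}

function report_options(string $page, string $admin_id, array $menu, bool $use_ppc): string {
    $out = '';
    foreach ($menu as [$kind, $value, $const]) {
        $out .= report_option($page, $admin_id, $kind, $value, label_for($const));
    }
    if ($use_ppc) {   // replaces the <?php if (SUPERTRACKER_USE_PPC) ... ?> branch
        $out .= report_option($page, $admin_id, 'special', 'ppc_summary', label_for('TEXT_PPC_REFERRAL'));
    }
    return $out;
}

// Stand-alone demo with constructed values. In admin/supertracker.php pass
// 'supertracker.php' and the real $osCAdminID, inside the existing <select>.
echo report_options('supertracker.php', 'a1b2c3d4e5f6a7b8', $report_menu, true);
```

Run it with the PHP CLI to see the generated option lines. Keeping the menu in one array also means a future report only needs one new row instead of another hand-built URL, which is where the missing osCAdminID crept in to begin with.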
