
osCommerce

Serious error in admin search could delete entire catalog


Guest


One of my staff was happily going about deleting old products from our system. He searched for a product, hit the delete button, confirmed and... ... ... Nothing. Literally. Nothing. No products, categories, absolutely nothing. Hit refresh etc. etc. Nothing.

 

Fortunately, we backed up the db days before so it was not too much trouble to fix. Scary nonetheless.

 

Here's what happens. DO NOT TRY THIS OUT!!!!!

 

Ordinarily, when the delete button is clicked, the pID and cID $_GET variables are used in the SQL query to delete a product. The problem occurs when a user tries to delete a product directly after they've searched for it, without clicking on anything else. You'll notice that if you search for a product in OSC admin, the first product in the list will automatically become selected after the search; however, if you look in the address bar, you'll notice the URL is missing the cID and pID $_GET variables.

 

i.e. this is what your URL will look like DIRECTLY after typing in a search term, in this case "apple":

www.yoursitename/admin/categories.php?search=apple

 

and this is what it should look like:

www.yoursitename.com/admin/categories.php?cPath=65&pID=524

 

When the user clicks delete in this case, the SQL query reads delete * from categories where categories_id =

 

and delete * from products where products_id =

 

see the problem?

 

Now I can't remember if I installed a contrib which came into play here. (I don't think I did.) I've got a feeling this is a bug in OSC.

 

Here's my crude, rude, yet effective fix. This does not fix the URL, it just prevents the delete button from working if the URL does not contain enough info for the delete to work correctly.

 

In admin/categories.php

 

Find:

 

} elseif (isset($pInfo) && is_object($pInfo)) {

 

Replace with:

} elseif (isset($pInfo) && is_object($pInfo) && !empty($_GET['pID'])) {

 

Done. All fixed. Nasty, yet effective, and better than losing your entire catalog.

 

:D

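The post's fix only hides the delete box when pID is absent; the safer place to stop an empty id reaching the database is where the DELETE statement is built. The following is an added example, not osCommerce code: product_id_from_request, unguarded_delete_sql and guarded_delete_sql are hypothetical helper names, and the two request arrays are constructed to mirror the two URLs quoted above.

```php
<?php
// Added example (not osCommerce code): validate the product id before any
// DELETE is built, so a search-only request (no pID) can never delete anything.
declare(strict_types=1);

// Return the product id from the request, or null when it is absent or invalid.
// Only positive integers pass, so '', '0', 'abc' and '524 OR 1=1' are all rejected.
function product_id_from_request(array $get): ?int
{
    if (!isset($get['pID'])) {
        return null;
    }
    $id = filter_var($get['pID'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return ($id === false) ? null : $id;
}

// The unguarded pattern the post describes: the id is concatenated straight into
// the statement, so a missing pID yields "... where products_id = " with no value.
function unguarded_delete_sql(array $get): string
{
    return 'delete from products where products_id = ' . ($get['pID'] ?? '');
}

// Guarded pattern: refuse unless a valid id is present, and hand back a
// parameterised statement plus its bound value instead of a concatenated string.
function guarded_delete_sql(array $get): ?array
{
    $id = product_id_from_request($get);
    if ($id === null) {
        return null; // the caller must treat null as "do nothing"
    }
    return ['sql' => 'DELETE FROM products WHERE products_id = ?', 'params' => [$id]];
}

// Constructed sample requests mirroring the two URLs quoted in the post.
$after_search = ['search' => 'apple'];              // no pID at all
$after_click  = ['cPath' => '65', 'pID' => '524'];  // pID present

foreach ([$after_search, $after_click] as $request) {
    echo 'unguarded: ' . unguarded_delete_sql($request) . "\n";
    $plan = guarded_delete_sql($request);
    echo 'guarded:   ' . ($plan === null
        ? 'refused (no valid pID)'
        : $plan['sql'] . ' [' . implode(',', $plan['params']) . ']') . "\n";
}
```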


Just a quick correction there: the $_GET variables do not pass to the $product_id variable or the $category_id. And yes, I could actually FIX the problem by changing the way the variables retrieve their data (i.e. $_GET as opposed to HTTP_POST_VARS); however, this would involve testing, something I'm not game to do on my own system.


Archived

This topic is now archived and is closed to further replies.
