spooks

Anti-hacker Account Mods, Secure your account pages

ooops, bug #2

during checkout, if I try to EDIT an existing address, below City and the city entry field, all I see is

State/Province:

without an entry field, nor is the country displayed. Same for the ship-to and bill-to edit address pages.


-Dave

You haven't uploaded the new files in the latest package or done the edits for the module?

 

Ship-to and bill-to edit address haven't been done yet, so they will be as in the original osC package.

 

 

The image is just a leftover from testing, but you should have 'pixel_trans.gif'; it's a standard osC file!!


Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


Looks like I have this module installed: Easy Address Change 0.9

Which makes changes to checkout_shipping_address.php and checkout_payment_address.php

http://addons.oscommerce.com/info/3720/v,22

 

Something I have changed during the install of anti-hacker has Easy Address Change stopping as soon as it reaches State/Province.

 

What happened to the "code box" for posting a long snippet? I will try to sort it.


-Dave

Sorted.

 

I took the changes you made in address_book_process.php and applied the same to address_edit_process and billing_address_edit_process.php.

 

All works fine.


-Dave


Hey,

 

Hey man, I respect you for doing that upgrade. Very, very nice of you, and I'm very thankful for the clean, simple update.

 

Thanks

AE


Thank you in advance,

AE


Do note that the little fix posted above only applies if you have Easy Address Change 0.9 installed and it only fixes the EDITING of existing addresses... ie address_edit_process.php and billing_address_edit_process.php.

 

I would like to post a request for Sam to see about adding anti hacker to the files:

checkout_shipping_address.php and checkout_payment_address.php. This would button up the last bits of common user input fields... when time allows.

 

Thanks Sam

 

David


-Dave


Hey

 

Can you give me a hand

 

I installed your latest update, which works great, but I'm having a few problems.

 

1) screenshot5.jpg

 

It seems that when I go to My Account and click "View or change my account information." it takes me to the page in the image above, but even if I don't change anything and click OK, it gives me the error above.

 

2) When I go back to my account area and click "View or change entries in my address book." then click add new address, the state is a text box, not a drop-down. Why?

 

Please let me know what I'm doing wrong.

 

Thanks

AE


Sorry the image didn't show up

screenshot5.jpg


 

 

1. Check your install; have you added

 

$_POST['dob'] = $_POST['dob_ind'].'/'.$_POST['dob_inm'].'/'.$_POST['dob_in'];

 

etc

 

2. Not been done yet, so it will be as in the original osC package.


Sam

 


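One way to rebuild and check the date of birth from the three drop-down fields, as an added example that is not the add-on's own code: it validates the parts before they are joined rather than concatenating whatever arrives in the POST body. The field names dob_ind, dob_inm and dob_in are the ones used in the post above; the function name, the 1900 lower bound and the sample submissions are my own, and it returns an ISO date directly instead of going through tep_date_raw as the add-on does.

```php
<?php
// Added example: not the Anti-hacker Account add-on's code. It rebuilds the
// date of birth from the three drop-down fields named in the post above
// (dob_ind = day, dob_inm = month, dob_in = year) and validates the parts
// before they are ever joined into a string. Function name and the
// 1900 lower bound are my own choices.

/**
 * Return 'YYYY-MM-DD' when all three parts are present, all digits and form a
 * real calendar date; otherwise return null so the caller can raise
 * ENTRY_DATE_OF_BIRTH_ERROR instead of storing garbage.
 */
function assemble_dob(array $post)
{
    foreach (array('dob_ind', 'dob_inm', 'dob_in') as $key) {
        // isset() avoids the "undefined index" notice that a bare
        // $_POST['dob_ind'].'/'... concatenation raises when a field is absent,
        // and ctype_digit() rejects anything that is not a plain number.
        if (!isset($post[$key]) || !ctype_digit((string) $post[$key])) {
            return null;
        }
    }
    $day   = (int) $post['dob_ind'];
    $month = (int) $post['dob_inm'];
    $year  = (int) $post['dob_in'];

    // checkdate() takes month, day, year and rejects 30/02, month 13, day 0 etc.
    if ($year < 1900 || !checkdate($month, $day, $year)) {
        return null;
    }
    return sprintf('%04d-%02d-%02d', $year, $month, $day);
}

// Constructed sample submissions (not taken from the thread).
$cases = array(
    'valid'     => array('dob_ind' => '7',  'dob_inm' => '3', 'dob_in' => '1985'),
    'feb-30'    => array('dob_ind' => '30', 'dob_inm' => '2', 'dob_in' => '1985'),
    'missing'   => array('dob_ind' => '7',  'dob_inm' => '3'),
    'non-digit' => array('dob_ind' => "7' OR 1=1", 'dob_inm' => '3', 'dob_in' => '1985'),
);

foreach ($cases as $label => $post) {
    $dob = assemble_dob($post);
    echo str_pad($label, 10), ' -> ', ($dob === null ? 'rejected' : $dob), "\n";
}
```

Only the first sample is accepted; the other three are rejected before any date string exists, which is the point: a missing field or a non-numeric value never reaches checkdate() or the database.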

Hi,

 

1) The whole file was replaced. I thought it worked, so I did some cosmetic edits, nothing to do with anything really.

 

Here is the code:

 

<?php
/*
 $Id: account_edit.php,v 2 2010/01/16 23:03:52 spooks Exp $

 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2010 osCommerce

 Released under the GNU General Public License
*/
// anti-hacker account	
 require('includes/functions/account_secure.php');
clean_post ();
$_POST['dob'] = $_POST['dob_ind'].'/'.$_POST['dob_inm'].'/'.$_POST['dob_in'];
// EOF anti-hacker account	
 require('includes/application_top.php');

 if (!tep_session_is_registered('customer_id')) {
   $navigation->set_snapshot();
   tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
 }

// needs to be included earlier to set the success message in the messageStack
 require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_ACCOUNT_EDIT);

 if (isset($_POST['action']) && ($_POST['action'] == 'process')) {
   if (ACCOUNT_GENDER == 'true') $gender = tep_db_prepare_input($_POST['gender']);
   $firstname = tep_db_prepare_input($_POST['firstname']);
   $lastname = tep_db_prepare_input($_POST['lastname']);
   if (ACCOUNT_DOB == 'true') $dob = tep_db_prepare_input($_POST['dob']);
   $email_address = tep_db_prepare_input($_POST['email_address']);
   $telephone = tep_db_prepare_input($_POST['telephone']);
   $fax = tep_db_prepare_input($_POST['fax']);

   $error = false;

   if (ACCOUNT_GENDER == 'true') {
     if ( ($gender != 'm') && ($gender != 'f') ) {
       $error = true;

       $messageStack->add('account_edit', ENTRY_GENDER_ERROR);
     }
   }

   if (strlen($firstname) < ENTRY_FIRST_NAME_MIN_LENGTH) {
     $error = true;

     $messageStack->add('account_edit', ENTRY_FIRST_NAME_ERROR);
   }

   if (strlen($lastname) < ENTRY_LAST_NAME_MIN_LENGTH) {
     $error = true;

     $messageStack->add('account_edit', ENTRY_LAST_NAME_ERROR);
   }

   if (ACCOUNT_DOB == 'true') {
     if (!checkdate(substr(tep_date_raw($dob), 4, 2), substr(tep_date_raw($dob), 6, 2), substr(tep_date_raw($dob), 0, 4))) {
       $error = true;

       $messageStack->add('account_edit', ENTRY_DATE_OF_BIRTH_ERROR);
     }
   }

   if (strlen($email_address) < ENTRY_EMAIL_ADDRESS_MIN_LENGTH) {
     $error = true;

     $messageStack->add('account_edit', ENTRY_EMAIL_ADDRESS_ERROR);
   }

   if (!tep_validate_email($email_address)) {
     $error = true;

     $messageStack->add('account_edit', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
   }

   $check_email_query = tep_db_query("select count(*) as total from " . TABLE_CUSTOMERS . " where customers_email_address = '" . tep_db_input($email_address) . "' and customers_id != '" . (int)$customer_id . "'");
   $check_email = tep_db_fetch_array($check_email_query);
   if ($check_email['total'] > 0) {
     $error = true;

     $messageStack->add('account_edit', ENTRY_EMAIL_ADDRESS_ERROR_EXISTS);
   }
// anti-hacker account
	$telephone = ValidatePhone($telephone);
	if ($telephone === NULL) {
       $error = true;
       $messageStack->add('account_edit', ENTRY_PHONE_ERROR);
	} else {
		$_POST['telephone'] = $telephone;	
	}
	$fax = ValidatePhone($fax);
	if ($fax === NULL) {
       $error = true;
       $messageStack->add('account_edit', ENTRY_FAX_ERROR);
	} else {	
		$_POST['fax'] = $fax;	
	}		
// EOF anti-hacker account	
   if (strlen($telephone) < ENTRY_TELEPHONE_MIN_LENGTH) {
     $error = true;

     $messageStack->add('account_edit', ENTRY_TELEPHONE_NUMBER_ERROR);
   }

   if ($error == false) {
     $sql_data_array = array('customers_firstname' => $firstname,
                             'customers_lastname' => $lastname,
                             'customers_email_address' => $email_address,
                             'customers_telephone' => $telephone,
                             'customers_fax' => $fax);

     if (ACCOUNT_GENDER == 'true') $sql_data_array['customers_gender'] = $gender;
     if (ACCOUNT_DOB == 'true') $sql_data_array['customers_dob'] = tep_date_raw($dob);

     tep_db_perform(TABLE_CUSTOMERS, $sql_data_array, 'update', "customers_id = '" . (int)$customer_id . "'");

     tep_db_query("update " . TABLE_CUSTOMERS_INFO . " set customers_info_date_account_last_modified = now() where customers_info_id = '" . (int)$customer_id . "'");

     $sql_data_array = array('entry_firstname' => $firstname,
                             'entry_lastname' => $lastname);

     tep_db_perform(TABLE_ADDRESS_BOOK, $sql_data_array, 'update', "customers_id = '" . (int)$customer_id . "' and address_book_id = '" . (int)$customer_default_address_id . "'");

// reset the session variables
     $customer_first_name = $firstname;

		$messageStack->add_session('account', '', 'none');
     $messageStack->add_session('account', SUCCESS_ACCOUNT_UPDATED, 'success');

     tep_redirect(tep_href_link(FILENAME_ACCOUNT, '', 'SSL'));
   }
 }

 $account_query = tep_db_query("select customers_gender, customers_firstname, customers_lastname, customers_dob, customers_email_address, customers_telephone, customers_fax from " . TABLE_CUSTOMERS . " where customers_id = '" . (int)$customer_id . "'");
 $account = tep_db_fetch_array($account_query);

 $breadcrumb->add(NAVBAR_TITLE_1, tep_href_link(FILENAME_ACCOUNT, '', 'SSL'));
 $breadcrumb->add(NAVBAR_TITLE_2);
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
<title><?php echo TITLE; ?></title>
<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">
<link rel="stylesheet" type="text/css" href="stylesheet.css">
<?php require('includes/form_check.js.php'); ?>
</head>
<body>
<!-- header //-->
<?php require(DIR_WS_INCLUDES . 'header.php'); ?>
<!-- header_eof //-->
<!-- body //-->
<table border="0" width="100%" cellspacing="0" cellpadding="0">
 <tr>
   <td width="100%" class="col_center">
 <!-- breadcrumb //-->
   <div id="breadcrumb_wrap">
<ul id="breadcrumb">
       <li><a href="http://www.bestmacdiscounts.com" title="Home"><img src="images/home.png" alt="Home" class="home" /></a></li>
       <li><?php echo $breadcrumb->trail('   ')?></li>
</ul>
<div>
 <div id="ddtabs1" class="basictab">
<ul>
<li><!-- BEGIN ProvideSupport.com Text Chat Link Code -->
<div id="scdiKA" style="display:inline"></div><div id="sddiKA" style="display:none"></div><script type="text/javascript">var sediKA=document.createElement("script");sediKA.type="text/javascript";var sediKAs=(location.protocol.indexOf("https")==0?"https":"http")+"://image.providesupport.com/js/aelalfy1989/safe-textlink.js?ps_h=diKA&ps_t="+new Date().getTime()+"&online-link-html=Live%20Help&offline-link-html=Live%20Help";setTimeout("sediKA.src=sediKAs;document.getElementById('sddiKA').appendChild(sediKA)",1)</script><noscript><div style="display:inline"><a href="http://www.providesupport.com?messenger=aelalfy1989">Online Chat</a></div></noscript>
<!-- END ProvideSupport.com Text Chat Link Code --></li>
<li><a href="<?php echo tep_href_link('account.php')?>">Account</a></li>
<li><a href="<?php echo tep_href_link('shopping_cart.php')?>">Cart <?php echo $cart->count_contents()?><img src="images/cart.png" width="22" height="16" style="vertical-align:middle; border:0px;" /></a></li>
</ul>
</div>
</div>
</div>
</tr>
<!-- body_text //-->
<tr>
<? tep_draw_heading_top_4();?>
<!-- body_text //-->
   <td width="100%" valign="top"><?php echo tep_draw_form('account_edit', tep_href_link(FILENAME_ACCOUNT_EDIT, '', 'SSL'), 'post', 'onSubmit="return check_form(account_edit);"') . tep_draw_hidden_field('action', 'process'); ?><table border="0" summary="" width="100%" cellspacing="0" cellpadding="0">
     <tr>
       <td><table border="0" summary="" width="100%" cellspacing="0" cellpadding="0">
         <tr>
           <td class="pageHeading"><?php echo HEADING_TITLE; ?></td>
         </tr>
       </table></td>
     </tr>
     <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
<?php
 if ($messageStack->size('account_edit') > 0) {
?>
     <tr>
       <td><?php echo $messageStack->output('account_edit'); ?></td>
     </tr>
     <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
<?php
 }
?>
     <tr>
       <td><table border="0" summary="" width="100%" cellspacing="0" cellpadding="2">
         <tr>
           <td><table border="0" summary="" width="100%" cellspacing="0" cellpadding="2">
             <tr>
               <td class="main"><b><?php echo MY_ACCOUNT_TITLE; ?></b></td>
               <td class="inputRequirement" align="right"><?php echo FORM_REQUIRED_INFORMATION; ?></td>
             </tr>
           </table></td>
         </tr>
         <tr>
           <td><table border="0" summary="" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
             <tr class="infoBoxContents">
               <td><table border="0" summary="" cellspacing="2" cellpadding="2">
<?php
 if (ACCOUNT_GENDER == 'true') {
   if (isset($gender)) {
     $male = ($gender == 'm') ? true : false;
   } else {
     $male = ($account['customers_gender'] == 'm') ? true : false;
   }
   $female = !$male;
?>
                 <tr>
                   <td class="main"><?php echo ENTRY_GENDER; ?></td>
                   <td class="main"><?php echo tep_draw_radio_field('gender', 'm', $male) . '  ' . MALE . '  ' . tep_draw_radio_field('gender', 'f', $female) . '  ' . FEMALE . ' ' . (tep_not_null(ENTRY_GENDER_TEXT) ? '<span class="inputRequirement">' . ENTRY_GENDER_TEXT . '</span>': ''); ?></td>
                 </tr>
<?php
 }
?>
                 <tr>
                   <td class="main"><?php echo ENTRY_FIRST_NAME; ?></td>
                   <td class="main"><?php echo tep_draw_input_field('firstname', $account['customers_firstname']) . ' ' . (tep_not_null(ENTRY_FIRST_NAME_TEXT) ? '<span class="inputRequirement">' . ENTRY_FIRST_NAME_TEXT . '</span>': ''); ?></td>
                 </tr>
                 <tr>
                   <td class="main"><?php echo ENTRY_LAST_NAME; ?></td>
                   <td class="main"><?php echo tep_draw_input_field('lastname', $account['customers_lastname']) . ' ' . (tep_not_null(ENTRY_LAST_NAME_TEXT) ? '<span class="inputRequirement">' . ENTRY_LAST_NAME_TEXT . '</span>': ''); ?></td>
                 </tr>
<?php
 if (ACCOUNT_DOB == 'true') {
// anti-hacker account
$day = substr($account['customers_dob'], 8, 2);
$month = substr($account['customers_dob'], 5, 2);
$year = substr($account['customers_dob'], 0, 4);
$day = isset($_POST['dob_ind']) ? $_POST['dob_ind'] : $day;
$month = isset($_POST['dob_inm']) ? $_POST['dob_inm'] : $month;
$year = isset($_POST['dob_in']) ? $_POST['dob_in'] : $year;
?>
             <tr>
               <td class="main"><?php echo ENTRY_DATE_OF_BIRTH; ?></td>
               <td class="main"><?php echo tep_pull_down_date('dob_in', $day, $month, $year, true) . ' ' . (tep_not_null(ENTRY_DATE_OF_BIRTH_TEXT) ? '<span class="inputRequirement">' . ENTRY_DATE_OF_BIRTH_TEXT . '</span>': ''); ?></td>

                 </tr>
<?php
 // EOF anti-hacker account
 }
?>
                 <tr>
                   <td class="main"><?php echo ENTRY_EMAIL_ADDRESS; ?></td>
                   <td class="main"><?php echo tep_draw_input_field('email_address', $account['customers_email_address']) . ' ' . (tep_not_null(ENTRY_EMAIL_ADDRESS_TEXT) ? '<span class="inputRequirement">' . ENTRY_EMAIL_ADDRESS_TEXT . '</span>': ''); ?></td>
                 </tr>
                 <tr>
                   <td class="main"><?php echo ENTRY_TELEPHONE_NUMBER; ?></td>
                   <td class="main"><?php echo tep_draw_input_field('telephone', $account['customers_telephone']) . ' ' . (tep_not_null(ENTRY_TELEPHONE_NUMBER_TEXT) ? '<span class="inputRequirement">' . ENTRY_TELEPHONE_NUMBER_TEXT . '</span>': ''); ?></td>
                 </tr>
                 <tr>
                   <td class="main"><?php echo ENTRY_FAX_NUMBER; ?></td>
                   <td class="main"><?php echo tep_draw_input_field('fax', $account['customers_fax']) . ' ' . (tep_not_null(ENTRY_FAX_NUMBER_TEXT) ? '<span class="inputRequirement">' . ENTRY_FAX_NUMBER_TEXT . '</span>': ''); ?></td>
                 </tr>
               </table></td>
             </tr>
           </table></td>
         </tr>
       </table></td>
     </tr>
     <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
     <tr>
       <td><table border="0" summary="" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
         <tr class="infoBoxContents">
           <td><table border="0" summary="" width="100%" cellspacing="0" cellpadding="2">
             <tr>
               <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
               <td><?php echo '<a href="' . tep_href_link(FILENAME_ACCOUNT, '', 'SSL') . '">' . tep_image_button('button_back.gif', IMAGE_BUTTON_BACK) . '</a>'; ?></td>
               <td align="right"><?php echo tep_image_submit('button_continue.gif', IMAGE_BUTTON_CONTINUE); ?></td>
               <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
             </tr>
           </table></td>
         </tr>
       </table></td>
     </tr>
   </table></form></td>
<!-- body_text_eof //-->
<? tep_draw_heading_bottom_4();?>
 </tr>
<!-- footer //-->
<?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
<!-- footer_eof //-->
</table>
<!-- body_eof //-->
<br>
</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

 

2) Surprised it's not done, because isn't the file being edited by you? Sorry, I'm not following. You did it for editing an account; did you maybe forget to do it for the new account? Just wondering.

 

One new problem I noticed: in all the files you edited, it seems that the country drop-down allows you to select the "please select" option, and if you do, it puts back the old state text field. Why?

 

Thanks a lot for your help and this contribution

AE



 

 

If you're using the supplied file, it's most likely an issue with tep_date_raw; if that processes the date wrong it will cause your issue.

 

That function appears in english.php; see the install file for the edits to it.

 

 

 

Edit: just took a look at your site; you have database errors!!

 

You have modified the country table!! Canada must have a country id of 38 (USA is 223); that's why the date format is showing wrong!!

 

Also why the post code check doesn't work!!

 

PS I think Canada has more than one state!!

 

 

If you make your site non-standard you can't expect things to work unless you modify any add-ons you install to comply with your site!!


Sam

 



Any suggestions for adding this to a site with Country State Selector and Super Contact Us contributions added on?

I'm finding a lot of code from the already installed contributions has edited code that this contribution wants to edit. I'm hoping someone has already been through doing this.


~Tracy
 


This already has the functionality of Country State Selector, so there's no compatibility issue; use this and ignore Country State Selector.

 

Part of what Super Contact Us gives is also already in this; what do you need that isn't?


Sam

 




Hi,

 

What does the above mentioned have to do with the state thing I discussed. I'm saying that when I change my country from the default country to "please select", it makes the state into a text field why?

 

Thanks



Hi

 

Just wanted to update: I fixed the error I mentioned about the date of birth when you click OK in the My Account summary area. But I'm a little confused. In my account_book_proccess.php, in my edit account area, I get this problem with my state as soon as I enter that page. I can change it and it works, but why does it give me that state "4306" in that text box? See below. Oh, don't mind the way that page looks; it's just the cosmetic look, because I copied it from your files. So no worries, I'll change it. Can you tell me why this error is happening?

 

screenshot10.jpg

 

Thanks

AE



Uploaded new version 1.3

 

  1. Expanded support to new address creation in account edit and checkout process.
  2. Expanded Contact Us with details based on ideas in the Super Contact Us add-on, but the order id is taken from the database and provided as a drop-down.
  3. Made Contact Us multilingual.
  4. Created a global post code check function to improve code efficiency.

Changed files:

 

account_secure.php, account_edit.php, address_book_process.php, create_account.php,

modules/address_book_details.php, contact_us.php

 

Added files:

 

modules/checkout_new_address.php, checkout_shipping_address.php, checkout_payment_address.php, languages/english/contact_us.php.

 

UPGRADING

 

If you're upgrading from any previous version, replace all the changed files listed in the Version History or modify your existing files by comparing with the new versions.

 

 

Enjoy

 


Sam

 



attempting to modify my already modified files has been interesting - since I now know to ignore the Country/State Selector code I can adjust that - I will have to look and see if there are confusing areas on Contact Us to add this into ;)

 



~Tracy
 


Hi Sam,

got a slight address issue:

FLAT 1/2

is cleaned to

FLAT 12

 

which is (maybe) a wee problem for the postman and for my payment gateway address verification. I'm still on V1.1. And sometimes people like to use a C/O My Friend's Name/Business in the address.


I'm feeling lucky today......maybe someone will answer my post!

I do try and answer a simple post when I can just to give something back.

------------------------------------------------

PM me? - I'm not for hire


To allow "/", change:

return preg_replace("/[^\p{L}\p{M}\w\r@ :{}_.-]/i", "", urldecode($vars)); 

to

return preg_replace("/[^\p{L}\p{M}\w\r\/@ :{}_.-]/i", "", urldecode($vars)); 

 

 


Sam

 



Uploaded new version 1.4

 

This now provides an option to remove the password input requirement. This is based on an idea proposed at ClubOsc and provides a more secure form of PWA (Purchase Without Account), and makes the personal details input a seamless part of the checkout.

 

Alterations in this version:

 

  1. Added option to remove password input requirement; a save details option is provided in its place, see notes. If used, the visitor will return to checkout immediately the form is complete.
  2. Created new address input module; all fields will be in the order defined by the address format for the country entered, and an option to revert to the default order is provided.
  3. Modified all account pages to use the new single address module.
  4. Created new word validation function: limit to a set number of words; words are limited to 40 characters long.
  5. Added extra input validation to name fields, restricted input to one word, first letter will be capitalised. Word limit can be altered.
  6. Added extra input validation to address, suburb & city fields, restricted input to three words, first letter will be capitalised. Word limit can be altered.
  7. Created new address and name validation modules to be used by all account pages, ensures consistency & means only one place to modify instead of 5!! Also makes install easier.
  8. Improved dob validation.

 

Changed files:

  • account_secure.php, account_edit.php, address_book_process.php, create_account.php,
  • modules/address_book_details.php, modules/checkout_new_address.php, checkout_shipping_address.php

Added files:

 

  • modules/validate_address_fields.php, modules/validate_name_fields.php, modules/address_fields.php, languages/english/create_account.php, checkout_shipping.php.

UPGRADING:

If you're upgrading from any previous version, replace all the changed files listed in the Version History or modify your existing files by comparing with the new versions.

 

 

Keep your site & data secure


Sam

 



Hi Sam,

 

Well in early McAfee Secure testing I got these two database vulnerabilities.

 

Potentially Exploitable Database Error Message
MySQL Database Error Disclosure Vulnerability

 

I'm not quite sure about the suggested fix from McAfee, but are these something that this add-on would be appropriate for?

 

Thanks,

 

Nick

 

During our analysis of your web application, we detected database specific errors. By causing a system to output errors such as these, it is often possible to determine the database version and inject database command syntax that would allow us to extract data.

 

The extent of the damage that can be caused by this vulnerability varies greatly depending on environment and configuration. While input validation via the web application may cause a database to "throw" an error, the database configuration will also play an important role in determining how much it can be altered. A remote attacker may be able to gain access to very sensitive information, or gain administrative access (total control of the entire database functionality). For example, certain configurations of SQL server will allow one to create user accounts with the ability to take control of the Windows server that hosts the database.

 

THE SINGLE BEST WAY TO FIX THIS VULNERABILITY IS TO IDENTIFY THE ACCEPTABLE INPUT FOR EACH FORM PARAMETER AND REJECT INPUT THAT DOES NOT MEET THAT CRITERIA.

 

The following is an acceptable solution however it is not optimal.

Implement content parsing on data input fields including URL parameters.

 

Remove the following characters from any user or dynamic database input: (examples in VBScript)

# ' (escape the single quote) input = replace( input, "'", "''" )

# " (double quote) input = replace( input, """", "" )

# ) (close parenthesis) input = replace( input, ")", "" )

# ( (open parenthesis) input = replace( input, "(", "" )

# ; (semi-colon) input = replace( input, ";", "" )

# - (dash) input = replace( input, "-", "" )

# | (pipe) input = replace( input, "|", "" )

 

On text input it is recommended to append quotes around the user supplied input.

 

Another solution is to turn off Database Error Messages from being displayed back to the user. This is also not optimal and can lead to Blind SQL Injection. Blind SQL Injection is still targeted by attackers and drive-by worms.


Yes, this would remove all the offending chars except the dash, which on its own is harmless.

 

Install it and re-test; I'd be interested to hear your results.


Sam

 


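As an added example (not the add-on's own account_secure.php), here is the whitelist from the regex Sam posted for the "FLAT 1/2" case, wrapped in a standalone function so you can see what the one-character change does, and which of the characters in the McAfee list above survive it. Function names, the $allowSlash and $utf8 switches and the sample strings are mine; only the character class is taken from the post.

```php
<?php
// Added example: not the add-on's own account_secure.php. It reproduces the
// whitelist from the regex posted above as a standalone function so the effect
// of the one-character change (allowing "/") and the fate of the characters in
// the McAfee list can be seen on sample input. Function names, the $allowSlash
// and $utf8 switches and the sample strings are mine; only the character class
// is taken from the post.

/**
 * Remove every character that is not in the whitelist and return the rest.
 * Whitelist (from the post): letters \p{L}, combining marks \p{M}, word
 * characters \w, carriage return, and the literal characters  @ :{}_.-
 * $allowSlash adds "/" as in the second regex of the post.
 * $utf8 appends the "u" modifier; without it PCRE evaluates \p{L} per byte,
 * which is fine for an iso-8859-1 shop but breaks multi-byte UTF-8 input.
 */
function clean_value($value, $allowSlash = false, $utf8 = false)
{
    $class = $allowSlash ? '\p{L}\p{M}\w\r\/@ :{}_.-' : '\p{L}\p{M}\w\r@ :{}_.-';
    $pattern = '/[^' . $class . ']/i' . ($utf8 ? 'u' : '');
    // urldecode() is kept because the post applies it. PHP has already decoded
    // the POST body once, so a literal "+" typed into a field becomes a space.
    return preg_replace($pattern, '', urldecode((string) $value));
}

/** Apply clean_value() to every value of a (possibly nested) POST array. */
function clean_post_array(array $post, $allowSlash = false, $utf8 = false)
{
    foreach ($post as $key => $val) {
        $post[$key] = is_array($val)
            ? clean_post_array($val, $allowSlash, $utf8)
            : clean_value($val, $allowSlash, $utf8);
    }
    return $post;
}

// Constructed sample input (not from the thread): the "FLAT 1/2" case, a
// care-of line, a name with an apostrophe, and an injection probe containing
// the characters McAfee lists ( ' " ( ) ; - | ).
$samples = array(
    'street'  => 'FLAT 1/2, 10 High Street',
    'care_of' => 'C/O My Friends Name',
    'name'    => "O'Brien",
    'probe'   => '\' OR 1=1; -- ("x")|<script>',
);

foreach ($samples as $label => $raw) {
    echo str_pad($label, 8), '| default: ', str_pad(clean_value($raw), 26),
         '| with slash: ', clean_value($raw, true), "\n";
}
```

Run it with php on the command line. The slash survives only in the second column; the apostrophe in O'Brien is gone in both, since it is not in the whitelist; and of the characters in the McAfee list only the dash remains, which matches Sam's reply. Two caveats before relying on it: the posted pattern has no u modifier, so on a UTF-8 shop it will damage accented input unless the modifier is added, and stripping characters is defence in depth, not the SQL boundary; every value that reaches a query still has to go through tep_db_input(), as the account_edit.php posted earlier in this thread does.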

I will certainly test it out today and let you know. Out of curiosity, is your anti-hacker account mod redundant with Security Pro or does it complement it? I only ask because I'm just now becoming aware of some of the security holes in osC (luckily before my site is live!) and want to install the right mods and test them in the right order. Thanks again Sam.


is your anti-hacker account mod redundant with Security Pro or does it complement it?

 

 

This complements Security Pro; you should always install that too. This processes the POST vars, whereas Security Pro sanitises the query string, i.e. each is sanitising different things.


Sam

 



Hi Sam

 

I uninstalled ‘Clean post vars’ in application top and decided to install this contribution instead.

 

I am installing this in stages and so far only installed ‘contact us’

 

'Contact us' is working fine, however I would like to make another file to use as a ‘Ask a Question’

 

I have duplicated your 'contact us' code and replaced all instances of FILENAME_CONTACT_US with FILENAME_ASK_A_QUESTION; however, I still cannot get this to work. After filling in the form and clicking 'continue' it redirects to my 404 page.

 

What am I missing? I hope you can help.

 

Regards

 

Ken
