
Rachael w.

Insecure form on create_account and login.php help


I've been searching for hours trying to figure out why Chrome returns an SSL insecure-form problem with my create_account.php and login.php pages.

I have this code for the form:

$loginboxcontent = tep_draw_form('login', tep_href_link(FILENAME_LOGIN, 'action=process', 'SSL'))

I've read to change the 'SSL' in that line to $request_type; however, when I do that I get an error on the page:

Error!

Unable to determine connection method on a link!

Known methods: NONSSL SSL

What else do I need to edit to get $request_type to work correctly?

Thanks in advance for your help on this one!

 


Were you having the problem before you changed 'SSL' to $request_type? It sounds like $request_type is not being properly set (to either SSL or NONSSL). I have seen problems where a server returns '1' instead of 'on' from getenv('HTTPS') (especially IIS) in application_top.php. You might try changing that test to see if it helps.


The problem I had before I changed 'SSL' to $request_type was only that Chrome was showing an insecure form.

I tried changing to a "1" rather than "on" and it breaks my CSS on secure pages.


Tested it:

 

Insecure <form> call
Found on line # 314 in file: www.xxxxx.com/create_account.php

(Note: Chrome will show a security error for any secure page with an insecure <form> call on the page)


Yep, tested my own site (osC 2.3.4) and get exactly the same warning (but a different line):

Insecure <form> call.
Found on line # 177 in file: www.mysite.co.uk/create_account.php

(Note: Chrome will show a security error for any secure page with an insecure <form> call on the page)

Anyone running 2.3.4bs on SSL care to try the test and see what result you get?

Anyone have any idea how to secure the form?


Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


Same error, in my case line 85. The line 85 form is for myshop.com/advanced_search_result.php


I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.


@@Mort-lemur I'm not running that so I can't test it, but you need to determine what is causing the failure for sure, since it could be one of the forms included on the page. In Chrome, open Tools > JavaScript console and it will list such failures. Look at the forms on the page to find the one causing a problem (there may be more than one).


@@Jack_mcs Thanks Jack,

 

Funny thing, I don't normally use Chrome, so when I first went there I had the green padlock, then Chrome updated itself and I got the warning triangle. Looks like the non-secure part is the search box, which is called up on all pages, be they SSL or non-SSL.

 

Warning in chrome console is as follows:

 

 

The page at 'https://www.mysite.co.uk/create_account.php' was loaded over HTTPS, but is submitting data to an insecure location at 'http://www.mysite.co.uk/advanced_search_result.php': this content should also be submitted over HTTPS.

 

So I need to make the search form submit over https?

 

Many Thanks


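The Chrome console message quoted above is the browser's own mixed-content check. The script below is an added example, not code from the thread or from osCommerce, that performs the same check offline over a page's rendered HTML: it lists every form whose action submits to http:// on an https:// page, and also the script, stylesheet, image and iframe references that point at http://, since those raise mixed-content warnings too. The function name find_insecure_submissions and the sample HTML (shaped like a create_account.php page with the quick_find search box in the header) are constructed for this example.

```php
<?php
// Added example, not osCommerce's own code: offline mixed-content audit of
// rendered HTML. Reports what Chrome reports for an HTTPS page: forms whose
// action is an absolute http:// URL, plus other http:// subresources.

function find_insecure_submissions($html, $page_url) {
    $issues = array();
    $page = parse_url($page_url);
    if (!isset($page['scheme']) || strtolower($page['scheme']) !== 'https') {
        return $issues;   // mixed content is only a problem on HTTPS pages
    }
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate real-world markup
    $doc->loadHTML($html);
    libxml_clear_errors();

    // Elements whose attribute may point at an insecure origin.
    $checks = array('form' => 'action', 'script' => 'src', 'link' => 'href',
                    'img' => 'src', 'iframe' => 'src');
    foreach ($checks as $tag => $attr) {
        foreach ($doc->getElementsByTagName($tag) as $el) {
            $target = trim($el->getAttribute($attr));
            if ($target === '') {
                continue;
            }
            if ($tag === 'link' && strtolower($el->getAttribute('rel')) !== 'stylesheet') {
                continue;   // only stylesheet links are loaded by the page
            }
            // Only an absolute http:// URL is insecure; relative and
            // scheme-relative (//host/...) URLs inherit https from the page.
            if (preg_match('#^http://#i', $target)) {
                $name = $el->getAttribute('name');
                if ($name === '') {
                    $name = $el->getAttribute('id');
                }
                $issues[] = array('tag' => $tag, 'attr' => $attr,
                                  'name' => $name, 'url' => $target);
            }
        }
    }
    return $issues;
}

// Constructed sample page (not captured from a real store): one secure form,
// one insecure search form, one insecure image, one scheme-relative script.
$sample_html = <<<'HTML'
<html><head>
<link rel="stylesheet" href="https://www.example.test/catalog/stylesheet.css">
<script src="//www.example.test/catalog/ext/jquery/jquery.min.js"></script>
</head><body>
<form name="quick_find" action="http://www.example.test/catalog/advanced_search_result.php" method="get">
  <input type="text" name="keywords"></form>
<form name="create_account" action="https://www.example.test/catalog/create_account.php?action=process" method="post">
  <input type="password" name="password"></form>
<img src="http://www.example.test/catalog/images/store_logo.png">
</body></html>
HTML;

$found = find_insecure_submissions($sample_html,
                                   'https://www.example.test/catalog/create_account.php');
foreach ($found as $i) {
    printf("insecure <%s %s> %s -> %s\n", $i['tag'], $i['attr'], $i['name'], $i['url']);
}
```

Run it against the HTML you get from `curl -k https://yourshop/create_account.php` (or a saved page) to find the offending form before editing the template; the search form reported by the thread is the kind of hit it flags, and once the form action is generated with $request_type the hit disappears.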

OK, sorted it.

In my case (site modified and using MTS) I had the search box in the header,

so in header.php I changed:

  $search = tep_draw_form('quick_find', tep_href_link(FILENAME_ADVANCED_SEARCH_RESULT, '', 'NONSSL', false), 'get') .

to

  $search = tep_draw_form('quick_find', tep_href_link(FILENAME_ADVANCED_SEARCH_RESULT, '', 'SSL', false), 'get') .

The side effect of this is that all search results are now on HTTPS, but I can live with that if it means Chrome users don't get the insecure warning.

Any more elegant solutions invited.

Many Thanks



If you change the 'SSL' to $request_type, it should switch as needed. If the code for the search is in an infobox, you may have to add global $request_type; to it.

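Why the `global $request_type;` matters, and why the thread's first attempt produced "Unable to determine connection method on a link!": inside a function, $request_type is a fresh local variable, so the link helper receives an empty connection type and hits its else-branch. The script below is an added example, not code from the thread or from osCommerce. Its href_link() mirrors only the NONSSL / SSL / else dispatch of osc_href_link() (throwing instead of die()-ing so the failure can be caught), and HTTP_SERVER, HTTPS_SERVER and ENABLE_SSL are stand-in values defined here; the two search_box_* functions are hypothetical infobox code written for the example.

```php
<?php
// Added example, not osCommerce's own code: stand-alone model of the scope
// bug behind "Unable to determine connection method on a link!" when 'SSL'
// is replaced by $request_type inside a function without `global`.

define('HTTP_SERVER',  'http://www.example.test');   // stand-in values
define('HTTPS_SERVER', 'https://www.example.test');
define('ENABLE_SSL',   true);

$request_type = 'SSL';   // what application_top.php sets on an HTTPS request

// Same three branches as osc_href_link(); only the dispatch is modelled.
function href_link($page, $connection = 'NONSSL') {
    if ($connection === 'NONSSL') {
        return HTTP_SERVER . '/' . $page;
    }
    if ($connection === 'SSL') {
        return (ENABLE_SSL ? HTTPS_SERVER : HTTP_SERVER) . '/' . $page;
    }
    // Anything else (null, '' from an unset variable) lands here.
    throw new RuntimeException('Unable to determine connection method on a link! Known methods: NONSSL SSL');
}

// Infobox written the way many add-ons are: function scope, no global.
function search_box_broken() {
    // $request_type here is a fresh local, not the global; isset() only hides
    // the "undefined variable" notice, the value passed on is still empty.
    $connection = isset($request_type) ? $request_type : '';
    return href_link('advanced_search_result.php', $connection);
}

// Same infobox with the fix from the thread.
function search_box_fixed() {
    global $request_type;
    return href_link('advanced_search_result.php', $request_type);
}

try {
    echo 'broken: ', search_box_broken(), "\n";
} catch (RuntimeException $e) {
    echo 'broken: ', $e->getMessage(), "\n";
}
echo 'fixed (SSL page):    ', search_box_fixed(), "\n";

// Same infobox rendered on a plain-HTTP page: the action now follows the
// request, so an HTTPS page posts to https:// and an HTTP page to http://,
// which is what removes the mixed-content warning without forcing every
// search result onto SSL.
$request_type = 'NONSSL';
echo 'fixed (NONSSL page): ', search_box_fixed(), "\n";
```

The same applies to any helper that builds the form action from a function body (header.php included via a function, a module's display() method, and so on): declare `global $request_type;` at the top, or pass the value in as an argument.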

@@multimixer Thanks George,

 

Added your code and all is working as it should.

 

Many Thanks



Thanks all for bringing  this up and for the solution.  Exact coding above as per George may vary a bit depending on how the code calls the form but the concept seems to fix all.



I apparently have old code; when I use $request_type rather than 'SSL', the CSS won't load. Can anyone tell me the proper code in application_top I would need to get $request_type to work?

 

I tried this and it still did not work:

1. Add below:
$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
this
$request_type = (eregi ($HTTP_HOST, HTTPS_SERVER)) ? 'SSL' : 'NONSSL';
in
includes/application_top.php


In v2.3.4, includes/application_top.php has this code:

// set the type of request (secure or not)
  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

That's it.

 

What version are you using?


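The one-liner above is all that sets $request_type, and everything downstream (DIR_WS_CATALOG, the cookie domain and path, every tep_href_link() call keyed on $request_type) follows that single value. That is why Jack's earlier point about IIS returning '1' where Apache returns 'on' for getenv('HTTPS') bites: a test that matches only one spelling leaves $request_type at NONSSL on a secure page, and the stylesheet and form links are then built on the http:// side. The function below is an added example, not code from the thread or from osCommerce, that accepts both spellings, falls back to the port, and also honours X-Forwarded-Proto, but only when the TCP peer is a listed TLS-terminating proxy (the proxy case is not discussed in the thread and is added here for stores behind a load balancer or CDN). The name detect_request_type, the $server argument (pass $_SERVER) and the trusted-proxy list are assumptions for this example; the sample environments are constructed.

```php
<?php
// Added example, not osCommerce's own code: replacement for the
// $request_type test in includes/application_top.php.

function detect_request_type(array $server, array $trusted_proxies = array()) {
    // Direct TLS: Apache sets HTTPS=on, IIS sets HTTPS=1 (or 'off' when not).
    if (isset($server['HTTPS'])) {
        $https = strtolower(trim($server['HTTPS']));
        if ($https === 'on' || $https === '1') {
            return 'SSL';
        }
    }
    // Some SAPIs expose only the port (assumption: 443 means TLS here).
    if (isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443) {
        return 'SSL';
    }
    // Behind a proxy that terminates TLS the app sees plain HTTP and must rely
    // on X-Forwarded-Proto. Trust it ONLY when the peer is the proxy: otherwise
    // any client can spoof the header and make the shop emit https:// links
    // and the HTTPS cookie settings for a plaintext session, or the reverse.
    if (isset($server['HTTP_X_FORWARDED_PROTO'], $server['REMOTE_ADDR'])
        && in_array($server['REMOTE_ADDR'], $trusted_proxies, true)
        && strtolower(trim($server['HTTP_X_FORWARDED_PROTO'])) === 'https') {
        return 'SSL';
    }
    return 'NONSSL';
}

// Constructed sample environments (not captured from a real server).
$environments = array(
    'apache_tls'   => array('HTTPS' => 'on',  'SERVER_PORT' => '443', 'REMOTE_ADDR' => '203.0.113.9'),
    'iis_tls'      => array('HTTPS' => '1',   'SERVER_PORT' => '443', 'REMOTE_ADDR' => '203.0.113.9'),
    'plain_http'   => array('HTTPS' => 'off', 'SERVER_PORT' => '80',  'REMOTE_ADDR' => '203.0.113.9'),
    'behind_proxy' => array('SERVER_PORT' => '80', 'REMOTE_ADDR' => '10.0.0.5',
                            'HTTP_X_FORWARDED_PROTO' => 'https'),
    'spoofed'      => array('SERVER_PORT' => '80', 'REMOTE_ADDR' => '203.0.113.9',
                            'HTTP_X_FORWARDED_PROTO' => 'https'),
);
$trusted_proxies = array('10.0.0.5');   // assumption: the load balancer's address

foreach ($environments as $name => $env) {
    printf("%-13s => %s\n", $name, detect_request_type($env, $trusted_proxies));
}

// In application_top.php this replaces
//   $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';
// with
//   $request_type = detect_request_type($_SERVER, array('10.0.0.5'));
```

Keep the existing line commented out rather than deleted until the shop's secure pages, CSS and cookies have been checked in the browser; if the store is not behind a proxy, pass an empty array so the forwarded header is never consulted.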


// set the type of request (secure or not)
  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

// set php_self in the local scope
// 2.3.4 update
  $req = parse_url($HTTP_SERVER_VARS['SCRIPT_NAME']);
  $PHP_SELF = substr($req['path'], ($request_type == 'NONSSL') ? strlen(DIR_WS_HTTP_CATALOG) : strlen(DIR_WS_HTTPS_CATALOG));
  }

  if ($request_type == 'NONSSL') {
    define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
  } else {
    define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
  }

// set the cookie domain
  $cookie_domain = (($request_type == 'NONSSL') ? HTTP_COOKIE_DOMAIN : HTTPS_COOKIE_DOMAIN);
  $cookie_path = (($request_type == 'NONSSL') ? HTTP_COOKIE_PATH : HTTPS_COOKIE_PATH);

-Dave


I found that this may be the problem area:

  * ULTIMATE Seo Urls 5 PRO by FWR Media
  * function to return the base filename 
  */
  function usu5_base_filename() {
    // Probably won't get past SCRIPT_NAME unless this is reporting cgi location
    $base = new ArrayIterator( array( 'SCRIPT_NAME', 'PHP_SELF', 'REQUEST_URI', 'ORIG_PATH_INFO', 'HTTP_X_ORIGINAL_URL', 'HTTP_X_REWRITE_URL' ) );
    while ( $base->valid() ) {
      if ( array_key_exists(  $base->current(), $_SERVER ) && !empty(  $_SERVER[$base->current()] ) ) {
        if ( false !== strpos( $_SERVER[$base->current()], '.php' ) ) {
          preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$base->current()], $matches );
          if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
                                    && ( substr( $matches[0], -4, 4 ) == '.php' )
                                    && ( is_readable( $matches[0] ) ) ) {
            return $matches[0];
          } 
        } 
      }
      $base->next();
    }
    // Some odd server set ups return / for SCRIPT_NAME and PHP_SELF when accessed as mysite.com (no index.php) where they usually return /index.php
    if ( ( $_SERVER['SCRIPT_NAME'] == '/' ) || ( $_SERVER['PHP_SELF'] == '/' ) ) {
      return 'index.php';
    }
    // Return the standard RC3 code 
    return ( ( ( strlen( ini_get( 'cgi.fix_pathinfo' ) ) > 0) && ( (bool)ini_get( 'cgi.fix_pathinfo' ) == false ) ) || !isset( $_SERVER['SCRIPT_NAME'] ) ) ? basename( $_SERVER['PHP_SELF'] ) : basename( $_SERVER['SCRIPT_NAME'] );
  } // End function
// set php_self in the local scope
  $PHP_SELF = usu5_base_filename();
    
	if ($request_type == 'NONSSL') {
		define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
	} else {
		define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
	}

	// include the list of project filenames
	require(DIR_WS_INCLUDES . 'filenames.php');
	// include the list of project database tables
	require(DIR_WS_INCLUDES . 'database_tables.php');
	// customization for the design layout
	define('BOX_WIDTH', 161);
	// how wide the boxes should be in pixels (default: 125)
	define('BOX_WIDTH_LEFT', 204);
	// include the database functions
	require(DIR_WS_FUNCTIONS . 'database.php');
	// make a connection to the database... now
	tep_db_connect() or die('Unable to connect to database server!');
	// set the application parameters
	$configuration_query = tep_db_query('select configuration_key as cfgKey, configuration_value as cfgValue from ' . TABLE_CONFIGURATION);
	while ($configuration = tep_db_fetch_array($configuration_query)) {
		define($configuration['cfgKey'], $configuration['cfgValue']);
	}


Maybe it's this code?

  function osc_href_link($page = '', $parameters = '', $connection = 'NONSSL', $add_session_id = true, $search_engine_safe = true) {
    global $request_type, $session_started, $SID;

    if (!tep_not_null($page)) {
      die('</td></tr></table></td></tr></table><br><br><font color="#ff0000"><b>Error!</b></font><br><br><b>Unable to determine the page link!<br><br>');
    }

    if ($connection == 'NONSSL') {
      $link = HTTP_SERVER . DIR_WS_HTTP_CATALOG;
    } elseif ($connection == 'SSL') {
      if (ENABLE_SSL == true) {
        $link = HTTPS_SERVER . DIR_WS_HTTPS_CATALOG;
      } else {
        $link = HTTP_SERVER . DIR_WS_HTTP_CATALOG;
      }
    } else {
      die('</td></tr></table></td></tr></table><br><br><font color="#ff0000"><b>Error!</b></font><br><br><b>Unable to determine connection method on a link!<br><br>Known methods: NONSSL SSL</b><br><br>');
    }
