osCommerce

Upgrading from 2.3.1 to 2.3.4


Guest


I found that there is a problem with the characters { and } ... if I replace them with their URI-encoded forms, %7B = { and %7D = },

then it works ... but how can I put that into the button's action?

OK, just found it ... in shopping_cart.php I changed the line:

<a class="icon-trash-2 custom_color" href="' . tep_href_link(FILENAME_SHOPPING_CART, 'products_id=' . $products[$i]['id'] . '&action=remove_product') . '"></a>

to

<a class="icon-trash-2 custom_color" href="' . tep_href_link(FILENAME_SHOPPING_CART, 'products_id=' . urlencode($products[$i]['id']) . '&action=remove_product') . '"></a>

I just used the urlencode() PHP function ....

Thank you anyway, all of you.


As I suspected, it was the { } braces. Encoding them as hex escapes is a workaround, but it's ugly. Whoever maintains that code is going to have to choose other characters to mark attributes, but so far all I've heard is denial that there's any problem.


As I suspected, it was the { } braces. Encoding them as hex escapes is a workaround, but it's ugly. Whoever maintains that code is going to have to choose other characters to mark attributes, but so far all I've heard is denial that there's any problem.

Yes, that's right, this was the problem ... maybe the osC developers should consider fixing it in the future.


rofl - sorry for the typo!! I'm glad @@MrPhil was around to say what I meant to say....

Contact me for work on updating existing stores - whether to Phoenix or the new osC when it's released.

Looking for a payment or shipping module? Maybe I've already done it.

Working on generalising bespoke solutions for Quickbooks integration, Easify integration and pay4later (DEKO) integration at 2.3.x


@@MrPhil

 

..., but so far all I've heard is denial that there's any problem.

That method of handling attributes has been in oscommerce since the beginning. It's not invalid code, as far as I know. It is just that a host has determined it is a security problem. It seems silly to me to change code so that it works with a particular host but that is what that fix is doing. Maybe it will be determined that it truly is a security error and other hosts will adapt it though I doubt it. I think the host in question got hacked at some point and they decided to go to extreme measures to try to stop it from happening again. With that said, I think Harold did say he would look into it as a change for the next version or maybe a bug fix.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons


Well, that method of handling product attributes may have been around since the Stone Age, but now it is no longer working on an increasing number of servers. If hosts decide that it (use of curly braces in a Query String) is a security vulnerability, it means that osC must change to keep up with the times.


But I wonder if a number of hosts are concerned about it? If I recall correctly, two people mentioned having this problem and they were both using the same host.


If hosts decide that it (use of curly braces in a Query String) is a security vulnerability, it means that osC must change to keep up with the times.

 

Actually, the host is stripping unencoded curly braces from the query string. So we encode them. Harald has said it'll be fixed. No biggie


But I wonder if a number of hosts are concerned about it? If I recall correctly, two people mentioned having this problem and they were both using the same host.

I see at least a half dozen threads mentioning this problem with braces, but I haven't checked to see how many users are affected. I suspect that if one or two hosts are doing this as a security measure now, that you can count on more doing it in the future.

 

 

Actually, the host is stripping unencoded curly braces from the query string. So we encode them. Harald has said it'll be fixed. No biggie

If by "encode" you mean using %7B etc. in Query Strings, that's the wrong approach. It looks hideous, and at some point in the future it might break again (as encoded braces are also stripped). It would be better to replace braces with some other syntax that is promised not to be messed with.


@@MrPhil If it is more than one host I would agree. I'm only aware of this being mentioned twice and both were using the same host. If the op sees this thread it would be interesting to know if he is using that host though I don't recall which host that was.


I have a strange question also..

I have upgraded/transferred a 2.3.1 store to the 2.3.4 version and now it is working well .. except that in the mobile view the icons on the first page look "Chinese", but when you visit the product_info.php page every icon displays correctly...

It seems like a configure.php problem ... but it is really strange... do you have any suggestions?

If you want to see it, visit this first page ONLY from a mobile phone: www.sportndog.gr and look at the basket at the top left ..


It's not "Chinese", it's a box ("tofu") with 4 hex digits in it. It means that the font you're using doesn't include that particular Unicode character. I see it in a number of places on my laptop (Win 7, Firefox browser) where it's probably intended to have a (cell) telephone icon, as well as in links to social media. You might try playing with the fonts specified to find something that 1) includes all those icons, and 2) is available on a wide variety of browsers (Windows, Mac, mobile, etc.). Is the product_info page specifying different fonts than your home page (which doesn't show the icons)? That might give you a place to start looking. Incidentally, on a product_info page, the social media icons are cut in half.

 

By the way, when you say "2.3.4", are you talking about the "regular" 2.3.4? It appears that you have some sort of mobile device support, but I can't tell for sure if you're using 2.3.4BS (rather than an add-on to 2.3.4). If not, sooner or later you'll need to upgrade to osC 2.3.4BS Edge (the current version). 2.3.4 is getting rather long of tooth. You may want to consider jumping to Edge, which means a reinstall and recustomization of your store, but the data can be migrated to the new one. Edge is up to date, including PHP 5.6 support and is mobile-friendly out of the box.


If by "encode" you mean using %7B etc. in Query Strings, that's the wrong approach. It looks hideous, and at some point in the future it might break again (as encoded braces are also stripped). It would be better to replace braces with some other syntax that is promised not to be messed with.

@@MrPhil I agree it looks hideous. I don't see how you can choose another query-string syntax that's any less likely to be messed with; it's already a character pair that's not mandated to be encoded (unless in the url itself), and the host (hosts?) are mandating it themselves. They're doing so because it's a way that they can prevent some XSS attacks on users of insecure applications on their servers, and breaking properly-written, secure applications in the process. Quite possibly they are doing the same for other shapes of brackets too. Unless you know better, I don't think you can run client or server script that's written using encoded characters in the syntax, so they've no reason to strip them later.

 

That doesn't mean I'm against changing it to something prettier - have you any ideas?

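A worked illustration of the two points raised in this thread (the urlencode() change from the first post, and the encoded-versus-stripped discussion just above), as an added example that is not osCommerce code or any poster's code. It builds the remove_product link with and without urlencode(), simulates a host that drops raw braces from the query string, and adds the server-side allow-list check on products_id that keeps the braces harmless whatever the host does. The helper names are hypothetical; the {option}value attribute syntax is the one the thread refers to, and tep_href_link() is replaced by a minimal stand-in.

```php
<?php
// Added example, not osCommerce code. Helper names are hypothetical.
// osCommerce 2.x marks attributes inside the product id as {option}value,
// e.g. "28{4}1{3}5": product 28 with option 4 = value 1 and option 3 = value 5.

// Stand-in for tep_href_link(FILENAME_SHOPPING_CART, ...) with urlencode():
// the braces travel as %7B / %7D instead of raw characters.
function build_remove_link(string $productsId): string {
    return 'shopping_cart.php?products_id=' . urlencode($productsId)
         . '&action=remove_product';
}

// Simulated host policy from the thread: unencoded braces are dropped from
// the raw query string before the application sees it.
function host_strips_raw_braces(string $url): string {
    return str_replace(['{', '}'], '', $url);
}

// Allow-list check to run before a products_id reaches the cart or a query:
// digits, then zero or more "{digits}digits" attribute groups, nothing else.
function is_valid_products_id(string $productsId): bool {
    return (bool) preg_match('/^\d+(\{\d+\}\d+)*$/', $productsId);
}

// What the application receives after PHP decodes the query string.
function products_id_from_url(string $url): ?string {
    $query = parse_url($url, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    parse_str($query, $params);
    return isset($params['products_id']) ? (string) $params['products_id'] : null;
}

$id = '28{4}1{3}5';   // constructed sample product id with two attributes

// 1. The original shopping_cart.php line: raw braces in the link.
$raw  = 'shopping_cart.php?products_id=' . $id . '&action=remove_product';
$seen = products_id_from_url(host_strips_raw_braces($raw));
// $seen is now "28415": the attribute structure is silently lost and the id
// refers to a different (possibly nonexistent) product. It still passes the
// allow-list because it is purely numeric, so the breakage is invisible.
printf("raw link   -> app sees %s (valid shape: %s)\n",
       $seen, is_valid_products_id($seen) ? 'yes' : 'no');

// 2. The urlencode() fix: %7B/%7D survive the stripping and decode back.
$fixed = build_remove_link($id);
$seen  = products_id_from_url(host_strips_raw_braces($fixed));
printf("encoded    -> %s\n", $fixed);
printf("encoded    -> app sees %s (round-trips: %s)\n",
       $seen, $seen === $id ? 'yes' : 'no');

// 3. Input validation is the check that matters regardless of host policy:
// anything outside the expected shape is rejected before use.
foreach (['28{4}1abc', '28{4}', '28{4}1{3}5'] as $candidate) {
    printf("validate %-12s -> %s\n", $candidate,
           is_valid_products_id($candidate) ? 'accepted' : 'rejected');
}
```

Run with `php example.php`; the first case shows why "just strip braces" changes the product id rather than neutralising anything, while the third case shows the validation that should sit behind the link whether or not the braces are encoded.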

Unfortunately, I have no idea what things will be disallowed in the future. Maybe if you look around at web development discussions (including XSS attack methods), you'll find some information on what's likely to cause trouble in the future. Otherwise, it's just a guess, and osC may have to be updated again at some point. Are these Query Strings ever bookmarked, or can they be changed at will?


It's not "Chinese", it's a box ("tofu") with 4 hex digits in it. It means that the font you're using doesn't include that particular Unicode character. I see it in a number of places on my laptop (Win 7, Firefox browser) where it's probably intended to have a (cell) telephone icon, as well as in links to social media. You might try playing with the fonts specified to find something that 1) includes all those icons, and 2) is available on a wide variety of browsers (Windows, Mac, mobile, etc.). Is the product_info page specifying different fonts than your home page (which doesn't show the icons)? That might give you a place to start looking. Incidentally, on a product_info page, the social media icons are cut in half.

 

By the way, when you say "2.3.4", are you talking about the "regular" 2.3.4? It appears that you have some sort of mobile device support, but I can't tell for sure if you're using 2.3.4BS (rather than an add-on to 2.3.4). If not, sooner or later you'll need to upgrade to osC 2.3.4BS Edge (the current version). 2.3.4 is getting rather long of tooth. You may want to consider jumping to Edge, which means a reinstall and recustomization of your store, but the data can be migrated to the new one. Edge is up to date, including PHP 5.6 support and is mobile-friendly out of the box.

Thank you for your answer..

About your first paragraph, I will try to check the embedded Google fonts that the theme I'm using has... my theme is the osCommerce Megastore .. Google it if you want..

About the version... yes, I'm on the BS version, but I did not know that going from 2.3.4 BS to 2.3.4 Edge would be so hard... does this mean that I have to start from the beginning?? I remind you, if you saw my first question, that I came from 2.3.1 and tried hard with MySQL etc. to transfer all the data (customers, orders, etc.) to a new DB for the 2.3.4BS version... is it worth it?


 

About the version... yes, I'm on the BS version, but I did not know that going from 2.3.4 BS to 2.3.4 Edge would be so hard... does this mean that I have to start from the beginning?? I remind you, if you saw my first question, that I came from 2.3.1 and tried hard with MySQL etc. to transfer all the data (customers, orders, etc.) to a new DB for the 2.3.4BS version... is it worth it?

 

The new version, though not yet completed, will be based on a template system. Even though that's a big change, if you have stuck to proper coding standards and used modules wherever possible it will be far easier to upgrade a 2.3.4BS site to 2.4 so no need to worry too much yet.

osCommerce user since 2003! :thumbsup:


So, did you install the 2.3.4BS Gold? Or did you upgrade to regular 2.3.4 and install some sort of responsive (perhaps BS-based) add-on? They are not the same thing! If you're at Gold, no need to panic about having to go to Edge. You will probably want to just wait until 2.4 comes out. On the other hand, if you did not install either Gold or Edge versions of 2.3.4BS, you may want to consider installing Edge and migrating your data to that -- it will be a lot easier to get to 2.4 from there, when it comes out.


So, did you install the 2.3.4BS Gold? Or did you upgrade to regular 2.3.4 and install some sort of responsive (perhaps BS-based) add-on? They are not the same thing! If you're at Gold, no need to panic about having to go to Edge. You will probably want to just wait until 2.4 comes out. On the other hand, if you did not install either Gold or Edge versions of 2.3.4BS, you may want to consider installing Edge and migrating your data to that -- it will be a lot easier to get to 2.4 from there, when it comes out.

 

I don't remember; the Version Check says osCommerce Online Merchant v2.3.4.

If so, I guess I'm in trouble?


I don't remember; the Version Check says osCommerce Online Merchant v2.3.4.

If so, I guess I'm in trouble?

 

It looks to me that you've installed a commercial theme on top of standard osc 2.3.4

The theme uses bootstrap under the covers but it's not going to be compatible with the addons developed for 2.3.4BS. Nor will it be easy to get it onto 2.4

 

I think if you go live with that store, you will get stuck there. You will have much less pain if you change direction right now:

- start by choosing a template that you like from one of the developers / partners etc ON HERE and not off on themeforest, envato marketplace or wherever else. There's no list for you to look at but you can post to the Commercial Support Enquiries forum and ask there.

- make sure it's a template based on 2.3.4BS Gold or Edge so it will be easy to go to 2.4

- if you've already got a 2.3.4 version of your data, it's no big deal to get that side of it further. If your live data is still at a much earlier version, get your new template provider or another developer to advise on making it easy to redo the migration when your new store goes live. You can ask for quotes in the Commercial Support Enquiries forum too.

- as far as possible resist the temptation to change code in php files unless they are modules - and in which case make your own module. You now have a great deal of control over the appearance of your store in admin and by adding rules to user.css


It looks to me that you've installed a commercial theme on top of standard osc 2.3.4

The theme uses bootstrap under the covers but it's not going to be compatible with the addons developed for 2.3.4BS. Nor will it be easy to get it onto 2.4

 

I think if you go live with that store, you will get stuck there. You will have much less pain if you change direction right now:

- start by choosing a template that you like from one of the developers / partners etc ON HERE and not off on themeforest, envato marketplace or wherever else. There's no list for you to look at but you can post to the Commercial Support Enquiries forum and ask there.

- make sure it's a template based on 2.3.4BS Gold or Edge so it will be easy to go to 2.4

- if you've already got a 2.3.4 version of your data, it's no big deal to get that side of it further. If your live data is still at a much earlier version, get your new template provider or another developer to advise on making it easy to redo the migration when your new store goes live. You can ask for quotes in the Commercial Support Enquiries forum too.

- as far as possible resist the temptation to change code in php files unless they are modules - and in which case make your own module. You now have a great deal of control over the appearance of your store in admin and by adding rules to user.css

The site I'm working on is not mine, it is one of my customer's and it is already paid for... so if it is such a big deal I will not spend more time on it... maybe in the future.. anyway, thank you for your time and advice..

Cheers


  • 4 weeks later...


I had a PHP upgrade from 5.3 to 5.5 on my server and for some strange reason, only on the first page, the product images do not appear; in their place the default missing image is shown. Please take a look ... it is so strange: www.sportndog.gr

..do you have any ideas where to start searching?


I had a PHP upgrade from 5.3 to 5.5 on my server and for some strange reason, only on the first page, the product images do not appear; in their place the default missing image is shown. Please take a look ... it is so strange: www.sportndog.gr

..do you have any ideas where to start searching?

Temporarily I made this change in the megastore_theme/megastore_slider_bestsellers.php file, which has the code for the first-page blocks:

 

FROM:

<a href="<?php echo tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $best_viewed["products_id"]); ?>">
    <?php
    if (file_exists($realpath)) {
        echo tep_image(DIR_WS_IMAGES . $best_viewed['products_image'], $best_viewed['products_name'], SMALL_IMAGE_WIDTH, SMALL_IMAGE_HEIGHT);
    } else { ?>
        <img src="<?php echo DC_IMAGES . 'empty.gif'; ?>" alt="">
    <?php } ?>
</a>

I CHANGED TO :

<a href="<?php echo tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $best_viewed["products_id"]); ?>">
    <?php
    if (file_exists($realpath)) {
        echo tep_image(DIR_WS_IMAGES . $best_viewed['products_image'], $best_viewed['products_name'], SMALL_IMAGE_WIDTH, SMALL_IMAGE_HEIGHT);
    } else {
        echo tep_image(DIR_WS_IMAGES . $best_viewed['products_image'], $best_viewed['products_name'], SMALL_IMAGE_WIDTH, SMALL_IMAGE_HEIGHT);
    } ?>
</a>

Of course this is temporary ... if anyone else finds out why, with the new PHP 5.5 version, there is a problem finding the product image, please let me know!

Thank you

 

Temporarily I made this change in the megastore_theme/megastore_slider_bestsellers.php file, which has the code for the first-page blocks:

 

FROM:

<a href="<?php echo tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $best_viewed["products_id"]); ?>">
    <?php
    if (file_exists($realpath)) {
        echo tep_image(DIR_WS_IMAGES . $best_viewed['products_image'], $best_viewed['products_name'], SMALL_IMAGE_WIDTH, SMALL_IMAGE_HEIGHT);
    } else { ?>
        <img src="<?php echo DC_IMAGES . 'empty.gif'; ?>" alt="">
    <?php } ?>
</a>

I CHANGED TO :

<a href="<?php echo tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $best_viewed["products_id"]); ?>">
    <?php
    if (file_exists($realpath)) {
        echo tep_image(DIR_WS_IMAGES . $best_viewed['products_image'], $best_viewed['products_name'], SMALL_IMAGE_WIDTH, SMALL_IMAGE_HEIGHT);
    } else {
        echo tep_image(DIR_WS_IMAGES . $best_viewed['products_image'], $best_viewed['products_name'], SMALL_IMAGE_WIDTH, SMALL_IMAGE_HEIGHT);
    } ?>
</a>

Of course this is temporary ... if anyone else finds out why, with the new PHP 5.5 version, there is a problem finding the product image, please let me know!

Thank you

@@danil0 Your temporary fix tells us that there is no problem finding the product image. The problem lies with the code setting a variable called $realpath. If you find the code where that happens, maybe we can work out what's wrong. If there are other places testing the variable, maybe they don't work too.

 

On the other hand, if it's not used elsewhere you can forget it and rewrite the original code as

if (file_exists(DIR_WS_IMAGES . $best_viewed['products_image'])) {
    echo tep_image(DIR_WS_IMAGES . $best_viewed['products_image'], $best_viewed['products_name'], SMALL_IMAGE_WIDTH, SMALL_IMAGE_HEIGHT);


  • 4 weeks later...

Hello again, I have a new question about this matter.. I noticed that the icons of the theme I'm using look like Chinese when I type the domain without WWW in front... should I use an .htaccess file for forwarding? Or do you think there is another, simpler solution?


Archived

This topic is now archived and is closed to further replies.
