Hi there

Running 2.3.4.1 CE BS4, pretty much updated with the latest changes from GitHub as of the 31st May (don't think I have missed any), PHP 7.2.16 etc.

Never used product attributes before, but been using them with a vengeance over the last few weeks and now have loads; like them, they are helpful and create a off sales.

All I thought was working well, but just noticed something.

Seems to have an issue when someone adds something to the cart, then comes back to it: the link to get to the product again, if they added an attribute, is something like

/product_info.php?products_id=36696{18}39

This is creating a 404.

Now of course before I posted this I spent the last hour trying to find a fix, but although I can see I am not the only one who has had an issue with it, I have yet to find a fix. By what everyone is saying it's the curly braces; if I remove them from the URL it does at least go to the right page, but as product attributes have been around so long I am sure someone has a proper fix for it.

Could someone point me in the right direction?

Kindest regards, David

 



After much more reading it appears that the curly braces are seen as a security issue in the URL, which is why my server is not liking them.

I have asked my host to confirm and am awaiting a reply.

If I delete the curly brace and just use a space it seems to work.

The only link that I can find so far that is causing the problem is the Nav-bar shopping cart.

Bit concerned that it might also be somewhere else. It seems that the fix is to urlencode the URL.

Just experimenting on how to do this at the moment, not getting far though; unfortunately working on the live shop as my test one is down.

This is the template file:

<li class="nav-item dropdown nb-shopping-cart">
  <a class="nav-link dropdown-toggle" href="#" id="navDropdownCart" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
    <?php echo sprintf(MODULE_NAVBAR_SHOPPING_CART_CONTENTS, $cart->count_contents()); ?>
  </a>
        
  <div class="dropdown-menu<?php echo $menu_align; ?>" aria-labelledby="navDropdownCart">
    <?php 
    echo '<a class="dropdown-item" href="' . tep_href_link('shopping_cart.php') . '">' . sprintf(MODULE_NAVBAR_SHOPPING_CART_HAS_CONTENTS, $cart->count_contents(), $currencies->format($cart->show_total())) . '</a>';
    if ($cart->count_contents() > 0) {
      echo '<div class="dropdown-divider"></div>' . PHP_EOL;    
      $products = $cart->get_products();
      foreach ($products as $k => $v) {
        echo sprintf(MODULE_NAVBAR_SHOPPING_CART_PRODUCT, $v['id'], $v['quantity'], $v['name']);
      }        
      echo '<div class="dropdown-divider"></div>' . PHP_EOL;
      echo '<a class="dropdown-item" href="' . tep_href_link('checkout_shipping.php', '', 'SSL') . '">' . MODULE_NAVBAR_SHOPPING_CART_CHECKOUT . '</a>' . PHP_EOL;
    }
    ?>
  </div>
</li>

<?php

If I work it out I will post back here.

 

regards


David


By changing

echo sprintf(MODULE_NAVBAR_SHOPPING_CART_PRODUCT, $v['id'], $v['quantity'], $v['name']);

to

echo sprintf(MODULE_NAVBAR_SHOPPING_CART_PRODUCT, urlencode($v['id']), $v['quantity'], $v['name']);

the URL is no longer broken.

But I do not think it carries the attributes over as I think it should.

The URL is now something like

product_info.php?products_id=36696%7B18%7D46

(36696{18}46)

Better than a 404 but not perfect; tired now though, was up early.

David



This topic is not new -- it has received considerable discussion over the years. If you search out the conversation (google it, don't use the built-in search), you might find some clues on how to move forward with this. I don't recall if there were any good solutions (or near-solutions) found.


As @MrPhil mentioned, this has been an issue for a long time. When osC was first written, the use of curly braces was acceptable in URLs. At some point in time, the 'internet powers that be' decided that it was no longer acceptable.

As far as I know, this is a core issue in osC, and to resolve it would require major core structural changes. As such, no good solutions have been found.

M


Get the latest Responsive osCommerce CE (community edition) here .


urlencode() of the string with {}'s apparently will work, but is ugly. No one has come up with a better way yet, such as using <>'s or ()'s instead. So long as the replacements don't have a special meaning to URLs, SQL, or PHP, and are not otherwise prohibited, they should work. You could even just write a {} -> () routine instead of urlencode(), but you'll still need to deal with () instead of {} on the receiving end. Core changes either way, but worth it.


This is a signature that appears on all my posts.  
IF YOU MAKE A POST REQUESTING HELP...please state the exact version
of osCommerce that you are using. THANKS

 

So did Phoenix finally fix this (replace { } by something else) or is it still broken? It is undesirable to urlencode the { }, as it looks tacky (although it does more or less work). Are there enough saved URLs out there to make preserving the use of { } the least evil choice, even though they're unlikely to work anyway (if not urlencoded)?

Edited by MrPhil


So what is in $parameters? Is it { and } or something else? It appears that tep_output_string will only translate " to &quot; (whatever that does for a URL).

Edited by MrPhil
fix typo


Same code as official oscommerce....

if (tep_not_null($parameters)) {
  $link .= $page . '?' . tep_output_string($parameters);
  $separator = '&';
} else {
  $link .= $page;
  $separator = '?';
}

 


 


tep_output_string() appears to be cleanup for HTML display, not for correct URLs. I think it's been used incorrectly here for a long time.


Try this. It works!


        echo '<li>' . sprintf(MODULE_NAVBAR_SHOPPING_CART_PRODUCT, current(explode("{", $v['id'])), $v['quantity'], $v['name']) . '</li>';

 


Thanks Kgtee

I have used

echo sprintf(MODULE_NAVBAR_SHOPPING_CART_PRODUCT, current(explode("{", $v['id'])), $v['quantity'], $v['name']); 

It looks prettier as a URL than the URL-encoded "{ and }" (%7B and %7D); unfortunately it still does not carry the attribute though.

Kindest regards


David


@DAVID3733

I was thinking to eliminate the 404 error by removing the attributes entirely. Indeed your urlencode does just the same in removing the {.

The product href link in the NAV_BAR module has no purpose anyway other than re-directing the click to the product info page. 😁
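
As an added example (not part of any post in this thread and not osCommerce code), the sketch below percent-encodes an id of the form discussed above, decodes it again on the receiving side, and applies HTML escaping as a separate step for the href attribute. `parse_product_id()` and `product_href()` are hypothetical helpers, and the ids are constructed samples.

```php
<?php
// Added example, not osCommerce code: helper names and sample ids are constructed.

// Split an id such as "36696{18}46" into the base product id and
// option => value pairs. Hypothetical helper.
function parse_product_id(string $raw): ?array {
    // Strict whitelist: digits, then zero or more {digits}digits groups.
    // The D modifier stops "$" from matching before a trailing newline.
    if (!preg_match('/^(\d+)((?:\{\d+\}\d+)*)$/D', $raw, $m)) {
        return null; // not the expected shape: reject
    }
    preg_match_all('/\{(\d+)\}(\d+)/', $m[2], $pairs, PREG_SET_ORDER);
    $attributes = [];
    foreach ($pairs as $p) {
        $attributes[(int) $p[1]] = (int) $p[2];
    }
    return ['id' => (int) $m[1], 'attributes' => $attributes];
}

// Build an href value: percent-encode the parameter for the URL first,
// then escape the finished URL for the HTML attribute it is printed into.
// Two contexts, two encoders. Hypothetical helper.
function product_href(string $productId): string {
    $url = 'product_info.php?products_id=' . rawurlencode($productId);
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

$id   = '36696{18}46';          // constructed sample id
$href = product_href($id);
echo $href, PHP_EOL;

// HTML escaping on its own leaves the braces in the URL unchanged.
echo htmlspecialchars('products_id=' . $id, ENT_QUOTES, 'UTF-8'), PHP_EOL;

// Receiving side: the query string is percent-decoded, as PHP does for $_GET.
parse_str(parse_url(html_entity_decode($href), PHP_URL_QUERY), $get);
var_dump($get['products_id'] === $id);
print_r(parse_product_id($get['products_id']));

// A value outside the expected shape is rejected before further use.
var_dump(parse_product_id('36696{18}46{x}'));
```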
