Attitude osCommerce Installation, Customization and Support Services

osCommerce Watch

osCommerce Problems

Break your osCommerce Cart - Tip #1: Session Settings

Added by Geoff Ford. March 06, 2007
There are plenty of ways to create problems with an osCommerce store by not understanding the implications of a particular setting. Some problems will only appear intermittently, making them harder to diagnose and fix. Hopefully this helps someone avoid tweaking settings that can cause problems, and will help others solve problems with their store.

In the Configuration section of the osCommerce admin area is a group of settings related to "Sessions". An easy way to break certain users' access to your site is to set "Check IP Address" to "True".

Certain ISPs (including one major US ISP) may change the IP address of their customers over the course of a session. In particular, a customer's IP address may change when they visit a page on your site requiring SSL to view. Enabling the check on IP will effectively log them out.

This setting can create problems with users being logged out in a seemingly random way, or having problems with their shopping cart contents disappearing, or being unable to log in to the store. These are all potential symptoms of lost sessions.

Some of the other settings here can cause predictable problems if enabled. Make sure you or your developer understand what they are for before enabling. Setting everything to "true" does not necessarily create a more secure store.
Category(s): osCommerce Problems

Safer redirect.php

Added by Geoff Ford. October 20, 2005
Download at osCommerce Contributions Site

The redirect.php file supplied with osCommerce is designed to provide redirection to offsite links. It also allows someone to redirect via an osCommerce install to another website or file on the web. While this might not seem too problematic, this could be used by a malicious user to obscure the source of a file when a link is clicked.

This modification was written in response to the actions of a spammer using our osCommerce installation's "redirect.php" to allow his emails to avoid common spam blacklists. Our domain was flagged by Spamcop as a result of the spammer's actions.

The modified redirect.php checks that the URL that has been passed to the script is one you have entered as a product URL.

If a user attempts to redirect to a URL that is not in the products_description table, the user will be redirected to the catalog homepage.
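The allowlist check described above, sketched as an added example; this is not the contribution's own code. It assumes PDO with an in-memory SQLite table standing in for the store database, product URLs stored without a scheme in a `products_url` column, and a hypothetical `HOME` constant and `redirect_target()` helper.

```php
<?php
// Added example, not the contribution's code. Assumptions: PDO/SQLite stands in
// for the store database, product URLs are stored without a scheme in a
// products_url column, and HOME is a hypothetical catalog homepage.
const HOME = 'http://shop.example/catalog/index.php';

function redirect_target(PDO $db, ?string $goto): string
{
    if ($goto === null || $goto === '') {
        return HOME;
    }
    // Exact, parameterised match: prefix or substring matches would let
    // look-alike URLs through, and string concatenation would invite SQL injection.
    $stmt = $db->prepare(
        'SELECT 1 FROM products_description WHERE products_url = ? LIMIT 1'
    );
    $stmt->execute([$goto]);
    if ($stmt->fetchColumn() === false) {
        // Record the rejected value (encoded, so it cannot forge log lines);
        // repeated rejections show someone trying the redirector for other sites.
        error_log('redirect.php rejected goto=' . rawurlencode($goto));
        return HOME;
    }
    return 'http://' . $goto;
}

// Constructed sample data: two product URLs entered by the store owner.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products_description (products_id INTEGER, products_url TEXT)');
$insert = $db->prepare('INSERT INTO products_description VALUES (?, ?)');
$insert->execute([1, 'www.example.com/widget']);
$insert->execute([2, 'docs.example.org/manual.pdf']);

// Constructed requests: one listed URL, one unlisted, one look-alike, one empty.
$requests = [
    'www.example.com/widget',
    'unlisted.example.net/offer',
    'www.example.com/widget.unlisted.example.net',
    null,
];
foreach ($requests as $goto) {
    printf("%-45s -> %s\n", var_export($goto, true), redirect_target($db, $goto));
}
```

Only the first request resolves to its product URL; the other three fall back to the catalog homepage.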

Since finding the issue I have found a couple of sites on the web publicising the issue.

Download Safer redirect.php from the Attitude site

Require someone to install this contribution? Attitude offers paid assistance with osCommerce contribution installation.

I also recommend checking out this contribution:

Contact Us Spam Issue Fixes

This patches some known ways that spammers can abuse the contact form code.

Update: it seems the redirect issue has been identified in the osCommerce bug tracking system.

Many thanks to attitudenz for his work
There was already a patch which was provided by hpdl(Harold)
Link: http://www.oscommerce.com/community/bugs,2970

Hamed also posts a version of redirect.php with Harold's patch.

Secure your osCommerce Administration Area or Else!

Added by Geoff Ford. June 16, 2005
Two brief stories.

A while back a storeowner called me up. The developer who had helped them set up their shop was unable to fix the issue they were having. I managed to diagnose the problem and point them to what was required to fix it. In the process it required I look in the admin area of their site. To my surprise there was nothing restricting access to their admin area. What is more, it seemed that it had been that way for months of trading. The store owner had no answer for why their site, which proclaimed security and privacy, was so insecure and open.

A couple of months before this I was setting up an osCommerce site for a new customer. They emailed me on completion to say they had realised one of their competitors was using osCommerce. They told me they tried the default address for the admin area of their competitor's site and they had immediate, open access to their competitor's online store. I believe they informed their competitor of their situation. Nice guy!

osCommerce is a well known and frequently deployed ecommerce solution. There are enough people - nice and nasty - who know the likely places to look for your admin area. Ensure you protect your customers' information, your private business data and your reputation.
Category(s): osCommerce Problems

Easy ways to break your osCommerce Site

Added by Geoff Ford. June 15, 2005
One of the services Attitude offers is osCommerce Support. Some problems that seem to crop up with regularity and that are easy to fix are listed below. Perhaps this might help you in diagnosing or even fixing a problem with your site.
  • Changes to configure.php - before changing configure.php back up your current version - it is very easy to break every page in your site with a typo in this file.

  • "headers already sent" errors with osCommerce are often related to changes to the language files or included application files. Make sure there is no whitespace before the opening and closing php tags.
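A way to find the stray bytes behind "headers already sent", as an added example that is not osCommerce code. It uses PHP's tokenizer, which reports everything outside the PHP tags as `T_INLINE_HTML`; the function names and the sample file contents are constructed for illustration.

```php
<?php
// Added example, not osCommerce code. Everything outside the PHP tags of an
// included file is sent as output, which is what triggers "headers already sent".
// The tokenizer reports those bytes as T_INLINE_HTML tokens.

function stray_output(string $source): array
{
    $found = [];
    foreach (token_get_all($source) as $token) {
        if (is_array($token) && $token[0] === T_INLINE_HTML) {
            // Hex makes invisible bytes (spaces, newlines, a UTF-8 BOM) readable.
            $found[] = sprintf('line %d: %s', $token[2], bin2hex($token[1]));
        }
    }
    return $found;
}

function scan_directory(string $dir): array
{
    $report = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->getExtension() === 'php') {
            $hits = stray_output(file_get_contents($file->getPathname()));
            if ($hits) { $report[$file->getPathname()] = $hits; }
        }
    }
    return $report;
}

// Constructed samples of language-file contents.
$samples = [
    'clean'            => "<?php\ndefine('HEADING_TITLE', 'Welcome');\n?>\n",
    'blank line first' => "\n<?php\ndefine('HEADING_TITLE', 'Welcome');\n?>\n",
    'trailing newline' => "<?php\ndefine('HEADING_TITLE', 'Welcome');\n?>\n\n",
    'UTF-8 BOM'        => "\xEF\xBB\xBF<?php\ndefine('HEADING_TITLE', 'Welcome');\n?>",
];
foreach ($samples as $name => $source) {
    $hits = stray_output($source);
    echo str_pad($name, 18), $hits ? implode('; ', $hits) : 'ok', "\n";
}
// Pass a directory as the first argument to scan real files.
if (isset($argv[1])) {
    print_r(scan_directory($argv[1]));
}
```

Pages that deliberately mix HTML with PHP will report their markup, so point it at language and include files that are meant to produce no output at all.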

Well, there are a couple to kick off. I will add to this list over time.
Category(s): osCommerce Problems

Installation Support Options

Added by Geoff Ford. December 15, 2003
I get reasonably frequent emails from people having problems installing osCommerce.

Here are some ways to get help if you need it:
  1. Look at documentation that comes with osCommerce and is available on the osCommerce site or on osCDox. See the post about osCommerce links for links to the various places to find documentation or FAQs.
  2. Search the osCommerce forums. If there is a specific error you are getting search for the error message.
  3. Try posting your question or problem in the osCommerce Forums. You will get the best response if you have done some research first and are as clear as possible in describing the problem. If there is a specific error message you should copy that into your post.
  4. If all else fails we offer paid support: osCommerce Support or osCommerce Installation. There are other companies out there offering support. Try a Google search or even post in the forums that you are willing to pay to get the problem solved.
Category(s): osCommerce Problems

Debugging AuthorizeNet Module Problems

Added by Geoff Ford. December 09, 2003
The response the standard osCommerce AuthorizeNet SIM module delivers on an error from AuthorizeNet is cryptic given the range of errors that can occur.

The information AuthorizeNet is returning is quite specific and can quite often narrow down what the problem is. A full list of the codes and additional information is available in the SIM implementation guide (look for Response Reason Codes & Response Reason Text).

This modification to the AuthorizeNet module will email you exactly what AuthorizeNet returned when an error occurs.

It actually serves as a nice alert system, as it will seamlessly alert you whenever there is an AuthorizeNet related error. So you might want to leave it in even after debugging.

The instructions to install the modification are available here ...

osCommerce AuthorizeNet Module Debug Code - tested with osCommerce 2.2 MS2
Category(s): osCommerce Problems

Shipping Calculation Problem?

Added by Geoff Ford. December 09, 2003
Having problems getting shipping to work correctly?

Besides the settings in admin -> modules -> shipping -> yourmodule - make sure you are aware of the settings in admin -> configuration -> shipping/packaging and in particular the package tare weight and larger packages percentage increase.

This has been a source of confusion for a couple of shops I have dealt with in the last week.
Category(s): osCommerce Problems


© Attitude Group Ltd 2004
All Rights Reserved