Friday, June 18th 2010


The dangers of $REQUEST_URI ….
posted @ 3:09 am in [ osCommerce -PHP -Technology -Web Design ]

One of the recent reasons we were failing PCI compliance with some of our sites is because our forms that submit to themselves, namely those with code in the top and html in the bottom, use the PHP $REQUEST_URI to use their own URL as the action for the form to POST back to.

Now… the reason this is dangerous is because it includes all the query string parameters too so if you add code after the query string it includes it in the page = BAD

So…. how do we fix it?

The trick is to use the parse_url() function in PHP to ONLY grab the main path of the page itself rather than all the query strings.

So if we use

action="<?php echo parse_url($REQUEST_URI, PHP_URL_PATH);?>"

then we fix the security loop hole above and happy days 🙂

Additional: If we want to get the complete URL just without the query string we can tokenize the string using strtok as follows:

action="<php echo strtok($_SERVER['REQUEST_URI'],'?');?>"




Friday, December 11th 2009


UKFast – Installing cPanel on fresh CentOS x_64
posted @ 10:28 am in [ Apache -Hosting -osCommerce -PHP -Technology -Web2.0 ]

We’re just starting to move one of our clients Merc (http://www.merc.com/) onto a new webserver as their site has been doing so well that it need a faster, more optimised server to cope with the traffic and went with a new Cloud CentOS x_64 server from UK Fast for a very reasonable £70.00 odd per month.

The server seems lightening quick which is great, but didn’t come with a nice install of Plesk or cPanel or similar so we decided to install cPanel.

It’s actually really easy to do – just follow this really helpful guide here from Network Data Center in the US and you are up and running with a full blown cPanel in a couple of hours.

Job done! 🙂

References:
https://helpdesk.ndchost.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=25




Tuesday, January 27th 2009


HSBC XML API for OSCommerce based systems
posted @ 2:24 pm in [ osCommerce -PHP -Technology -Web Design ]

We recently developed an XML API for connecting to the HSBC bank in the UK for OSCommerce based systems which is free for everyone to download, update and even improve. I forgot to post a link to it so here it is and it should help everyone who wants to use them get up to speed pretty quickly

Download: http://addons.oscommerce.com/info/5585

Support Forum: http://forums.oscommerce.com/index.php?showtopic=284821




Thursday, August 14th 2008


HSBC Module for OSCommerce with XML API
posted @ 9:11 am in [ osCommerce -PHP -Technology -Web Design ]

I’ve been meaning to write about this one for a while since we did it, but we’ve written a fully XML API compliant OSCOmmerce payment module for the HSBC bank in the UK.

It is based quite heavily around the Protx Direct XML module which uses very similar techniques to POST data to the payment servers in XML, and then to decode the XML response in PHP for the OSCommerce system.

I’d like to improve the features when we have more time and allow refunding and voiding _directly_ from the OSCommerce administrator interface, rather than as current where you have to login the the HSBC interface separately to do this, but that’s all about time which is a precious commodity at the moment 🙂

The module can be downloaded from here and the support forum is here




Tuesday, April 10th 2007


Running osCommerce on PHP 5.2.1
posted @ 8:03 am in [ Apache -osCommerce -PHP -Technology ]

We use a lot of osCommerce in our client projects as it is one of the most advanced Open Source e-commerce systems available on the market today, and best of all we can share the code with our clients without them having to pay costly licensing contracts or even worse, cough cough, being tied in to a 3 year monthly fee contract like some other vend(or/a)s do in our market.

So, with a recent upgrade to PHP 5.2.1 on one of our development servers, osCommerce ms2.2, the best core release of the platform, refused to play ball having largely been tested and developed for PHP 4. Not to fear though, with a bit of research and a few tweaks we were able to get it up running.

1. Running your PHP as a Module rather than a CGI on Windows

In order to allow PHP local variables to be set, rather than just global ones, you have to run your PHP within Apache as a Module and for mySQL to work download and install the extra libmysql.dll from the mySQL homepages.

As we are now running PHP as a Module, rather than a CGI, it no longer automatically includes the working directory the executable is in (normally c:\program files\php-5.2.1\ or similar) so simply placing this file in that directory, as we used to do, works. You need to either add this directory to the PATH environment in Windows, or copy the libmysql.dll to the Windows/System32/ directory or similar.

Then modify your httpd.conf to include the following

#BEGIN PHP INSTALLER EDITS – REMOVE ONLY ON UNINSTALL
PHPIniDir “C:\\Program Files\\php-5.2.1\\”
LoadModule php5_module “C:\\Program Files\\php-5.2.1\\php5apache2_2.dll”
#END PHP INSTALLER EDITS – REMOVE ONLY ON UNINSTALL

For the php.ini uncomment the mySQL module needed (remember you need to download the extra Module DLLS for PHP 5.2.1 for this to work and path the Module directory correctly)

extension=php_mysql.dll

and

; Directory in which the loadable extensions (modules) reside.
extension_dir =”C:\Program Files\php-5.2.1\ext”

2. Modifying the local environment variables for PHP

In your working directory, create a new .htaccess file and assign the following PHP parameters within it

php_value register_globals on
php_value register_long_arrays on

3. Restart everything

Restart Apache to pick up the new PHP configuration, and then run a quick phpinfo(); in a test PHP file to check that the local values for the two variables above are set.

And.. you should have a running osCommerce MS2.2 on PHP 5.2.1 and Apache 2