osCommerce News
Recent posts
post item
osCommerce 4.05 release
September 21, 2022
osCommerce 4.05 has been released! Read more to find out how to upgrade to the latest version and what has changed ...
post item
Hybrid Ecommerce
August 16, 2022
osCommerce brings a new type of Ecommerce platform to the market - a so called Hybrid Ecommerce. So what is Hybrid Ecommerce? We see it to be the best of both worlds - an open source (and free) Ecommerce solution that is also hosted as if it was SaaS (or EaaS - Ecommerce as a Service). This means users (businesses and developers) do not need to worry about hosting requirements and at the same time have full access to the source code and can change or implement any custom features, integrations, etc. Of course, it is always possible to host osCommerce on your own server! It is just so much easier (and quite likely more cost effective!) to use osCommerce's own hosting solutions.  Hybrid Ecommerce from osCommerce Users can choose to have osCommerce installed for free on one of our servers to try osCommerce before use.  Once satisfied with its features, speed, robustness - they can choose to move to a paid osCommerce hosting account or to download and use osCommerce site on their own server. Move to an osCommerce-managed server is done automatically. Server environment is optimised for osCommerce, allowing it to give the best performance. It is also managed and upgraded with the latest server software. Most importantly, osCommerce installation can be automatically updated to the latest version of osCommerce (and Applications) as well. Any customisations, done right, will stay but all the standard modules and the core of osCommerce will be regularly updated, bringing fixes, changes, new features. Full FTP and mySQL access are offered to businesses and developers should they require such.   ...
post item
osCommerce 4.03 release
August 16, 2022
osCommerce 4.03 has been released. Read more about what's new in the latest version of popular open source free shopping cart! ...
post item
osCommerce 4.02 release
August 09, 2022
osCommerce 4.02 release, update notes, download instructions ...
post item
osCommerce 4.01 release
August 04, 2022
osCommerce 4.01 is available from https://www.oscommerce.com   Changes are available from osCommerce Wiki:  https://wiki.oscommerce.com/index.php?title=Change_Log We will continue working on fixing issues and adding features, osCommerce will be regularly developed and updated. ...
post item
osCommerce 4.0 Interview
August 03, 2022
What is osCommerce 4.0? How it was created and why? What is the team behind osCommerce? How was osCommerce released during the war in Ukraine?  All of this and more in the video interview, done by David Goodale of Merchant Accounts (Canada):     Visit Merchant Accounts Canada  for the full video and transcript ...
post item
osCommerce proudly developed in the UK and Ukraine
July 27, 2022
As many readers would know, osCommerce is headquartered from the UK but the majority of our team members are in Ukraine. Same as it was for Magento btw, and for many other amazing technological solutions. What many readers perhaps do not realize is that osCommerce continues to be developed while the war is raging in Ukraine.  For example, the final touches to version 4 were made in the evening, while air raid sirens were wailing in many locations in Ukraine where our colleagues are located. We would like to once again express our appreciation and applaud the strong spirit of our colleagues who managed to complete their task (be it with a delay) and release osCommerce 4.0! Those men and women who continue to work hard on adding more features, enabling the App Shop, fixing those teething problems that users of osCommerce report to us. We are working hard to release more features and solutions, and will be updating you in due course! ...
post item
osCommerce v4 release
July 25, 2022
osCommerce 4 released today ...
post item
osCommerce Roadmap
July 25, 2022
Read more about osCommerce Roadmap ...
post item
osCommerce is dead... Long live osCommerce!
July 25, 2022
How osCommerce started, became extremely popular, went into decline and almost died... And was re-born and is being launched today on the way to success! ...

Issue #25: March 17, 2003

By Harald Ponce de Leon

March 17, 2003

Security And Privacy Proposal
Filenames And Database Tables Definitions
Cross Site Scripting Vulnerabilities
Tax Implementation Update
New Wiki Documentation Site
Contributions Added/Updated In The Last 3 Days

Security And Privacy Proposal

The Security And Privacy Proposal discussed on the Developers forum has been realized and is now in CVS.

The implementation introduces a new Sessions configuration group with three parameters:


It is recommended to change the location of where the file based sessions are being stored as /tmp is generally accessible to all users on the server.


When enabled, sessions are only started when a set cookie is readable.

As cookies are depended on, this option will only successfully work when HTTP and HTTPS servers have the same top level domain, for example:

https://www.server.com and https://ssl.server.com will work, whereas

https://www.server.com and https://www.ssl.com/server/ will not work.


When enabled, the SSL_SESSION_ID automatically generated on secure HTTPS requests is stored in the session and verified on subsequent secure HTTPS requests. If the value has changed the customer must log in again to continue their actions.

Ross Lapkoff and Marcel van Lieshout are looking for workarounds on the SESSION_FORCE_COOKIE_USE option for it to be able to work on servers that use shared SSL certificates.

The discussions of the proposal can be read at:


The updated proposal is available at the new Wiki documentation site at:


Filenames And Database Tables Definitions

During the implementation of the Security And Privacy Proposal, the application_top.php file on the Catalog went through a clean-up process.

Part of the process moved the filename and database table definitions to their own files.

This will ease the merging of the Catalog and Administration Tool files when it occurs for Milestone 4.

Cross Site Scripting Vulnerabilities

Daniel Alcántara de la Hoz alerted the team of 2 cross site scripting vulnerabilities existing in catalog/includes/header.php.

These and other vulnerabilities have been fixed, and can be seen with the Bug Reporter by viewing all Cross Site Scripting reports.

As these vulnerabilities exist on the developing Milestone releases, no point release of Milestone 1 will be made available.

Point releases will be made available when vulnerabilities are found on stable project releases.

The Cross Site Scripting bug reports can be seen here:

https://www.oscommerce.com/community/bugs/action,search/type,Cross Site Scripting

Tax Implementation Updates

The tax implementation has been updated again as tax rates that were meant to be compounded were not compounding at all.

Updates were also made on the tep_round() function as PHPs native number_format() and round() functions produced different results when float and string values were parsed.

A bug report at PHP was opened due to this issue but turned out to be a float/mathematical issue instead of a PHP issue.

The updated tep_round() function now produces the expected results but may again be updated soon to increase its performance.

The PHP bug report can be seen here:


An updated proposal for the tax implementation can be read at the new Wiki documentation site at:


New Wiki Documentation Site

A new Wiki documentation site has been setup to start a public effort in writing documentation for the project.

Melinda Odom from oscdox fame has contributed a lot of help related documentation, Ian Wilson has started off the programming documentation, and Harald Ponce de Leon has started off the proposals section.

If you're interested in participating in the effort, or have questions to the Wiki site in general, get in touch at the Wiki forum channel provided at:


The Wiki documentation site can be reached at:


Live Shops List

Recent Live Shop entries are still pending to be activated which will be done during the week.

Contributions Added/Updated In The Last 3 Days

SVFlix Bank Transfer
Low Stock Report
MS1 to L5 db upgrade
french-zone france metropolitaine
Product Attributes - Option Type Feature
Gift Certificates - Generic
Protx Form Payment Module
PaySystems Module
Add Shopping Cart Info to Your Header
Big Images
Customer specific discount percentage
ot_commission 1.0
Bluepay Web Link Gateway
Ship 2 Pay v1.0 (MS1)
PDF data_sheet maker 1.1
Banner Picture Hack in Banner Manager
Infoboxes outside OSC
Card Zapper
Conditions, Privacy & Shipping with MySQL v1.0