osCommerce News
Recent posts
post item
Managing Cities
December 04, 2023
Managing Cities ...
post item
Managing Geo Zones
December 01, 2023
Managing Geo Zones ...
post item
Managing Counties and States
November 30, 2023
Managing Counties and States ...
post item
Managing Countries
November 29, 2023
Managing Countries ...
post item
Managing Filters
November 28, 2023
Managing Filters ...
post item
Managing Cache Control
November 27, 2023
Managing Cache Control ...
post item
Managing Cross Sell Type
November 24, 2023
Managing Cross Sell Type ...
post item
Managing Stock Delivery Terms
November 23, 2023
Managing Stock Delivery Terms ...
post item
Managing Notify Me when in Stock
November 22, 2023
Managing Notify Me when in Stock  ...
post item
Managing Stock Indication
November 21, 2023
Managing Stock Indication ...









osCommerce 4.x

shopping cart



New PayPal Module (Latest API 2.0)

osCommerce 2.2

osCommerce 2.3

Shopping cart customizations


PayPal Express

APM (Alternative Payment Method)

Standard Variant

Advanced Variant



Front End

Install osCommerce for Me

Let me install myself

Multiple sales channels

Single active sales channel

Installation on your own server

Assigning theme to sales channel

Deleting sales channel


App Shop

Adding Free Module

Admin Area

Adding Paid Module

Installing Module

Opayo Pi Module

Development Mode

Email Verification Before Registration

Managing Languages

Managing phpMussel

Managing Orders

oscommerce.com account

Creating Manual Orders

Managing Customers

Managing Customer Groups

Managing Brands

Managing Categories

Managing Filters on Categories

Managing Products

Managing Stock

Assigning Products and Categories to Front Ends

Assigning and Moving Products to Categories

Managing Default Sort Order on Product Listing and Category

Managing Cross-Sell and UPSell

Managing Reviews

Managing Attributes

Managing Product Groups

Managing Properties

Managing Suppliers

Managing Warehouses

Managing Sales Statistics and Purchase Report

Managing Stocktaking Costs

Managing Deleted Orders

Managing Coupons

Managing Virtual Gift Cards

Managing Sales Price

Managing Giveaways

Managing Featured Products

Managing SEO

Managing Meta Tags

Managing XML Sitemap

Settings of E-commerce Tracking for Google Tag Manager

Setting up GA4

Managing Pages

Managing Menus

Assigning Theme to Sales Channels

Deleting Sales Channels

Managing Translations

Managing Email Templates

Managing Catalog Pages

Managing Shipping Modules

Managing Payment Modules

Managing Order Structure

Managing Socials

Managing Extensions

Managing Managers

Managing Access Levels

Managing Back End Menu

Managing Configuration

Mail Sending via SMTP

Setting up SMTP

Status Groups

Order Statuses

Comment Templates

Stock Indication

Notify Me when in Stock

Stock Delivery Terms

Cross Sell Type

Cache Control


Managing Countries

Managing Counties and States

Geo Zones

Managing Cities

city settings

Issue #25: March 17, 2003

By Harald Ponce de Leon

March 17, 2003

Security And Privacy Proposal
Filenames And Database Tables Definitions
Cross Site Scripting Vulnerabilities
Tax Implementation Update
New Wiki Documentation Site
Contributions Added/Updated In The Last 3 Days

Security And Privacy Proposal

The Security And Privacy Proposal discussed on the Developers forum has been realized and is now in CVS.

The implementation introduces a new Sessions configuration group with three parameters:


It is recommended to change the location of where the file based sessions are being stored as /tmp is generally accessible to all users on the server.


When enabled, sessions are only started when a set cookie is readable.

As cookies are depended on, this option will only successfully work when HTTP and HTTPS servers have the same top level domain, for example:

https://www.server.com and https://ssl.server.com will work, whereas

https://www.server.com and https://www.ssl.com/server/ will not work.


When enabled, the SSL_SESSION_ID automatically generated on secure HTTPS requests is stored in the session and verified on subsequent secure HTTPS requests. If the value has changed the customer must log in again to continue their actions.

Ross Lapkoff and Marcel van Lieshout are looking for workarounds on the SESSION_FORCE_COOKIE_USE option for it to be able to work on servers that use shared SSL certificates.

The discussions of the proposal can be read at:


The updated proposal is available at the new Wiki documentation site at:


Filenames And Database Tables Definitions

During the implementation of the Security And Privacy Proposal, the application_top.php file on the Catalog went through a clean-up process.

Part of the process moved the filename and database table definitions to their own files.

This will ease the merging of the Catalog and Administration Tool files when it occurs for Milestone 4.

Cross Site Scripting Vulnerabilities

Daniel Alcántara de la Hoz alerted the team of 2 cross site scripting vulnerabilities existing in catalog/includes/header.php.

These and other vulnerabilities have been fixed, and can be seen with the Bug Reporter by viewing all Cross Site Scripting reports.

As these vulnerabilities exist on the developing Milestone releases, no point release of Milestone 1 will be made available.

Point releases will be made available when vulnerabilities are found on stable project releases.

The Cross Site Scripting bug reports can be seen here:

https://www.oscommerce.com/community/bugs/action,search/type,Cross Site Scripting

Tax Implementation Updates

The tax implementation has been updated again as tax rates that were meant to be compounded were not compounding at all.

Updates were also made on the tep_round() function as PHPs native number_format() and round() functions produced different results when float and string values were parsed.

A bug report at PHP was opened due to this issue but turned out to be a float/mathematical issue instead of a PHP issue.

The updated tep_round() function now produces the expected results but may again be updated soon to increase its performance.

The PHP bug report can be seen here:


An updated proposal for the tax implementation can be read at the new Wiki documentation site at:


New Wiki Documentation Site

A new Wiki documentation site has been setup to start a public effort in writing documentation for the project.

Melinda Odom from oscdox fame has contributed a lot of help related documentation, Ian Wilson has started off the programming documentation, and Harald Ponce de Leon has started off the proposals section.

If you're interested in participating in the effort, or have questions to the Wiki site in general, get in touch at the Wiki forum channel provided at:


The Wiki documentation site can be reached at:


Live Shops List

Recent Live Shop entries are still pending to be activated which will be done during the week.

Contributions Added/Updated In The Last 3 Days

SVFlix Bank Transfer
Low Stock Report
MS1 to L5 db upgrade
french-zone france metropolitaine
Product Attributes - Option Type Feature
Gift Certificates - Generic
Protx Form Payment Module
PaySystems Module
Add Shopping Cart Info to Your Header
Big Images
Customer specific discount percentage
ot_commission 1.0
Bluepay Web Link Gateway
Ship 2 Pay v1.0 (MS1)
PDF data_sheet maker 1.1
Banner Picture Hack in Banner Manager
Infoboxes outside OSC
Card Zapper
Conditions, Privacy & Shipping with MySQL v1.0


You can further discuss it on our Forum