osCommerce News
Recent posts
post item
"Buy Now, Pay Later" with new PayPal for new osCommerce
December 13, 2022
Upgrade PayPal module and osCommerce to offer Buy Now, Pay Later feature to customers. Click here to learn more... ...
post item
osCommerce 4.08 release and Connecting to the App Shop
December 09, 2022
osCommerce 4.08 release notes, including how to connect to the App Shop if you were not able to do it before ...
post item
osCommerce 4.07 release
October 26, 2022
osCommerce 4.07 release notes  ...
post item
FREE osCommerce Design Webinar
October 18, 2022
osCommerce is looking to have a Webinar to demonstrate how to modify existing and create new designs. All interested parties, businesses, designers, and developers, are welcome to indicate their interest to participate by commenting on this post in our Forums: https://forums.oscommerce.com/topic/497631-webinar-oscommerce-design/ See you online soon! ...
post item
osCommerce Apps - free until 1/1/23
October 13, 2022
While the osCommerce team are working hard on adding apps to the App Shop, we have decided to make ALL available osCommerce-made applications free in the App Shop until the 1st of January 2023.  You're welcome to download any app via the App shop, and use it to build your own osCommerce site or such for your client. Your feedback is highly appreciated.  With best wishes, osCommerce team ...
post item
osCommerce 4.05 release
September 21, 2022
osCommerce 4.05 has been released! Read more to find out how to upgrade to the latest version and what has changed ...
post item
Hybrid Ecommerce
August 16, 2022
osCommerce brings a new type of Ecommerce platform to the market - a so called Hybrid Ecommerce. So what is Hybrid Ecommerce? We see it to be the best of both worlds - an open source (and free) Ecommerce solution that is also hosted as if it was SaaS (or EaaS - Ecommerce as a Service). This means users (businesses and developers) do not need to worry about hosting requirements and at the same time have full access to the source code and can change or implement any custom features, integrations, etc. Of course, it is always possible to host osCommerce on your own server! It is just so much easier (and quite likely more cost effective!) to use osCommerce's own hosting solutions.  Hybrid Ecommerce from osCommerce Users can choose to have osCommerce installed for free on one of our servers to try osCommerce before use.  Once satisfied with its features, speed, robustness - they can choose to move to a paid osCommerce hosting account or to download and use osCommerce site on their own server. Move to an osCommerce-managed server is done automatically. Server environment is optimised for osCommerce, allowing it to give the best performance. It is also managed and upgraded with the latest server software. Most importantly, osCommerce installation can be automatically updated to the latest version of osCommerce (and Applications) as well. Any customisations, done right, will stay but all the standard modules and the core of osCommerce will be regularly updated, bringing fixes, changes, new features. Full FTP and mySQL access are offered to businesses and developers should they require such.   ...
post item
osCommerce 4.03 release
August 16, 2022
osCommerce 4.03 has been released. Read more about what's new in the latest version of popular open source free shopping cart! ...
post item
osCommerce 4.02 release
August 09, 2022
osCommerce 4.02 release, update notes, download instructions ...
post item
osCommerce 4.01 release
August 04, 2022
osCommerce 4.01 is available from https://www.oscommerce.com   Changes are available from osCommerce Wiki:  https://wiki.oscommerce.com/index.php?title=Change_Log We will continue working on fixing issues and adding features, osCommerce will be regularly developed and updated. ...

Issue #25: March 17, 2003

By Harald Ponce de Leon

March 17, 2003

Security And Privacy Proposal
Filenames And Database Tables Definitions
Cross Site Scripting Vulnerabilities
Tax Implementation Update
New Wiki Documentation Site
Contributions Added/Updated In The Last 3 Days

Security And Privacy Proposal

The Security And Privacy Proposal discussed on the Developers forum has been realized and is now in CVS.

The implementation introduces a new Sessions configuration group with three parameters:


It is recommended to change the location of where the file based sessions are being stored as /tmp is generally accessible to all users on the server.


When enabled, sessions are only started when a set cookie is readable.

As cookies are depended on, this option will only successfully work when HTTP and HTTPS servers have the same top level domain, for example:

https://www.server.com and https://ssl.server.com will work, whereas

https://www.server.com and https://www.ssl.com/server/ will not work.


When enabled, the SSL_SESSION_ID automatically generated on secure HTTPS requests is stored in the session and verified on subsequent secure HTTPS requests. If the value has changed the customer must log in again to continue their actions.

Ross Lapkoff and Marcel van Lieshout are looking for workarounds on the SESSION_FORCE_COOKIE_USE option for it to be able to work on servers that use shared SSL certificates.

The discussions of the proposal can be read at:


The updated proposal is available at the new Wiki documentation site at:


Filenames And Database Tables Definitions

During the implementation of the Security And Privacy Proposal, the application_top.php file on the Catalog went through a clean-up process.

Part of the process moved the filename and database table definitions to their own files.

This will ease the merging of the Catalog and Administration Tool files when it occurs for Milestone 4.

Cross Site Scripting Vulnerabilities

Daniel Alcántara de la Hoz alerted the team of 2 cross site scripting vulnerabilities existing in catalog/includes/header.php.

These and other vulnerabilities have been fixed, and can be seen with the Bug Reporter by viewing all Cross Site Scripting reports.

As these vulnerabilities exist on the developing Milestone releases, no point release of Milestone 1 will be made available.

Point releases will be made available when vulnerabilities are found on stable project releases.

The Cross Site Scripting bug reports can be seen here:

https://www.oscommerce.com/community/bugs/action,search/type,Cross Site Scripting

Tax Implementation Updates

The tax implementation has been updated again as tax rates that were meant to be compounded were not compounding at all.

Updates were also made on the tep_round() function as PHPs native number_format() and round() functions produced different results when float and string values were parsed.

A bug report at PHP was opened due to this issue but turned out to be a float/mathematical issue instead of a PHP issue.

The updated tep_round() function now produces the expected results but may again be updated soon to increase its performance.

The PHP bug report can be seen here:


An updated proposal for the tax implementation can be read at the new Wiki documentation site at:


New Wiki Documentation Site

A new Wiki documentation site has been setup to start a public effort in writing documentation for the project.

Melinda Odom from oscdox fame has contributed a lot of help related documentation, Ian Wilson has started off the programming documentation, and Harald Ponce de Leon has started off the proposals section.

If you're interested in participating in the effort, or have questions to the Wiki site in general, get in touch at the Wiki forum channel provided at:


The Wiki documentation site can be reached at:


Live Shops List

Recent Live Shop entries are still pending to be activated which will be done during the week.

Contributions Added/Updated In The Last 3 Days

SVFlix Bank Transfer
Low Stock Report
MS1 to L5 db upgrade
french-zone france metropolitaine
Product Attributes - Option Type Feature
Gift Certificates - Generic
Protx Form Payment Module
PaySystems Module
Add Shopping Cart Info to Your Header
Big Images
Customer specific discount percentage
ot_commission 1.0
Bluepay Web Link Gateway
Ship 2 Pay v1.0 (MS1)
PDF data_sheet maker 1.1
Banner Picture Hack in Banner Manager
Infoboxes outside OSC
Card Zapper
Conditions, Privacy & Shipping with MySQL v1.0