osCommerce News
Recent posts
post item
osCommerce 4.05 release
September 21, 2022
osCommerce 4.05 has been released! Read more to find out how to upgrade to the latest version and what has changed ...
post item
Hybrid Ecommerce
August 16, 2022
osCommerce brings a new type of Ecommerce platform to the market - a so called Hybrid Ecommerce. So what is Hybrid Ecommerce? We see it to be the best of both worlds - an open source (and free) Ecommerce solution that is also hosted as if it was SaaS (or EaaS - Ecommerce as a Service). This means users (businesses and developers) do not need to worry about hosting requirements and at the same time have full access to the source code and can change or implement any custom features, integrations, etc. Of course, it is always possible to host osCommerce on your own server! It is just so much easier (and quite likely more cost effective!) to use osCommerce's own hosting solutions.  Hybrid Ecommerce from osCommerce Users can choose to have osCommerce installed for free on one of our servers to try osCommerce before use.  Once satisfied with its features, speed, robustness - they can choose to move to a paid osCommerce hosting account or to download and use osCommerce site on their own server. Move to an osCommerce-managed server is done automatically. Server environment is optimised for osCommerce, allowing it to give the best performance. It is also managed and upgraded with the latest server software. Most importantly, osCommerce installation can be automatically updated to the latest version of osCommerce (and Applications) as well. Any customisations, done right, will stay but all the standard modules and the core of osCommerce will be regularly updated, bringing fixes, changes, new features. Full FTP and mySQL access are offered to businesses and developers should they require such.   ...
post item
osCommerce 4.03 release
August 16, 2022
osCommerce 4.03 has been released. Read more about what's new in the latest version of popular open source free shopping cart! ...
post item
osCommerce 4.02 release
August 09, 2022
osCommerce 4.02 release, update notes, download instructions ...
post item
osCommerce 4.01 release
August 04, 2022
osCommerce 4.01 is available from https://www.oscommerce.com   Changes are available from osCommerce Wiki:  https://wiki.oscommerce.com/index.php?title=Change_Log We will continue working on fixing issues and adding features, osCommerce will be regularly developed and updated. ...
post item
osCommerce 4.0 Interview
August 03, 2022
What is osCommerce 4.0? How it was created and why? What is the team behind osCommerce? How was osCommerce released during the war in Ukraine?  All of this and more in the video interview, done by David Goodale of Merchant Accounts (Canada):     Visit Merchant Accounts Canada  for the full video and transcript ...
post item
osCommerce proudly developed in the UK and Ukraine
July 27, 2022
As many readers would know, osCommerce is headquartered from the UK but the majority of our team members are in Ukraine. Same as it was for Magento btw, and for many other amazing technological solutions. What many readers perhaps do not realize is that osCommerce continues to be developed while the war is raging in Ukraine.  For example, the final touches to version 4 were made in the evening, while air raid sirens were wailing in many locations in Ukraine where our colleagues are located. We would like to once again express our appreciation and applaud the strong spirit of our colleagues who managed to complete their task (be it with a delay) and release osCommerce 4.0! Those men and women who continue to work hard on adding more features, enabling the App Shop, fixing those teething problems that users of osCommerce report to us. We are working hard to release more features and solutions, and will be updating you in due course! ...
post item
osCommerce v4 release
July 25, 2022
osCommerce 4 released today ...
post item
osCommerce Roadmap
July 25, 2022
Read more about osCommerce Roadmap ...
post item
osCommerce is dead... Long live osCommerce!
July 25, 2022
How osCommerce started, became extremely popular, went into decline and almost died... And was re-born and is being launched today on the way to success! ...

Issue #33: December 16, 2003

By Harald Ponce de Leon

December 16, 2003

osCommerce 2.2 Milestone 1 SQL Injection Vulnerability
Forum Searching
Development Progress
E-Commerce Regulations

Discussions regarding this weekly report can be found here:


osCommerce 2.2 Milestone 1 SQL Injection Vulnerability

An SQL injection vulnerability exists in osCommerce 2.2 Milestone 1, due to variable types not being checked which has been addressed in the 2.2 Milestone 2 release.

The reported vulnerability exists during the customer account creation procedure, specifically in the create_account_process.php file, with the user submited country value being used rawly in SQL queries.

The functions involved in processing the vulnerable SQL queries are defined in includes/functions/general.php, and are called tep_get_zone_name() and tep_get_countries().

It is strongly recommended for stores running on 2.2 Milestone 1 to download the update package, to read the documentation within, and to apply the updates appropriately.

Although only two functions are vulnerable in this report, other functions could also be affected due to variable types not being checked. A replacement for the includes/functions/general.php file is provided in the update package to minimize further injection possibilities from occuring.

Although no further SQL injection reports are known, and as variable checking was implemented in 2.2 Milestone 2, Milestone 1 will remain in the risk zone, and is therefore recommended to update the remaining SQL queries appropriately or to upgrade to Milestone 2. Further information is available in the update package.

The update package can be downloaded here:


Forum Searching

The default searching algorithm for the forums has changed from an "or" based algorithm, to an "and" based algorithm.

This changes the results returned by returning posts containing all words searched for, instead of any words searched for.

Searches for "payment module" will now return posts containing both words, instead of either.

If the "or", or either, method is preferred, searching for "payment or module" is now required and will only return posts containing either words.

Development Progress

The following new classes have been implemented into CVS:

* osC_Customer
* osC_Session
* osC_Tax

All variables are now called in their respective scope, making the Catalog register_globals compatible, which includes using the new super global variables introduced in PHP 4.1.

Changes to the currencies class will be commited this week, which improves performance by querying the tax rate only when DISPLAY_PRICES_WITH_TAX is enabled.

The list of incompatibilities between Milestone 2 and Milestone 3 can be viewed on the Wiki site at the following address:


Discussions regarding the progress of Milestone 3 are held in the following forum thread:


E-Commerce Regulations

New parameters will be introduced to enable features legally needed in some countries, and to disable the same features where not needed.

The initial list of features that will be controlled via parameters can be seen on Workboard entry 69. The first feature of forcing the customer to accept the terms and conditions when proceeding through the checkout procedure has been implemented in CVS.

The second feature of forcing the customer to agree to the privacy notice when creating an account will be commited to CVS during the week.

Discussions regarding Workboard entry 69 are held in the following forum thread: