osCommerce News
Recent posts
post item
"Buy Now, Pay Later" with new PayPal for new osCommerce
December 13, 2022
Upgrade PayPal module and osCommerce to offer Buy Now, Pay Later feature to customers. Click here to learn more... ...
post item
osCommerce 4.08 release and Connecting to the App Shop
December 09, 2022
osCommerce 4.08 release notes, including how to connect to the App Shop if you were not able to do it before ...
post item
osCommerce 4.07 release
October 26, 2022
osCommerce 4.07 release notes  ...
post item
FREE osCommerce Design Webinar
October 18, 2022
osCommerce is looking to have a Webinar to demonstrate how to modify existing and create new designs. All interested parties, businesses, designers, and developers, are welcome to indicate their interest to participate by commenting on this post in our Forums: https://forums.oscommerce.com/topic/497631-webinar-oscommerce-design/ See you online soon! ...
post item
osCommerce Apps - free until 1/1/23
October 13, 2022
While the osCommerce team are working hard on adding apps to the App Shop, we have decided to make ALL available osCommerce-made applications free in the App Shop until the 1st of January 2023.  You're welcome to download any app via the App shop, and use it to build your own osCommerce site or such for your client. Your feedback is highly appreciated.  With best wishes, osCommerce team ...
post item
osCommerce 4.05 release
September 21, 2022
osCommerce 4.05 has been released! Read more to find out how to upgrade to the latest version and what has changed ...
post item
Hybrid Ecommerce
August 16, 2022
osCommerce brings a new type of Ecommerce platform to the market - a so called Hybrid Ecommerce. So what is Hybrid Ecommerce? We see it to be the best of both worlds - an open source (and free) Ecommerce solution that is also hosted as if it was SaaS (or EaaS - Ecommerce as a Service). This means users (businesses and developers) do not need to worry about hosting requirements and at the same time have full access to the source code and can change or implement any custom features, integrations, etc. Of course, it is always possible to host osCommerce on your own server! It is just so much easier (and quite likely more cost effective!) to use osCommerce's own hosting solutions.  Hybrid Ecommerce from osCommerce Users can choose to have osCommerce installed for free on one of our servers to try osCommerce before use.  Once satisfied with its features, speed, robustness - they can choose to move to a paid osCommerce hosting account or to download and use osCommerce site on their own server. Move to an osCommerce-managed server is done automatically. Server environment is optimised for osCommerce, allowing it to give the best performance. It is also managed and upgraded with the latest server software. Most importantly, osCommerce installation can be automatically updated to the latest version of osCommerce (and Applications) as well. Any customisations, done right, will stay but all the standard modules and the core of osCommerce will be regularly updated, bringing fixes, changes, new features. Full FTP and mySQL access are offered to businesses and developers should they require such.   ...
post item
osCommerce 4.03 release
August 16, 2022
osCommerce 4.03 has been released. Read more about what's new in the latest version of popular open source free shopping cart! ...
post item
osCommerce 4.02 release
August 09, 2022
osCommerce 4.02 release, update notes, download instructions ...
post item
osCommerce 4.01 release
August 04, 2022
osCommerce 4.01 is available from https://www.oscommerce.com   Changes are available from osCommerce Wiki:  https://wiki.oscommerce.com/index.php?title=Change_Log We will continue working on fixing issues and adding features, osCommerce will be regularly developed and updated. ...

Issue #33: December 16, 2003

By Harald Ponce de Leon

December 16, 2003

osCommerce 2.2 Milestone 1 SQL Injection Vulnerability
Forum Searching
Development Progress
E-Commerce Regulations

Discussions regarding this weekly report can be found here:


osCommerce 2.2 Milestone 1 SQL Injection Vulnerability

An SQL injection vulnerability exists in osCommerce 2.2 Milestone 1, due to variable types not being checked which has been addressed in the 2.2 Milestone 2 release.

The reported vulnerability exists during the customer account creation procedure, specifically in the create_account_process.php file, with the user submited country value being used rawly in SQL queries.

The functions involved in processing the vulnerable SQL queries are defined in includes/functions/general.php, and are called tep_get_zone_name() and tep_get_countries().

It is strongly recommended for stores running on 2.2 Milestone 1 to download the update package, to read the documentation within, and to apply the updates appropriately.

Although only two functions are vulnerable in this report, other functions could also be affected due to variable types not being checked. A replacement for the includes/functions/general.php file is provided in the update package to minimize further injection possibilities from occuring.

Although no further SQL injection reports are known, and as variable checking was implemented in 2.2 Milestone 2, Milestone 1 will remain in the risk zone, and is therefore recommended to update the remaining SQL queries appropriately or to upgrade to Milestone 2. Further information is available in the update package.

The update package can be downloaded here:


Forum Searching

The default searching algorithm for the forums has changed from an "or" based algorithm, to an "and" based algorithm.

This changes the results returned by returning posts containing all words searched for, instead of any words searched for.

Searches for "payment module" will now return posts containing both words, instead of either.

If the "or", or either, method is preferred, searching for "payment or module" is now required and will only return posts containing either words.

Development Progress

The following new classes have been implemented into CVS:

* osC_Customer
* osC_Session
* osC_Tax

All variables are now called in their respective scope, making the Catalog register_globals compatible, which includes using the new super global variables introduced in PHP 4.1.

Changes to the currencies class will be commited this week, which improves performance by querying the tax rate only when DISPLAY_PRICES_WITH_TAX is enabled.

The list of incompatibilities between Milestone 2 and Milestone 3 can be viewed on the Wiki site at the following address:


Discussions regarding the progress of Milestone 3 are held in the following forum thread:


E-Commerce Regulations

New parameters will be introduced to enable features legally needed in some countries, and to disable the same features where not needed.

The initial list of features that will be controlled via parameters can be seen on Workboard entry 69. The first feature of forcing the customer to accept the terms and conditions when proceeding through the checkout procedure has been implemented in CVS.

The second feature of forcing the customer to agree to the privacy notice when creating an account will be commited to CVS during the week.

Discussions regarding Workboard entry 69 are held in the following forum thread: