Jump to content
  • Checkout
  • Login
  • Get in touch


The e-commerce.


  • Content count

  • Joined

  • Last visited

Profile Information

  • Real Name
    Eric Borgh
  1. borghe

    Seo Url Question

    Well, I implemented it on my production site. I needed to alter a few extra files due to the heavily modified nature of my site, but all in all from the normal stock osc distribution I only modified: /include/functions/html_output.php in here I just changed tep_href_link(). I put in a db call to pull out products_name, manufacturers_name, and categories_name (I only have one category per item). I then construct a key/value pair using manufacturer-or-category/products_name and add that the the url being built. This actually allows the option of this working perfectly well with SEF turned off also. /product_info.php here I just check to see if the correct format of URL is being referenced. If not I use a 301 redirect and have location determined by just using tep_href_link on $_GET['products_id']. This modification is primarily for any back-links coming in using the old URL format. They'll still work, just 301 redirect you to the new format. It's as simple as that. If anyone has any questions I would be more than happy to answer. I also put in the ability to add keywords to the url as well as an auto-versioning system when you change those keywords. This ensures that the most updated version of the URL is always the customer's final destination. Total programming time in this was under 4 hours solid, which honestly is less time than it probably would have taken to implement the contribution I wanted to use given my store's screwy way of building product names and using categories. you can see it in action here: http://www.badgercomics.com/
  2. borghe

    Seo Url Question

    so I looked at the seo/sef link in your post and quite frankly most of the really nice options would be extremely difficult to implement. by way of comparison, I put together my test case over just a few hours Friday night. I have items showing just fine, but I have a couple of questions about SEO/SEF in general and wondering if anyone could answer them. First, I realize you have to 302 your pages and I think I've figured out a way to do that (I check to see if I need to generate SEO links. I just use that same method to check and generate and NOT it to generate the 302). However, how quickly does google handle 302's in the directory? Do I include the old links to the 302's in my sitemap for google or do I just include the new links and let google catch the 302s on the old pages? This one is common to seemingly most of the SEO implementations (including even amazon and many others). Does google or others catch what is basically a BS SEO move? I mean even looking at amazon, most of the implementations in here, etc, the URLs are quite tacked on and you can tell where the meat of the URL is and where the fluff is. Is there any thoughts of google coming down on this in the future? Kind of related, is google even going to reindex my new URLs (with the 302s and sitemap) when it is essentially the same as the old URL with just the relevant item data in the URL? To understand what I'm talking about, my test site is here: http://test-11.badgercomics.com/
  3. borghe

    Seo Url Question

    So my store is a heavily modified osc install. The backend has been reworked dramatically to accomodate for our products. Thus the problem is that there is no SEO solution out there (aside from a mod_rewrite) that we will simply be able to drop in without tremendous work. So here's my question. Has anyone just tried modifying tep_href_link() to simply "add-on" product name information as a query string using the builtin simple SEO capabilities? keep product_id in the SEO query string (i.e. catalog/product_info.php/this_is_my_product/xx/products_id/1234). It seems like it would be simple enough and would need virtually no extra coding except for tep_href_link() calls to generate product_info.php links. My titles are good, my pages have as much info as the distributor and publishers provide, so at this point I am just looking at that last push with truly SEO urls. Any thoughts are appreciated.
  4. borghe

    Fesex Ship Manager API for ShipRequest

    I am working on a private contribution that creates labels with DHL's ShipIT API and works somewhat the same way it sounds like. If you are supposed to be getting a pdf back and it is base64 encoded, simply grab the relevant data, put it into base64_decode(data), then say header('Content-Type: application/pdf'), then echo it out: header('Content-Type: application/pdf'); echo base64_decode(data); make sure you are doing this without outputting anything to the screen (no <html> or <?xml>, etc) and don't output anything after. the only thing the server should be sending back is the header and the echo.
  5. oh, I wanted to comment on this post also.. in the before_process() function, simply add x_delim_char => ',', somewhere in the passed data. this will override whatever you actually have set on auth.net actually IMHO this should be set by default in the module. that way customers with existing auth.net accounts using a non-comme delimiter don't have to worry about the module not working out of the box as the module will automatically set comma as the delimiter.
  6. so, as I've been working on credit card storage and using some of this module as a basis for my work (I need to authorize the card the first time to verify the cvv value being as I'm not allowed to store it), I noticed a glaring, well not glaring, but somewhat significant flaw in this module. Everything is fine except for the process_button function, where you write as a hidden form field the entire credit card number. Technically you should not be writing the cvv value either as a hidden form field (which you are) or as a plain text display to the customer. Unfortunately my personal fix involves a custom mcrypt-based encryption class, but to outline essentially what can be done to get around this is: in confirmation() remove the cvv display. in process_button(): I am concatenating the card number and cvv value and delimiting them with a | I then 3des encrypt this (using my mycrypt-based class), base64 encode that (so it won't have problems in the html) and write that to the hidden cc_num input field. in before_process(): base64 decode $_POST['cc_num'] decrypt the field and list ($cc_num,$cc_cvv) explode('|',$decoded_cc_num) and I now have a cc_number (and cvv if applicable), all the while never having them in plain text. I only bring this up relating mainly to either someone leaving the checkout confirmation screen on their computer unattended, in which even when their session timed-out someone could still view source and grab the credit card number, or if the page is cached and if they could view source on the cached page and grab it from there. anyway, this post really explains how to do it, you just need to figure out the encryption part. I created my own mcrypt class but if you do a search for mcrypt you will find a few already made classes out there that can handle the encrypting. sure a static in the source isn't the utmost in security either, but at least a lot more secure than the plain text credit card number in the html source itself.
  7. borghe

    is my credit card data "safe enough"?

    I have already looked at the visa pci self assessment. to answer questions fro section 3: 3.1 Is sensitive cardholder data securely disposed of when no longer needed? Yes. All data will be removed immediately when a customer chooses to terminate their subscription status. 3.2 Is it prohibited to store the full contents of any track from the magnetic stripe (on the back of the card, in a chip, etc.) in the database, log files, or point-of-sale products? Not doing any card present transactions so not a problem. 3.3 Is it prohibited to store the card-validation code (three-digit value printed on the signature panel of a card) in the database, log files, or point-of-sale products? Yes. It will never be stored, even temorarily. 3.4 Are all but the last four digits of the account number masked when displaying cardholder data? Yes, the full number will never be displayed, either to me or the customer. 3.5 Are account numbers (in databases, logs, files, backup media, etc.) stored securely? for example, by means of encryption or truncation? As I said in the first post, numbers will be fully 3DES encrypted with the initialization vector not being stored on the network. 3.6 Are account numbers sanitized before being logged in the audit log? No account numbers are being logged. Furthermore the each key for each card number is also now being randomly generated as a 128byte string using random ascii chars 31-255 giving 1.325083269986333e+474 possibilities and again, not being stored with the initialization vector, and neither being stored on the shared hosting service. so the only thing being stored on the shared service is the actual 3DES encrypted card data itself. as I said before, the bottom line is that I WILL have to store the card data, either online or offline. Offline presents a whole new host of problems, such as how to get the card number from the customer to myself securely, and of course again creates an even bigger single point of failure. any other thoughts?
  8. uggh.. so I NEED to store credit card details in certain instances in the database. I could store them offline on, say, my workstation at home, but it would be a tremendous pain to go back and forth to "link" the details with the "online" users when it came time to charging them in these particular instances. besides that, I can actually setup an automated method to charge them (long story, not part of the default oscommerce setup. this is seperate charging done on a particular and exclusive basis). So anywho, I wrote my own method of storing the encrypted credit card. essentially what I'm doing (and I'm not worried about mentioning this being that the lock and key are never stored in the same place) is tripledes encrypting the modified credit card string. I am then adding the basic customer viewable info (last 4 digits and date) and then base64 encoding that. so the customer will have easy access to the last 4 and date to know what card they have on file. now the trick to this is that the initialization vector is being emailed to me base64 encoded. so the only way to decrypt the string is to get ahold of the initialization vector which won't be located anywhere near the actual encrypted string (physically and theoretically). so when I want to charge the customer, I can create a simple ssl encrypted page that will lookup the customer_id I pass, take the base64 encoded initialization vector I received in the email as input, add like a dollar amount field to charge against the customers card in realtime over auth.net, and all is good. the only chance a hacker would ever have in "breaking" the system as far as I see is either sniffing the original email as it is sent or breaking into my box and getting it off of there (which of course it is also encrypted on). if anyone sees a problem with this I would LOVE for you to point it out. I am going to go live with this pending any unknown dangers and would certainly love the input.
  9. sorry. I thought you meant offering photos for download. yes, if you are offering them for sale printed, then imagemagic is certainly able to handle things. just have both filename encryption and watermarking turned on. they will still have unlimited access to the watermarked pictures (unless you have inventory browsing turned off for unregistered users) but at least they won't have any access to the non-watermarked pics.
  10. borghe

    Official PayPal IPN Support Thread

    thank you steve. this is EXACTLY what I was looking for. so I could do something like: on VALIDATED/Completed: process the order fully, clear their SQL shopping cart completely, apply their voucher credit and discount code. on VALIDATED/Pending: keep everything as is BUT STILL apply their voucher credit and discount code immediately. on VALIDATED/Rejected: keep everything as is AND refund their voucher credit and reset their discount code status for the discount. this should stop any sort of exploits from occurring with customers not coming back to the site. then customers who do come back to the site I'll just rework before_process() in the paypal module so that it tidys up all tep_session variables so they match with the current session SQL data, and generates the email and the "congratulations" screens. sound good? and thanks again for the answer.
  11. trax - that is what "encrypted" filenames are for under admin. HOWEVER, it should be noted that as far as I can tell imagemagic is NOT a suitable replacement for a real download management package. it is basing everything off of an image that is free and in the clear. you can turn on filename encryption and even modify the package so it leaves filename encryption on and watermarking off for logged in users, however there is no real way to "distribute" the file with image magic. if I were you I would leave watermarking turned on at all times (as well as filename encryption if protecting the pictures is required). I would then have the picture stored in two different places. One place where image magic can find it for display, and another place where a real downloadable content manager will be able to package up a non-watermarked copy for download by customers. this is IMHO the only way to truly protect your content as you are describing. to further protect things I would have your originals that image magic is using in kind of a dense directory structure and/or have different names than their downloadable counterparts. if they had the same names and, say, were all located in /images/ some unscrupulous person could just download a few pictures, get your naming structure under order, and then just try to bulk download using sequencing from /images/.
  12. borghe

    Official PayPal IPN Support Thread

    any thoughts by anyone on moving the before_process() inventory reduction/order management/etc stuff to the ipn.php file as opposed to the paypal_ipn.php file? Would really like some input on this. at the very least, does anyone have practical information on the typical time it takes paypal to send out the ipn notification? are a few seconds typical? a few minutes? is it possible for it to go to hours and/or days in some instances? things I am wondering most about are people that use a bank account linked to paypal where paypal holds the funds. does the ipn still go through immediately? paypal is definitely something I want to offer, but this is a pretty big hole involving gift vouchers and coupon codes with a per customer limit. any thoughts?
  13. hmm.. not sure what file you are talking about? checkout_process.php is unfortunately never called in what I'm referring to. paypal ipn has the checkout button post a form directly to paypal. checkout_process.php is only called if/when the customer comes back to your site from paypal. ideally the customer will come back, but all it takes is for someone to realize that they don't have to return for the credit to never be applied. and I was double checking and the same is also true for coupon codes being cashed in. if you have a coupon code that has a per customer limit, if they don't return back to the site they can just use the coupon code over and over. sticking everything in ipn.php seems like the way to go, however I have to first find out exactly how instant IPN is, or more specifically what is the worst case common scenario.
  14. borghe

    Official PayPal IPN Support Thread

    one question here. I posted it in the CCGV thread (because that IS where it belongs) but I'll post it here as well because it directly affects the paypal IPN mod (no other mod). Essentially if a person uses the remainder of a gift voucher when they checkout at paypal, but then doesn't return to the site afterwards (for checkout process), the voucher is never deducted from their total. does anyone have a fix around this already? I have a few ideas (basically moving apply_credit() to ipn.php and passing some variables in the custom variable of the IPN API) but don't want to reinvent the wheel if I don't have to.
  15. Ok, I came across one more minor bug. Again I've searched but haven't found anything. rather than spending another 8 hours on this (which I'll have to do without an answer anyway) I figured I would shoot it off in here. Currently with paypal available, a person with a gift voucher balance can avoid getting their balance reduced by not returning to the site. the order goes through just fine, but as is the case with paypal IPN not reducing inventory or anything, the voucher balance is not reduced either. is there an answer already out there for this? now technically I am thinking that I can just remove the apply_credit() call from before_process() and instead just stick it in the ipn.php file itself... I mean if someone uses a voucher and still goes out to paypal they used up their voucher balance. I can stick a variable in "custom" when I send the customer to paypal and when I get the response back just reduce their voucher balance by that much.. so "otgv35.68" will reduce their account balance by 35.68. the only problem I have with this is if their is a noticeable lag between them finishing their order on paypal and when paypal responds with the IPN (granted it would have to be at least a few minutes) this would allow the person time to see the voucher balance in their account and try spending it again before paypal's IPN response was received. uggh.. I don't know. any thoughts on this are welcome.