Guest
Posted August 2, 2005

Working on a new install, and I am slowly learning my way around, but haven't found a solution to this problem:

When a customer receives their order e-mail from checkout_process.php, the following link is included in the e-mail:

    https://yourstore.com/catalog/account_history_info.php/order_id/1002

However, when I send an order update e-mail from admin in the orders.php page, the link looks like this:

    /catalog/account_history_info.php?order_id=1002

For some reason the initial website portion is being stripped off. Where does EMAIL_TEXT_INVOICE_URL pull that information from? Doesn't it come from the same database field in both pages?

Any help would be greatly appreciated!

Thanks,
John

moonstone
Posted August 2, 2005

Fyi, EMAIL_TEXT_INVOICE_URL is defined in catalog/includes/languages/english/checkout_process.php. Unfortunately, it's just the text "Detailed Invoice" and I don't think it's what you're looking for.

I noticed you are using https. Try looking in catalog/includes/configure.php, around lines 14-15:

    define('HTTP_SERVER', 'http://www.domain.com'); // eg, http://localhost - should not be empty for productive servers
    define('HTTPS_SERVER', 'https://www.domain.com'); // eg, https://localhost - should not be empty for productive servers

Make sure that the entry for HTTPS_SERVER is set to the correct url. And do the same for the one for admin in catalog/admin/includes/configure.php

Hope that helps...

Guest
Posted August 3, 2005

Thanks very much! That seems to have corrected it. I was wondering about those fields in the configure files. Perhaps you can elaborate a little more on these defines.

The admin/configure.php file lists the following:

    define('HTTP_SERVER', 'http://www.mystore.com'); // eg, http://localhost or - https://localhost should not be NULL for productive servers
    define('HTTP_CATALOG_SERVER', 'http://www.mystore.com');
    define('HTTPS_CATALOG_SERVER', 'https://www.mystore.com');

Why is there no HTTPS_SERVER in the admin/configure? Should there be? I assume that all three of the above should be filled in.

Also, at the bottom, there are the defines for the database:

    // define our database connection
    define('DB_SERVER', '');
    define('DB_SERVER_USERNAME', 'mysql');
    define('DB_SERVER_PASSWORD', '');
    define('DB_DATABASE', 'osCommerce');
    define('USE_PCONNECT', 'false');
    define('STORE_SESSIONS', '');

Do these need to be populated also? Things seem to be working just fine, I am able to connect to the database. However, upon closer inspection, I notice the USERNAME and PASSWORD fields. I would assume by this that I should have password protected my database, correct?

I apologize for these seemingly simple questions, but I certainly appreciate everyone's help on these forums.

♥Vger
Posted August 3, 2005

DB_SERVER is usually (but not always) 'localhost'

STORE_SESSIONS should be 'mysql'

DB_SERVER_PASSWORD should have your password - but if it's working without a password then that's a serious security flaw - unless this is a local install on your home computer (in which case it's normal).

Vger

Guest
Posted August 3, 2005

:o :'( Thanks for the information, I am even more puzzled now.

I am in the process of setting up the store on the webserver, and have the username and password blank in the DB_SERVER fields, both in /catalog/ and /admin/ and I am able to connect just fine to the database. Yet when I go to access the database through phpMyAdmin, I must enter my username and password. How is osCommerce getting into the database without this information?

I agree with you that this is a serious security flaw, and I want to make sure I am doing everything possible to stay safe. Is there a way I can test if there is a flaw here (sorry, I am quite computer literate, but this is my first attempt at osC and PHP and am still learning) to see if I am vulnerable?

Your help is definitely appreciated.

John

moonstone
Posted August 3, 2005

I just checked my configure.php in admin, and sure enough there isn't a HTTPS_SERVER. I'm guessing that since the admin directory is already .htaccess password protected, there is no need for a secure connection to do administration. If anyone can shed more light on this, please do.

With reference to the following from your configure.php:

    // define our database connection
    define('DB_SERVER', '');
    define('DB_SERVER_USERNAME', 'mysql');
    define('DB_SERVER_PASSWORD', '');
    define('DB_DATABASE', 'osCommerce');
    define('USE_PCONNECT', 'false');
    define('STORE_SESSIONS', '');

I'm pretty sure for your databases, you have a user by the name of "mysql" that does not have a password. This will explain why osCommerce can access your database without a password. As you already know, it's a security flaw.

You can confirm this in phpMyAdmin. Simply click on Privileges on the welcome page. This will list all authorized users to your databases. If "mysql" really exists as a user, you can either remove that user or edit the entry and insert a password. Remember to change the DB_SERVER_USERNAME and DB_SERVER_PASSWORD in both configure.php files to reflect the correct user.

As mentioned by Vger, STORE_SESSIONS should be set to 'mysql' if you wish to have the sessions info stored in your database. Leaving it empty will default to storing the sessions info on files in the specified directory.

As for DB_SERVER, you may also wish to set it to 'localhost'. I guess in your case, it defaulted to localhost since you left it blank.

Hope this clarifies things a bit... ;)

Guest
Posted August 3, 2005

Hmmmm...I am afraid that although things are clearing up, I am still unsure whether I am secured or not! :o

When I check the welcome page in phpMyAdmin, under the "Create new database" link, it says "No Privileges", yet I have access to read/write. Does this just refer to the ability to create a new database from here?

When I go through my host control panel to set up databases, there are no other users listed such as "mysql" for my store's database. What it does say after the database name is "(Locked by osCommerce)", and does not allow me to edit a user name or password for the database. I can add additional users with various rights though, for this database.

Is there something that my host (websitesource.com) may be doing to secure the database so that only osCommerce can see it without a password? With the DB_SERVER being blank, could it be that since the database and store reside on the same server that it defaults to localhost as you mention? I checked the database, and my sessions table is logging the sessions, so that seems to be working OK.

Sorry for all the questions, and if there is a manual that explains all this that I should look instead, I can do that. I just haven't been able to find anything yet that explains this in detail.

Guest
Posted August 5, 2005

> <snip> Is there something that my host (websitesource.com) may be doing to secure the database so that only osCommerce can see it without a password? With the DB_SERVER being blank, could it be that since the database and store reside on the same server that it defaults to localhost as you mention? I checked the database, and my sessions table is logging the sessions, so that seems to be working OK. <snip>

Well, I just got a reply back from my hosting company about this subject (securing the SQL database), and here is what they wrote:

> With your installation of OsCommerce there are two configuration files. The one that contains the correct mysql configuration is "catalog/includes/local/configure.php". The mysql server is secure, and as you will see, OsCommerce is using your authentication information to get access to the database; as this is the only way that mysql will let anyone access that database.

I was previously unaware of this configure file under includes/local, but when I checked it, the correct DB_SERVER, USERNAME, and PASSWORD were populated.

I feel much better now that osCommerce is using my username and password, but I wonder why the 2 different configure files?

Anyway, thanks to all for helping me figure this out! Hopefully the information above might be useful to someone else as well.

John

primadude
Posted September 7, 2005

This thread helped me resolve my problem. I am developing my first osCommerce store and my two configure.php files were different. The e-mail URL was correct at customer order but not correct from e-mail originated from the admin console orders status change page.

Anyway, I just wanted to say thanks...

Joe

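An added example, not part of the original thread and not osCommerce code: a Python check over the configure.php defines discussed above that flags empty server URLs and an empty DB_SERVER_PASSWORD, and shows how an override file changes the effective values. The sample file contents, the `store_user` name, the placeholder password, and the assumption that includes/local/configure.php is loaded before the main file are all constructed for illustration.

```python
import re

# define('NAME', 'value') as written in osCommerce configure.php files
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)")
URL_KEYS = ("HTTP_SERVER", "HTTP_CATALOG_SERVER", "HTTPS_CATALOG_SERVER")

def effective_config(sources):
    """Merge files in load order; first define wins (PHP define() never overwrites)."""
    cfg = {}
    for text in sources:
        for line in text.splitlines():
            if not line.lstrip().startswith(("//", "#")):  # skip commented-out lines
                for name, value in DEFINE_RE.findall(line):
                    cfg.setdefault(name, value)
    return cfg

def audit(label, cfg, url_keys=URL_KEYS):
    """Flag empty or non-HTTPS server URLs and weak database settings."""
    findings = []
    for key in url_keys:
        value = cfg.get(key, "")
        if not value:
            findings.append(f"{label}: {key} is empty, links built from it lose the host")
        elif key.startswith("HTTPS") and not value.startswith("https://"):
            findings.append(f"{label}: {key} is not an https:// URL")
    if not cfg.get("DB_SERVER_PASSWORD"):
        findings.append(f"{label}: DB_SERVER_PASSWORD is empty")
    if not cfg.get("DB_SERVER"):
        findings.append(f"{label}: DB_SERVER is empty, host falls back to a default")
    return findings

# Constructed sample, modelled on the admin defines quoted in the thread
ADMIN = """
define('HTTP_SERVER', 'http://www.mystore.com'); // eg, http://localhost
define('HTTP_CATALOG_SERVER', 'http://www.mystore.com');
define('HTTPS_CATALOG_SERVER', '');
define('DB_SERVER', '');
define('DB_SERVER_USERNAME', 'mysql');
define('DB_SERVER_PASSWORD', '');
"""
# Constructed override file; its load-first precedence is an assumption
LOCAL = """
define('DB_SERVER', 'localhost');
define('DB_SERVER_USERNAME', 'store_user');
define('DB_SERVER_PASSWORD', 'placeholder-not-a-real-secret');
"""
def run_demo():
    return (audit("admin", effective_config([ADMIN])),
            audit("admin+local", effective_config([LOCAL, ADMIN])))
```

Audited alone, the sample admin file yields three findings; with the override file merged first, only the empty HTTPS_CATALOG_SERVER remains, which is why checking a single configure.php can give a misleading picture of what the store actually uses.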
This topic is now archived and is closed to further replies.