
Support Thread for Supertracker Contribution


equilla

Have you done this bit?

Step 3.

Edit /catalog/includes/application_top.php and add the following code before the last ?> in the file:

// Do the superstats business: load the tracker class and record this page view
require(DIR_WS_CLASSES . 'supertracker.php');
$tracker = new supertracker;
$tracker->update();

I might have originally forgotten to add that bit as well (or I just dreamed that :-" )

Oh yes, I have done that bit. I actually just went through the install process once again. Still not inserting rows... very odd. It has to be something stupid on my part, as this does not seem to be a very common problem. Hmmmmm.... :huh:


Hello, Thanks to createvideo for posting the security fix. However I can't drop and overwrite my general.php as it's already edited by other contributions (and I don't have the coding skills to work out the sections that need changing). Could someone post a stage-by-stage edit for the two files?

Thanks Alex


Hello, Thanks to createvideo for posting the security fix. However I can't drop and overwrite my general.php as it's already edited by other contributions (and I don't have the coding skills to work out the sections that need changing). Could someone post a stage-by-stage edit for the two files?

Thanks Alex

No problem Alex, I'd been meaning to do this when I found time. I started on PHP/SQL not long ago and found the PHP/SQL Bible from Wiley books to be very helpful for newbs.


Step 1: Open /includes/functions/general.php

Add the following clean_url function at the top of the file after your first comments section.

// rev14 - createvideo: security - add URL string cleaning
// add or remove characters as needed to enhance security
function clean_url($url) {
//  $string = ereg_replace(' +', ' ', trim($url));
  $string = $url;
  // strip characters that could terminate or alter an SQL string literal
  return preg_replace('/[\;\<\>\'\"\:\;\|\(\)$^]/', '', $string);
}

 

STEP 2: open /includes/classes/supertracker.php

Find:

$current_page=$_SERVER['PHP_SELF'];

Replace with:

//rev14 - security fix - clean input
// $current_page=$_SERVER['PHP_SELF'];
$current_page = clean_url($_SERVER['PHP_SELF']);
//

Find:

$refer_data = $_SERVER['HTTP_REFERER'];

Replace with:

//rev14 - security fix
// $refer_data = $_SERVER['HTTP_REFERER'];
$refer_data = clean_url($_SERVER['HTTP_REFERER']);

Find:

$ip = $_SERVER['REMOTE_ADDR'];
$current_page=$_SERVER['PHP_SELF'];
$time_arrived = date('Y-m-d H:i:s');
$landing_page = $_SERVER['REQUEST_URI'];

Replace with:

//rev14 - security fix
// $ip = $_SERVER['REMOTE_ADDR'];
$ip = clean_url($_SERVER['REMOTE_ADDR']);
//rev14 - $current_page=$_SERVER['PHP_SELF'];
$current_page = clean_url($_SERVER['PHP_SELF']);
// date() output is generated server-side and needs no cleaning
$time_arrived = date('Y-m-d H:i:s');
//rev14 - $landing_page = $_SERVER['REQUEST_URI'];
$landing_page = clean_url($_SERVER['REQUEST_URI']);

That's all for cleaning the supertracker variables before they are passed to the database. In general, you should always sanitize your input data before sending it to the database. Harold has taken care of several similar security holes in the latest OSC release; make sure you've made these updates also.

BR, createvideo


Hello,

When I try to make the change required in /catalog/includes/application_top.php, I get the following error on my store:

1054 - Unknown column 'sesskey' in 'where clause'

select * from supertracker where sesskey = 'ffa498607177bf0bf2e36c7b4a7802e9'

[TEP STOP]

Please help. Thanks!


Hello,

I've got one problem with this contribution. I can't delete (all or a part of) the database, a SQL syntax error shows up:

1064 - You have an error in your SQL syntax near 'ORDER by tracking_id ASC LIMIT 200' at line 1

DELETE from supertracker ORDER by tracking_id ASC LIMIT 200

[TEP STOP]

Besides this problem, it's still a very good contribution.

Thanks!


Found an SQL Injection risk with Supertracker. To see if you are at risk, pull up a product page:

/index/product_info.php/ ... some_product_name

Now insert some rogue characters into the product name, i.e.

som'e"produc(t<)name

Hit return; if you see a SQL error message, then your site can be hacked from here.

I added my copy of /includes/functions/general.php and /includes/classes/supertracker.php to the contribution section for anyone interested in using or improving.

Please do a compare & merge ONLY with my files; as most people here, I have 10,000 customizations on my site and with only 100 documented :)

The SECURITY FIX revisions are NOTED with REV 14 - createvideo
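One added example that serves both the rev14 clean_url fix posted earlier in this thread and the injection test in this post (it is not code from the thread or from the Supertracker contribution): it runs clean_url() over the rogue product name, then stores the same raw value through a parameterised PDO insert instead of filtering it. It assumes PHP with the pdo_sqlite extension; the in-memory table and its column names are stand-ins for the real supertracker table.

```php
<?php
// Added example, not code from this thread or from the Supertracker contribution.
// It runs the rev14 clean_url() over the rogue product name from the injection
// test and then stores the same raw value through a parameterised query.
// Assumptions: PHP with the pdo_sqlite extension; the in-memory table and its
// column names are stand-ins for the real MySQL `supertracker` table.
date_default_timezone_set('UTC');

// The rev14 filter as posted in the thread: strip a fixed set of metacharacters.
function clean_url($url) {
    return preg_replace('/[\;\<\>\'\"\:\;\|\(\)$^]/', '', $url);
}

// Constructed input: the test string from the thread, wrapped in a request path.
$rogue = "/product_info.php/som'e\"produc(t<)name";

// Blacklist approach: the quote and brackets are gone, so a query built by
// string concatenation no longer breaks. The list is the weak point: any
// character not in it (a backslash, a NUL byte) passes through untouched,
// and legitimate values that contain ':' or quotes come out mangled.
$filtered = clean_url($rogue);

// Parameterised approach: keep the raw value and let the driver quote it.
// PDO against SQLite here; the same calls work with a mysql: DSN.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE supertracker (
    tracking_id  INTEGER PRIMARY KEY AUTOINCREMENT,
    ip           TEXT,
    current_page TEXT,
    landing_page TEXT,
    refer_data   TEXT,
    time_arrived TEXT)');

$insert = $db->prepare('INSERT INTO supertracker
    (ip, current_page, landing_page, refer_data, time_arrived)
    VALUES (:ip, :page, :landing, :refer, :arrived)');
$insert->execute(array(
    ':ip'      => '203.0.113.7',                   // constructed (TEST-NET-3)
    ':page'    => '/product_info.php',
    ':landing' => $rogue,                          // raw value, no filtering
    ':refer'   => "http://shop.example/?q='x'",    // constructed referrer
    ':arrived' => date('Y-m-d H:i:s'),
));

// Read back: the quotes and brackets survived as data, never as SQL.
$row = $db->query('SELECT landing_page FROM supertracker')->fetch(PDO::FETCH_ASSOC);

echo "blacklist output : " . $filtered . "\n";
echo "stored unchanged : " . ($row['landing_page'] === $rogue ? 'yes' : 'no') . "\n";
```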

 

Hi createvideo,

can you just confirm which version of Supertracker you found this issue with? Reason I ask is that code to mitigate the risk of SQL injection was introduced in version 3.1a - the parameters that get used in db transactions are treated immediately before the queries.

Certainly, on my installs I haven't been able to pull off your suggested method of attacking through this script.

Many thanks,

Mark


  • 2 weeks later...
Hi createvideo,

can you just confirm which version of Supertracker you found this issue with? Reason I ask is that code to mitigate the risk of SQL injection was introduced in version 3.1a - the parameters that get used in db transactions are treated immediately before the queries.

Certainly, on my installs I haven't been able to pull off your suggested method of attacking through this script.

Many thanks,

Mark

Mark, my files are likely pre-3.1a, but I didn't see anything in the newer release notes addressing this issue, so I didn't check the latest releases. I'll find time this week to look at the latest release, but as you stated, as long as data is cleaned before making the SQL call, it should be ok.

I found the issue when running a large number of automated combinations against my site, and my fix seemed adequate to block them all.

Best wishes, David


I have a question about deleting the oldest data.

I only want to delete stuff related to products and categories viewed.

I want to KEEP data concerning referrers, search keywords, and the products viewed report.

Is there any way to delete some things and keep others?


I am getting the following error. I uploaded the files a few times, still getting the same error. Can someone help me? Thanks,

Fatal error: error traversing database - perhaps it is corrupt? in /home/xxxx/public_html/includes/geoip.inc on line 416


Thanks for this great contrib! It really helps to find out where the visitors came from and what pages they went through.

I'd like to suggest one more feature:

Add filters for specific files: I recently added an RSS feed for my product list in my store. Now I have hundreds of records in the database every day which only come from feed readers fetching the RSS file. I would really like to keep these activities from being logged into the database.

And I agree with Moonlight, a better 'delete' feature would help, too.

Anyway, great job! Way to go, Mark!

Edited by AlexStudio

Super Download Shop, PayPal Express Checkout IPN, Selling Downloads, Visual Validation (preventing robotic flood), phpBB2 Integration

 

Yes, I'm willing to help, but please ask in the right place. Think twice before trying to PM me, it might be ignored.


  • 3 weeks later...

Hello,

I have a problem. All is OK until I put the following lines in the application_top.php:

//Do the superstats business
require(DIR_WS_CLASSES . 'supertracker.php');
$tracker = new supertracker;
$tracker->update();

and there the problem is the line:

$tracker->update();

because when I activate that on the webserver, my site is gone and all is white. When I make it:

// $tracker->update();

the site is back again, but it did not write the things to the database.

Anyone an idea?

Greetings from Germany


Hi there,

I am one of the unlucky shared SSL users. On top, I have a dynamic IP like most Germans have.

This great contrib works excellently, but I can't get any useful PPC information because of shared SSL and dynamic IP.

If a customer comes to my site from a PPC link I get a working referrer as well as an informative referrer_query_string with "ref=" and "keyw=". So far so good.

Now the customer wants to order. He goes to the shopping cart and ...

I get a new ID due to shared SSL and supertracker creates a new referrer named "www.mypage.shopping_cart.php" with the referrer_query_string "osCsid...." without "ref" or "keyw".

Is there any solution for this problem?

Thanks for any help!

I tried to find a solution myself. The SQL statement looked like:

same shopping cart amount, almost same time, completed_purchase = true, one referrer = www.mypage.shopping_cart.php ==> didn't work the way I want!


I just installed this contribution with the latest security updates and all, but I'm getting the following error:

1054 - Unknown column 'sesskey' in 'where clause'

select * from supertracker where sesskey = '152fb5cb02f20fe2eb922119a1f24c1d'

[TEP STOP]


I just installed this contribution with the latest security updates and all, but I'm getting the following error:

1054 - Unknown column 'sesskey' in 'where clause'

select * from supertracker where sesskey = '152fb5cb02f20fe2eb922119a1f24c1d'

[TEP STOP]

Hi,

ah yes, it seems we have a configuration control problem here. The supertracker class was rewritten in one of the earlier versions and no longer needed the sesskey field in the database, so it was removed.

Unfortunately, the security update posted by createvideo was based on an earlier version of supertracker, and so is trying to use this field.

As a temporary fix you could add the sesskey field to the database, but I think we need to organise a new release that fixes this issue properly.

Mark


well, I uninstalled that version and installed 3.2b and I'm getting this error:

Fatal error: Cannot instantiate non-existent class: supertracker in /home/theda17/public_html/shop/includes/application_top.php on line 513

Any ideas?


well, I uninstalled that version and installed 3.2b and I'm getting this error:

Fatal error: Cannot instantiate non-existent class: supertracker in /home/theda17/public_html/shop/includes/application_top.php on line 513

Any ideas?

Hi Again,

the 2 most obvious causes are that either this line:

require(DIR_WS_CLASSES . 'supertracker.php');

is missing from application_top.php (it should be directly above this line):

$tracker = new supertracker;

which must be your line 513.

or, the supertracker.php file is missing from your shop/includes/classes folder.

I would usually expect other error messages about not being able to find the supertracker class file though, so it is possible that there is a problem with the class file itself. If the above things I have mentioned are definitely in place, try re-uploading the supertracker class file and see if that solves the problem.

Regards,

Mark


Okay, I can't seem to find an answer on this thread to exclude my entry page outside of the catalog. I made it a PHP page with application_top.php; however, because it's outside the catalog directory, it isn't working.

Isn't there some way to include the entry page in the stats rather than have it be a referrer??? I must have it because I have an adult store. :'(

webbydeb


<snip about adding tracking on your own html pages>

include (DIR_WS_INCLUDES . 'application_top.php');

</snip>

Hi

I can get this to work if I have the html (which is set in .htaccess to parse php) in the catalog folder but I can't get it to work outside of the catalog folder. I have my main entry page in the root which then links to my catalog.

Is there a way of getting stats for non-osc pages?

Ta

Martin

Error I get is:

Warning: main(includes/configure.php): failed to open stream: No such file or directory in /usr/home/abc/www/catalog/includes/application_top.php on line 29

Fatal error: main(): Failed opening required 'includes/configure.php' (include_path='.:/usr/local/lib/php') in /usr/home/abc/www/catalog/includes/application_top.php on line 29

This is exactly my issue. Any ideas???? Please????


Someone has got to have an idea on this. The supertracker is great, but most of my 'referrals' are coming from my front page outside of the catalog folder. Unless I can figure this out, it really isn't beneficial to use for me.

Anybody????


I seem to have a conflict with the contrib Access with Level Account (v. 2.2a) for the Admin Area of osCommerce (MS2). When selecting any reports from the admin page I am redirected to my admin login screen. The contrib Access with Level Account appends a variable osCAdminID=long_session_string to every admin page request. But the supertracker.php uses <option value="supertracker.php?report=refer"> and so on, so when the session doesn't see this osCAdminID variable I am kicked back to my login screen. I assume this is what is happening, but I am completely at a loss as to how to fix it... Any ideas?


I seem to have a conflict with the contrib Access with Level Account (v. 2.2a) for the Admin Area of osCommerce (MS2). When selecting any reports from the admin page I am redirected to my admin login screen. The contrib Access with Level Account appends a variable osCAdminID=long_session_string to every admin page request. But the supertracker.php uses <option value="supertracker.php?report=refer"> and so on, so when the session doesn't see this osCAdminID variable I am kicked back to my login screen. I assume this is what is happening, but I am completely at a loss as to how to fix it... Any ideas?

I fixed it by editing the following code in catalog/admin/supertracker.php after line 125:

Replace:

<option value=""><?php echo TABLE_TEXT_MENU_TEXTE; ?></option>
<option value="supertracker.php?report=refer"><?php echo TEXT_TOP_REFERRERS; ?></option>
<option value="supertracker.php?report=success_refer"><?php echo TEXT_TOP_SALES;?></option>
<option value="supertracker.php?special=geo"><?php echo TEXT_VISITORS;?></option>
<option value="supertracker.php?special=keywords"><?php echo TEXT_SEARCH_KEYWORDS;?></option>
<option value="supertracker.php?special=keywords_last24"><?php echo TEXT_SEARCH_KEYWORDS_24;?></option>
<option value="supertracker.php?special=keywords_last72"><?php echo TEXT_SEARCH_KEYWORDS_3;?></option>
<option value="supertracker.php?special=keywords_lastweek"><?php echo TEXT_SEARCH_KEYWORDS_7;?></option>
<option value="supertracker.php?special=keywords_lastmonth"><?php echo TEXT_SEARCH_KEYWORDS_30;?></option>
<option value="supertracker.php?report=exit"><?php echo TEXT_TOP_EXIT_PAGES;?></option>
<option value="supertracker.php?report=exit_added"><?php echo TEXT_TOP_EXIT_PAGES_NO_SALE;?></option>
<option value="supertracker.php?report=ave_clicks"><?php echo TEXT_AVERAGE_CLICKS;?></option>
<option value="supertracker.php?report=ave_time"><?php echo TEXT_AVERAGE_TIME_SPENT;?></option>
<option value="supertracker.php?special=prod_coverage"><?php echo TEXT_PRODUCTS_VIEWED_REPORT;?></option> <!-- modified by azer//-->
<option value="supertracker.php?special=last_ten"><?php echo TEXT_LAST_TEN_VISITORS;?></option>
<?php if (SUPERTRACKER_USE_PPC) {?>
<option value="supertracker.php?special=ppc_summary"><?php echo TEXT_PPC_REFERRAL;?></option>

With this:

<div class="supertracker_text">
<?php echo TABLE_TEXT_MENU_DESC_TEXTE; ?> <form name="report_select"><select name="report_selector" onchange="page_redirect(this)">
<option value=""><?php echo TABLE_TEXT_MENU_TEXTE; ?></option>
<?php //Begin compatibility with Admin Level Access
?>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&report=refer' ?>"><?php echo TEXT_TOP_REFERRERS; ?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&report=success_refer' ?>"><?php echo TEXT_TOP_SALES;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=geo' ?>"><?php echo TEXT_VISITORS;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=keywords' ?>"><?php echo TEXT_SEARCH_KEYWORDS;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=keywords_last24' ?>"><?php echo TEXT_SEARCH_KEYWORDS_24;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=keywords_last72' ?>"><?php echo TEXT_SEARCH_KEYWORDS_3;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=keywords_lastweek' ?>"><?php echo TEXT_SEARCH_KEYWORDS_7;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=keywords_lastmonth' ?>"><?php echo TEXT_SEARCH_KEYWORDS_30;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&report=exit' ?>"><?php echo TEXT_TOP_EXIT_PAGES;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&report=exit_added' ?>"><?php echo TEXT_TOP_EXIT_PAGES_NO_SALE;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&report=ave_clicks' ?>"><?php echo TEXT_AVERAGE_CLICKS;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&report=ave_time' ?>"><?php echo TEXT_AVERAGE_TIME_SPENT;?></option>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=prod_coverage' ?>"><?php echo TEXT_PRODUCTS_VIEWED_REPORT;?></option> <!-- modified by azer//-->
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=last_ten' ?>"><?php echo TEXT_LAST_TEN_VISITORS;?></option>
<?php if (SUPERTRACKER_USE_PPC) {?>
<option value="<?php echo $PHP_SELF . '?osCAdminID=' . $osCAdminID . '&special=ppc_summary' ?>"><?php echo TEXT_PPC_REFERRAL;?></option>
<?php //End compatibility with Admin Level Access
?>


oops,

Don't copy this part!!!

<div class="supertracker_text">
<?php echo TABLE_TEXT_MENU_DESC_TEXTE; ?> <form name="report_select"><select name="report_selector" onchange="page_redirect(this)">
<option value=""><?php echo TABLE_TEXT_MENU_TEXTE; ?></option>

Start copying after the comment!

