osCommerce

The e-commerce.

OsCommerce critical bug found - fix it now!


Advance


Recently we have found a bug related to product prices in osCommerce MS 2.2 and its earlier versions.

 

The bug allows buying any product at zero price. The bug is reproduced on the live osCommerce demo (http://demo.oscommerce.com/).

 

Please check out http://demo.oscommerce.com/?currency=usd and look at the prices, which have become zero. This allows customers to purchase products at zero price instead of the price set for the product.

 

The bug is critical for those store owners who sell digital (downloadable) products, because customers will be able to download a product by paying a zero amount of money.

 

You can check out your store. Simply add ?currency=usd to any store URL.


I have tested this on my site...

 

In the catalog all the product prices do reset to 0. However if you select a product and proceed to checkout the correct pricing is displayed....not 0. I tried to reset the prices to 0 again on the checkout screen using the url you provided and nothing happened. I proceeded to checkout as normal.

 

In my case this didn't affect anything. Have you tested to see if you can do a completed checkout and pay $0, rather than just it displaying $0 on the catalog screens?


Hi,

 

Regarding this post

 

I have tested this on my site...

 

In the catalog all the product prices do reset to 0. However if you select a product and proceed to checkout the correct pricing is displayed....not 0. I tried to reset the prices to 0 again on the checkout screen using the url you provided and nothing happened. I proceeded to checkout as normal.

 

In my case this didn't affect anything. Have you tested to see if you can do a completed checkout and pay $0, rather than just it displaying $0 on the catalog screens?

 

Sorry, but you are not quite right. Try this:

 

http://demo.oscommerce.com/product_info.ph...mp;currency=usd

 

and then, add to cart, proceed to checkout.

Note, you WILL BE ABLE to download this. The product price is still zero during ALL the checkout process.

 

Please note also this is not a flood post, this bug really exists, because we know a number of stores have had this problem recently - by paying 0.01 (0.01 PayPal fee for price zero) with PayPal and downloading a product which costs about $500...

 

Best bug fixing,

 

Advance


Downloads should not be used unless you install Downloads Controller. This has been known about for years. You specifically should not sell downloads if you use PayPal as your payment processor - unless you install Downloads Controller.

 

Vger


Hi

 

Thanks for the replies

 

I wonder how Downloads Controller could prevent such things. The order is simply completed and verified by PayPal in this case.

So PayPal confirms that the order is valid, and the status is auto-switched to something like shipped or processing etc.

Could you give me a detailed explanation of how Downloads Controller could prevent this?

 

Downloads should not be used unless you install Downloads Controller. This has been known about for years. You specifically should not sell downloads if you use PayPal as your payment processor - unless you install Downloads Controller.

 

Vger


Downloads should not be used unless you install Downloads Controller. This has been known about for years. You specifically should not sell downloads if you use PayPal as your payment processor - unless you install Downloads Controller.

 

Vger

For clarity...

This bug has nothing to do with "PayPal" or "downloads" specifically, but rather a bug in the osC installation script in the database phase of the osc installation. Since this has been known for years, it should have been fixed with the latest 060817 release but was not, since evidently the bug is still there.

 

The fix was referenced to above but not mentioned in detail so here you go...

 

Price goes to zero fix:

 

The appropriate fix for this is on the database side, this is a MySQL feature. The column should have been created with the BINARY attribute. You can modify the column using the following statement:

 

alter table currencies modify code char(3) binary not null default '';

Run this in the SQL tab in phpMyAdmin interface for your osc database.

 

After that, MySQL will only do a binary comparison. See below...

 

http://dev.mysql.com/doc/mysql/en/case-sensitivity.html

 

So..in any future osC release, the creation of the database currency table should be modified so that it is binary.

 

Hope this has helped you out.

Bill Kellum

 

Sounds Good Productions

STS Tutorials & more: STSv4.6, STS Add-ons (STS Power Pack), STS V4 Forum STS Forum FREE TEMPLATE

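The post above explains the fix but not why a lowercase `?currency=usd` slips through in the first place. The following is an added example, not osCommerce's own code: it models the `currencies` table in SQLite, using the `NOCASE` collation to stand in for MySQL's default case-insensitive comparison and `BINARY` for the `char(3) binary` / `COLLATE latin1_bin` column from the fix. The in-memory rate table keyed by the stored code and the "no rate means 0.0" behaviour are a constructed model of the symptom the thread reports, and the sample currency rows are made up.

```python
"""Added example (not osCommerce code): why a case-insensitive currency
column lets '?currency=usd' match the 'USD' row, and what the binary
column fix from the thread changes."""
import sqlite3

# Constructed sample rows, shaped like the thread's currencies table.
SAMPLE_CURRENCIES = [
    ("US Dollar", "USD", 1.0),
    ("Euro", "EUR", 0.8),
    ("Pound Sterling", "GBP", 0.5),
]


def build_currencies_table(binary_code: bool) -> sqlite3.Connection:
    """Create an in-memory currencies table whose `code` column compares
    case-insensitively (unfixed schema) or byte-wise (the fix)."""
    collation = "BINARY" if binary_code else "NOCASE"
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE currencies ("
        " currencies_id INTEGER PRIMARY KEY AUTOINCREMENT,"
        " title VARCHAR(32) NOT NULL,"
        f" code CHAR(3) NOT NULL COLLATE {collation},"
        " value REAL)"
    )
    conn.executemany(
        "INSERT INTO currencies (title, code, value) VALUES (?, ?, ?)",
        SAMPLE_CURRENCIES,
    )
    return conn


def code_is_known(conn: sqlite3.Connection, requested: str) -> bool:
    """Validation of a ?currency= parameter by row lookup.
    With NOCASE 'usd' is accepted; with BINARY it is rejected."""
    row = conn.execute(
        "SELECT currencies_id FROM currencies WHERE code = ?", (requested,)
    ).fetchone()
    return row is not None


def load_rates(conn: sqlite3.Connection) -> dict:
    """Rate table keyed by the stored (upper-case) code. Constructed
    model of an exact-key lookup, not osCommerce's currencies class."""
    return {code: value for code, value in conn.execute("SELECT code, value FROM currencies")}


def display_price(conn: sqlite3.Connection, base_price: float, requested: str) -> float:
    """Price shown to the visitor. A code that passes the SQL check but is
    not an exact key of the rate table has no rate, so the price collapses
    to 0.0, which is the symptom reported in the thread (modelled here)."""
    if not code_is_known(conn, requested):
        raise ValueError(f"unknown currency {requested!r}")
    rate = load_rates(conn).get(requested)
    return round(base_price * rate, 2) if rate is not None else 0.0


if __name__ == "__main__":
    unfixed = build_currencies_table(binary_code=False)
    print("unfixed, usd:", display_price(unfixed, 500.0, "usd"))   # 0.0
    print("unfixed, USD:", display_price(unfixed, 500.0, "USD"))   # 500.0
    fixed = build_currencies_table(binary_code=True)
    print("fixed, usd known?", code_is_known(fixed, "usd"))        # False
```

The point of the model is that the database check and the later rate lookup disagree on case; making the column comparison binary brings the two in line, which is what the ALTER TABLE and the `COLLATE latin1_bin` schema change in this thread do.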

What I was referring to is the situation during checkout where you can go as far as checkout_confirmation, then change the address to checkout_success.php in the address bar, hit the Enter key and go straight to checkout_success with the order being recorded and any download being released.

 

Using Downloads Controller means that the download is not automatically released - you have to release it from your osCommerce admin panel.

 

Vger

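The post above describes why a download must not be released merely because the success page was reached. The following is an added example, not osCommerce's or Downloads Controller's code: a small order model in which the download list is derived from an order state that only a payment-processor confirmation or an admin can advance, so browsing to the success page by itself releases nothing. The `Order` class, the status names and the sample order are constructed for illustration.

```python
"""Added example (not osCommerce / Downloads Controller code): gate the
release of a download on the order's recorded payment state rather than
on which page the customer reached."""
from dataclasses import dataclass, field


@dataclass
class Order:
    order_id: int
    total: float
    downloads: list = field(default_factory=list)
    status: str = "pending"        # pending -> paid -> released
    manual_release: bool = True    # Downloads Controller style: admin releases


def record_payment(order: Order, amount_paid: float) -> None:
    """Payment-processor confirmation. Only this step moves an order to
    'paid', and only when the confirmed amount covers a non-zero total
    (an order total of 0 for a priced product is itself a signal)."""
    if order.status != "pending":
        return
    if order.total > 0 and amount_paid + 1e-9 >= order.total:
        order.status = "paid"
    else:
        order.status = "payment_mismatch"


def admin_release(order: Order) -> bool:
    """Manual release from the admin panel; only a paid order qualifies."""
    if order.status == "paid":
        order.status = "released"
        return True
    return False


def downloads_for_success_page(order: Order) -> list:
    """What checkout_success may show. Requesting the page directly does
    not change the order, so an unpaid order gets an empty list."""
    if order.manual_release:
        return list(order.downloads) if order.status == "released" else []
    return list(order.downloads) if order.status in ("paid", "released") else []


if __name__ == "__main__":
    order = Order(1, 500.0, downloads=["product.zip"])
    print(downloads_for_success_page(order))   # [] - nothing paid yet
    record_payment(order, 0.01)
    print(order.status, downloads_for_success_page(order))  # payment_mismatch []
```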

What I was referring to is the situation during checkout where you can go as far as checkout_confirmation, then change the address to checkout_success.php in the address bar, hit the Enter key and go straight to checkout_success with the order being recorded and any download being released.

 

Using Downloads Controller means that the download is not automatically released - you have to release it from your osCommerce admin panel.

 

Vger

Vger, you are absolutely correct regarding the above. The original poster was referring to the situation where a user can dubiously add "?currency=usd" or "?currency=eur" and it will change all of the prices in your shop, whether they be downloadable goods or physical products, to the price of "0". This change is global, for the destructive hacker as well as for anyone else who visits your store, until you, the administrator, correct it.

 

By making the SQL changes above, this will bring your prices back to where they should be as well as correct the upper/lower case scenario with the currency table so that the problem will not be duplicated.

Bill Kellum

 

Sounds Good Productions

STS Tutorials & more: STSv4.6, STS Add-ons (STS Power Pack), STS V4 Forum STS Forum FREE TEMPLATE


Recently we have found a bug related to product prices in osCommerce MS 2.2 and its earlier versions.

 

The bug allows buying any product at zero price. The bug is reproduced on the live osCommerce demo .............................

 

Although I have set UK pounds as the default currency, my site always starts up in US dollars.

If I delete US dollars, then the site starts at 0 for everything!

 

Does this bug have anything to do with that?


Although I have set UK pounds as the default currency, my site always starts up in US dollars.

If I delete US dollars, then the site starts at 0 for everything!

 

Does this bug have anything to do with that?

 

No. When you set a new default currency, you need to set the value to 1.00 then hit Update Currencies. Then check in includes/languages/english.php that the default is what you want - GBP

 

define('LANGUAGE_CURRENCY', 'GBP');

 

 

Just for anyone that installs multiple instances of osC, you can update oscommerce.sql to include the fix.

 

Find this:

 

DROP TABLE IF EXISTS currencies;
CREATE TABLE currencies (
 currencies_id int NOT NULL auto_increment,
 title varchar(32) NOT NULL,
 code char(3) NOT NULL,
 symbol_left varchar(12),
 symbol_right varchar(12),
 decimal_point char(1),
 thousands_point char(1),
 decimal_places char(1),
 value float(13,8),
 last_updated datetime NULL,
 PRIMARY KEY (currencies_id)
);

 

And change to this:

 

DROP TABLE IF EXISTS currencies;
CREATE TABLE currencies (
 currencies_id int NOT NULL auto_increment,
 title varchar(32) NOT NULL,
 code char(3) COLLATE latin1_bin NOT NULL,
 symbol_left varchar(12),
 symbol_right varchar(12),
 decimal_point char(1),
 thousands_point char(1),
 decimal_places char(1),
 value float(13,8),
 last_updated datetime NULL,
 PRIMARY KEY (currencies_id)
);

 

Which is obviously good for the latin1 CHARACTER SET

 

You can do the same to a backup, if you don't want to go into phpMyAdmin. BUT KEEP AN UNEDITED COPY OF THE BACKUP......Just in case! ;)


No. When you set a new default currency, you need to set the value to 1.00 then hit Update Currencies. Then check in includes/languages/english.php that the default is what you want - GBP

 

define('LANGUAGE_CURRENCY', 'GBP');

 

Thank you for that. More settings that I hadn't found! I'm still very new to all of this!

 

Although I changed the default currency to GBP and set the value to 1.00 – it didn’t change in includes/languages/english.php – so I had to do it manually. However, fixing the bug (before changing english.php) appeared to correct the problem.


Hi,

 

Regarding this post

Sorry, but you are not quite right. Try this:

 

http://demo.oscommerce.com/product_info.ph...mp;currency=usd

 

and then, add to cart, proceed to checkout.

Note, you WILL BE ABLE to download this. The product price is still zero during ALL the checkout process.

 

Please note also this is not a flood post, this bug really exists, because we know a number of stores have had this problem recently - by paying 0.01 (0.01 PayPal fee for price zero) with PayPal and downloading a product which costs about $500...

 

Best bug fixing,

 

Advance

Thank you for posting this problem and the fix. I have used your fix until an official bug fix is done.


Hi All..

 

The official fix for this can be found here:

 

http://svn.oscommerce.com/fisheye/changelo...mmerce/?cs=1585

 

This will be included soon in the next 2.2 update release.

 

On a side note, the profile of the original poster (Advance) has been banned as it is a duplicate account of Anatolij (the first replier in this thread). The banning of that account has nothing to do with this bug report.

:heart:, osCommerce


Hi All..

 

The official fix for this can be found here:

 

http://svn.oscommerce.com/fisheye/changelo...mmerce/?cs=1585

 

This will be included soon in the next 2.2 update release.

 

On a side note, the profile of the original poster (Advance) has been banned as it is a duplicate account of Anatolij (the first replier in this thread). The banning of that account has nothing to do with this bug report.

Thanks Harold!

Bill Kellum

 

Sounds Good Productions

STS Tutorials & more: STSv4.6, STS Add-ons (STS Power Pack), STS V4 Forum STS Forum FREE TEMPLATE


I do prefer a coding solution to one which introduces a Character Set Collation into a field in that table - which would inevitably trip people up who have a different character set collation.

 

Thank you for the fix.

 

Vger
