Fresh Start Posted February 8, 2011

> Install Security Pro, test your payment system. Any problems you can add the payment system file to the file excludes as per the instructions.

FWR Media,

Many thanks, will do! Sorry to be a pain!!

Kind regards, Peter...

Fresh Start Posted February 8, 2011

> Install Security Pro, test your payment system. Any problems you can add the payment system file to the file excludes as per the instructions.

Hello again,

Just uploaded to 'includes/modules', although not currently ready to test payment system yet. Checking the KISS document, I note this;

catalog/includes/application_top.php

Find ...

    if ($request_type == 'NONSSL') {

Add immediately ABOVE ...

    // Security Pro by FWR Media
    include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
    $security_pro = new Fwr_Media_Security_Pro;
    // If you need to exclude a file from cleansing then you can add it like below
    //$security_pro->addExclusion( 'some_file.php' );
    $security_pro->cleanse( $PHP_SELF );
    // End - Security Pro by FWR Media

That's it .. all installed!

Have found this line of code, but did not see any mention of FWR in the application_top.php file (should I)? Do I have to activate the Security Plus code using another method (thought it was automatic)? Thought I had followed the install advice correctly - have I? Sorry about the confusion here :'(

Kind regards, Peter...

pdcelec Posted February 8, 2011

> Hello again,
>
> Just uploaded to 'includes/modules', although not currently ready to test payment system yet. Checking the KISS document, I note this;
>
> catalog/includes/application_top.php
>
> Find ...
>
>     if ($request_type == 'NONSSL') {
>
> Add immediately ABOVE ...
>
>     // Security Pro by FWR Media
>     include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
>     $security_pro = new Fwr_Media_Security_Pro;
>     // If you need to exclude a file from cleansing then you can add it like below
>     //$security_pro->addExclusion( 'some_file.php' );
>     $security_pro->cleanse( $PHP_SELF );
>     // End - Security Pro by FWR Media
>
> That's it .. all installed!
>
> Have found this line of code, but did not see any mention of FWR in the application_top.php file (should I)? Do I have to activate the Security Plus code using another method (thought it was automatic)? Thought I had followed the install advice correctly - have I? Sorry about the confusion here :'(

This is how it will be after you have added it

    // Security Pro by FWR Media
    include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
    $security_pro = new Fwr_Media_Security_Pro;
    // If you need to exclude a file from cleansing then you can add it like below
    //$security_pro->addExclusion( 'some_file.php' );
    $security_pro->cleanse( $PHP_SELF );
    // End - Security Pro by FWR Media

    if ($request_type == 'NONSSL') {

Fresh Start Posted February 8, 2011

> Peter;
>
> Add this:
>
>     // Security Pro by FWR Media
>     include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
>     $security_pro = new Fwr_Media_Security_Pro;
>     // If you need to exclude a file from cleansing then you can add it like below
>     //$security_pro->addExclusion( 'some_file.php' );
>     $security_pro->cleanse( $PHP_SELF );
>     // End - Security Pro by FWR Media
>
> ABOVE this existing line of code:
>
>     if ($request_type == 'NONSSL') {

Hello Burt,

Many thanks for this and thanks to all for your patience. Have added the code, will test out asap - fingers crossed!

Kind regards, Peter...

Fresh Start Posted February 9, 2011

> Hello Burt,
>
> Many thanks for this and thanks to all for your patience. Have added the code, will test out asap - fingers crossed!

Hello Burt / all,

Update. Tested two test sites this morning. Purchased items / refunded monies / appeared to be redirected to correct pages - fingers crossed, but up to now, things appear to still be working correctly.

I did notice something prior to beginning the tests, but that may not be associated with the installation of Security Plus? Initially, found it difficult to access the site(s) and in one case did not need to enter my password to access the admin section (which I had renamed and password protected). These issues have since disappeared? Strange?

Anyway, I shall stop talking and get on with the next security 'patch' installation.

Many thanks guys.

Kind regards, Peter...

s0nny61 Posted February 13, 2011

I installed Security Pro 2.0 ( r7 ) and everything seems to be working fine except now the link (For more information, please visit this products "webpage".) on the products pages. When clicked it takes you to index.htm, does not go to the url I entered.

I uninstalled Security Pro 2.0 ( r7 ) and all that link works again.

Any ideas?

Sonny

FWR Media (Author) Posted February 13, 2011

> I installed Security Pro 2.0 ( r7 ) and everything seems to be working fine except now the link (For more information, please visit this products "webpage".) on the products pages. When clicked it takes you to index.htm, does not go to the url I entered.
>
> I uninstalled Security Pro 2.0 ( r7 ) and all that link works again.
>
> Any ideas?
>
> Sonny

Please read this support thread.

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls
KissMT Dynamic SEO Meta & Canonical Header Tags
KissER Error Handling and Debugging
KissIT Image Thumbnailer
Security Pro - Querystring protection against hackers ( a KISS contribution )
If you found my post useful please click the "Like This" button to the right.
Please only PM me for paid work.

s0nny61 Posted February 13, 2011

> Please read this support thread.

Thanks for direction. I read the whole thread. Exclude redirect.php, is this correct?

Sonny

s0nny61 Posted February 14, 2011

I tried both methods to fix my problem with the link not working (For more information, please visit this products "webpage".) on the products pages:

---------------------------

#1) Excluding Certain Files from Cleansing

    var $excluded_from_cleansing = array( 'protx_process.php', 'redirect.php' );

And

#2) Modifying the product url code for Security Pro

catalog/product_info.php

Find:

    <td class="main"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=' . urlencode($product_info['products_url']), 'NONSSL', true, false)); ?></td>

Change to:

    <td class="main"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=product&products_id=' . (int)$HTTP_GET_VARS['products_id'], 'NONSSL', true, false)); ?></td>

----------------

catalog/redirect.php

Find:

    case 'url':
      if (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
        $check_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . tep_db_input($HTTP_GET_VARS['goto']) . "' limit 1");
        if (tep_db_num_rows($check_query)) {
          tep_redirect('http://' . $HTTP_GET_VARS['goto']);
        }
      }
      break;

Change to:

    case 'url':
      if ( ( isset( $HTTP_GET_VARS['goto'] ) && ( $HTTP_GET_VARS['goto'] == 'product' ) ) && ( isset( $HTTP_GET_VARS['products_id'] ) && is_numeric( $HTTP_GET_VARS['products_id'] ) ) ) {
        $url_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_id = '" . (int)$HTTP_GET_VARS['products_id'] . "'");
        if (tep_db_num_rows($url_query)) {
          $row = tep_db_fetch_array( $url_query );
          tep_db_free_result( $url_query );
          if ( tep_not_null( $row['products_url'] ) ) {
            tep_redirect('http://' . $row['products_url']);
          }
        }
      } elseif (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
        $check_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . tep_db_input($HTTP_GET_VARS['goto']) . "' limit 1");
        if (tep_db_num_rows($check_query)) {
          tep_redirect('http://' . $HTTP_GET_VARS['goto']);
        }
      }
      break;

Both work, but chose to use Modifying the product url code for Security Pro because the installation file states:

> A word of warning: Try your hardest not to exclude files in this manner. If they are payment or shipping files then fine .. but not for badly written contributions, in these cases the contribution should be modified so that it no longer passes bad characters. Also never be tempted to weaken Security Pro by adding characters to the whitelist, you will restrict the scripts ability to do its job.

Hope I made the better choice!!!

Thank you for the contribution FWR Media.

Best Regards,
Sonny

FWR Media (Author) Posted February 14, 2011

> Hope I made the better choice!!!
>
> Thank you for the contribution FWR Media.
>
> Best Regards,
> Sonny

You did indeed.

Guest Posted February 17, 2011

I have a question on what version of security pro to install on a new site. I notice that SecurityPro_1.0.2 has an installer.php script. 2.0 only has fwr_media_security_pro. Should I install 1.0.2 first then upgrade?? I tried reading here first but didn't find anything.

Thank You
DWP

FWR Media (Author) Posted February 17, 2011

> I have a question on what version of security pro to install on a new site. I notice that SecurityPro_1.0.2 has an installer.php script. 2.0 only has fwr_media_security_pro. Should I install 1.0.2 first then upgrade?? I tried reading here first but didn't find anything.
>
> Thank You
> DWP

2.0 is a full product and needs no database install.

Guest Posted February 17, 2011

Thank you, working so far

DWP

artstyle Posted February 20, 2011

Hi,

I added the latest version of Security Pro and it works for the English version of my site. My site also has Greek language installed. When I add the edit for special characters I get

    Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/**/includes/modules/fwr_media_security_pro.php:1) in /home/*/includes/functions/sessions.php on line 98

I used notepad to save the file. My charset on the site is 'CHARSET', 'iso-8859-7'. The choices on notepad are ANSI, unicode, unicode big endian and UTF-8. I used UTF-8. I know someone had a similar problem and you said this usually means a space or BOM before the opening <?php tag. There is no space, and I'm not sure what a BOM is.

I also read that someone used

    $cleansed = preg_replace( "/[^\s{}a-z0-9äüöéèê_\.\-]/i", "", urldecode( $get ) );

So my question is if I just add the Greek letters small and capital in the code above is it the same or just as good as trying to get the code below to work? Am I saving it in the wrong charset? Any help is greatly appreciated. Thank you in advance.

I am adding the edit I made in case I made a mistake:

    function spro_cleanse_get_recursive( $get ) {
      /**
      * IMPORTANT - DO NOT use the below to gimp the whitelist, this should be used for valid language special characters only
      *
      * @example $lang_additions = 'åÅäÄöÖ';
      * @var string - Valid language special characters to be added to the whitelist
      */
      $lang_additions = 'αβγ'; // Special language characters go here - see the example above
      if ( !is_array( $get ) ) {
        $banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';
        // Apply the whitelist
        $pattern = "/[^\s{}a-z0-9_\.\-" . $lang_additions . "]/i";
        $cleansed = preg_replace( $pattern, "", urldecode( $get ) );
        // Remove banned words
        $cleansed = preg_replace( $banned_string_pattern, '', $cleansed );
        // Ensure that a clever hacker hasn't gained himself a naughty double hyphen -- after our cleansing
        return preg_replace( '@[-]+@', '-', $cleansed );
      }
      // Add the preg_replace to every element.
      return array_map( 'spro_cleanse_get_recursive', $get );
    }

    /**
    * Security Pro Querystring whitelist protection against hacking.

Edited February 20, 2011 by artstyle

FWR Media (Author) Posted February 20, 2011

> I used notepad to save the file. My charset on the site is 'CHARSET', 'iso-8859-7'. The choices on notepad are ANSI, unicode, unicode big endian and UTF-8. I used UTF-8. I know someone had a similar problem and you said this usually means a space or BOM before the opening <?php tag. There is no space, and I'm not sure what a BOM is.

If you are adding special language characters to a file then the file has to be saved as the correct charset ( in this case ISO-8859-7 ) and no, UTF-8 is a different charset.

Try using a more capable flat file editor .. although I don't use it notepad++ gets a lot of good reviews and it's free.

notepad++ has an option to save without BOM, which should always be the case with PHP files.

Edited February 20, 2011 by FWR Media

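The two failure modes in this exchange, shown as an added example that is not part of the thread or of Security Pro: bytes in front of the opening tag, and whitelist additions saved in a different charset from the one request data arrives in. The helper names `leading_output()` and `whitelist()` are hypothetical and every byte string is a constructed sample.

```php
<?php
// Added illustration; helper names are hypothetical, byte strings are constructed samples.

// Anything in front of the opening tag (a BOM, a space, a blank line) is sent as
// output from line 1 of the file, after which session_start() cannot send headers.
function leading_output( $bytes ) {
  if ( strncmp( $bytes, "\xEF\xBB\xBF", 3 ) === 0 ) return 'UTF-8 BOM';
  if ( strncmp( $bytes, "\xFF\xFE", 2 ) === 0 || strncmp( $bytes, "\xFE\xFF", 2 ) === 0 ) return 'UTF-16 BOM';
  if ( strncmp( $bytes, '<?php', 5 ) !== 0 ) return 'text before the opening tag';
  return 'none';
}

// The whitelist step from the function quoted above, with the language additions
// passed in as the raw bytes the editor wrote into the file.
function whitelist( $value, $lang_additions ) {
  return preg_replace( "/[^\s{}a-z0-9_\.\-" . $lang_additions . "]/i", "", $value );
}

// Alpha, beta, gamma as each "save as" choice stores them.
$saved_as_iso_8859_7 = "\xE1\xE2\xE3";             // one byte per letter
$saved_as_utf8       = "\xCE\xB1\xCE\xB2\xCE\xB3"; // two bytes per letter

// A request value as it arrives on a site served as iso-8859-7: alpha beta gamma, space, abc.
$request_value = "\xE1\xE2\xE3 abc";

$files = array(
  'saved as UTF-8 with BOM' => "\xEF\xBB\xBF<?php\n",
  'saved without BOM'       => "<?php\n",
  'blank line first'        => "\n<?php\n",
);
foreach ( $files as $label => $bytes ) {
  printf( "%-24s leading output: %s\n", $label, leading_output( $bytes ) );
}

// The pattern is matched byte by byte, so the additions only help when their
// bytes are the same bytes the request carries.
$variants = array( 'ISO-8859-7 file' => $saved_as_iso_8859_7, 'UTF-8 file' => $saved_as_utf8 );
foreach ( $variants as $label => $additions ) {
  $kept = whitelist( $request_value, $additions );
  printf( "%-24s keeps %d of %d bytes: %s\n", $label, strlen( $kept ), strlen( $request_value ), bin2hex( $kept ) );
}
```
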
artstyle Posted February 20, 2011

Thank you very much! I downloaded notepad++ and I was able to save in the correct format. The contribution works great. Thanks again!

samtiger Posted February 23, 2011

Hello,

Do I need to install the full Security Pro 1.02 and THEN upgrade to 2.0? The instructions for 2.0 are very simple and don't mention that anything from 1.02 is required.

I installed 2.0 and added the additions to application_top.php and copied over the security_pro.php file to catalog/includes/modules but it doesn't seem to work when I apply the test string [w](o)%3Cr%3Ek|i*n^g in the search box. I get the following result in my url:

http://www.mydomain.com/advanced_search_result.php?keywords=%5Bw%5D%28o%29%253Cr%253Ek%7Ci*n%5Eg&x=33&y=8

Thank-you in advance for instructions on how to get this great contribution to work.

Regards,
Sam

FWR Media (Author) Posted February 23, 2011

> Hello,
>
> Do I need to install the full Security Pro 1.02 and THEN upgrade to 2.0? The instructions for 2.0 are very simple and don't mention that anything from 1.02 is required.
>
> I installed 2.0 and added the additions to application_top.php and copied over the security_pro.php file to catalog/includes/modules but it doesn't seem to work when I apply the test string [w](o)%3Cr%3Ek|i*n^g in the search box. I get the following result in my url:
>
> http://www.mydomain....*n%5Eg&x=33&y=8
>
> Thank-you in advance for instructions on how to get this great contribution to work.
>
> Regards,
> Sam

Please see post #237

What's in the URL is unimportant. What is in _GET and HTTP_GET_VARS is what matters.

RMD27 Posted February 24, 2011

Hi Robert

Is Security Pro compatible with this contribution? http://addons.oscommerce.com/info/5390

I have no clue about php and I saw you write this

"The concept here (not a new one) is to totally sanitise the incoming ($_GET/$HTTP_GET_VARS) at source (the top of catalog/includes/application_top.php) then to sanitise $_REQUEST by $_REQUEST = $_GET + $_POST (Yes we lost $_COOKIE)."

and it made me wonder if it would disable the contribution Cart Cookie?

Fresh Start Posted February 28, 2011

Hello all,

Having installed Security Pro in the last few weeks, is there a very simple way for me to test that it is actually working, without my causing too much damage to my current test site >_<

Kind regards, Peter...

FWR Media (Author) Posted February 28, 2011

> Hello all,
>
> Having installed Security Pro in the last few weeks, is there a very simple way for me to test that it is actually working, without my causing too much damage to my current test site >_<

Well on a standard osCommerce you would put the test code in the search box and press return. When you look again at the search box it should have been reduced to just "working".

Fresh Start Posted February 28, 2011

Hi all,

Many thanks for the swift response! Have just cut and pasted the '[w](o)%3Cr%3Ek|i*n^g' characters into the search box and it came back with 'working'. All ok?

Kind regards, Peter...

FWR Media (Author) Posted February 28, 2011

> Hi all,
>
> Many thanks for the swift response! Have just cut and pasted the '[w](o)%3Cr%3Ek|i*n^g' characters into the search box and it came back with 'working'. All ok?

Yup

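Why the search box test reduces to "working" while the address bar still shows the encoded string, as an added example that is not part of the thread or of the shipped Security Pro file. The patterns are copied from the function quoted earlier in the thread with `$lang_additions` left empty; `demo_cleanse()` is a hypothetical name, `parse_str()` stands in for PHP building `$_GET`, and the last input is constructed.

```php
<?php
// Added illustration, not the contribution's own file. Patterns copied from the
// function quoted earlier in the thread; demo_cleanse() is a hypothetical name.
function demo_cleanse( $get ) {
  if ( !is_array( $get ) ) {
    $banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';
    // Whitelist: whitespace, braces, letters, digits, underscore, dot, hyphen
    $cleansed = preg_replace( "/[^\s{}a-z0-9_\.\-]/i", "", urldecode( $get ) );
    // Remove banned words
    $cleansed = preg_replace( $banned_string_pattern, '', $cleansed );
    // Collapse runs of hyphens left behind by the two steps above
    return preg_replace( '@[-]+@', '-', $cleansed );
  }
  // Arrays are cleansed element by element
  return array_map( 'demo_cleanse', $get );
}

// The URL posted above. This is what the browser sent; cleansing never rewrites it.
$url = 'http://www.mydomain.com/advanced_search_result.php?keywords=%5Bw%5D%28o%29%253Cr%253Ek%7Ci*n%5Eg&x=33&y=8';
$query = parse_url( $url, PHP_URL_QUERY );

// Stage 1: PHP decodes the query string once when it builds $_GET.
// parse_str() applies the same decoding, so $get stands in for $_GET here.
parse_str( $query, $get );

// Stage 2: the cleanse step replaces the values in the array the shop code reads.
$clean = demo_cleanse( $get );

$stages = array(
  'address bar'    => $query,
  'raw $_GET'      => $get['keywords'],
  'cleansed $_GET' => $clean['keywords'],
);
foreach ( $stages as $label => $value ) {
  printf( "%-15s %s\n", $label . ':', $value );
}

// Constructed input: removing a banned word can join two hyphens that were apart,
// which is why the hyphen collapse runs last. Nested arrays are handled recursively.
$extra = demo_cleanse( array( 'sort' => '2a', 'filter' => array( 'a-UNION-b' ) ) );
printf( "%-15s %s\n", 'nested value:', $extra['filter'][0] );
```
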
starcarlton Posted March 2, 2011

I have installed security pro file fwr_media_security_pro into this folder per the instructions includes/modules/

Then made the changes in application_top.php but when I put the query in my site's search bar: [w](o)%3Cr%3Ek|i*n^g it did not say "working" it just shows nothing.

rc2a version

any ideas?

usabn Posted March 2, 2011

Just installed on a test site and got the following error:

    Fatal error: Call to a member function cleanse() on a non-object in /home/username/public_html/includes/application_top.php on line 57

The compatibility functions are called after this, so I'm not sure where to proceed. Any help would be appreciated.