spooks (Author) Posted March 15, 2010

And the resources folder? It's just for the doc files! I thought the instructions were quite straightforward; I didn't think people would go looking for stuff that's not there!! It takes a long time to write these docs and most of the time people don't even bother to read what you took the trouble to write (see how many times I post 'please read the doc'), so there is no incentive to spend ages making sure every little thing is blindingly obvious, especially as most of the time you get sod all thanks for all the work anyway!

Sam
Remember, what you think I meant may not be what I thought I meant when I said it.
Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
Follkes Posted March 16, 2010

I am sorry to bother you, but I always surf with no-script on and I didn't realize it was such a comfy tool.
spooks (Author) Posted March 16, 2010

> I always surf with no-script on.

You should perhaps shout that louder! The number here that rely on javascript/ajax script on their sites to the detriment of all else is scary; all too often I find sites that simply won't work with scripts off!!

Sam
Camilleah Posted March 16, 2010

Okay, I really want to secure my new but am having trouble with my very first contribution: Sam's Anti-hacker Account Mods. I uploaded all of the files to the original osCommerce 2.2rc2a, checked them with a compare tool, read the installation file, and read the instructions. Changed all the $HTTP_POST_VARS to $_POST for the new files. Here is my problem. I cannot create a profile. Once everything is filled in and the continue button is clicked I am sent back to the create profile page and have to re-enter everything. Also it does not recognize a profile I set up before the changes. Any help appreciated.
technoczech Posted March 16, 2010

Hi Sam,

First, many thanks for all you do for the community. I (and I know many others) have learned so much from your posts and contributions.

On to my question... I have a heavily modified site where I have already dinked with the create account, contact us, login page, and many others that allow input by the user. I've also already fixed my country code/state dropdown, removed the fax field, etc., etc. Consequently, I would like to only use the part of your contribution that sanitizes all the input strings. To do that, would I:

1. Put the account_secure.php file in my includes/functions directory
2. For any file with an input field, put:

require('includes/functions/account_secure.php');
clean_post ();

Is there anything else I would need to do?

Also, a remedial question (sorry, but I'm asking so I'll learn): the clean_post() goes in the file with the input field, and has to go after the require, but other than that does it matter where it's put in the file? At first I thought it had to go after the $_POST, but then I noticed the directions for address_book_process.php had it before.

Many thanks for your help!
spooks (Author) Posted March 16, 2010

> Here is my problem. I cannot create a profile. Once everything is filled in and the continue button is clicked I am sent back to the create profile page and have to re-enter everything.

Try using the supplied files; what you describe is abnormal. If there are errors in the input data you will return to the form with error messages, but the data will still be there, though sanitised. Also check your settings, as detailed in the doc.

PS When posting, info like server type, PHP and osC versions is best given in case of relevance.

Sam
spooks (Author) Posted March 17, 2010

> 1. Put the account_secure.php file in my includes/functions directory
> 2. For any file with an input field, put:
> require('includes/functions/account_secure.php');
> clean_post ();

Yes, that's fine, so long as it appears before any post vars are used. Remember the password issue that was the original idea of the add-on, & that you will lose all the advantages of the various input validations.

Sam
Camilleah Posted March 17, 2010

> Try using the supplied files; what you describe is abnormal. If there are errors in the input data you will return to the form with error messages, but the data will still be there, though sanitised. Also check your settings, as detailed in the doc.
> PS When posting, info like server type, PHP and osC versions is best given in case of relevance.

Thanks for taking the time to respond so quickly. I agree this sounds abnormal from all that I have read. Sorry for not including all the info you may need: Server Apache 2.0, PHP Version 4.3.9, osC 2.2rc2a.

So I restarted again by uploading osCommerce 2.2rc2a (it was working fine); next I uploaded all of the supplied files (now not working). Then I went back to the install file and changed the following, then using WinMerge I compared each file to make sure they were correct:

1. In account_password.php -> changed 2 instances of $HTTP_POST_VARS to $_POST
2. In login.php -> changed 2 instances of $HTTP_GET_VARS
3. In includes/modules/address_book_details.php -> changed 3 instances of $HTTP_GET_VARS
4. In checkout_shipping.php -> changed 7 instances of $HTTP_POST_VARS
5. In includes/languages/english.php -> added wording for ENTRY_PASSWORD_TEXT & ENTRY_PASSWORD_NEW_TEXT
6. Changed $strong_pw = false to true
7. Changed $login_box = false to true
8. Changed $no_fax = false to true

I did not change in the file /includes/functions/account_secure on line 47:

if (PHP_VERSION >= 4.1) $HTTP_POST_VARS =& $_POST;

(It didn't look like something I should change.)

After all of that I still have the following problems:

1. Cannot log in to an existing account -> error message saying no email and/or password
2. Forgot password page does not recognize the email address -> I verified it is in the database.
3. Create Account page does not work -> once the continue button is clicked it brings you back to a blank page with no errors except the date is March 17, 1900
4. Contact Us page gives errors for the last name, forgotten message warning, email address not valid -> even though all items were filled in correctly.

So what do you think is the problem, besides that I am new to this? Hopefully something easy. :unsure:
spooks (Author) Posted March 17, 2010 (edited)

The only thing I can think of is that your server is not recognising expressions correctly & so the sanitise function is wiping all the data (you do have a rather old PHP version!). Try the contact_us form (I assume you updated that too): if you leave the e-mail address blank, on submit you will get returned to the form with an error, and you should see what you placed before. If not, try commenting out the line clean_post (); i.e. change to

// clean_post ();

If your data issues vanish, then it's your server not recognising the regex expression; if so ask your host why the server appears not to understand perl syntax regex expressions. You could also check your error log to see if that is showing anything.

Edited March 17, 2010 by spooks

Sam
technoczech Posted March 17, 2010

> Yes, that's fine, so long as it appears before any post vars are used. Remember the password issue that was the original idea of the add-on, & that you will lose all the advantages of the various input validations.

Thanks so much Sam.

1. My passwords are already saved in hex format; is that enough?

2. I've already added most of the validations that I need for the various account pages, but will definitely be referencing this add-on if any of them turn out to not be good enough.

3. On my contact_us page I was already using this validation for the enquiry field:

$enquiry = strip_tags($_POST['enquiry']);
$enquiry = preg_replace ('/([\x80-\xff])/se','',$enquiry);

Using the clean_post function instead was taking out exclamation points and other characters normally used in the message text of emails, which, if it's a security issue, I'm glad to take out, but I needed to ask: since the $enquiry field is not written to the database, is the above validation enough? If it's not, is there still a way I can securely allow users to use periods and exclamation points in their message text?

4. I did my best to research what your regular expression is limiting, but it's like learning a really hard foreign language to me. Would you be willing to explain it in plain English if it wouldn't take too much time?

preg_replace("/[^\p{L}\p{M}\w\r@ :{}_.-]/i", "", urldecode($vars));

Thanks again for your time.
Camilleah Posted March 17, 2010

> The only thing I can think of is that your server is not recognising expressions correctly & so the sanitise function is wiping all the data (you do have a rather old PHP version!). Try the contact_us form (I assume you updated that too): if you leave the e-mail address blank, on submit you will get returned to the form with an error, and you should see what you placed before. If not, try commenting out the line clean_post (); i.e. change to // clean_post (); If your data issues vanish, then it's your server not recognising the regex expression; if so ask your host why the server appears not to understand perl syntax regex expressions. You could also check your error log to see if that is showing anything.

Yep! You're right! If I comment out the clean_post, the contact us page works. But I'm guessing doing that isn't a good thing.

As you suggested I also checked my error log and found:

1. PHP Notice: Undefined index: email_address in /xxxxxxxxxx/httpdocs/catalog/login.php on line 17, referer:
2. PHP Warning: Compilation failed: PCRE does not support \\L, \\l, \\N, \\P, \\p, \\U, \\u, or \\X at offset 3 in /xxxxxxxxxx/catalog/includes/functions/account_secure.php on line 39, referer:

Are these causing the problem and can it be fixed?
Follkes Posted March 17, 2010

Hi again. I have installed twice and always find the same stone in the road. Firefox and Internet Explorer (not a PHP error) show an error about codification if I add this piece of code in particular to login.php:

// anti-hacker account
require('includes/functions/account_secure.php');
$password = tep_to_hex($_POST['password']);
unset($_POST['password']);
if (!isset($_POST['email_address'])) {
  $_POST['email_address'] = $_GET['email_address'];
  unset($_GET['email_address']);
}
$email_address = '';
clean_post ();
// EOF anti-hacker account

Don't get me wrong, as I get "working" in contact_us, tell-a-friend or anything without login I have tested so far. Quite puzzled...
spooks (Author) Posted March 17, 2010

> 2. PHP Warning: Compilation failed: PCRE does not support \\L, \\l, \\N, \\P, \\p, \\U, \\u, or \\X at offset 3 in /xxxxxxxxxx/catalog/includes/functions/account_secure.php on line 39, referer:

OK, yes, it's as I expected: your server does not understand the expression. It's using PCRE rather than perl, & further, your PCRE is compiled without unicode support; you could ask your host to remedy that. The issue is that it doesn't understand \p{L}\p{M} in the line:

return preg_replace("/[^\p{L}\p{M}\w\r@ :{}_.-]/i", "", urldecode($vars));

within account_secure.php. You could alter that line to:

return preg_replace("/[^\w\r@ :{}_.-]/i", "", urldecode($vars));

but the result will be that any 'foreign chars' input will be removed, i.e. it's best if your host can sort their server. I hope they're not a re-seller!!

Sam
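For technoczech's question about what the expression limits, and for the PCRE fallback Sam gives above: the class [^...] is negated, so preg_replace deletes every character that is not a letter in any script (\p{L}), a combining mark (\p{M}), a word character (\w: ASCII letters, digits, underscore), a carriage return, or one of @ space : { } _ . - ; everything else, including < > ( ) ! and quotes, is removed, and urldecode() runs first so %3C cannot smuggle a < past the class. The following is an added example, not code from the add-on: it wraps the same class in a sanitiser that probes at runtime whether this PHP build's PCRE understands \p{L} and drops to the ASCII-only class when it does not. The function names (pcre_supports_unicode_properties, sanitise_value, clean_values) and the sample input are assumptions made for this example.

```php
<?php
// Added example, not the add-on's own code. Function names are assumptions.

// Does this PHP build's PCRE understand \p{L}? On a PCRE compiled without
// Unicode property support the pattern fails to compile ("PCRE does not
// support \L, \l, \N, \P, \p, ...") and preg_match() returns false.
function pcre_supports_unicode_properties() {
    return @preg_match('/\p{L}/', 'a') === 1;
}

// Strip everything except letters (\p{L}), combining marks (\p{M}), word
// characters (\w), CR, and the small punctuation set the add-on allows.
// urldecode() first so %3C / %3E cannot smuggle < and > past the class.
// Note that urldecode() also turns '+' into a space, so an address such as
// 'user+tag@example.com' comes out as 'user tag@example.com'.
function sanitise_value($value) {
    $value = urldecode($value);
    if (pcre_supports_unicode_properties()) {
        // Same class as account_secure.php. Add the 'u' modifier if your
        // pages and form posts are UTF-8; without it each byte of a
        // multibyte letter is tested on its own and accented characters
        // get mangled.
        return preg_replace("/[^\p{L}\p{M}\w\r@ :{}_.-]/i", "", $value);
    }
    // Fallback for PCRE without Unicode support (Sam's second line above):
    // ASCII word characters only, so non-ASCII letters in names and
    // addresses are silently dropped.
    return preg_replace("/[^\w\r@ :{}_.-]/i", "", $value);
}

// Apply the sanitiser to every scalar in a request array, recursing into
// nested arrays (e.g. checkbox groups), and return the cleaned copy.
function clean_values(array $values) {
    foreach ($values as $key => $value) {
        $values[$key] = is_array($value) ? clean_values($value) : sanitise_value($value);
    }
    return $values;
}

// Constructed sample input, including the probe Follkes typed into the form.
$sample_post = array(
    'firstname'     => '[w](o)%3Cr%3Ek|i*n^g',
    'email_address' => 'jane.doe@example.com',
    'comments'      => "Hello!\r\nPlease call.",
    'telephone'     => array('home' => '020 7946 0000 (ext. 12)'),
);

print_r(clean_values($sample_post));
// firstname     => working                 ([ ] ( ) < > | * ^ removed)
// email_address => jane.doe@example.com    (@ and . are allowed)
// comments      => "Hello\rPlease call."   (! and \n are not in the class)
// telephone     => [home] => 020 7946 0000 ext. 12
```

The probe in pcre_supports_unicode_properties() is the same compile failure Camilleah saw in her error log, caught once at runtime instead of on every request; the comments sample shows why technoczech lost his exclamation points and line feeds, since neither is in the allowed set.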
spooks (Author) Posted March 18, 2010

> I have installed twice and always find the same stone in the road. Firefox and Internet Explorer (not a PHP error) show an error about codification if I add this piece of code in particular to login.php. Don't get me wrong, as I get "working" in contact_us, tell-a-friend or anything without login I have tested so far.

I'm sorry, I can't tell what you mean. Do you have errors? Is something happening, or not happening? Please make your issue clear.

Sam
Follkes Posted March 18, 2010

Sorry, my previous post was severed somehow. If I add this piece of code to login.php:

// anti-hacker account
require('includes/functions/account_secure.php');
$password = tep_to_hex($_POST['password']);
unset($_POST['password']);
if (!isset($_POST['email_address'])) {
  $_POST['email_address'] = $_GET['email_address'];
  unset($_GET['email_address']);
}
$email_address = '';
clean_post ();
// EOF anti-hacker account

I get this Firefox crash: "Content encoding error. The page you are trying to view cannot be shown because it uses a compression format that is invalid or unsupported", and if using the original login.php it shows OK.
spooks (Author) Posted March 18, 2010

> I get this Firefox crash: "Content encoding error. The page you are trying to view cannot be shown because it uses a compression format that is invalid or unsupported", and if using the original login.php it shows OK.

It's your editor; it's referring to the encoding of the page, not code in the page. Use a proper editor: MS programs such as 'Word' etc. cause this, as does the file manager in admin. Edit your files with a proper text editor, such as HTML-Kit or Notepad++. You must also ensure you transfer your files by FTP in the correct mode: http://www.oscommerce.com/forums/topic/353800-how-to-ensure-your-images-have-valid-filenames/page__view__findpost__p__1484091

Sam
Follkes Posted March 18, 2010

Notepad++ and WAMP, no FTP involved, and as soon as I remove that piece of code I see the login page. Keep testing. BTW I only have 1 language, Spanish.
Follkes Posted March 18, 2010

And the PHP error log says:

PHP Notice: Undefined index: password in D:\wamp\www\hm\login.php on line 14
PHP Notice: Undefined index: email_address in D:\wamp\www\hm\login.php on line 17

>_<
spooks (Author) Posted March 18, 2010

> And the PHP error log says:
> PHP Notice: Undefined index: password in D:\wamp\www\hm\login.php on line 14
> PHP Notice: Undefined index: email_address in D:\wamp\www\hm\login.php on line 17

Those are notices, a minor issue, and can be ignored. As I said before, it's referring to the encoding of the page, not code in the page. You need to find what you are doing to create mal-encoded pages; they should have no encoding, just plain text.

Sam
Follkes Posted March 18, 2010

As far as I can see that piece of code in index.php triggers that Firefox error. I am using all your files in the contribution. With this:

// anti-hacker account
require('includes/functions/account_secure.php');
$password = tep_to_hex($_POST['password']);
unset($_POST['password']);
if (!isset($_POST['email_address'])) {
  $_POST['email_address'] = $_GET['email_address'];
  unset($_GET['email_address']);
}
$email_address = '';
clean_post ();
// EOF anti-hacker account

I still get the error. No index.php is shown. But with this:

// anti-hacker account
require('includes/functions/account_secure.php');
//$password = tep_to_hex($_POST['password']);
//unset($_POST['password']);
//if (!isset($_POST['email_address'])) {
//$_POST['email_address'] = $_GET['email_address']; unset($_GET['email_address']);
//}
//$email_address = '';
clean_post ();
// EOF anti-hacker account

it shows login.php, I can try [w](o)%3Cr%3Ek|i*n^g and I get "working"...... :huh:
spooks (Author) Posted March 18, 2010

Perhaps you have your server set up oddly; of course Windows is not the best type of server to use. You need to use the tep_to_hex function; the e-mail stuff is just for convenience. The sanitise is working as you have left that part in. Upload your files to a real server (Linux), I bet you will find it all fine, or install Linux onto your PC; the basic is a lot more straightforward than Windows & it will install alongside your existing. I recommend Fedora 12. There are quite a number of areas within osC (add-ons) that won't work under Windows most times.

Sam
Follkes Posted March 19, 2010

> Perhaps you have your server set up oddly; of course Windows is not the best type of server to use. You need to use the tep_to_hex function; the e-mail stuff is just for convenience. The sanitise is working as you have left that part in. Upload your files to a real server (Linux), I bet you will find it all fine, or install Linux onto your PC; the basic is a lot more straightforward than Windows & it will install alongside your existing. I recommend Fedora 12. There are quite a number of areas within osC (add-ons) that won't work under Windows most times.

Indeed. I uploaded the WAMP version to my Linux server online, a kind of shadow shop, and once I modified the configure file I saw login.php without problem. There is the thing of adapting the language files you provided to Spanish.

PD. I also use openSUSE 11.2 but not with LAMP or similar... another thing to do...

Regards
Follkes Posted March 20, 2010

Sam, have you ever tried it in Firefox with the "remember password" feature ON? It keeps seeing the postal code field as the password... quite odd. "Want to remember 3355 as your password?" Other fields get a clean "working". This time it is online with a Linux server.
spooks (Author) Posted March 20, 2010

> Sam, have you ever tried it in Firefox with the "remember password" feature ON? It keeps seeing the postal code field as the password... quite odd. "Want to remember 3355 as your password?" Other fields get a clean "working". This time it is online with a Linux server.

It's not taking the postcode field as the password, but as the id or name for the account. It's a Firefox error; there's not a lot I can do, the field names & ids are unchanged from the default osC & it would be a bad idea to vary from that. What Firefox is actually doing is taking the last input field before the password fields & assuming that's the 'id' field for the account. If you move the email field to below the country field, it gets the right one!!

Sam
Follkes Posted March 21, 2010

Hi Sam. At first I thought it was cos I unticked gender and dob in the admin panel. But after setting those on again, still the same failure. I guess it is my PC and my Firefox... I see "working" everywhere!! Cheers!!