MS2.2 to RC2A - register global variables

[lee the bean]

My hosting provider updated php from 4.4.9 to 5.2.14 which left my osC ver2 MS2 unusable, although provider stated that there are no issues with PHP5 and RC2A (which they recommend I upgrade too). Luckily they allow the PHP server version to be selected via .htaccess so a simple change allowed my MS2.2 release to continue to run.

 

I have now nearly finished testing RC2A and added back my contributions / ammendments installed on the MS2.2 basic release. I have found (so far) 2 ammendments that will not work on php5 without turning on register global variables (r-g-v is not needed for RC2A as I understand it and presents a security risk - also future releases of php may disallow the turning on of r-g-v).

 

The 2 I'll highlight here are:

 

1. Add Quantity Box - from installation documentation.pdf page 93.

2. Easy Meta Tags for SEO 1.0.1 - http://addons.oscommerce.com/info/6360

 

Can someone let me know whether these 2 simple to install and wonderfully useful (with r-g-v on) enhancements can be easily changed in order for them to work with r-g-v turned off. If so, once I understand the logic of the change I'll be able to (hopefully) change any other contribs installed that only work with r-g-v turned on as I continue my testing. (I'm a novice).

 

Am I worrying too much about r-g-v being turned on - should I just continue testing RC2a / PHP5 with r-g-v turned on - as I'm able to do so at the moment.

 

Thanks in anticipation.

 

Lee

[MrPhil]

The add-ons could be modified to eliminate the use of r-g-v's. You would have to go into each file and determine what r-g-v(s) are being used -- look for variables that "magically appear out of nowhere" with values (read/used first without being explicitly written to). You can also look at the pages (files) sending the values via a form or URL Query String, and build a list of r-g-v's from that. Then in the receiving script, you add

$varname = $_REQUEST['varname'];

to capture each (former) r-g-v (before the first use of the former r-g-v $varname), rather than simply using $varname "out of thin air".

 

It requires carefully going through all files affected by the add-on. It's not rocket science, but you need to be methodical and have a good understanding of PHP. Is it worth doing? Well, eventually you can expect r-g-v's to be unavailable, so if your store is to be around for a while, it might be a good idea. Furthermore, r-g-v's are something of a security hazard, so everything you can do to secure your store is good. If dozens and dozens of files are hit, and/or your PHP skills are shaky, you might want to think about not doing this (for now), but otherwise I'd go for it. It will be two less things to worry about while you run your store (loss of function at a later PHP upgrade, and hacks using r-g-v's right now). If you want to put it off for a while while your PHP skills improve, you can always fix the files one by one with a running store (keep backups!).

 

You might look to see if more up-to-date add-ons are available to do the same thing as the two you listed, that don't use r-g-v's.

[lee the bean]

Thanks Phil, can you help further (I'm having a blonde moment).

 

source file has call to metatags,php

 

metatags.php has following code:

define("PREFIX_TITLE", "Some Nice Words: ");
function MetaTagTitle($id, $lid) {
 $languages_id=(int)$lid;

 $Title = TITLE; // Defaults to global TITLE definition

 $product_name_query = tep_db_query("select products_name from " . TABLE_PRODUCTS_DESCRIPTION . " where products_id = '" . $id . "' and language_id = '" . (int)$languages_id . "'");
 $product_name = tep_db_fetch_array($product_name_query);

 if (tep_not_null($product_name['products_name'])) {
 	$Title = PREFIX_TITLE . $product_name['products_name'];
 }
 $Title = str_replace('<br>', ' ', $Title);

 return ($Title);
}

back to source file which has this code (presumably using $Title info

<TITLE><?php echo MetaTagTitle($products_id, $languages_id); ?></TITLE>

 

How do I use the $_REQUEST in this example for it to work.

 

Thanks in anticipation.

[MrPhil]

There's nothing in the code you showed (MegaTagTitle() function) that uses r-g-v's. In the <TITLE> line, can you account for the variables $products_id and $languages_id? That is, where do they come from? If they just "magically" appear out of thin air, and came in from a form or from another page via the URL (products_id=123&languages_id=2), you would add lines

$products_id = $_REQUEST['products_id'];
$languages_id = $_REQUEST['languages_id'];

somewhere before the <TITLE> line.

[lee the bean]

Phil, you're a *star*.

 

Logic understood and both ammendments are now working as wonderfully as they always have (under MS2.2). I think I should be able to tackle any others that I find as I continue testing (which I'm sure I nearly have now). Cant wait to go live. Thanks for your help.

 

Lee

[MrPhil]

Sounds good. If you've migrated to the final release, 2.2 RC2a (there is a 2.3 promised, but I wouldn't hold my breath), you've done about all you can until the time (if and when) 2.3 or 3.0 actually are released (they should be PHP 5.3 compatible). How are you set for your database? Sooner or later your host will move you up to MySQL 5, which will break a number of things in 2.2 (don't know about 2.3 or 3.0). Fortunately, the fixes are easy, and backwards compatible to MySQL 4: http://www.oscommerce.com/forums/topic/335136-osc-and-mysql-5-1054-errors