
formid omitted from HTTP_POST_VARS in login, checkout etc.



I'm running an osCommerce 2.3.1 site on an Ubuntu Server 10.04.1 machine (Apache 2.2.14 / PHP 5.3.2 / MySQL 5.1.70). Recently I've been having problems when a user is trying to log in, check out or create a new account (i.e. pretty much do anything other than just browsing the store).


I've managed to track down the problem to the lines in create_account.php, login.php, etc. that check if the HTTP_POST_VARS contains a formid with a session token.


if ( ... && isset($HTTP_POST_VARS['formid']) && ($HTTP_POST_VARS['formid'] == $sessiontoken))


The problem is that it never does. A print_r($HTTP_POST_VARS) reveals that it contains all the expected information, except the formid string. If I comment out the check, at least account creation starts working as intended. From what I've gathered, though, formid is some sort of security measure, so I don't feel comfortable blindly removing the check in the "money handling" parts of the site.


Being new to the osCommerce code I'm at a loss as to where to go next. Does anyone know where this formid string is supposed to be injected, why it's not anymore, or perhaps maybe even how to solve the problem?
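
The check quoted in the post is a session-bound form token (anti-CSRF) comparison. The sketch below is an added example, not part of the original post and not osCommerce's own code: it shows the general pattern and reports which side of the comparison is missing instead of silently rejecting the request. The function names and sample requests are hypothetical and constructed for illustration, and it assumes PHP 7 or later for random_bytes().

```php
<?php
// Added illustration: function names are hypothetical, not osCommerce's API.

// Create the per-session token once and keep it in the session store.
function issue_token(array &$session): string {
    if (!isset($session['sessiontoken'])) {
        $session['sessiontoken'] = bin2hex(random_bytes(16));
    }
    return $session['sessiontoken'];
}

// The hidden field a form must carry for the server-side check to pass.
function hidden_formid_field(string $token): string {
    return '<input type="hidden" name="formid" value="'
        . htmlspecialchars($token, ENT_QUOTES) . '" />';
}

// Same comparison as in the post, but returning the reason for a failure.
function check_formid(array $post, array $session): string {
    if (!isset($session['sessiontoken'])) {
        return 'no-session-token';   // session lost or restarted between requests
    }
    if (!isset($post['formid']) || !is_string($post['formid'])) {
        return 'formid-missing';     // form was rendered without the hidden field
    }
    // Constant-time comparison of the stored token with the submitted one.
    return hash_equals($session['sessiontoken'], $post['formid'])
        ? 'ok' : 'formid-mismatch';
}

// Constructed sample requests (not captured traffic).
$session = [];
$token = issue_token($session);
echo hidden_formid_field($token), "\n";

$cases = [
    'tokenized form' => ['action' => 'process', 'formid' => $token],
    'field absent'   => ['action' => 'process'],
    'stale token'    => ['action' => 'process', 'formid' => str_repeat('0', 32)],
];
foreach ($cases as $label => $post) {
    printf("%-16s %s\n", $label, check_formid($post, $session));
}
```

Logging the returned reason separates a template that never emits the hidden field from a session that is not persisting across requests, so the check can stay in place while the cause is traced.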



This topic is now archived and is closed to further replies.
