Guest Posted April 13, 2005 (edited)

> I've got some trouble in combination with the "official PayPal IPN module" and this register_globals patch

OK, in case others have the same issue, I've found a better fix now.

Change (includes/modules/payment/paypal_ipn.php):

    if (tep_session_is_registered('cartID')) {

to

    // if (tep_session_is_registered('cartID')) {
    // PandA.nl: register_globals fix!?
    if (array_key_exists('cartID', $_SESSION)) {

end fix
/***********************************/

Notes: it appears that

    function tep_session_is_registered($variable) {
      return session_is_registered($variable);
    }

returns TRUE if the key for $variable exists in the SESSION array, even if $variable does not have a value assigned, but

    function tep_session_is_registered($variable) {
      return isset($_SESSION[$variable]);
    }

returns FALSE if the key exists for $variable, but $variable does not have a value assigned.

Of course it's quite rare that a SESSION variable exists and does not have a value at the same time. This seems like a bug/flaw to me, although I'm not sure if it's an osC bug (to add an empty var to the session array, and check for the existence later), and/or if the sessions.php function of the register_globals patch should be updated like this:

change:

    function tep_session_is_registered($variable) {
      return isset($_SESSION[$variable]);
    }

to:

    function tep_session_is_registered($variable) {
      return array_key_exists($variable, $_SESSION);
    }

?? or something like that? So that empty session vars will be detected as registered too.

Edited April 13, 2005 by PandA.nl

Guest Posted April 13, 2005

New note: it's also possible/likely that $_SESSION['cartID'] actually should have a value at the time it's checked by the PayPal module. And that would mean detecting the null value as true is an error!

Anybody around that knows more about this cartID? Or that is willing to test its value on another (test) shop?

djashjones Posted May 5, 2005

Just installed this to my live shop & I have 2 major payment problems.

If a customer pays via worldpay then I don't get the order. The order is lost but I have his cash :huh:

If a customer pays via paypal then I get the order but no order email (order process). The ipn is showing on the ipn list.

theoverer Posted May 14, 2005 (edited)

Hello, I want to install the Multi-Stores Contribution on my register_global off webserver. So I tried to integrate this Contribution in the multi-stores Contribution. The shop itself seems to work too, but I am not able to get into the administrators area. Instead of the login page I get an error (something like a loop). I think the problem is in /catalog/admin/includes/functions/administrators.php, because when I uncomment the code in the "RequireLoginValidForPage" function it loads the background of the page and some text. So maybe you can tell me where the problem is? Here is the code of this page:

    <?php
    // Admin menu boxes and the headings shown for them
    $aADMBoxes = array (
      'configuration.php' => BOX_HEADING_CONFIGURATION,
      'modules.php' => BOX_HEADING_MODULES,
      'catalog.php' => BOX_HEADING_CATALOG,
      'stores.php' => BOX_HEADING_STORES,
      'customers.php' => BOX_HEADING_CUSTOMERS,
      'orders.php' => BOX_HEADING_ORDERS, //rmh M-S_multi-stores
      'taxes.php' => BOX_HEADING_LOCATION_AND_TAXES,
      'localization.php' => BOX_HEADING_LOCALIZATION,
      'reports.php' => BOX_HEADING_REPORTS,
      'tools.php' => BOX_HEADING_TOOLS,
      'administrators.php' => BOX_HEADING_ADMINISTRATORS,
    );

    // associate all the admin pages with the box class that includes it
    $aADMPages = array(
      'configuration.php' => 'configuration.php',
      'index.php' => '*',
      'categories.php' => '*', // overwritten by the 'catalog.php' entry for the same key below
      'modules.php' => 'modules.php',
      'categories.php' => 'catalog.php',
      'products_price_schedules.php' => 'catalog.php', //rmh M-S_pricing
      'products_attributes.php' => 'catalog.php',
      'manufacturers.php' => 'catalog.php',
      'reviews.php' => 'catalog.php',
      'specials.php' => 'catalog.php',
      'products_expected.php' => 'catalog.php',
      'customers.php' => 'customers.php',
      'customers_groups.php' => 'customers.php', //rmh M-S_pricing
      'orders.php' => 'orders.php', //rmh M-S_multi-stores
      'invoice.php' => 'orders.php', //rmh M-S_multi-stores
      'packingslip.php' => 'orders.php', //rmh M-S_multi-stores
      'countries.php' => 'taxes.php',
      'zones.php' => 'taxes.php',
      'geo_zones.php' => 'taxes.php',
      'tax_classes.php' => 'taxes.php',
      'tax_rates.php' => 'taxes.php',
      'currencies.php' => 'localization.php',
      'languages.php' => 'localization.php',
      'orders_status.php' => 'localization.php',
      'stats_products_viewed.php' => 'reports.php',
      'stats_products_purchased.php' => 'reports.php',
      'stats_customers.php' => 'reports.php',
      'backup.php' => 'tools.php',
      'banner_manager.php' => 'tools.php',
      'banner_statistics.php' => 'tools.php',
      'cache.php' => 'tools.php',
      'define_language.php' => 'tools.php',
      'file_manager.php' => 'tools.php',
      'mail.php' => 'tools.php',
      'newsletters.php' => 'tools.php',
      'server_info.php' => 'tools.php',
      'whos_online.php' => 'tools.php',
      'administrators.php' => 'administrators.php', //rmh M-S_multi-stores
      'distributors.php' => 'administrators.php', //rmh M-S_multi-stores
      'stores.php' => 'stores.php', //rmh M-S_multi-stores
    );

    // Redirect to login.php unless an administrator is logged in and is
    // allowed to see the box that the current page belongs to.
    function RequireLoginValidForPage( $aRetPage ) {
      global $PHP_SELF, $in_login, $login_id, $aADMPages;

      $aThisPage = basename( $PHP_SELF );
      $aRetPage = str_replace( $aThisPage, 'index.php', $aRetPage );
      if ( empty( $in_login ) ) {
        if ( !tep_session_is_registered( 'login_id' ) ) {
          header( 'Location: login.php?in_login=yes&retpage=' . urlencode( $aRetPage ) . "\n" );
          exit; // stop here so the protected page is not rendered after the redirect
        } else {
          $aSQL = "select administrators_allowed_pages from ". TABLE_ADMINISTRATORS ." where administrators_id = '". $login_id ."'";
          $aRes = tep_db_query( $aSQL );
          if ( $aVal = tep_db_fetch_array( $aRes ) ) {
            $aPages = $aVal['administrators_allowed_pages'];
            // trim the stored value, then compare (the original trimmed the result of the comparison)
            if ( trim( $aPages ) != '*' ) {
              $aAllowedPages = explode( '|', $aPages );
              $aCurrentPageBox = $aADMPages[$aThisPage];
              if ( $aCurrentPageBox != '*' ) {
                if ( !in_array( $aCurrentPageBox, $aAllowedPages ) ) {
                  header( 'Location: login.php?' . urlencode( $aRetPage ) . "\n" );
                  exit; // stop here so the protected page is not rendered after the redirect
                }
              }
            }
          }
        }
      }
    }

    // True when the logged-in administrator may see the given menu box.
    function CanShowBox( $aBoxName ) {
      global $login_id;

      $aSQL = "select administrators_allowed_pages from ". TABLE_ADMINISTRATORS ." where administrators_id = '". $login_id . "'";
      $aRes = tep_db_query( $aSQL );
      if ( $aVal = tep_db_fetch_array( $aRes ) ) {
        $aPages = $aVal['administrators_allowed_pages'];
        // trim the stored value, then compare (the original trimmed the result of the comparison)
        if ( trim( $aPages ) != '*' ) {
          $aAllowedPages = explode( '|', $aPages );
          $aCurrentPageBox = $aBoxName;
          if ( in_array( $aCurrentPageBox, $aAllowedPages ) ) {
            return true;
          }
        } else {
          return true;
        }
      }
      return false;
    }
    ?>

Does anybody of you know how I can make this site work with register_globals off?

Thank you from Germany (and excuse my bad English)

Ole

Edited May 14, 2005 by theoverer

poorman Posted May 16, 2005

Did anyone get anywhere with the "official PayPal IPN" issues? I am using that and Authorize.net and I am told soon register globals will be turned off, am I dead?

Thanks.

The way of life, and the way we work for you.

djashjones Posted May 16, 2005

> Did anyone get anywhere with the "official PayPal IPN" issues? I am using that and Authorize.net and I am told soon register globals will be turned off, am I dead? Thanks.

Er? I think you are, mate. I posted my problem in the worldpay & paypal thread & still no joy.

The workaround is to add 'php_flag register_globals on' in your .htaccess file in the store's root directory.

With my version of paypal IPN v3.0a I've had to comment out the empty cart on checkout success as there was a global issue there, apart from that it's ok.

poorman Posted May 16, 2005

Thanks djashjones, I am looking at moving to a VPS soon, that will help me for now, but a real fix would be nice, or off to find a new cart and start all over, not my first choice....

The way of life, and the way we work for you.

djashjones Posted May 16, 2005

Hi, I know the feeling. X-cart is a better option which doesn't have this problem & is more secure & powerful, but like you I invested a lot of time & mods in my shop & don't really want to change. Maybe this issue will be addressed in the next MS or someone might find a fix.

ash.

morphir Posted July 30, 2005 (edited)

Hi, I would like to apply the Master Products module with register globals off. Anyone who could help me out with that one? All help is most appreciated!

Regards :thumbsup:

Edited July 30, 2005 by morphir

zoeticlight Posted August 18, 2005

> New note: it's also possible/likely that $_SESSION['cartID'] actually should have a value at the time it's checked by the PayPal module. And that would mean detecting the null value as true is an error! Anybody around that knows more about this cartID? Or that is willing to test its value on another (test) shop?

Alright, I've been racking my brain over this "osCommerce PayPal IPN Module v1.0 For 2.2MS2" contribution with the "Register Globals Off" contribution for days now. I'm just about to give up, but I'm too damn tenacious. At any rate, I've discovered something with regards to the $cartID session variable that I can't figure out, and it has absolutely nothing to do with the PayPal IPN module. Perhaps someone around here can explain. Here are the symptoms.

1. If the customer does not have any items stored in their cart from a previous session, adds one or more items to a cart, logs in, and continues to checkout, the $_SESSION['cartID'] variable WILL have a valid ID number. THIS WORKS CORRECTLY.

2. If the customer does not have any items stored in their cart from a previous session, logs in, adds one or more items to their cart, and continues to checkout, the $_SESSION['cartID'] variable WILL have a valid ID number. THIS WORKS CORRECTLY.

3. If the customer has items stored in their cart from a previous session, logs in, clears all items from their cart, adds one or more items to their cart, and continues to checkout, the $_SESSION['cartID'] variable WILL have a valid ID number. THIS WORKS CORRECTLY.

4. If the customer has items stored in their cart from a previous session, logs in, and continues to checkout without adding any additional items, the $_SESSION['cartID'] variable WILL NOT have a valid ID number. The variable is registered, but the value is null. THIS DOES NOT WORK CORRECTLY.

5. If the customer has items stored in their cart from a previous session, logs in, adds one or more items to their cart, and continues to checkout, the $_SESSION['cartID'] variable WILL NOT have a valid ID number. The variable is registered, but the value is null. THIS DOES NOT WORK CORRECTLY.

6. If the customer has items stored in their cart from a previous session, adds one or more items to their cart, logs in, and continues to checkout, the $_SESSION['cartID'] variable WILL NOT have a valid ID number. The variable is registered, but the value is null. THIS DOES NOT WORK CORRECTLY.

To see this in action, I added the following short bit of debugging code to checkout_confirmation.php to tell me what the $_SESSION variables were when the customer reached the checkout_confirmation.php page:

    echo "<pre>";
    print_r($_SESSION);
    echo "</pre>";

Find the following block of code around line 239 of checkout_confirmation.php:

    if (is_array($payment_modules->modules)) {
      if ($confirmation = $payment_modules->confirmation()) {
    ?>
          <tr>
            <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
          </tr>
          <tr>
            <td class="main"><b><?php echo HEADING_PAYMENT_INFORMATION; ?></b></td>
          </tr>
          <tr>
            <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
          </tr>
          <tr>
            <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
              <tr class="infoBoxContents">
                <td><table border="0" cellspacing="0" cellpadding="2">
                  <tr>
                    <td class="main" colspan="4"><?php echo $confirmation['title']; ?></td>
                  </tr>
    <?php
        for ($i=0, $n=sizeof($confirmation['fields']); $i<$n; $i++) {
    ?>
                  <tr>
                    <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
                    <td class="main"><?php echo $confirmation['fields'][$i]['title']; ?></td>
                    <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
                    <td class="main"><?php echo $confirmation['fields'][$i]['field']; ?></td>
                  </tr>
    <?php
        }
    ?>
                </table></td>
              </tr>
            </table></td>
          </tr>
    <?php
      }
    }

Add my debugging code at the end just before the last closing brace:

    if (is_array($payment_modules->modules)) {
      if ($confirmation = $payment_modules->confirmation()) {
    ?>
          <tr>
            <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
          </tr>
          <tr>
            <td class="main"><b><?php echo HEADING_PAYMENT_INFORMATION; ?></b></td>
          </tr>
          <tr>
            <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
          </tr>
          <tr>
            <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
              <tr class="infoBoxContents">
                <td><table border="0" cellspacing="0" cellpadding="2">
                  <tr>
                    <td class="main" colspan="4"><?php echo $confirmation['title']; ?></td>
                  </tr>
    <?php
        for ($i=0, $n=sizeof($confirmation['fields']); $i<$n; $i++) {
    ?>
                  <tr>
                    <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
                    <td class="main"><?php echo $confirmation['fields'][$i]['title']; ?></td>
                    <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
                    <td class="main"><?php echo $confirmation['fields'][$i]['field']; ?></td>
                  </tr>
    <?php
        }
    ?>
                </table></td>
              </tr>
            </table></td>
          </tr>
    <?php
      }
      echo "<pre>";
      print_r($_SESSION);
      echo "</pre>";
    }

Alright, with that in place, you'll be able to see what the value is for the $_SESSION['cartID'] variable under the conditions I've outlined above.

Also please note that this is not a problem with "osCommerce PayPal IPN Module v1.0 For 2.2MS2". In fact, these symptoms are still present when any of the payment modules are installed.

So...I'm not sure if this is an osCommerce bug or a PHP bug. I'd love to hear what others think about this and if anyone else has come across this. Does anyone have a solution? Should this be submitted as a bug to the developing team?

zoeticlight Posted August 19, 2005

Alright...I think I found a solution. But first off, I have to correct myself on point #1 noted above. In my haste, I wrote down the wrong outcome. This actually does not work properly. The revision is:

1. If the customer does not have any items stored in their cart from a previous session, adds one or more items to a cart, logs in, and continues to checkout, the $_SESSION['cartID'] variable WILL NOT have a valid ID number. The variable is registered, but the value is null. THIS DOES NOT WORK CORRECTLY.

Anyway, after looking through the shopping cart class, it appears that a temporary unique ID number is never assigned when the customer's basket is restored from the database (whether it's got items or not) after they log in and go directly to checkout without adding any additional items. In fact, the cartID is only set when an item is added to or removed from the cart.

So, to fix this, all I did was add the following line at the end of the cart_restore() function:

    // assign a temporary unique ID to the order contents to prevent hack attempts during the checkout procedure
    $this->cartID = $this->generate_cart_id();

Alright, I look forward to hearing a response from somebody a little more experienced than me. I've implemented this fix for now and will do some more testing, especially with "osCommerce PayPal IPN Module v1.0 For 2.2MS2", but I'd like someone else's opinion or thoughts. Perhaps I'm not seeing something that I should or there was a specific reason it was done this way.

Mike

zoeticlight Posted August 19, 2005

> So, to fix this, all I did was add the following line at the end of the cart_restore() function:

My bad...this function is actually: restore_contents()
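
The two findings in the posts above (a session key that is registered but null is reported differently by isset() and array_key_exists(), and a cart that is only restored never receives a cartID) can be reproduced together from the command line. This is an added example, not code from the thread or from osCommerce: DemoCart, cart_id_matches() and the flow "checkout copies the cart's ID into the session" are assumptions made for the illustration, and only the method names generate_cart_id() and restore_contents() come from the posts. It needs PHP 7 or later for random_int().

```php
<?php
// Added illustration. DemoCart is a constructed stand-in for the shop's cart
// class; only generate_cart_id() and restore_contents() are names from the thread.
class DemoCart
{
    public $contents = array();
    public $cartID = null;
    private $assignIdOnRestore;

    public function __construct($assignIdOnRestore)
    {
        $this->assignIdOnRestore = $assignIdOnRestore;
    }

    // Constructed ID generator: a string of random digits.
    public function generate_cart_id($length = 5)
    {
        $id = '';
        for ($i = 0; $i < $length; $i++) {
            $id .= (string) random_int(0, 9);
        }
        return $id;
    }

    // Changing the contents issues a fresh ID.
    public function add_cart($productId, $qty = 1)
    {
        $this->contents[$productId] = $qty;
        $this->cartID = $this->generate_cart_id();
    }

    // Reloading a saved basket after login. Without the one-line fix from the
    // thread, no ID is issued here and cartID stays null.
    public function restore_contents(array $savedBasket)
    {
        foreach ($savedBasket as $productId => $qty) {
            $this->contents[$productId] = $qty;
        }
        if ($this->assignIdOnRestore) {
            $this->cartID = $this->generate_cart_id();
        }
    }
}

// The two "is it registered?" tests from the thread. The session is passed as
// a plain array so the script runs from the CLI without a real session.
function registered_by_isset(array $session, $name)
{
    return isset($session[$name]);            // false when the value is null
}

function registered_by_key(array $session, $name)
{
    return array_key_exists($name, $session); // true even when the value is null
}

// Hypothetical checkout guard: the ID stored in the session must be a
// non-empty string equal to the cart's current ID. A null ID never passes.
function cart_id_matches(array $session, DemoCart $cart)
{
    if (!isset($session['cartID']) || !is_string($cart->cartID) || $cart->cartID === '') {
        return false;
    }
    return hash_equals($cart->cartID, (string) $session['cartID']);
}

function run_scenario($label, DemoCart $cart)
{
    // Assumed flow: checkout copies the cart's ID into the session.
    $session = array('cartID' => $cart->cartID);
    printf("%-28s value=%-7s isset=%-5s key_exists=%-5s guard=%s\n",
        $label,
        var_export($session['cartID'], true),
        var_export(registered_by_isset($session, 'cartID'), true),
        var_export(registered_by_key($session, 'cartID'), true),
        var_export(cart_id_matches($session, $cart), true));
}

$saved = array(17 => 1); // constructed saved basket: product 17, quantity 1

$unpatched = new DemoCart(false);
$unpatched->restore_contents($saved);
run_scenario('restore only, unpatched', $unpatched);

$patched = new DemoCart(true);
$patched->restore_contents($saved);
run_scenario('restore only, patched', $patched);

$fresh = new DemoCart(false);
$fresh->add_cart(42);
run_scenario('item added this session', $fresh);
```

In the unpatched restore-only row the two registration tests disagree and the guard fails; once restore_contents() assigns an ID, all three agree.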

Guest Posted September 8, 2005

To all:

Just in case somebody has this set up:

- Running Apache on Linux/Unix
- Can't turn off Register Globals from the php.ini file (no access because on a shared server, etc.)
- HAS to run the shop with Register Globals = off

As you all know, in Apache you can use an .htaccess file in the root directory (or the shop's root directory) using the "php_value register_globals 0" to turn Register Globals off locally.

However, I kept having a session error ONLY in the administration similar to the one described in the README file.

"Warning: Unknown(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively. in Unknown on line 0"

The .htaccess did not seem to affect this warning. The .htaccess file was tested using the phpinfo.php in subdirectories and I saw the Register Global got to "off" as I moved around, so the .htaccess file is turning off Register Globals BUT ONLY on the Local Value column, not the Master Value column.

In any event, the README file continues by advising to:

"The scenario described by the warning does NOT apply to this patch (ie - this patch does NOT make use of the bug/feature in 4.2.3), so it is safe (indeed very desirable) to switch this functionality and warning off. To remove this functionality and stop the warning, set both of these parameters in php.ini as follows :

    session.bug_compat_42 = 0
    session.bug_compat_warn = 0
"

Which, of course, I could not do since I had no access to the php.ini file.

I searched the web and found these two lines of code that, when added to the .htaccess file, turn off the warnings:

    <IfModule mod_php4.c>
    php_value register_globals 0
    php_value session.bug_compat_42 0
    php_value session.bug_compat_warn 0
    </IfModule>

I guess I'm just sharing this information because I could not find it anywhere here and in case some lost soul is looking for it. Also, if anyone has any comments on this setup, possible unexpected results, thinks it is not really a solution, and so on...please, correct me.

Thanks

dasonix2000 Posted September 28, 2005

are there any known problems between this and any of the worldpay modules?

korbermodels Posted September 29, 2005

I have the following error

    FATAL ERROR: register_globals is disabled in php.ini, please enable it

Which one of the downloads in this contribution is the correct one for me?

Guest Posted September 29, 2005

> Which one of the downloads in this contribution is the correct one for me?

Latest version is v 1.3, dated 13 Jan 2005.

And this may upset someone, but I strongly suggest you do NOT use the "Illegal Offset QUICKFix" dated 5 Sep 2005 - it's simply not correct.

Rich.

Guest Posted October 1, 2005

Vger's Register Globals Patch is super!

Guest Posted October 2, 2005

> Vger's Register Globals Patch is super!

Errr... actually it's my patch. But thanks anyway.

Rich.

Guest Posted October 3, 2005

> Errr... actually it's my patch. But thanks anyway. Rich.

ooh i didn't know that. sorry mate.

Guest Posted October 7, 2005

> To all:
>
> Just in case somebody has this set up:
>
> - Running Apache on Linux/Unix
> - Can't turn off Register Globals from the php.ini file (no access because on a shared server, etc.)
> - HAS to run the shop with Register Globals = off
>
> As you all know, in Apache you can use an .htaccess file in the root directory (or the shop's root directory) using the "php_value register_globals 0" to turn Register Globals off locally.
>
> However, I kept having a session error ONLY in the administration similar to the one described in the README file.
>
> "Warning: Unknown(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively. in Unknown on line 0"
>
> The .htaccess did not seem to affect this warning. The .htaccess file was tested using the phpinfo.php in subdirectories and I saw the Register Global got to "off" as I moved around, so the .htaccess file is turning off Register Globals BUT ONLY on the Local Value column, not the Master Value column.
>
> In any event, the README file continues by advising to:
>
> "The scenario described by the warning does NOT apply to this patch (ie - this patch does NOT make use of the bug/feature in 4.2.3), so it is safe (indeed very desirable) to switch this functionality and warning off. To remove this functionality and stop the warning, set both of these parameters in php.ini as follows :
>
>     session.bug_compat_42 = 0
>     session.bug_compat_warn = 0
> "
>
> Which, of course, I could not do since I had no access to the php.ini file.
>
> I searched the web and found these two lines of code that, when added to the .htaccess file, turn off the warnings:
>
>     <IfModule mod_php4.c>
>     php_value register_globals 0
>     php_value session.bug_compat_42 0
>     php_value session.bug_compat_warn 0
>     </IfModule>
>
> I guess I'm just sharing this information because I could not find it anywhere here and in case some lost soul is looking for it. Also, if anyone has any comments on this setup, possible unexpected results, thinks it is not really a solution, and so on...please, correct me.
>
> Thanks

I am getting this warning and cannot seem to find out how to fix it. Could someone help me please.

    Warning: session_write_close(): Your script possibly relies on a session side-effect which existed until PHP 4.2.3. Please be advised that the session extension does not consider global variables as a source of data, unless register_globals is enabled. You can disable this functionality and this warning by setting session.bug_compat_42 or session.bug_compat_warn to off, respectively. in /srv/vhosts/*/httpdocs/oscommerce-2.2ms2/catalog/includes/functions/sessions.php on line 106

Thank you

dionn Posted October 26, 2005 (edited)

> Hi, I would like to apply the Master Products module with register globals off. Anyone who could help me out with that one? All help is most appreciated! Regards :thumbsup:

Did you find a way to get this done? I'd like to do the same..

Thanks!! :)

Edited October 26, 2005 by dionn

sh1no Posted November 8, 2005

Hi, I'm a newbie to this. I wanted to know, can I simply install the following together without having any problems?

oscommerce-2.2ms2 with the patch 1.3 ?

Thanks.

sh1no Posted November 8, 2005

    Fatal error: Cannot re-assign $this in c:\wamp\www\excwheels\admin\includes\classes\upload.php on line 31

I get this error when I go in the admin section, is there a reason why?

I am using: oscommerce-2.2ms2 with the patch 1.3 ?

Foochuck Posted November 11, 2005

Hello,

I need some help with creating an .htaccess file for a fix on a shared server.

Here is the info I'd like to use in the .htaccess file:

    # $Id: .htaccess,v 1.3 2003/06/12 10:53:20 hpdl Exp $
    #
    # This is used with Apache WebServers
    #
    # For this to work, you must include the parameter 'Options' to
    # the AllowOverride configuration
    #
    # Example:
    #
    # <Directory "/usr/local/apache/htdocs">
    #   AllowOverride Options
    # </Directory>
    #
    # 'All' will also work. (This configuration is in the
    # apache/conf/httpd.conf file)

    # The following makes adjustments to the SSL protocol for Internet
    # Explorer browsers
    <IfModule mod_setenvif.c>
      <IfDefine SSL>
        SetEnvIf User-Agent ".*MSIE.*" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0
      </IfDefine>
    </IfModule>

    # Fix certain PHP values
    # (commented out by default to prevent errors occurring on certain
    # servers)
    #<IfModule mod_php4.c>
    #  php_value session.use_trans_sid 0
    #  php_value register_globals 1
    #</IfModule>

Could someone send me a copy of the .htaccess file for this fix?

Thanks

xtronics Posted November 29, 2005

There is an update to osCommerce 2.2 Milestone 2 (Update 051113)

See: http://www.oscommerce.com/ext/update-20051...l#_Toc119693714

This update is not merged with Register Globals -- yuck (what were they thinking?)

Anyway, the key part of the update for this thread is as follows:

Problem: Validate the session ID and redirect to the front page when an invalid session ID is requested.

Solution: The following function must be replaced in catalog/includes/functions/sessions.php.

Lines 66-68, from:

    function tep_session_start() {
      return session_start();
    }

to:

    function tep_session_start() {
      global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;

      $sane_session_id = true;

      if (isset($HTTP_GET_VARS[tep_session_name()])) {
        if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_GET_VARS[tep_session_name()]) == false) {
          unset($HTTP_GET_VARS[tep_session_name()]);

          $sane_session_id = false;
        }
      } elseif (isset($HTTP_POST_VARS[tep_session_name()])) {
        if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_POST_VARS[tep_session_name()]) == false) {
          unset($HTTP_POST_VARS[tep_session_name()]);

          $sane_session_id = false;
        }
      } elseif (isset($HTTP_COOKIE_VARS[tep_session_name()])) {
        if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_COOKIE_VARS[tep_session_name()]) == false) {
          $session_data = session_get_cookie_params();

          setcookie(tep_session_name(), '', time()-42000, $session_data['path'], $session_data['domain']);

          $sane_session_id = false;
        }
      }

      if ($sane_session_id == false) {
        tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));
      }

      return session_start();
    }

So - the following seems to work:

    // >>> BEGIN REGISTER_GLOBALS tep_session_start
    function tep_session_start() {
      $success = session_start();

      // Work-around to allow disabling of register_globals - map all defined
      // session variables
      if ($success && count($_SESSION)) {
        $session_keys = array_keys($_SESSION);
        foreach($session_keys as $variable) {
          link_session_variable($variable, true);
        }
      }

      global $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS;

      $sane_session_id = true;

      if (isset($HTTP_GET_VARS[tep_session_name()])) {
        if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_GET_VARS[tep_session_name()]) == false) {
          unset($HTTP_GET_VARS[tep_session_name()]);

          $sane_session_id = false;
        }
      } elseif (isset($HTTP_POST_VARS[tep_session_name()])) {
        if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_POST_VARS[tep_session_name()]) == false) {
          unset($HTTP_POST_VARS[tep_session_name()]);

          $sane_session_id = false;
        }
      } elseif (isset($HTTP_COOKIE_VARS[tep_session_name()])) {
        if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_COOKIE_VARS[tep_session_name()]) == false) {
          $session_data = session_get_cookie_params();

          setcookie(tep_session_name(), '', time()-42000, $session_data['path'], $session_data['domain']);

          $sane_session_id = false;
        }
      }

      if ($sane_session_id == false) {
        tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));
      }

      return $success;
    }
    // <<< END REGISTER_GLOBALS tep_session_start

I'm testing it now -- seems to work. Others might want to test or comment - I'm not sure how this code functions.

------------------------------------------------------------------------
The first panacea for a mismanaged nation is inflation of the currency; the second is war. Both bring a temporary prosperity; both bring permanent ruin. Ernest Hemingway
------------------------------------------------------------------------
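
In the merged function posted above, session_start() runs before the session ID is checked, whereas the update it was merged from checks first and starts the session last. The following added example (not code from the thread, the patch or osCommerce) keeps the check-first order and also rejects two inputs the posted pattern does not cover: a value that arrives as an array, and an ID followed by a newline, which `$` accepts and `\z` does not. The function names and the sample session name 'osCsid' are assumptions for the illustration.

```php
<?php
// Added illustration; function names are hypothetical.

// Returns null when the supplied session ID is well-formed (or absent),
// otherwise the source ('get', 'post' or 'cookie') that carried a bad one.
// Same precedence as the update quoted above: GET, then POST, then cookie,
// and only the first source that carries an ID is examined.
function bad_session_id_source($name, array $get, array $post, array $cookie)
{
    $sources = array('get' => $get, 'post' => $post, 'cookie' => $cookie);
    foreach ($sources as $label => $values) {
        if (!isset($values[$name])) {
            continue;
        }
        $id = $values[$name];
        // is_string(): a parameter written as name[]=x arrives as an array.
        // \z instead of $: "$" also matches just before a trailing "\n".
        if (!is_string($id) || preg_match('/^[a-zA-Z0-9]+\z/', $id) !== 1) {
            return $label;
        }
        return null;
    }
    return null;
}

// Check first, start the session second. On false no session exists yet and
// the caller redirects to the front page; on true the register_globals
// patch's mapping loop over $_SESSION would follow.
function checked_session_start()
{
    $name = session_name();
    $bad = bad_session_id_source($name, $_GET, $_POST, $_COOKIE);
    if ($bad !== null) {
        if ($bad === 'cookie') {
            // expire the malformed cookie, as the quoted update does
            $params = session_get_cookie_params();
            setcookie($name, '', time() - 42000, $params['path'], $params['domain']);
        }
        return false;
    }
    return session_start();
}

// Constructed requests: array(GET, POST, COOKIE) for each case.
$name = 'osCsid'; // sample session name (assumption)
$requests = array(
    'well-formed id in GET'      => array(array($name => 'a1B2c3d4e5'), array(), array()),
    'punctuation in GET id'      => array(array($name => 'abc;def'), array(), array()),
    'array instead of string'    => array(array($name => array('x')), array(), array()),
    'trailing newline in cookie' => array(array(), array(), array($name => "abc123\n")),
    'good GET hides bad cookie'  => array(array($name => 'abc123'), array(), array($name => 'a b')),
    'no id supplied'             => array(array(), array(), array()),
);

foreach ($requests as $label => $r) {
    $bad = bad_session_id_source($name, $r[0], $r[1], $r[2]);
    printf("%-28s %s\n", $label, $bad === null ? 'ok' : "rejected ($bad)");
}
```

The "good GET hides bad cookie" row shows a property inherited from the elseif chain: only the first source that carries an ID is validated.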