RIP and YNWA Bobby Easland aka Chemo

Robert R. Easland Jr., “Bobby,” 34, of Florence, formerly of Radcliff, died Monday, June 14, 2010, at his home in Florence.

Though I regularly disagreed with his strident viewpoint I will miss his input into osCommerce and osQuantum. A very sad loss for us all.

I know nothing of his family, but would like to say that my thoughts are with them at this very difficult time.

Rest In Peace, Chemo, You’ll Never Walk Alone.

UPS shipping in osCommerce

I recently set live a client store, and I am very pleased with how it all turned out, as is my client. Since deploying it, we’ve been working off and on on a number of things to make the site better and better.

Anyway, I’ve used UPS on a number of client stores, but yesterday I learned something new which I wanted to pass on to readers of this blog.

With the standard UPS module that ships with osCommerce rc3, there are a number of options for the Pickup Method:

In here you can choose which method you use to give packages to UPS – and which method you choose will return vastly different rates for shipping. So, make sure that you are on the correct method!

If you are unsure about which you should be using, contact UPS Technical Support – they don’t bite;

You have a UPS Occasional, or sometimes called an On Call Air, pickup account. This is a code 03 pickup. If you are not entering that code into the request you will not receive the correct rates back.

As soon as my client inserted OCA into the pickup method field, the quotes returned were correct for his shipping system!

Hope it helps someone else in the future.

osCommerce Previously Purchased

Contacted today by someone who wanted the ability to show customers what they have already purchased (whilst browsing the site). In other words display a “You have already purchased this” warning message at the top of the product info page etc etc.

The first thing to know is that we need to have the customer logged in as without their customer ID there is no way to grab the needed information.

The next thing to know is that we need to join together two database tables; orders & orders_products

It’s really very straightforward;

1. customer logs in
2. we join the orders and orders_products table and grab the needed product IDs of the already purchased items
3. we place these into an array
4. we check the product ID, whilst the customer is browsing the store, against the array. If the numbers match, show the message

All in all, this was 10 minutes work to get a viable solution. Of course, it could be cleaned up and made better (eg, show the “you’ve bought” message elsewhere such as the shopping_cart page, or in the products_new module etc), but for now all that is needed is the message on the product_info.php page, and it works OK.

osCommerce Security – protecting and recovering from hacks

Recently, I’ve been seeing many osCommerce sites that are insecure. I’ve been emailing shop owners to let them know. To prove the point, I’ve been (after having permission to do so) uploading an image file to the insecure site, and pointing out that it could just as easily have been a page of malicious code uploaded instead…

So, what I want to do in this blog post is try to show every shop owner some steps they should take to secure their osCommerce.

  1. Rename your Admin area to something completely random. So instead of it being yoursite.com/admin/ it is something like www.yoursite.com/frfrow0033kdie7/
  2. Remove the admin file called file_manager.php and the file called define_language.php (note that rc3 delivers without the file_manager.php already)
  3. Protect your admin area using .htaccess via your hosting control panel (note that osCommerce rc3 has this feature installed already via the admin area)
  4. As a minimum, install the following addons listed here.

If you have already been hacked, then the most likely culprit is the “eval” hack, which inserts code at the top of almost every .php page, and adds a few extra malicious files. This “eval” code needs to be decrypted, and then the malicious files can be found and removed.

Once that’s done, you must remove the “eval” code from each and every php file. It is important to note that “eval” is in fact used by osCommerce legitimately – so you only need to find the malicious eval code (always at the top of each infected php page).
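One way to shortlist the files for that clean-up, as an added example that is not part of the original post or of osCommerce: it flags only .php files with an eval( call in the first few lines, so legitimate eval use further down a file is not reported. The three-line window, the sample file names and the `decode_blob` placeholder are assumptions made for the illustration.

```python
import os
import re
import tempfile

# eval( as a bare call; the lookbehind skips my_eval(, $eval(, ->eval( and ::eval(
EVAL_CALL = re.compile(rb"(?<![\w$>:])eval\s*\(", re.IGNORECASE)
HEAD_LINES = 3  # assumption: "top of the page" = first three lines


def eval_in_head(path, head_lines=HEAD_LINES):
    """Return the 1-based line of the first eval( in the file head, else None."""
    with open(path, "rb") as fh:
        for lineno, line in enumerate(fh, start=1):
            if lineno > head_lines:
                break
            if EVAL_CALL.search(line):
                return lineno
    return None


def scan_tree(root, head_lines=HEAD_LINES):
    """Return sorted (relative path, line) pairs for .php files to review by hand."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                line = eval_in_head(full, head_lines)
                if line is not None:
                    hits.append((os.path.relpath(full, root), line))
    return sorted(hits)


def demo():
    """Scan a constructed two-file store: one injected page, one legitimate eval."""
    samples = {
        # constructed: placeholder eval line prepended above the original page
        "index.php": b'<?php eval(decode_blob("CONSTRUCTED")); ?>\n<?php\necho "catalog";\n',
        # constructed: eval used by the application itself, well below the head
        "tools.php": b"<?php\n// helper\n\n$x = 1;\neval('$y = $x;');\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, line in demo():
        print(f"{path}:{line}: eval() in file head, review manually")
```

Point `scan_tree()` at a copy of the store's document root; every hit still needs a manual look before any line is removed.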

There are also other newer contributions that you can use to protect your site – such as Intrusion Detection System. Have a hunt for more in the osCommerce forum and addons area.

If all this is beyond the scope of your ability, please feel free to contact me (my email address is up there ^^), as I am happy to fix a hacked site and secure it against known hacks. Note that this is a commercial service that I offer, hence you would be paying commercial rates.