All posts by simon

stop double htpasswd authentication for http https login in admin

If you have set up an htpasswd login to your admin (which is a good idea) you may be having to login twice to the htpasswd popup – once for an http and again for an https connection. This is so you’re authenticated in both connections which use different ports.

If you don’t want to have to login twice, here’s how to fix it:

1. The obvious way
If you login to your https admin using a http link, it will ask you to login twice in the htpasswd login popu.

Fix: Make sure your admin link/bookmark url you connect to your admin with starts with https://

2. Redirect all admin logins to https
Use this approach if 1. above doesn’t work.
Add the following to the top of the admin htaccess (not store htaccess file) to direct all admin urls to run under https.

Note – you must have 1) an htpasswd login setup and 2) an SSL certificate stored on your server to use this modification.

Find /admin/.htaccess and add at the top under the first commented line:

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "mywebsite.com"
ErrorDocument 403 https://mywebsite.com/admin

Note – change ‘mywebsite.com’ and also the ‘mywebsite.com/admin’ to your actual store’s domain name and admin (which shouldn’t be ‘admin’ either as this is a security risk.)

products attributes not showing on confirmation email

This bug which causes the product attribute information not to appear on order confirmation emails sent by the Cre Loaded or Loaded Commerce admin has been around forever on Cre Loaded (and now Loaded Commerce 6.5.x) carts.

Replicate as follows:
1. Admin >> Configuration >> Download … set ‘Enable Download’ to false


2. Place order for product with attributes
3. Receive email without mention of product attributes

The fix:
Find the file /checkout_process.php, backup first, then anywhere from line 450 through to 510 (depends on your version) replace with the block as shown

$products_ordered_attributes = '';
  if (isset($order->products[$i]['attributes'])) {
    for ($j=0, $n2=sizeof($order->products[$i]['attributes']); $j<$n2; $j++) {
      $sql_data_array = array('orders_id' => $insert_id,
                              'orders_products_id' => $order_products_id,
                              'products_options' => $order->products[$i]['attributes'][$j]['option'],
                              'products_options_values' => $order->products[$i]['attributes'][$j]['value'],
                              'options_values_price' => $order->products[$i]['attributes'][$j]['price'],
                              'price_prefix' => $order->products[$i]['attributes'][$j]['prefix'],
                              'products_options_id' => $order->products[$i]['attributes'][$j]['option_id'],
                              'products_options_values_id' => $order->products[$i]['attributes'][$j]['value_id']);
      tep_db_perform(TABLE_ORDERS_PRODUCTS_ATTRIBUTES, $sql_data_array);
      if (DOWNLOAD_ENABLED == 'true') {
        $attributes_query = "select pad.products_attributes_maxdays, pad.products_attributes_maxcount , pad.products_attributes_filename
                               from " . TABLE_PRODUCTS_ATTRIBUTES . " pa,
                                    " . TABLE_PRODUCTS_ATTRIBUTES_DOWNLOAD . " pad
                             where pa.products_id = '" . $order->products[$i]['id'] . "'
                               and pa.options_id = '" . $order->products[$i]['attributes'][$j]['option_id'] . "'
                               and pa.options_values_id = '" . $order->products[$i]['attributes'][$j]['value_id'] . "'
                               and pa.products_attributes_id = pad.products_attributes_id";
        $attributes = tep_db_query($attributes_query);
        $attributes_values = tep_db_fetch_array($attributes);
        if ( isset($attributes_values['products_attributes_filename']) && tep_not_null($attributes_values['products_attributes_filename']) ) {
          $sql_data_array = array('orders_id' => $insert_id,
                                  'orders_products_id' => $order_products_id,
                                  'orders_products_filename' => $attributes_values['products_attributes_filename'],
                                  'download_maxdays' => $attributes_values['products_attributes_maxdays'],
                                  'download_count' => $attributes_values['products_attributes_maxcount']);
          tep_db_perform(TABLE_ORDERS_PRODUCTS_DOWNLOAD, $sql_data_array);
        } // download filename loop ends
      }  // download attributes loop ends

        if( (!empty($order->products[$i]['attributes'])) ){
          $products_ordered_attributes .= "\n\t" . (isset($order->products[$i]['attributes'][$j]['option']) ? $order->products[$i]['attributes'][$j]['option'] : '') . ' ' . (isset($order->products[$i]['attributes'][$j]['value']) ? $order->products[$i]['attributes'][$j]['value'] : '') . ' ' .
          ( (isset($order->products[$i]['attributes'][$j]['price']) && ($order->products[$i]['attributes'][$j]['price'] > 0) ?
           $order->products[$i]['attributes'][$j]['prefix'] . ' ' . $currencies->display_price($order->products[$i]['attributes'][$j]['price'], tep_get_tax_rate($products[$i]['tax_class_id']), 1): ''));
     //number_format($order->products[$i]['attributes'][$j]['price'],2,'.','')

      } // attributes not empty loop
    } // loop through the attributes
  }  // attributes set?

tinymce editor box outlines visible when editing product

If you’re seeing outline boxes appearing in product edit pages of your 6.4.x or earlier cart caused by the tinymce editor, like this:

here’s the fix:

file: admin/editors/tiny_mce.php, around line 57

replace:

$mailscripts = array(FILENAME_NEWSLETTERS, FILENAME_MAIL);
   
    echo "n";

 

with:

$mailscripts = array(FILENAME_NEWSLETTERS, FILENAME_MAIL);

if(substr($textarea, -1, 1) == ','){
     $textarea = substr($textarea,0,-1);
}
   
    echo "n";

 

what relative links and absolute links are and when to use them

When you place a link to a page or media that is on your server, use relative links.
If you are linking to something on another website (ie not on your server) use absolute links.

“What’s the difference between relative and absolute links?”

A ‘relative link’ doesn’t require the “http://yourdomain.com…” at the start, because the resource is on your server.

Here are some examples of relative links:

<a href="mypages.html">About Me</a>
<img src="mypic.jpg"/>
<a href="articles.php?tPath=3">My Page</a>

 

[important]

TIP: If you are using a url rewriter use the cart’s default urls, in relative link style:

USE:    <a href="pages.php?pID=2">Links</a>
NOT:   <a href="difference-between-relative-absolute-links.html">Links</a>

 

[/important]

 

An ‘absolute link’ does require the “http://yourdomain.com…” at the start, because the resource is on another server.
Absolute links are sometimes referred to as ‘hard-coded’ links.

Here are some examples of absolute links:

<script href="https://www.google.com/jquery/repository/jquery1.1.min.js">
<img src="https://wwwbestpiceverofsand.com/pic1.jpg">

Why do both the absolute link examples start https?

If you link to content that will be displayed on an https:// page, unless you link ALL of the content on that page using https:// or relative links, you will get the dreaded ‘mix of insecure content’ warning which will alarm your customers (especially if it happens in the checkout area) and probably lose you the sale.

If you need to link to an external site (therefore use an absolute link), the site needs to provide the option of linking via https://. If it doesn’t, can you save the resource locally and use a relative link to that? (you should always checkout copyright ownership and license and if necessary contact the owner of the image/external content if you are planning on making a local copy for use from your server.)

Why is this stuff about relative links and absolute links important?

1. to avoid seeing warnings about insecure / secure content which can lose you business
2. to future-proof against any change of url writing

Where is this particularly relevant?

On your homepage, especially in introductory text (eg mainpage.php module) and in article and info pages.

why do I need a SSL certificate (https connection) on my ecommerce site?

Your ecommerce website needs to have a valid SSL certificate installed and running.
Here’s some background and reasons why:

What’s does a SSL certificate do?

A Secure Socket Layer (SSL) certificate does a couple of things:

1. encrypts information entered into a form (a ‘form’ is exactly what it sounds like – any ‘fill in the box’ type page that requires you to enter in information and click a button on the screen; could be creating an account or sending an email to the store owner or signing up to a newsletter etc)
2. checks the integrity of the connection between the browser and the server (are you connected to the correct server?)

How can I tell it’s working?
The address bar will show a padlock and the word https:// in front of your website name on pages that require SSL encryption.


Note – there is no advantage in making all pages on your site https:// – it works with pages that have forms. Technically, https:// will slow down page loading speeds of your site and also may interfer with indexing by search engines. Most oscommerce-based carts have certain pages where https:// connections will be made, in particular logins, creating accounts and checkout.

But SSL certificates and https:// connections are just for payment pages though right?
Not true – a SSL certificate scrambles data and secures connections when any form is submitted (a form is basically what it sounds like – anytime you type information on a website, you’re probably filling out a form of some sort.)

So this means your admin and customer logins, contact us and create account pages as well all benefit from your server having a SSL certificate.

And if I don’t use one?
All of the data submitted will go as clear text, ie unencrypted. It is possible for unscrupulous people to set up ‘sniffer’ and ‘listening’ scripts and grab those clear text details being sent, which could gain them admin login details, customer address information as well as payment details.

Some payment gateways will not accept your payments without a valid SSL certificate installed and running on your site.

Also, the server may not in fact be the server you or your customers intended on reaching, as the integrity of the link will not have been verified to any extent.

Implications
Customers are now very aware of the https:// symbol in an address and if they don’t see it when they go to complete an order or set up an account, most will leave.

Identity fraud is a major industry around the world, so it is strongly recommended that if you want to get the business, you operate with a good SSL certificate in place and advertise the fact. Really, it’s a bare minimum to be in business online.

Furthermore, some payment gateways and processors require you as a merchant to have a valid SSL certificate installed before you can connect to them and use their services.

How do I get a SSL certificate?
There are a couple of ways – 1) contact your hosting company to set one up, or  2) Do It Yourself (DIY)

Installing a SSL certificate is not difficult as long as you have access to the interface needed. If you use cPanel, you can use the TLS/SSL Manager in the Security box on the right. Create a CRT and private key, go buy the certificate and supply these parts, generate certificate, copy emailed certificate in certificate box, install – done.

If you don’t have access to the necessary interface, contact your hosting company and ask them to install the certificate.

Most SSL resellers like RapidSSL, Geotrust, Verisign, Digicert etc have instruction sheets to assist you as well as online support.

SSL certificate prices range from under USD100 a year through to bank-level EV SSLs with multiple verifications (ie way over the top) costing much more. Get one that fits with your business volume and turnover – but most importantly, get one!

 

If you need help installing a SSL certificate please contact me via my Contact page.