Osc Setup info : READ THIS FIRST
Jade Dragon
6-11-03, 01:16 AM
I'll be copying some information from another thread to here.
Main Application Site: http://www.oscommerce.com
Documentation: http://www.oscdox.com
Specific code editing: http://wiki.oscommerce.com/helpHowto When editing be prepared to spend a lot of time changing code. Especially if you want a very different look for your site from the stock installation of OSC.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OSCommerce is a fully functional e-commerce application.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Options to remove "read error" at top of pages.
Originally posted by stevel
1. Delete the install folder itself, not just the files in it.
2. Create a file called protect.php with the following contents:
<?php
chmod('includes/configure.php', 0444);
?>
Upload it to your catalog folder and then in a browser open protect.php on your site. It will set the protection. The only alternative seems to be to ask PowWeb support to set it for you.
I suggest also uploading this to your admin folder and opening that too. Once you have done this, you can delete the protect.php files.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Customizing OSCommerce.
Everything you want to do to effect changes within the OSCommerce package does require hand coding. This is very time consuming as many files need to be changed in order to have a uniform theme across your site.
To start with the basics look for the following.
To change logo look at /includes/header.php
header/footer/title are controlled by the /include/language files.
along with the welcome page at /includes/language/english/default.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GZIP Compression.
By turning this on you will have a compressed output to the user's browser. This also saves on bandwidth. You will need to change the /includes/application_top.php file in order to remove the ob_gzhandler error.
Look for
// if gzip_compression is enabled, start to buffer the output
if ( (GZIP_COMPRESSION == 'true') && ($ext_zlib_loaded = extension_loaded('zlib')) && (PHP_VERSION >= '4') ) {
  if (($ini_zlib_output_compression = (int)ini_get('zlib.output_compression')) < 1) {
    if (PHP_VERSION >= '4.0.4') {
      ob_start('ob_gzhandler');
    } else {
      include(DIR_WS_FUNCTIONS . 'gzip_compression.php');
      ob_start();
      ob_implicit_flush();
    }
  } else {
    ini_set('zlib.output_compression_level', GZIP_LEVEL);
  }
}
and replace with
// if gzip_compression is enabled, start to buffer the output
if ( (GZIP_COMPRESSION == 'true') && ($ext_zlib_loaded = extension_loaded('zlib')) && (PHP_VERSION >= '4') ) {
  if (($ini_zlib_output_compression = (int)ini_get('zlib.output_compression')) < 1) {
    if (PHP_VERSION >= '4.0.4') {
      ob_end_clean();
      ob_start('ob_gzhandler');
    } else {
      include(DIR_WS_FUNCTIONS . 'gzip_compression.php');
      ob_start();
      ob_implicit_flush();
    }
  } else {
    ini_set('zlib.output_compression_level', GZIP_LEVEL);
  }
}
~~~~~~~~~~~~~~~~~
Hope this helps everyone get started. I will be adding to this post as time permits.
=)
Jade
ok, I have no idea how to chmod
ftp ftp.[domain]
[enter username]
[enter password]
[go to correct directory]
chmod [value] [filename]
It's that easy... ;)
Jade Dragon
6-11-03, 09:08 AM
Brought over from the other thread, WenzlerPaul posted a very good tip to protect your OSCommerce admin panel. This is also suggested on the OSCommerce site.
Originally posted by WenzlerPaul
This is an advisory for osCommerce users regarding security, since Powweb Service automatically gives Writable permission to any subscriber. It can present a vulnerability to some people using the tool.
The complete catalog includes an admin directory that is equipped with a File Manager under the Tools which can directly write files to the server without going through any FTP or Shell tool.
You will need to protect such directory (admin) with .htaccess so it will not be accessible to anyone. A good reference to this is on this link http://support.powweb.com/tutorials/passwordprotection.php .
Another thing you might need to consider is that Powweb service is not set up to recognize default.php as a directory index and is capable of listing your directory content once an index.htm, index.html or index.php is not found. This also presents a security risk. One way of working around this thing is by placing another .htaccess in the htdocs directory with an override option for DirectoryIndex including default.php as one of your startup files.
A complete walk through is at the bottom:
Step 1
Create a directory/folder inside your FTP Space called ETC or any folder name you wish to call it (this will contain the .passwd file)
Step 2
Create an .htaccess for your admin directory. (refer to the link above) or look at the code below.
AuthUserFile /www/u/username/.htpasswd
AuthGroupFile /dev/null
AuthName "Your Desired Login Message Goes Here"
AuthType Basic
<Limit GET>
require user username
</Limit>
For AuthUserFile, login to your Ops and look under HTTP (Website), you will see this line:
DocumentRoot: /www/u/username/htdocs
If you created a directory/folder inside your htdocs, the path should point like this:
/www/u/username/htdocs/etc/.htpasswd
You should directly follow the steps.
Step 3
Create the .htpasswd file. Use this link below to generate the needed info.
http://help.powweb.com/cgi-bin/crypt.cgi
Copy the information that was generated by the tool, paste it to a file named .htpasswd and directly upload it to the directory/folder you have created on Step 1.
Note: for Windows users, it is impossible to create a file starting with a dot, you can simply create a file named htaccess.txt, upload it later then rename it through your FTP tool like WS_FTP PRO. For Linux or any Unix based OS users, this is not an issue.
Once you have accomplished this, upload the file .htaccess to any directory you want to protect. (Do not forget to rename both files to .htaccess and .htpasswd)
If you wish to add users to the login, repeat Step 3 and simply add any generated password to your file, do not forget to put them one line after another.
This is the complete step for the admin protection or any directory protection on your website.
Another issue is to set default.php as one of your startup files. To do this, create a separate .htaccess file with this code:
DirectoryIndex index.htm index.html index.php3 index.php default.html default.htm default.php index.cgi
It will actually depend on what startup files you want to add or remove. Upload this on your htdocs directory/folder and you are all set.
I also included sample files for you to just edit them according to your settings. Download the Sample Files Here (http://www.jcdesignpro.com/samples.zip)
In case you need further assistance, you can directly email me at wenzlerpaul@yahoo.com
I hope this helps
Paul V. Barrera
Helps very much! Thanks!
Note to users: you can post your questions on the forum so answers can benefit all.
=)
Jade
Once the chmod of 444 had been made to the file,
will I still be able to add/drop products and
services etc... ?
Thanks,
Steve
Yes - the chmod protects the configure.php file itself, which you typically don't change once set up.
Hi!
I tried to change the logo in "header.php", but now a fatal error is appearing.
Can you help?
Read the earlier post I wrote in this section!
THANKS!
Jocelyn
Hey, Jade... thank you very much for your postings...
Helped me solve a few errors I didn't know where the heck they were coming from...
nznl
In Paul's directions for password protecting the admin folder:
Shouldn't this...
If you created a directory/folder inside your htdocs, the path should point like this:
/www/u/username/htdocs/etc/.htpasswd
really be...
/www/u/username/.htpasswd
So that the password file is not accessible? That's where I have mine and I think (hope) it cannot be seen that way?
tbonekkt
10-9-03, 12:40 PM
As long as your reference to it from your htaccess file reflects where the htpasswd file is located, you can place it anywhere. But for security reasons, you should place it above htdocs. You can even rename it to something else as htpasswd is the common name and sometimes hackers search for that file specifically. Of course, you won't have to worry about that if you place it above htdocs.
noproblem
11-4-03, 03:15 PM
Thanks for the method to remove the error message at the top of the catalog page.
You may view my site to see if there are any security concerns.
Thank you.
www.incomeasap.com/catalog/
noproblem
11-4-03, 03:16 PM
www.incomeasap.com/oscommerce/catalog/
ty
Hello All,
I followed these directions to protect the admin directory in OSC but the path to the .htpasswd file seems to be wrong because when I enter my username and password it does not let me in. Is there something obvious that I am missing? This is my path for the htpasswd file in htaccess:
AuthUserFile /www/me/meagain/htdocs/etc/.htpasswd
AuthGroupFile /dev/null
AuthName "Your Desired Login Message Goes Here"
AuthType Basic
<Limit GET>
require user username
</Limit>
Is there something else I could be doing wrong?
here is my link: http://topshelfwebdesigns.com/shop/catalog/admin
NYColt
In the line:
require user username
you are supposed to replace "username" with one of the users you defined in .htpasswd. (Don't feel bad, I made the same error starting out.)
Another option is to put:
require valid-user
This will accept any user listed in .htpasswd.
First of all, Jade thanks for the info on deleting the install directory and protecting my configure.php file.
I have two questions though. First, in order to protect the admin directory can I use the same "protect.php" file even though there is no "configure.php" file in that directory?
My second question is the biggest one. I looked at the "header.php" file, and I can't begin to figure out how to change it. I tried to access the documentation file indicated above at http://www.oscdox.com, but the pages with the info on them would not load. Can someone hold an idiot's hand and explain exactly what I need to change in the "header.php" file, or at least recommend somewhere where I can read up on personalizing my osCommerce? Any help would be greatly appreciated!
There is indeed a configure.php under admin - in admin/includes. It also needs to be protected.
I'm away from my local files right now, but the main thing to change in header.php is where it includes the osCommerce graphic in the upper left of the page. It may also set the page title here. Change the code as you require (which may be a simple substitute of the image). Don't forget to also change the ALT tag, which is supplied as one of the arguments to tep_image.
I was able to locate the 'configure.php' file in admin and protect it. I was able to change the graphic in the top left of the page, however I'm getting an error. Even when I disabled my changes, I'm still getting the error.
The original code was "<?php echo tep_image(DIR_WS_IMAGES . 'oscommerce.gif', 'oscommerce.com', '204', '50'); ?>", and I changed it to "<?php echo tep_image(DIR_WS_IMAGES . 'de.gif', 'Dargan Enterprises', '204', '50'); ?>".
The graphic comes up, but then I get an error message:
"Fatal error: Call to undefined function: tep_catalog_href_link() in /www/d/dargane/htdocs/osCommerce/catalog/includes/header.php on line 20"
Even when I reversed my changes, I still get the error. I didn't even change the code where the fatal error is. Can you or anyone help?
I've tried everything i've read in this thread for the .htaccess and .htpasswd, and still no luck. This is what i have:
AuthUserFile /www/me/meagain/.htpasswd
AuthGroupFile /dev/null
AuthName "Your Desired Login Message Goes Here"
AuthType Basic
<Limit GET>
require valid-user
</Limit>
~and my .htpasswd is:
myusername:myencryptedpasswd
Doesn't that look right?
each time i go to the file i want protected, i get the pop-up, but when i put in my password it just pops up again.:(
Well, assuming that by /me/ you mean /m/ (the first letter of your master username), it looks ok. Is .htpasswd at the top level of your FTP root? (Same folder htdocs is in?) Are you sure you have the password right?
"Well, assuming that by /me/ you mean /m/ (the first letter of your master username), it looks ok. Is .htpasswd at the top level of your FTP root? (Same folder htdocs is in?) Are you sure you have the password right?"
Yes it is the first letter in the master username, and yes the .htpasswd is at the top level, and i have redone the password several times..... I just dont get it. So i am just going to delete both files and start again. Thank you for your help.
Dave
http://www.DizzyDProductions.com
osCommerce has a "cache" feature which, if enabled, saves copies of various "boxes" (such as a Categories list) in a file, the idea being that these boxes don't need to be recreated on every visit to the page. The file names are based on the type of box and the products_id or cPath number of the page where the box is to appear. This can improve performance, especially for sites that are frequently accessed.
From what I can gather, the cached boxes "expire" after an hour after which they are replaced by recreated versions.
You enable the cache through the admin panel, configuration, Cache.
WARNING!!!
If you enable the Cache option, you MUST change the cache directory! The default is /tmp, which is a common directory shared among all users on the server. If you don't change this, your store will "pick up" cached boxes from other stores on the same server!
Using an FTP client (or PowWeb's web-ftp), create a tmp directory in your package's root directory, alongside htdocs (not IN htdocs). Then change the cache directory setting in the admin panel to /www/u/username/tmp/ where "u/username" is replaced by the appropriate values for your package.
What's the purpose of doing that???
The purpose of enabling the cache is to make pages in your web store appear quicker - this can be helpful if you get a lot of visitors. The primary point of my note was to say that IF you enable the cache, be sure to configure a private cache directory rather than use the default.
I got tired of explaining how to set the protection of the configure.php files (and how to update the files once protected), so I created the feature that should have been in osC to begin with.
http://www.oscommerce.com/community/contributions,2137
Couple of things:
To make your configuration file read only, I suggest chmod to 400 instead of the previously suggested 444. 400 means read only for you, and no access at all for any other user. This works on powweb because they use the suexec apache module to run your scripts with your user id. It might not work on other servers with different setups.
When setting up htaccess, you probably are trying to limit access. period. not just limit access via the "GET" method. In that case you want to use:
<Limit>
require user username
</Limit>
rather than the previously suggested:
<Limit GET>
require user username
</Limit>
I do not know for a fact that "limit GET" is a security hole, but I do not know that it is not either. Better to follow the advice in the Apache manual and use simple limit directives unless you have a good reason not to.
Mike
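An added example, not part of any post in this thread: a PHP check for the points raised above (install folder deleted, both configure.php files without write bits, admin/.htaccess requiring a login for every request method with the password file outside htdocs). The function name audit_store and every sample path are assumptions made for the example; it relies on the fact that Apache applies directives placed inside <Limit GET> only to the listed method.

```php
<?php
// Added example: audits an osCommerce tree for the issues raised in this thread.
// Assumes a Unix host; every path below is constructed sample data.

function audit_store(string $docroot, string $catalog): array
{
    $findings = [];

    // 1. The install folder itself must be gone, not just emptied.
    if (is_dir("$catalog/install")) {
        $findings[] = 'install folder still present';
    }

    // 2. Neither configure.php may have a write bit set (0444 and 0400 both pass).
    foreach (['includes/configure.php', 'admin/includes/configure.php'] as $rel) {
        $file = "$catalog/$rel";
        if (!is_file($file)) {
            $findings[] = "$rel missing";
            continue;
        }
        clearstatcache(true, $file);      // re-read the mode from disk
        $mode = fileperms($file) & 0777;
        if ($mode & 0222) {
            $findings[] = sprintf('%s is writable (mode %04o)', $rel, $mode);
        }
    }

    // 3. admin/.htaccess: auth must apply to every method, and the
    //    password file must live outside the document root.
    $ht = "$catalog/admin/.htaccess";
    $lines = is_file($ht) ? file($ht, FILE_IGNORE_NEW_LINES) : [];
    $hasRequire = false;
    foreach ($lines as $line) {
        $line = trim($line);
        if (preg_match('/^<Limit\s+([^>]+)>/i', $line, $m)) {
            $findings[] = 'auth only applies to method(s): ' . trim($m[1]);
        } elseif (preg_match('/^AuthUserFile\s+"?([^"\s]+)/i', $line, $m)) {
            if (strpos($m[1], rtrim($docroot, '/') . '/') === 0) {
                $findings[] = 'AuthUserFile is inside the document root';
            }
        } elseif (preg_match('/^require\s+(user|valid-user)\b/i', $line)) {
            $hasRequire = true;
        }
    }
    if (!$hasRequire) {
        $findings[] = 'admin/.htaccess has no require directive';
    }
    return $findings;
}

// Constructed sample tree, laid out as in the thread: htdocs/catalog/...
$root    = sys_get_temp_dir() . '/osc_audit_' . uniqid();
$docroot = "$root/htdocs";
$catalog = "$docroot/catalog";
foreach (['install', 'includes', 'admin/includes'] as $dir) {
    mkdir("$catalog/$dir", 0755, true);
}
foreach (['includes', 'admin/includes'] as $dir) {
    file_put_contents("$catalog/$dir/configure.php", "<?php // sample\n");
    chmod("$catalog/$dir/configure.php", 0644);
}
file_put_contents("$catalog/admin/.htaccess",
    "AuthUserFile $docroot/etc/.htpasswd\nAuthName \"Admin\"\nAuthType Basic\n"
    . "<Limit GET>\nrequire user username\n</Limit>\n");

echo "Before:\n", implode("\n", audit_store($docroot, $catalog)), "\n";

// Apply the fixes discussed in the thread, then audit again.
rmdir("$catalog/install");
chmod("$catalog/includes/configure.php", 0400);
chmod("$catalog/admin/includes/configure.php", 0444);
file_put_contents("$catalog/admin/.htaccess",
    "AuthUserFile $root/.htpasswd\nAuthName \"Admin\"\nAuthType Basic\n"
    . "require valid-user\n");

echo "After:\n", implode("\n", audit_store($docroot, $catalog)), "\n";
```

To check a real store, call audit_store() with the account's own htdocs path and catalog path in place of the constructed tree.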
Jade Dragon
6-9-04, 02:07 PM
Actually the user doesn't need to use Limit at all.
In a couple days perhaps Stevel and I will go through and create a new sticky that concerns the changes powweb has recently made.
=)
Jade
In a couple days perhaps Stevel and I will go through and create a new sticky that concerns the changes powweb has recently made.
Cool!
I think the sticky thread below this one, started by natural and contributed to by me and a cast of thousands, is completely obsolete now. It looks like powweb's servers (at least the one I am on) is now setting the "HTTPS" environment variable now, so natural's code fixup is no longer necessary.
The new secure url's are nice. It would be good to have an example config file that uses them.
Thanks, Jade
Mike
Some more tips:
- Do not set the "Force Cookie Use" option under Sessions to true - that does not work on hosts with shared SSL, such as PowWeb
- Do set Prevent Spider Sessions to true. Replace the catalog/includes/spiders.txt with the one attached to this post
- Go into the Shipping/Packaging page in admin, set your postal code (zip code) and set the Tare Weight to 0
pdxhairball
9-6-04, 10:15 PM
so...I have installed everything using Fetch and I can now go to mywebpage/catalog/install and I see the install screen.
Duh... is the database server the same as my web server?
or
Am I already supposed to have set up some database somewhere with my online store?
(If the answer is #2, then this is going to be a lot harder than I thought...)
Jade Dragon
9-6-04, 10:19 PM
You create the database through OPS>>hosting package>>billing/Plan>> scroll to the bottom of page & click on mysql.
Then choose your database name.
Once that is done, you will be directed to the mysql tab. There is where you create your Database username and password. You will also see what mysql server you are on. Should read to something like mysql01.powweb.com (the '01' being replaced by the actual server number)
All that information is what you need to know for your installation of OSC.
:)
Jade
pdxhairball
9-6-04, 10:33 PM
hehe...right. OK gotcha.
pdxhairball
9-6-04, 11:37 PM
all right, now another thing.
Every time I try to chmod 444 the /catalog/includes/configure.php file in PowWeb FTP, it says "Chmod successful!" but when the screen refreshes, it has the old permissions. Fetch's FTP "Set Permissions" command did the same thing. What am I doing wrong?
pdxhairball
9-7-04, 12:06 AM
nevermind...I just used stevel's thingy and that worked.
another question: is it OK to just cut and paste Paul's .htaccess code into the .htaccess file that already exists inside my admin directory? there's other stuff already there and I don't want to mess it up.
jstover11
11-12-04, 10:17 AM
Hi - I tried creating the "protect.php" file with the chmod 444 and it does not seem to get rid of the error message I am having. I did try opening the file as suggested - do I have to wait for the changes to take effect? Alternatively, I like the "Protection of Configuration" oscommerce contribution. I notice there are 2 ways to download (which would be best?) and how would I install the Configure protection in my tools section on powweb. Sorry to be a novice.
Jeff
The protect.php takes effect immediately. If it did not work for you, you probably uploaded it to the wrong folder.
There are two download sites for contributions - the one on the left is best for the US, the one on the right is in Europe. You will get a zip file - open it and read the readme.txt inside for install instructions.
jstover11
11-13-04, 01:01 PM
Thanks for the info Steve. I did download and unzip protection.php but when I FTP this to powweb, I can only add the file to ...htdocs/catalog/admin and cannot access the protection.php to activate it.
My question is there a way to move files within powweb directories or how else should I upload this .php file into my catalog/admin file? Many thanks in advance.
Jeff
jstover11
11-16-04, 10:45 AM
I installed the Protection of Configuration file code and when I went to tools to write protect the files, I received this error message:
Fatal error: Cannot redeclare tep_db_connect() (previously declared in /www/m/mountboards/htdocs/osCommerce/catalog/admin/includes/functions/database.php:13) in /www/m/mountboards/htdocs/osCommerce/catalog/admin/includes/functions/database.php on line 13
How should I edit the database.php file? Thanks.
Jeff
mitchind
11-25-04, 12:28 PM
Thanks for the tip Steve...
Using an FTP client (or PowWeb's web-ftp), create a tmp directory in your package's root directory, alongside htdocs (not IN htdocs). Then change the cache directory setting in the admin panel to /www/u/username/tmp/ where "u/username" is replaced by the appropriate values for your package.
I was wondering if we should combine it with the shared webserver tip (http://forum.powweb.com/showthread.php?t=42021) - which talked about moving the /tmp directory to 3;/www/php
The message was regarding sessions but I think it applies here as well. I'm going to give it a try and see if anything blows up.
mitchind
11-25-04, 12:36 PM
Well ... that was quick.
I had no luck trying either 3;/www/php or /www/php;3
Both came back with error messages when I looked under Tools | Cache Control Error: Cache directory does not exist. Please set this Configuration->Cache.
Maybe there's some change needed inside the code? Or is it recommended we just stick to the hard coded path?
Jade Dragon
11-25-04, 12:57 PM
Read my post here. http://forum.powweb.com/showthread.php?t=43594
It will take care of sessions.
Turn Cache *off*
=)
Jade
mitchind
11-25-04, 01:22 PM
I use the MySQL sessions method.
The caching is used to speed up products/categories lookups.
In re: Paul's info on protecting osCommerce admin panel:
Is this still the best way to protect directories or has PowWeb since improved on having to create .htaccess files from scratch like this?
It seems that it should suffice to do it from Member Ops/Packages Tab/Site Tools Tab/.htaccess/Password Protection. Doesn't creating password protection automatically from there suffice? Or is it still necessary to do it the way Paul described a few years ago in order to get the best protection?
Thanks.
Since osCommerce provides a .htaccess I would just add my own authorization info. The OPS tool just creates its own.
"Since osCommerce provides a .htaccess I would just add my own authorization info. The OPS tool just creates its own."
Oh, I see- I think. (I am just starting to learn all this.) You're saying that osCommerce has a .htaccess separate and distinct from the OPS one. The OPS tool prevents unauthorized access to its files, and to protect the osCommerce files, you need to add the authorization info there as well.
So--o-o,I hypothesize:
I use Paul's information to set up a password prompt in the osCommerce .htaccess files. Then, each time anyone navigates to the URL for my shopping cart's catalog/admin pages, a prompt appears and a valid user name and password must be typed in before the pages can be opened. Correct?
So this is what protects those files from being accessed by anyone who isn't authorized? Otherwise, they are not as fully protected if I only have .htaccess set up in OPS??
Not quite. The OPS tool adds a .htaccess if you don't have one. I haven't used it, but it might be smart enough to add to one if you already have it. It's just a convenient way of filling in the info you need and putting the files in the right places. There are not two different .htaccess files.
If you add password protection for admin, then anyone trying to open a page in admin for the first time will be prompted for a username and password. If they don't supply a correct one, they can't open the page.
Paragliding
10-6-05, 12:53 AM
jeez... is there an easy way?
I thought the instant installer would sort things out pretty quickly.
Is there nothing that just requires me to answer configuration questions instead of recoding the whole lot myself?
Paragliding, I don't know what you are referring to. The initial installation process does ask you questions and fills in the configuration. What is it you want to change?
Paragliding
10-6-05, 06:09 PM
I'm referring to the fact that I tried to install an e-commerce package and could not get it to work.
When I followed the link that took me to the login page, the password I had created did not log me in.
I tried 3 different e-commerce packages before giving up.
I then found this thread about installing them and decided that they were not for the inexperienced, since I know very little about modifying scripts.
I was under the impression that these were supposed to be 'user friendly', 'non techy' solutions. They do not appear to be.
I will spend a few hours having another go before I give up.
Hi, Steve,
In re your post:
- Do set Prevent Spider Sessions to true. Replace the catalog/includes/spiders.txt with the one attached to this post
This php is above the list in the original file:
$Id: spiders.txt,v 1.2 2003/05/05 17:58:17 dgw_ Exp $
Does your replacement file get inserted below that, or is it OK to omit it?
Also, I don't see anything in your replacement file on ask jeeves. Is it OK to leave that one out?
Paragliding
10-6-05, 07:26 PM
Still trying, and getting somewhere.
I tried os Commerce again. This time it works. I did everything the same as I did before.
Not sure why it works this time. This is more like what I was expecting...
lots of form filling (even I can do that), requires no previous knowledge.
jjny, please get the latest spiders.txt from http://www.oscommerce.com/community/contributions,2455 This provides a spiders.txt file which replaces the one in catalog/includes. Subscribe to the announcement topic (http://forums.oscommerce.com/index.php?showtopic=112610) to get notice of updates.
It does detect the spider used by AskJeeves (Teoma).
Thanks for the very helpful further info. I subscribed to your excellent osCommerce contribution 2455.
You didn't say whether or not to omit the old php text. Please explain. There must be a reason it's there in the first place. Having just started, I have no idea why.
Would I want to change it to this?:
$Id: spiders.txt,Contribution version 2005-09-16 dgw_ Exp $
You would not want to retain it. It's there because ALL files from the distribution have version info in it. That line is ignored when spiders.txt is processed (and actually slows down the processing of the file.) I put my own version info at the end.
Simply copy the spiders.txt file from the contrib over the one that's already there.