Something I stumbled across when debugging something the other day.

osCommerce comes with default settings to use caching (so that it doesn't need to always query the database, which is a good thing) and to cache to /tmp (which is a bad thing). Caching to /tmp means that:

a) Anyone else could conceivably read your cached data. This isn't a huge deal, as the data osCommerce caches is just rendered HTML and not any confidential data.

b) If your osCommerce site isn't using SIDs, you may start picking up someone else's cached data (or someone else may be getting yours).

Case (b) is the one I debugged the other day. We had customers who were seeing someone else's manufacturer list because the manufacturer list doesn't use an SID when it's generated, and, thus, when it gets cached, doesn't have any unique identifier. So, if someone else's cached list gets created before yours, boom, you'll never see yours if you have USE_CACHE set to true and the cache dir set to /tmp.

We're going to fix this in our installer, but it's something to note for those of you who have osCommerce installs already. You'll want to check in your settings to see if you're using caching and where that path is set. Set it to your cgi-bin/tmp path and you'll be fine.
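
The collision in case (b), reproduced as an added shell sketch that is not osCommerce code: two sites cache a box under the same file name, first into one shared directory and then into per-site directories. The function names and the `manufacturers_box.cache` file name are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed simulation of the caching behaviour described above.
# Function names and the cache file name are hypothetical.

# cached_box CACHE_DIR SITE: serve the cached box if a file exists,
# otherwise render it for SITE and cache it.
cached_box() {
    cache_dir=$1
    site=$2
    # No SID or site identifier in the name, so every install that
    # points at the same directory resolves to the same file.
    cache_file="$cache_dir/manufacturers_box.cache"
    if [ ! -f "$cache_file" ]; then
        printf '<ul><li>%s manufacturers</li></ul>\n' "$site" > "$cache_file"
    fi
    cat "$cache_file"
}

# Both sites cache into one directory; prints what site-b is served.
shared_dir_demo() {
    work=$(mktemp -d) || return 1
    cached_box "$work" site-a >/dev/null   # site-a populates the cache first
    cached_box "$work" site-b              # site-b is handed site-a's file
    rm -rf "$work"
}

# Each site has its own cache directory; prints what site-b is served.
separate_dir_demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/a" "$work/b"
    cached_box "$work/a" site-a >/dev/null
    cached_box "$work/b" site-b
    rm -rf "$work"
}

# Succeeds if DIR is world-writable (as /tmp is), meaning other
# accounts on the host can create cache files there.
is_world_writable() {
    [ -n "$(find "$1" -prune -type d -perm -0002 2>/dev/null)" ]
}

echo "shared dir, site-b sees:    $(shared_dir_demo)"
echo "per-site dirs, site-b sees: $(separate_dir_demo)"
```

Running `is_world_writable` against the cache path from your own settings tells you whether the directory is a shared location of the kind described in the post.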