Osc Setup info : READ THIS FIRST

[Jade Dragon]

I'll be copying some information from another thread to here.

Main Application Site: http://www.oscommerce.com

Documentation: http://www.oscdox.com

Specific code editing: http://wiki.oscommerce.com/helpHowto When editing be prepared to spend a lot of time changing code. Especially if you want a very different look for your site from the stock installation of OSC.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OSCommerce is a full functional e-commerce application.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Options to remove "read error" at top of pages.

Quote:

Originally posted by stevel
1. Delete the install folder itself, not just the files in it.

2. Create a file called protect.php with the following contents:

Code:

<?php
chmod('includes/configure.php', 0444);
?>

Upload it to your catalog folder and then in a browser open protect.php on your site. It will set the protection. The only alternative seems to be to ask PowWeb support to set it for you.

I suggest also uploading this to your admin folder and opening that too. Once you have done this, you can delete the protect.php files.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Customizing OSCommerce.

Everything you want to do to effect changes within the OSCommerce package does require hand coding. This is very time consuming as many files need to be changed in order to have a uniform theme across your site.

To start with the basics look for the following.

To change logo look at /includes/header.php

header/footer/title are controlled by the /include/language files.

along with the welcome page at /includes/language/english/default.php

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GZIP Compression.

By turning this on you will have a compressed output to the user's browser. This also saves on bandwidth. You will need to change the /includes/application_top.php file in order to remove the ob_gzhandler error.

Look for

Code:

// if gzip_compression is enabled, start to buffer the output
  if ( (GZIP_COMPRESSION == 'true') && ($ext_zlib_loaded = extension_loaded('zlib')) && (PHP_VERSION >= '4') ) {
    if (($ini_zlib_output_compression = (int)ini_get('zlib.output_compression')) < 1) {
      if (PHP_VERSION >= '4.0.4') {
        ob_start('ob_gzhandler');
      } else {
        include(DIR_WS_FUNCTIONS . 'gzip_compression.php');
        ob_start();
        ob_implicit_flush();
      }
    } else {
      ini_set('zlib.output_compression_level', GZIP_LEVEL);
    }
  }

and replace with

Code:

// if gzip_compression is enabled, start to buffer the output
  if ( (GZIP_COMPRESSION == 'true') && ($ext_zlib_loaded = extension_loaded('zlib')) && (PHP_VERSION >= '4') ) {
    if (($ini_zlib_output_compression = (int)ini_get('zlib.output_compression')) < 1) {
      if (PHP_VERSION >= '4.0.4') {
		ob_end_clean();
        ob_start('ob_gzhandler');
      } else {
        include(DIR_WS_FUNCTIONS . 'gzip_compression.php');
        ob_start();
        ob_implicit_flush();
      }
    } else {
      ini_set('zlib.output_compression_level', GZIP_LEVEL);
    }
  }

~~~~~~~~~~~~~~~~~

Hope this helps everyone get started. I will be adding to this post as time permits.

=)
Jade

ok, I have no idea how to chmod

[evert]

ftp ftp.[domain]
[enter username]
[enter password]
[go to correct directory]
chmod [value] [filename]


It's that easy...

[Jade Dragon]

Brought over from the other thread, WenzlerPaul posted very good tip to protect your OSCommerce admin panel. This is also suggested on the OSCommerce site.

Quote:

Originally posted by WenzlerPaul
This is an advisory for osCommerce users regarding security, since Powweb Service automatically gives Writable permission to any subscriber. It can present vulnerability to some people using the tool.

The complete catalog includes an admin directory that is equipped with a File Manager under the Tools which can directly write files to the server without going through any FTP or Shell tool.

You will need to protect such directory (admin) with .htaccess so it will not be accessible to anyone. A good reference to this is on this link http://support.powweb.com/tutorials/...protection.php .

Another thing you might need to consider is that Powweb service is not set up to recognize default.php as a directory index and is capable of listing your directory content once an index.htm, index.html or index.php is not found. This also presents security risk. One way of working around this thing is by placing another .htaccess in the htdocs directory with an override option for DirectoryIndex including default.php as one of your startup file.

A complete walk through is at the bottom:

Step 1
Create a directory/folder inside your FTP Space called ETC or any folder name you wish to call it (this will contain the .passwd file)

Step 2
Create an .htaccess for your admin directory. (refer to the link above) or look at the code below.

AuthUserFile /www/u/username/.htpasswd
AuthGroupFile /dev/null
AuthName "Your Desired Login Message Goes Here"
AuthType Basic

<Limit GET>
require user username
</Limit>

For AuthUserFile, login to your Ops and look under HTTP (Website), you will see this line:
DocumentRoot: /www/u/username/htdocs

If you created a directory/folder inside your htdocs, the path should point like this:

/www/u/username/htdocs/etc/.htpasswd

You should directly follow the steps.

Step 3
Create the .htpasswd file. Use this link below to generate the needed info.
http://help.powweb.com/cgi-bin/crypt.cgi

Copy the information that was generated by the tool, paste it to a file named .htapsswd and directly upload it to the directory/folder you have created on Step 1.

Note: for Windows users, it is impossible to create a file starting with a dot, you can simply create a file named htaccess.txt, upoload it later then rename it through your FTP tool like WS_FTP PRO. For Linux or any Unix based OS users, this is not an issue.

Once you have accomplished this, upload the file .htaccess to any directory you want to protect. (Do not forget to rename both files to .htaccess and .htpasswd)

If you wish to add users to the login, repeat Step 3 and simply add any generated password to your file, do not forget to put them one line after another.

This is the complete step for the admin protection or any directory protection on your website.

Another issue is to set default.php as one of your startup file. to do this, create a separate .htaccess file with this code:

DirectoryIndex index.htm index.html index.php3 index.php default.html default.htm default.php index.cgi

It will actually depend on what startup files you want to add or remove. Upload this on your htdocs directory/folder and you are all set.

I also included sample files for you to just edit them according to your settings. Download the Sample Files Here

In case you need further assistance, you can directly email me at wenzlerpaul@yahoo.com

I hope this helps
Paul V. Barrera

Helps very much! Thanks!

Note to users: you can post your questions on the forum so answers can benefit all.

=)
Jade

Once the chmod of 444 had been made to the file,
will I still be able to add/drop products and
services etc... ?

Thanks,
Steve

[stevel]

Yes - the chmod protects the configure.php file itself, which you typically don't change once set up.

Hi!

I tried to change the logo in "header.php", but now a fatal error is appearing.

Can you help?

Read the earlier post I wrote in this section!

THANKS!

Jocelyn

Hey, Jade... thank you very much for your postings...
Helped me solve a few errors i didn't where the heck they were coming from...

nznl

[erodzen]

In Paul's directions for password protecting the admin folder:

Shouldn't this...

Quote:

If you created a directory/folder inside your htdocs, the path should point like this:

/www/u/username/htdocs/etc/.htpasswd

really be...


/www/u/username/.htpasswd

So that the password file is not accessible? That's where I have mine and I think (hope) it cannot be seen that way?

[tbonekkt]

As long as your reference to it from your htaccess file reflects where the htpasswd file is located, you can place it anywhere. But for security reasons, you should place it above htdocs. You can even rename it to something else as htpasswd is the common name and sometimes hackers search for that file specifically. Of course, you won't have to worry about that if you place it above htdocs.

Thanks for the method to remove the error message at the top of the catalog page.

You may view my site to see if there are any security concerns.

Thank you.

www.incomeasap.com/catalog/

www.incomeasap.com/oscommerce/catalog/

ty

Hello All,

I followed these directions to protect the admin directory in OSC but the path to the .htpasswd file seems to be wrong because when I enter my username and password it does not let me in. Is there a something obvious that I am missing. This is my path for the htpasswd file in htaccess:

AuthUserFile /www/me/meagain/htdocs/etc/.htpasswd
AuthGroupFile /dev/null
AuthName "Your Desired Login Message Goes Here"
AuthType Basic

<Limit GET>
require user username
</Limit>

Is there something else I could be doing wrong?
here is my link: http://topshelfwebdesigns.com/shop/catalog/admin


NYColt

[stevel]

In the line:

require user username

you are supposed to replace "username" with one of the users you defined in .htpasswd. (Don't feel bad, I made the same error starting out.)

Another option is to put:

require valid-user

This will accept any user listed in .htpasswd.

First of all, Jade thanks for the info on deleting the install directory and protecting my configure.php file.

I have two questions though. First, in order to protect the admin directory can I use the same "protect.php" file even though there is no "configure.php" file in that directory?

My second question is the biggest one. I looked at the "header.php" file, and I can't begin to figure out how to change it. I tried to access the documentation file indicated above at http://www.oscdox.com, but the pages with the info on them would not load. Can someone hold an idots hand and explain exactly what I need to change in the "header.php" file, or at least recommend somewhere where I can read up on personalizing my osCommerce? Any help would be greatly appreciated!

[stevel]

There is indeed a configure.php under admin - in admin/includes. It also needs to be protected.

I'm away from my local files right now, but the main thing to change in header.php is where it includes the osCommerce graphic in the upper left of the page. It may also set the page title here. Change the code as you require (which may be a simple substitute of the image. Don't forget to also change the ALT tag, which is supplied as one of the arguments to tep_image.

I was able to locate the 'configure.php' file in admin and protect it. I was able to change the graphic in the top left of the page, however I'm getting an error. Even when I disabled my changes, I'm still getting the error.

The original code was "<?php echo tep_image(DIR_WS_IMAGES . 'oscommerce.gif', 'oscommerce.com', '204', '50'); ?>", and I changed it to "<?php echo tep_image(DIR_WS_IMAGES . 'de.gif', 'Dargan Enterprises', '204', '50'); ?>.

The graphic comes up, but then I get an error message:

"Fatal error: Call to undefined function: tep_catalog_href_link() in /www/d/dargane/htdocs/osCommerce/catalog/includes/header.php on line 20"

Even when I reversed my changes, I still get the error. I didn't even change the code where the fatal error is. Can you or anyone help?

[dizzyd]

I've tried everything i've read in this thread for the .htaccess and .htpasswd, and still no luck. This is what i have:

AuthUserFile /www/me/meagain/.htpasswd
AuthGroupFile /dev/null
AuthName "Your Desired Login Message Goes Here"
AuthType Basic

<Limit GET>
require valid-user
</Limit>

~and my .htpasswd is:

myusername:myencryptedpasswd

Doesn't that look right?
each time i go to the file i want protected, i get the pop-up, but when i put in my password it just pops up again.

[stevel]

Well, assuming that by /me/ you mean /m/ (the first letter of your master username), it looks ok. Is .htpasswd at the top level of your FTP root? (Same folder htdocs is in?) Are you sure you have the password right?

[dizzyd]

QUOTE]Well, assuming that by /me/ you mean /m/ (the first letter of your master username), it looks ok. Is .htpasswd at the top level of your FTP root? (Same folder htdocs is in?) Are you sure you have the password right?[/quote]

Yes it is the first letter in the master username, and yes the .htpasswd is at the top level, and i have redone the password several times..... I just dont get it. So i am just going to delete both files and start again. Thank you for your help.

Dave
http://www.DizzyDProductions.com

[stevel]

osCommerce has a "cache" feature which, if enabled, saves copies of various "boxes" (such as a Categories list) in a file, the idea being that these boxes don't need to be recreated on every visit to the page. The file names are based on the type of box and the products_id or cPath number of the page where the box is to appear. This can improve performance, especially for sites that are frequently accessed.

From what I can gather, the cached boxes "expire" after an hour after which they are replaced by recreated versions.

You enable the cache through the admin panel, configuration, Cache.

WARNING!!!

If you enable the Cache option, you MUST change the cache directory! The default is /tmp, which is a common directrory shared among all users on the server. If you don't change this, your store will "pick up" cached boxes from other stores on the same server!

Using an FTP client (or PowWeb's web-ftp), create a tmp directory in your package's root directory, alongside htdocs (not IN htdocs). Then change the cache directory setting in the admin panel to /www/u/username/tmp/ where "u/username" is replaced by the appropriate values for your package.

[dizzyd]

What's the purpose of doing that???

[stevel]

The purpose of enabling the cache is to make pages in your web store appear quicker - this can be helpful if you get a lot of visitors. The primary point of my note was to say that IF you enable the cache, be sure to configure a private cache directory rather than use the default.

[stevel]

I got tired of explaining how to set the protection of the configure.php files (and how to update the files once protected), so I created the feature that should have been in osC to begin with.

http://www.oscommerce.com/community/contributions,2137

Couple of things:
To make your configuration file read only, I sugesst chmod to 400 instead of the previously suggested 444. 400 means read only for you, and no access at all for any other user. This works on powweb because they use the suexec apache module to run your scripts with your user id. It might not work on other servers with different setups.

When setting up htaccess, you probably are trying to limit access. period. not just limit access via the "GET" method. In that case you want to use:
<Limit>
require user username
</Limit>
rather than the previously suggested:
<Limit GET>
require user username
</Limit>

I do not know for a fact that "limit GET" is a security hole, but I do not know that it is not either. Better to follow the advice in the Apache manual and use simple limit directives unless you have a good reason not to.

Mike

[Jade Dragon]

Actually the user doesn't need to use Limit at all.

In a couple days perhaps Stevel and I will go through and create a new sticky that concerns the changes powweb has recently made.

=)
Jade

Quote:

Originally Posted by Jade Dragon

In a couple days perhaps Stevel and I will go through and create a new sticky that concerns the changes powweb has recently made.

Cool!

I think the sticky thread below this one, started by natural and contributed to by me and a cast of thousands, is completly obsolete now. It looks like powweb's servers (at least the one I am on) is now setting the "HTTPS" environment variable now, so natural's code fixup is no longer necessary.

The new secure url's are nice. It would be good to have an example config file that uses them.

Thanks, Jade

Mike

[stevel]

Some more tips:

- Do not set the "Force Cookie Use" option under Sessions to true - that does not work on hosts with shared SSL, such as PowWeb
- Do set Prevent Spider Sessions to true. Replace the catalog/includes/spiders.txt with the one attached to this post
- Go into the Shipping/Packaging page in admin, set your postal code (zip code) and set the Tare Weight to 0

so...I have installed everything using Fetch and I can now go to mywebpage/catalog/install and I see the install screen.

Duh... is the database server the same as my web server?

or

Am I already supposed to have set up some database somewhere with my online store?

(If the answer is #2, then this is going to be a lot harder than I thought...)

[Jade Dragon]

You create the database through OPS>>hosting package>>billing/Plan>> scroll to the bottom of page & click on mysql.

Then chose your database name.

once that is done, you will be directed to the mysql tab, There is where you create your Database username and password. You will also see what mysql server you are on. Should read to something like mysql01.powweb.com (the '01' being replaced by the actual server number)

All that information is what you need to know for your installation of OSC.


Jade

hehe...right. OK gotcha.

all right, now another thing.

Everytime I try to chmod 444 the /catalog/includes/configure.php file in PowWeb FTP, it says "Chmod successful!" but when the screen refreshes, it has the old permissions. Fetch's FTP "Set Permissions" command did the same thing. What am I doing wrong?

nevermind...I just used stevel's thingy and that worked.

another question: is it OK to just cut and paste Paul's .htaccess code into the .htaccess file that already exists inside my admin directory? there's other stuff already there and I don't want to mess it up.

[stevel]

Yes, you can do that.

Hi - I tried creating the "protect.php" file with the chmod 444 and it does not seem to get rid of the error message I am having. I did try opening the file as suggested - do I have to wait for the changes to take effect? Alternatively, I like the "Protection of Configuration" oscommerce contribution. I notice there are 2 ways to download (which would be best?) and how would I install the Configure protection in my tools section on powweb. Sorry to be a novice.

Jeff