Burts AIS, osCommerce & More Blog
New URL: www.osworld.biz

Thursday, July 28, 2005

The dreaded Price Bug - fix your osC Shop today!

osCommerce suffers from a very serious bug: any shop that has not been patched can be manipulated to obtain products and services free of charge. This is not a major hassle for those shop owners who check each and every order before sending, but for those who sell downloadable products and those who don't check orders closely, you are shafted! The bug cannot be seen here, but if you append this to the URL: &currency=usD this is what happens. Now you can buy that product for ZERO! and you can continue browsing the rest of the shop as all the other products will also cost zero. That, my friends, is how to get free of charge products! GOOD NEWS! There is a solution:

The appropriate fix for this is on the database side, because the root cause is a MySQL feature: by default MySQL compares CHAR columns case-insensitively, so a lookup for the code usD matches the USD row even though the shop's own currency table only knows USD. The column should have been created with the BINARY attribute. You can modify the column using the following statement: alter table currencies modify code char(3) binary not null default ''; After that MySQL will only do a binary (case-sensitive) comparison, and a request for usD is no longer accepted as a valid currency. You can read more at the MySQL site...
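To make the failure mode concrete, here is a small model of the mechanism the post describes: the shop validates the requested currency code with a database comparison, stores the raw request value, and then uses that value as a key into a case-sensitive PHP array of exchange rates. This is an added, constructed example, not osCommerce's or the author's code. SQLite stands in for MySQL: COLLATE NOCASE imitates MySQL's default case-insensitive CHAR comparison, and the default BINARY collation imitates the column after the ALTER TABLE ... BINARY fix above. The table contents, function names and the base-price value are all assumptions made for the illustration.

```python
"""Model of the osCommerce currency-code price bug and its database-side fix.

Constructed example, not osCommerce code. SQLite replaces MySQL:
  COLLATE NOCASE  -> MySQL's default case-insensitive CHAR comparison (vulnerable)
  COLLATE BINARY  -> the column after `alter table currencies modify code char(3) binary ...`
"""
import sqlite3

# Constructed sample data: currency code -> multiplier against the shop's base currency.
SAMPLE_CURRENCIES = [("USD", 1.0), ("EUR", 0.8)]


def build_shop(case_insensitive_codes: bool) -> sqlite3.Connection:
    """Create an in-memory currencies table with the chosen comparison rule."""
    collation = "NOCASE" if case_insensitive_codes else "BINARY"
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE currencies ("
        f"  code CHAR(3) COLLATE {collation} NOT NULL DEFAULT '',"
        f"  value REAL NOT NULL)"
    )
    conn.executemany("INSERT INTO currencies (code, value) VALUES (?, ?)", SAMPLE_CURRENCIES)
    return conn


def select_currency(conn: sqlite3.Connection, requested: str, default: str = "USD") -> str:
    """Mimic the shop's check that a requested code exists before storing it in the session.

    The comparison runs inside the database under the column's collation.  The fault line
    is that the *raw request value* is kept when a row matches, not the code stored in the row.
    """
    row = conn.execute("SELECT code FROM currencies WHERE code = ?", (requested,)).fetchone()
    return requested if row else default


def load_rates(conn: sqlite3.Connection) -> dict:
    """Load the rate table into a dict keyed by code, as the shop keeps it in a PHP array."""
    return {code: value for code, value in conn.execute("SELECT code, value FROM currencies")}


def display_price(base_price: float, rates: dict, session_currency: str) -> float:
    """PHP array keys are case-sensitive; a missing key yields null, which arithmetic treats as 0."""
    return base_price * rates.get(session_currency, 0)


def price_for_request(base_price: float, requested: str, case_insensitive_codes: bool) -> float:
    """End-to-end: validate the requested code, then price an item in that currency."""
    conn = build_shop(case_insensitive_codes)
    session_currency = select_currency(conn, requested)
    return display_price(base_price, load_rates(conn), session_currency)


if __name__ == "__main__":
    # Vulnerable shop: 'usD' passes the NOCASE check but misses the 'USD' key -> price 0.0
    print("unpatched, ?currency=usD:", price_for_request(10.0, "usD", case_insensitive_codes=True))
    # Patched shop: 'usD' fails the BINARY check, falls back to the default currency -> 10.0
    print("patched,   ?currency=usD:", price_for_request(10.0, "usD", case_insensitive_codes=False))
```

The point the model makes is that the validation step and the lookup step must agree on what "equal" means; the BINARY column makes the database as strict as the array lookup that follows it, so the only codes that reach the session are ones the rate table actually contains.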
If you are unsure how to do this, I can check your Store for you and make the necessary changes for a very small (beer) fee! Get in touch by email: shop AT oscbooks.com

New URL: www.osworld.biz - thanks!

6 Comments:

At 7/28/2005 10:56:00 AM, Blogger WizardsandWars said...

One thing I'd like to mention, regarding this bug, is that even though you can set all prices to 0 in the store, I have yet to find a payment module that is susceptible to it, other than the 'COD', 'Check/Money Order' or 'stock CC' methods. In other words, you can set the price to zero, but unless one of those payment methods is installed, you won't be able to checkout.

Payment methods I've tested for this bug are PayPal, PayPal IPN, authorize.net (AIM and SIM), WorldPay, paysec, 2Checkout, and ProPay. None of these methods allow you to checkout with a $0 product total before shipping.

I certainly don't mean to trivialize this bug, I just found it interesting that it looks a lot scarier to shop owners than it might actually be.

 
At 7/28/2005 11:16:00 AM, Blogger Gary B. said...

Hey W&W. You can definitely checkout on zero prices using the standard PayPal as someone did that to a client of mine (he wasn't a client when this happened)...though it does take an extra little bit of knowledge to do this...

I haven't tested the others that you mention though!

It's still worth fixing as it is a nasty bug.

 
At 7/28/2005 01:09:00 PM, Blogger WizardsandWars said...

..though it does take an extra little bit of knowledge to do this...

Yes, I'll agree with you there, but technically that's a different 'bug'. I remember that post, and was surprised to find out about that one as well.

Needless to say, the best thing to do is to install the PayPal IPN module, and add this fix as Burt suggests.

Nice article, Burt!

 
At 7/28/2005 01:39:00 PM, Blogger devosc said...

This comment has been removed by a blog administrator.

 
At 7/28/2005 02:02:00 PM, Blogger Gary B. said...

Ah, that's interesting - I'll have another look at the code!

Cheers guys.

 
At 7/28/2005 02:15:00 PM, Blogger devosc said...

Hi Gary,

Couldn't edit the previous post and wasn't happy with the way it was worded...

The problem I had was due to the LANGUAGE_CURRENCY being specified in the language files; on the second page request the prices then dropped to zero.

application_top.php around line 310
------------------
//$currency = (USE_DEFAULT_LANGUAGE_CURRENCY == 'true') ? LANGUAGE_CURRENCY : DEFAULT_CURRENCY;
$currency = (USE_DEFAULT_LANGUAGE_CURRENCY == 'true') ? ((tep_session_is_registered('currency') && !empty($currency)) ? $currency : LANGUAGE_CURRENCY) : DEFAULT_CURRENCY;

 
