stamattina una brutta sorprea....

Postate qui discussioni di carattere generale riguardo a problemi di installazione e configurazione di osCommerce

Moderatore: mod Generali

membro Baby
membro Baby
Messaggi: 91
Iscritto il: 20/03/2008, 14:53

stamattina una brutta sorprea....

Messaggio da YARYZ »

Ciao Ragazzi,ho bisogno del vostro aiuto.Fino a venerdi il mio sito funzionava alla perfezione,mentre stamattina mi accorgo che va in errore

Fatal error: Call to a member function on a non-object in

.../home/includes/application_top.php on line 320 che sarebbe la riga

in giro ho trovato questa soluzione

// navigation history
if (tep_session_is_registered('navigation')) {
if (PHP_VERSION < 4) {
$broken_navigation = $navigation;
$navigation = new navigationHistory;
} else {
$navigation = new navigationHistory;

Replace it with this
CODE// navigation history
if (tep_session_is_registered('navigation')) {
if (PHP_VERSION < 4) {
$broken_navigation = $navigation;
$navigation = new navigationHistory;
} else {
$navigation = new navigationHistory;
} else {
$navigation = new navigationHistory;

e diciamo che fino a qua funziona nuovamente, ma mi accorgo che facendo il login con un account prova mi ritorna semore all' homepage e non mi fa accedere.

sto impazzendo :cry:

Può essere che i signori di Aruba stiano facendo modifiche???

sto su hosting linux
mysql 5
php 4.4.7
membro Junior
membro Junior
Messaggi: 14
Iscritto il: 05/07/2008, 9:18

Messaggio da raffy-raffy »

Mi sa che sei nei guai come me , da quando tophost e passato da 4 a 5 , non mi funzionano diverse cose
membro Baby
membro Baby
Messaggi: 91
Iscritto il: 20/03/2008, 14:53

Messaggio da YARYZ »

non so che fare e a chi rivolgermi!

quelli di aruba nemmeno rispondono!

qualcuno può aiutarmi??
Avatar utente
Messaggi: 1199
Iscritto il: 23/12/2002, 1:00
Località: Italy

Messaggio da hozone »

per risolvere compatibilità php e mysql 4 -> 5
su oscommerce 2.2 ms2 (che credo sia proprio ciò che avete voi)

scaricate l'ultima milestone 2.2, dentro troverete il file per bugfix e upgrade.
per evitarvi il lavoro di ricerca lo riporto nel post.

buon lavoro ;)

Codice: Seleziona tutto

osCommerce 2.2 Milestone 2 Update 060817
Update Package 17th August 2006

Table of Contents

## Update 060817 (17th August 2006)

Magic Quotes Compatibility Layer Fix
Parse GET Variables In Cache Functions
PHP 3 Session ID XSS Issue
Product Attributes SQL Injection
Resize Images To Round Numbers
Use The Correct Country Name Value When Formatting Addresses
Prevent The Session ID Being Passed In Tell-A-Friend E-Mails
Properly Remove Deleted Products That Exist In Shopping Carts

## Update 051113 (13th November 2005)

customer_country_id in addressbook

## Update 051112 (12th November 2005)

Cannot re-assign $this
limit -20, 20
Database Input Enhancement
Adding Non-Existing Products To Cart
Session ID XSS Issue
Validate Session ID
File Manager Problem
HTTP Header Injection
E-Mail Header Injection
Contact Us Form XSS Issue
Open Redirector
Extra Slashes In New Products
Order Status Filtering
MySQL 5.0 Compatibility

###### Update 060817 ######

Magic Quotes Compatibility Layer Fix,1435


The Magic Quotes compatibility layer does not parse arrays within the GET/POST/COOKIE scope that can be used to inject SQL into database queries.


The following lines must be replaced in catalog/includes/functions/compatibility.php:

Lines 22-23, from:

if (is_array($value)) {


if (is_array($ar[$key])) {

The following lines must be replaced in catalog/admin/includes/functions/compatibility.php:

Lines 22-23, from:

if (is_array($value)) {


if (is_array($ar[$key])) {

Parse GET Variables In Cache Functions


The GET variables used in caching functions are not parsed.


The following lines must be replaced in catalog/includes/functions/cache.php:

Line 121, from:

if (isset($HTTP_GET_VARS['manufactuers_id']) && tep_not_null($HTTP_GET_VARS['manufacturers_id'])) {


if (isset($HTTP_GET_VARS['manufactuers_id']) && is_numeric($HTTP_GET_VARS['manufacturers_id'])) {

Lines 142-148, from:

if (($refresh == true) || !read_cache($cache_output, 'also_purchased-' . $language . '.cache' . $HTTP_GET_VARS['products_id'], $auto_expire)) {
  $cache_output = ob_get_contents();
  write_cache($cache_output, 'also_purchased-' . $language . '.cache' . $HTTP_GET_VARS['products_id']);


$cache_output = '';

if (isset($HTTP_GET_VARS['products_id']) && is_numeric($HTTP_GET_VARS['products_id'])) {
  if (($refresh == true) || !read_cache($cache_output, 'also_purchased-' . $language . '.cache' . $HTTP_GET_VARS['products_id'], $auto_expire)) {
    $cache_output = ob_get_contents();
    write_cache($cache_output, 'also_purchased-' . $language . '.cache' . $HTTP_GET_VARS['products_id']);

PHP 3 Session ID XSS Issue


The session ID in the PHP 3 compatibility layer is not being parsed.


The following lines must be added in catalog/includes/classes/sessions.php:

Line 380:

if (!empty($session->id)) {
  if (preg_match('/^[a-zA-Z0-9]+$/', $session->id) == false) {

Product Attributes SQL Injection


With the failure of arrays not being parsed by the magic_quotes_gpc compatibility layer, it is possible to inject SQL into database queries.


The following lines must be replaced in catalog/includes/classes/shopping_cart.php:

Line 84, from:

if (is_numeric($products_id) && is_numeric($qty)) {


$attributes_pass_check = true;

if (is_array($attributes)) {
  while (list($option, $value) = each($attributes)) {
    if (!is_numeric($option) || !is_numeric($value)) {
      $attributes_pass_check = false;

if (is_numeric($products_id) && is_numeric($qty) && ($attributes_pass_check == true)) {

Line 125, from:

if (is_numeric($products_id) && isset($this->contents[$products_id_string]) && is_numeric($quantity)) {


$attributes_pass_check = true;

if (is_array($attributes)) {
  while (list($option, $value) = each($attributes)) {
    if (!is_numeric($option) || !is_numeric($value)) {
      $attributes_pass_check = false;

if (is_numeric($products_id) && isset($this->contents[$products_id_string]) && is_numeric($quantity) && ($attributes_pass_check == true)) {

The following lines must be replaced in catalog/shopping_cart.php:

Lines 84-85, from:

where pa.products_id = '" . $products[$i]['id'] . "'
and pa.options_id = '" . $option . "'


where pa.products_id = '" . (int)$products[$i]['id'] . "'
and pa.options_id = '" . (int)$option . "'

Line 87, from:

and pa.options_values_id = '" . $value . "'


and pa.options_values_id = '" . (int)$value . "'

Lines 89-90, from:

and popt.language_id = '" . $languages_id . "'
and poval.language_id = '" . $languages_id . "'");


and popt.language_id = '" . (int)$languages_id . "'
and poval.language_id = '" . (int)$languages_id . "'");

Resize Images To Round Numbers,1371


The image resizing logic may result in decimal numbers which the HTML specification does not allow.


The following lines must be replaced in catalog/includes/functions/html_output.php:

Line 91, from:

$width = $image_size[0] * $ratio;


$width = intval($image_size[0] * $ratio);

Line 94, from:

$height = $image_size[1] * $ratio;


$height = intval($image_size[1] * $ratio);

Use The Correct Country Name Value When Formatting Addresses,1291


Depending on the values passed to tep_address_format(), an array value could be used as the country name instead of a string value.


The following line must be replaced in catalog/includes/functions/general.php:

Line 453, from:

$country = tep_output_string_protected($address['country']);


$country = tep_output_string_protected($address['country']['title']);

The following line must be removed:

Line 483:

if ($country == '') $country = tep_output_string_protected($address['country']);

Prevent The Session ID Being Passed In Tell-A-Friend E-Mails,3986


If the customer has cookies disabled their session ID may exist in the store URL used in tell-a-friend emails.


The following line must be replaced in catalog/tell_a_friend.php:

Line 77, from:

$email_body .= sprintf(TEXT_EMAIL_LINK, tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id'])) . "\n\n" .


$email_body .= sprintf(TEXT_EMAIL_LINK, tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id'], 'NONSSL', false)) . "\n\n" .

Properly Remove Deleted Products That Exist In Shopping Carts,3193


Deleting products via the Administration Tool would not successfully remove the product from customers shopping carts if the product had attributes.


The following lines must be replaced in catalog/admin/includes/functions/general.php:

Lines 900-901, from:

tep_db_query("delete from " . TABLE_CUSTOMERS_BASKET . " where products_id = '" . (int)$product_id . "'");
tep_db_query("delete from " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . " where products_id = '" . (int)$product_id . "'");


tep_db_query("delete from " . TABLE_CUSTOMERS_BASKET . " where products_id = '" . (int)$product_id . "' or products_id like '" . (int)$product_id . "{%'");
tep_db_query("delete from " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . " where products_id = '" . (int)$product_id . "' or products_id like '" . (int)$product_id . "{%'");

###### Update 051113 ######

customer_country_id in addressbook,1662


When the customer updates their address in the My Account page, their country value is being stored in an incorrect variable that can cause an incorrect tax rate value being used in product prices.


The following lines must be replaced in catalog/address_book_process.php:

Line 150, from:

$customer_country_id = $country_id;


$customer_country_id = $country;

Line 171, from:

$customer_country_id = $country_id;


$customer_country_id = $country;

###### Update 051112 ######

Cannot re-assign $this,1650


Fatal error: Cannot re-assign $this in /path/to/catalog/admin/includes/classes/upload.php on line 31


Lines 27-34 in catalog/admin/includes/classes/upload.php must be changed from:

if ( ($this->parse() == true) && ($this->save() == true) ) {
  return true;
} else {
// self destruct
  $this = null;

  return false;


if ( ($this->parse() == true) && ($this->save() == true) ) {
  return true;
} else {
  return false;

limit -20, 20,1605


1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-20, 20' at line 1


Line 67 in catalog/includes/classes/split_page_results.php must be changed from:

$this->sql_query .= " limit " . $offset . ", " . $this->number_of_rows_per_page;


$this->sql_query .= " limit " . max($offset, 0) . ", " . $this->number_of_rows_per_page;

Line 38 in catalog/admin/includes/classes/split_page_results.php must be changed from:

$sql_query .= " limit " . $offset . ", " . $max_rows_per_page;


$sql_query .= " limit " . max($offset, 0) . ", " . $max_rows_per_page;

Database Input Enhancement


Native MySQL functions should be used in preference to the addslashes() function, to properly protect the SQL queries being executed on the database server.


The following function must be replaced in catalog/includes/functions/database.php.

Lines 126-128, from:

function tep_db_input($string) {
  return addslashes($string);


function tep_db_input($string, $link = 'db_link') {
  global $$link;

  if (function_exists('mysql_real_escape_string')) {
    return mysql_real_escape_string($string, $$link);
  } elseif (function_exists('mysql_escape_string')) {
    return mysql_escape_string($string);

  return addslashes($string);

The following function must be replaced in catalog/admin/includes/functions/database.php.

Lines 130-132, from:

function tep_db_input($string) {
  return addslashes($string);


function tep_db_input($string, $link = 'db_link') {
  global $$link;

  if (function_exists('mysql_real_escape_string')) {
    return mysql_real_escape_string($string, $$link);
  } elseif (function_exists('mysql_escape_string')) {
    return mysql_escape_string($string);

  return addslashes($string);

Adding Non-Existing Products To Cart,1617


It is possible to add non-existing products into the shopping cart which may prevent customers from removing the products from their cart.


The following functions must be replaced in catalog/includes/functions/general.php.

Lines 912-921, from:

function tep_get_uprid($prid, $params) {
  $uprid = $prid;
  if ( (is_array($params)) && (!strstr($prid, '{')) ) {
    while (list($option, $value) = each($params)) {
      $uprid = $uprid . '{' . $option . '}' . $value;

  return $uprid;


function tep_get_uprid($prid, $params) {
  if (is_numeric($prid)) {
    $uprid = $prid;

    if (is_array($params) && (sizeof($params) > 0)) {
      $attributes_check = true;
      $attributes_ids = '';

      while (list($option, $value) = each($params)) {
        if (is_numeric($option) && is_numeric($value)) {
          $attributes_ids .= '{' . (int)$option . '}' . (int)$value;
        } else {
          $attributes_check = false;

      if ($attributes_check == true) {
        $uprid .= $attributes_ids;
  } else {
    $uprid = tep_get_prid($prid);

    if (is_numeric($uprid)) {
      if (strpos($prid, '{') !== false) {
        $attributes_check = true;
        $attributes_ids = '';

// strpos()+1 to remove up to and including the first { which would create an empty array element in explode()
        $attributes = explode('{', substr($prid, strpos($prid, '{')+1));

        for ($i=0, $n=sizeof($attributes); $i<$n; $i++) {
          $pair = explode('}', $attributes[$i]);

          if (is_numeric($pair[0]) && is_numeric($pair[1])) {
            $attributes_ids .= '{' . (int)$pair[0] . '}' . (int)$pair[1];
          } else {
            $attributes_check = false;

        if ($attributes_check == true) {
          $uprid .= $attributes_ids;
    } else {
      return false;

  return $uprid;

Lines 925-929, from:

function tep_get_prid($uprid) {
  $pieces = explode('{', $uprid);

  return $pieces[0];


function tep_get_prid($uprid) {
  $pieces = explode('{', $uprid);

  if (is_numeric($pieces[0])) {
    return $pieces[0];
  } else {
    return false;

The following functions must be replaced in catalog/includes/classes/shopping_cart.php.

Lines 78-108, from:

function add_cart($products_id, $qty = '1', $attributes = '', $notify = true) {
  global $new_products_id_in_cart, $customer_id;

  $products_id = tep_get_uprid($products_id, $attributes);
  if ($notify == true) {
    $new_products_id_in_cart = $products_id;

  if ($this->in_cart($products_id)) {
    $this->update_quantity($products_id, $qty, $attributes);
  } else {
    $this->contents[] = array($products_id);
    $this->contents[$products_id] = array('qty' => $qty);
// insert into database
    if (tep_session_is_registered('customer_id')) tep_db_query("insert into " . TABLE_CUSTOMERS_BASKET . " (customers_id, products_id, customers_basket_quantity, customers_basket_date_added) values ('" . (int)$customer_id . "', '" . tep_db_input($products_id) . "', '" . $qty . "', '" . date('Ymd') . "')");

    if (is_array($attributes)) {
      while (list($option, $value) = each($attributes)) {
        $this->contents[$products_id]['attributes'][$option] = $value;
// insert into database
        if (tep_session_is_registered('customer_id')) tep_db_query("insert into " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . " (customers_id, products_id, products_options_id, products_options_value_id) values ('" . (int)$customer_id . "', '" . tep_db_input($products_id) . "', '" . (int)$option . "', '" . (int)$value . "')");

// assign a temporary unique ID to the order contents to prevent hack attempts during the checkout procedure
  $this->cartID = $this->generate_cart_id();


function add_cart($products_id, $qty = '1', $attributes = '', $notify = true) {
  global $new_products_id_in_cart, $customer_id;

  $products_id_string = tep_get_uprid($products_id, $attributes);
  $products_id = tep_get_prid($products_id_string);

  if (is_numeric($products_id) && is_numeric($qty)) {
    $check_product_query = tep_db_query("select products_status from " . TABLE_PRODUCTS . " where products_id = '" . (int)$products_id . "'");
    $check_product = tep_db_fetch_array($check_product_query);

    if (($check_product !== false) && ($check_product['products_status'] == '1')) {
      if ($notify == true) {
        $new_products_id_in_cart = $products_id;

      if ($this->in_cart($products_id_string)) {
        $this->update_quantity($products_id_string, $qty, $attributes);
      } else {
        $this->contents[$products_id_string] = array('qty' => $qty);
// insert into database
        if (tep_session_is_registered('customer_id')) tep_db_query("insert into " . TABLE_CUSTOMERS_BASKET . " (customers_id, products_id, customers_basket_quantity, customers_basket_date_added) values ('" . (int)$customer_id . "', '" . tep_db_input($products_id_string) . "', '" . (int)$qty . "', '" . date('Ymd') . "')");

        if (is_array($attributes)) {
          while (list($option, $value) = each($attributes)) {
            $this->contents[$products_id_string]['attributes'][$option] = $value;
// insert into database
            if (tep_session_is_registered('customer_id')) tep_db_query("insert into " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . " (customers_id, products_id, products_options_id, products_options_value_id) values ('" . (int)$customer_id . "', '" . tep_db_input($products_id_string) . "', '" . (int)$option . "', '" . (int)$value . "')");


// assign a temporary unique ID to the order contents to prevent hack attempts during the checkout procedure
      $this->cartID = $this->generate_cart_id();

Lines 110-127, from:

function update_quantity($products_id, $quantity = '', $attributes = '') {
  global $customer_id;

  if (empty($quantity)) return true; // nothing needs to be updated if theres no quantity, so we return true..

  $this->contents[$products_id] = array('qty' => $quantity);
// update database
  if (tep_session_is_registered('customer_id')) tep_db_query("update " . TABLE_CUSTOMERS_BASKET . " set customers_basket_quantity = '" . $quantity . "' where customers_id = '" . (int)$customer_id . "' and products_id = '" . tep_db_input($products_id) . "'");

  if (is_array($attributes)) {
    while (list($option, $value) = each($attributes)) {
      $this->contents[$products_id]['attributes'][$option] = $value;
// update database
      if (tep_session_is_registered('customer_id')) tep_db_query("update " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . " set products_options_value_id = '" . (int)$value . "' where customers_id = '" . (int)$customer_id . "' and products_id = '" . tep_db_input($products_id) . "' and products_options_id = '" . (int)$option . "'");


function update_quantity($products_id, $quantity = '', $attributes = '') {
  global $customer_id;

  $products_id_string = tep_get_uprid($products_id, $attributes);
  $products_id = tep_get_prid($products_id_string);

  if (is_numeric($products_id) && isset($this->contents[$products_id_string]) && is_numeric($quantity)) {
    $this->contents[$products_id_string] = array('qty' => $quantity);
// update database
    if (tep_session_is_registered('customer_id')) tep_db_query("update " . TABLE_CUSTOMERS_BASKET . " set customers_basket_quantity = '" . (int)$quantity . "' where customers_id = '" . (int)$customer_id . "' and products_id = '" . tep_db_input($products_id_string) . "'");

    if (is_array($attributes)) {
      while (list($option, $value) = each($attributes)) {
        $this->contents[$products_id_string]['attributes'][$option] = $value;
// update database
        if (tep_session_is_registered('customer_id')) tep_db_query("update " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . " set products_options_value_id = '" . (int)$value . "' where customers_id = '" . (int)$customer_id . "' and products_id = '" . tep_db_input($products_id_string) . "' and products_options_id = '" . (int)$option . "'");

Session ID XSS Issue,1546


A cross site scripting issue exists with malformed session IDs being used in the tep_href_link() function.


Line 66 in catalog/includes/functions/html_output.php must be changed from:

$link .= $separator . $_sid;


$link .= $separator . tep_output_string($_sid);

Validate Session ID


Validate the session ID and redirect to the front page when an invalid session ID is requested.


The following function must be replaced in catalog/includes/functions/sessions.php.

Lines 66-68, from:

function tep_session_start() {
  return session_start();


function tep_session_start() {

  $sane_session_id = true;

  if (isset($HTTP_GET_VARS[tep_session_name()])) {
    if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_GET_VARS[tep_session_name()]) == false) {

      $sane_session_id = false;
  } elseif (isset($HTTP_POST_VARS[tep_session_name()])) {
    if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_POST_VARS[tep_session_name()]) == false) {

      $sane_session_id = false;
  } elseif (isset($HTTP_COOKIE_VARS[tep_session_name()])) {
    if (preg_match('/^[a-zA-Z0-9]+$/', $HTTP_COOKIE_VARS[tep_session_name()]) == false) {
      $session_data = session_get_cookie_params();

      setcookie(tep_session_name(), '', time()-42000, $session_data['path'], $session_data['domain']);

      $sane_session_id = false;

  if ($sane_session_id == false) {
    tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));

  return session_start();

File Manager Problem,1391


Parsing errors occur when saving edited files through the File Manager.


Line 148 in catalog/admin/file_manager.php must be changed from:

$file_contents = htmlspecialchars(implode('', $file_array));


$file_contents = addslashes(implode('', $file_array));

Note: This update also requires the Contact Us Form XSS Issue update in order to function correctly.

HTTP Header Injection


By using malicious data it is possible to inject headers into HTTP requests. 

The following function must be replaced in catalog/includes/functions/general.php.

Lines 22-32, from:

function tep_redirect($url) {
  if ( (ENABLE_SSL == true) && (getenv('HTTPS') == 'on') ) { // We are loading an SSL page
    if (substr($url, 0, strlen(HTTP_SERVER)) == HTTP_SERVER) { // NONSSL url
      $url = HTTPS_SERVER . substr($url, strlen(HTTP_SERVER)); // Change it to SSL

  header('Location: ' . $url);



function tep_redirect($url) {
  if ( (strstr($url, "\n") != false) || (strstr($url, "\r") != false) ) {
    tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));

  if ( (ENABLE_SSL == true) && (getenv('HTTPS') == 'on') ) { // We are loading an SSL page
    if (substr($url, 0, strlen(HTTP_SERVER)) == HTTP_SERVER) { // NONSSL url
      $url = HTTPS_SERVER . substr($url, strlen(HTTP_SERVER)); // Change it to SSL

  header('Location: ' . $url);


The following function must be replaced in catalog/admin/includes/functions/general.php.

Lines 15-26, from:

function tep_redirect($url) {
  global $logger;

  header('Location: ' . $url);

  if (STORE_PAGE_PARSE_TIME == 'true') {
    if (!is_object($logger)) $logger = new logger;



function tep_redirect($url) {
  global $logger;

  if ( (strstr($url, "\n") != false) || (strstr($url, "\r") != false) ) {
    tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));

  header('Location: ' . $url);

  if (STORE_PAGE_PARSE_TIME == 'true') {
    if (!is_object($logger)) $logger = new logger;


E-Mail Header Injection,2488


By using malicious data it is possible to inject headers into emails the online store sends. 


The following function must be replaced in catalog/includes/classes/email.php and catalog/admin/includes/classes/email.php.

Lines 473-504, from:

function send($to_name, $to_addr, $from_name, $from_addr, $subject = '', $headers = '') {
  $to = (($to_name != '') ? '"' . $to_name . '" <' . $to_addr . '>' : $to_addr);
  $from = (($from_name != '') ? '"' . $from_name . '" <' . $from_addr . '>' : $from_addr);

  if (is_string($headers)) {
    $headers = explode($this->lf, trim($headers));

  for ($i=0; $i<count($headers); $i++) {
    if (is_array($headers[$i])) {
      for ($j=0; $j<count($headers[$i]); $j++) {
        if ($headers[$i][$j] != '') {
          $xtra_headers[] = $headers[$i][$j];

    if ($headers[$i] != '') {
      $xtra_headers[] = $headers[$i];

  if (!isset($xtra_headers)) {
    $xtra_headers = array();

  if (EMAIL_TRANSPORT == 'smtp') {
    return mail($to_addr, $subject, $this->output, 'From: ' . $from . $this->lf . 'To: ' . $to . $this->lf . implode($this->lf, $this->headers) . $this->lf . implode($this->lf, $xtra_headers));
  } else {
    return mail($to, $subject, $this->output, 'From: '.$from.$this->lf.implode($this->lf, $this->headers).$this->lf.implode($this->lf, $xtra_headers));


function send($to_name, $to_addr, $from_name, $from_addr, $subject = '', $headers = '') {
  if ((strstr($to_name, "\n") != false) || (strstr($to_name, "\r") != false)) {
    return false;

  if ((strstr($to_addr, "\n") != false) || (strstr($to_addr, "\r") != false)) {
    return false;

  if ((strstr($subject, "\n") != false) || (strstr($subject, "\r") != false)) {
    return false;

  if ((strstr($from_name, "\n") != false) || (strstr($from_name, "\r") != false)) {
    return false;

  if ((strstr($from_addr, "\n") != false) || (strstr($from_addr, "\r") != false)) {
    return false;

  $to = (($to_name != '') ? '"' . $to_name . '" <' . $to_addr . '>' : $to_addr);
  $from = (($from_name != '') ? '"' . $from_name . '" <' . $from_addr . '>' : $from_addr);

  if (is_string($headers)) {
    $headers = explode($this->lf, trim($headers));

  for ($i=0; $i<count($headers); $i++) {
    if (is_array($headers[$i])) {
      for ($j=0; $j<count($headers[$i]); $j++) {
        if ($headers[$i][$j] != '') {
          $xtra_headers[] = $headers[$i][$j];

    if ($headers[$i] != '') {
      $xtra_headers[] = $headers[$i];

  if (!isset($xtra_headers)) {
    $xtra_headers = array();

  if (EMAIL_TRANSPORT == 'smtp') {
    return mail($to_addr, $subject, $this->output, 'From: ' . $from . $this->lf . 'To: ' . $to . $this->lf . implode($this->lf, $this->headers) . $this->lf . implode($this->lf, $xtra_headers));
  } else {
    return mail($to, $subject, $this->output, 'From: '.$from.$this->lf.implode($this->lf, $this->headers).$this->lf.implode($this->lf, $xtra_headers));

Contact Us Form XSS Issue,2422


By using malicious data it is possible to inject HTML into the page. 


Lines 221-225 in catalog/includes/functions/html_output.php must be changed from:

if ( (isset($GLOBALS[$name])) && ($reinsert_value == true) ) {
  $field .= stripslashes($GLOBALS[$name]);
} elseif (tep_not_null($text)) {
  $field .= $text;


if ( (isset($GLOBALS[$name])) && ($reinsert_value == true) ) {
  $field .= tep_output_string_protected(stripslashes($GLOBALS[$name]));
} elseif (tep_not_null($text)) {
  $field .= tep_output_string_protected($text);

Lines 244-248 in catalog/admin/includes/functions/html_output.php must be changed from:

if ( (isset($GLOBALS[$name])) && ($reinsert_value == true) ) {
  $field .= stripslashes($GLOBALS[$name]);
} elseif (tep_not_null($text)) {
  $field .= $text;


if ( (isset($GLOBALS[$name])) && ($reinsert_value == true) ) {
  $field .= tep_output_string_protected(stripslashes($GLOBALS[$name]));
} elseif (tep_not_null($text)) {
  $field .= tep_output_string_protected($text);

Open Redirector,2970


There is no URL checking being performed on the redirection page, and allows external sources to use the page as an open redirect relay.


Lines 27-29 in catalog/redirect.php must be changed from:

if (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
  tep_redirect('http://' . $HTTP_GET_VARS['goto']);


if (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
  $check_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . tep_db_input($HTTP_GET_VARS['goto']) . "' limit 1");
  if (tep_db_num_rows($check_query)) {
    tep_redirect('http://' . $HTTP_GET_VARS['goto']);

Extra Slashes In New Products


When new products are entered and previewed, hitting the back button to edit the product data again adds extra slashes to apostrophes in the products name and description.


The following lines must be replaced in catalog/admin/categories.php:

Line 504, from:

<td class="main"><?php echo tep_image(DIR_WS_CATALOG_LANGUAGES . $languages[$i]['directory'] . '/images/' . $languages[$i]['image'], $languages[$i]['name']) . ' ' . tep_draw_input_field('products_name[' . $languages[$i]['id'] . ']', (isset($products_name[$languages[$i]['id']]) ? $products_name[$languages[$i]['id']] : tep_get_products_name($pInfo->products_id, $languages[$i]['id']))); ?></td>


<td class="main"><?php echo tep_image(DIR_WS_CATALOG_LANGUAGES . $languages[$i]['directory'] . '/images/' . $languages[$i]['image'], $languages[$i]['name']) . ' ' . tep_draw_input_field('products_name[' . $languages[$i]['id'] . ']', (isset($products_name[$languages[$i]['id']]) ? stripslashes($products_name[$languages[$i]['id']]) : tep_get_products_name($pInfo->products_id, $languages[$i]['id']))); ?></td>

Line 538, from:

<td class="main"><?php echo tep_draw_textarea_field('products_description[' . $languages[$i]['id'] . ']', 'soft', '70', '15', (isset($products_description[$languages[$i]['id']]) ? $products_description[$languages[$i]['id']] : tep_get_products_description($pInfo->products_id, $languages[$i]['id']))); ?></td>


<td class="main"><?php echo tep_draw_textarea_field('products_description[' . $languages[$i]['id'] . ']', 'soft', '70', '15', (isset($products_description[$languages[$i]['id']]) ? stripslashes($products_description[$languages[$i]['id']]) : tep_get_products_description($pInfo->products_id, $languages[$i]['id']))); ?></td>

Line 574, from:

<td class="main"><?php echo tep_image(DIR_WS_CATALOG_LANGUAGES . $languages[$i]['directory'] . '/images/' . $languages[$i]['image'], $languages[$i]['name']) . ' ' . tep_draw_input_field('products_url[' . $languages[$i]['id'] . ']', (isset($products_url[$languages[$i]['id']]) ? $products_url[$languages[$i]['id']] : tep_get_products_url($pInfo->products_id, $languages[$i]['id']))); ?></td>


<td class="main"><?php echo tep_image(DIR_WS_CATALOG_LANGUAGES . $languages[$i]['directory'] . '/images/' . $languages[$i]['image'], $languages[$i]['name']) . ' ' . tep_draw_input_field('products_url[' . $languages[$i]['id'] . ']', (isset($products_url[$languages[$i]['id']]) ? stripslashes($products_url[$languages[$i]['id']]) : tep_get_products_url($pInfo->products_id, $languages[$i]['id']))); ?></td>

Order Status Filtering,1543


After changing the order status filtering on the Administration Tool -> Customers -> Orders page, selecting "All Orders" would show an empty listing of orders.


Line 357 in catalog/admin/orders.php must be changed from:

} elseif (isset($HTTP_GET_VARS['status'])) {


} elseif (isset($HTTP_GET_VARS['status']) && is_numeric($HTTP_GET_VARS['status']) && ($HTTP_GET_VARS['status'] > 0)) {

MySQL 5.0 Compatibility


MySQL 5.0 introduces Server SQL modes as part of its SQL 2003 standards support, and uses a more stricter approach to executing SQL queries. This is performed by default with setting STRICT_TRANS_TABLES as a Server SQL mode.

Due to this new setting, MySQL fails on certain SQL queries and produces error messages on the screen.


Lines 213-223 in catalog/advanced_search_result.php must be changed from:

$from_str = "from " . TABLE_PRODUCTS . " p left join " . TABLE_MANUFACTURERS . " m using(manufacturers_id) left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_CATEGORIES . " c, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c";

if ( (DISPLAY_PRICE_WITH_TAX == 'true') && (tep_not_null($pfrom) || tep_not_null($pto)) ) {
  if (!tep_session_is_registered('customer_country_id')) {
    $customer_country_id = STORE_COUNTRY;
    $customer_zone_id = STORE_ZONE;
  $from_str .= " left join " . TABLE_TAX_RATES . " tr on p.products_tax_class_id = tr.tax_class_id left join " . TABLE_ZONES_TO_GEO_ZONES . " gz on tr.tax_zone_id = gz.geo_zone_id and (gz.zone_country_id is null or gz.zone_country_id = '0' or gz.zone_country_id = '" . (int)$customer_country_id . "') and (gz.zone_id is null or gz.zone_id = '0' or gz.zone_id = '" . (int)$customer_zone_id . "')";

$where_str = " where p.products_status = '1' and p.products_id = pd.products_id and pd.language_id = '" . (int)$languages_id . "' and p.products_id = p2c.products_id and p2c.categories_id = c.categories_id ";


$from_str = "from " . TABLE_PRODUCTS . " p left join " . TABLE_MANUFACTURERS . " m using(manufacturers_id) left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id";

if ( (DISPLAY_PRICE_WITH_TAX == 'true') && (tep_not_null($pfrom) || tep_not_null($pto)) ) {
  if (!tep_session_is_registered('customer_country_id')) {
    $customer_country_id = STORE_COUNTRY;
    $customer_zone_id = STORE_ZONE;
  $from_str .= " left join " . TABLE_TAX_RATES . " tr on p.products_tax_class_id = tr.tax_class_id left join " . TABLE_ZONES_TO_GEO_ZONES . " gz on tr.tax_zone_id = gz.geo_zone_id and (gz.zone_country_id is null or gz.zone_country_id = '0' or gz.zone_country_id = '" . (int)$customer_country_id . "') and (gz.zone_id is null or gz.zone_id = '0' or gz.zone_id = '" . (int)$customer_zone_id . "')";


$where_str = " where p.products_status = '1' and p.products_id = pd.products_id and pd.language_id = '" . (int)$languages_id . "' and p.products_id = p2c.products_id and p2c.categories_id = c.categories_id ";

The following lines must be replaced in catalog/index.php:

Line 175, from:

$listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = '1' and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = '" . (int)$HTTP_GET_VARS['manufacturers_id'] . "' and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = '" . (int)$languages_id . "' and p2c.categories_id = '" . (int)$HTTP_GET_VARS['filter_id'] . "'";


$listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c where p.products_status = '1' and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = '" . (int)$HTTP_GET_VARS['manufacturers_id'] . "' and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = '" . (int)$languages_id . "' and p2c.categories_id = '" . (int)$HTTP_GET_VARS['filter_id'] . "'";

Line 178, from:

$listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = '1' and pd.products_id = p.products_id and pd.language_id = '" . (int)$languages_id . "' and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = '" . (int)$HTTP_GET_VARS['manufacturers_id'] . "'";


$listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m where p.products_status = '1' and pd.products_id = p.products_id and pd.language_id = '" . (int)$languages_id . "' and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = '" . (int)$HTTP_GET_VARS['manufacturers_id'] . "'";

Line 184, from:

$listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = '1' and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = '" . (int)$HTTP_GET_VARS['filter_id'] . "' and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = '" . (int)$languages_id . "' and p2c.categories_id = '" . (int)$current_category_id . "'";


$listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS . " p left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_MANUFACTURERS . " m, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c where p.products_status = '1' and p.manufacturers_id = m.manufacturers_id and m.manufacturers_id = '" . (int)$HTTP_GET_VARS['filter_id'] . "' and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = '" . (int)$languages_id . "' and p2c.categories_id = '" . (int)$current_category_id . "'";

Line 187, from:

$listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_PRODUCTS . " p left join " . TABLE_MANUFACTURERS . " m on p.manufacturers_id = m.manufacturers_id, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_status = '1' and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = '" . (int)$languages_id . "' and p2c.categories_id = '" . (int)$current_category_id . "'";


$listing_sql = "select " . $select_column_list . " p.products_id, p.manufacturers_id, p.products_price, p.products_tax_class_id, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price from " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_PRODUCTS . " p left join " . TABLE_MANUFACTURERS . " m on p.manufacturers_id = m.manufacturers_id left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id, " . TABLE_PRODUCTS_TO_CATEGORIES . " p2c where p.products_status = '1' and p.products_id = p2c.products_id and pd.products_id = p2c.products_id and pd.language_id = '" . (int)$languages_id . "' and p2c.categories_id = '" . (int)$current_category_id . "'";

Line 292 in catalog/admin/categories.php must be changed from:

tep_db_query("insert into " . TABLE_PRODUCTS . " (products_quantity, products_model,products_image, products_price, products_date_added, products_date_available, products_weight, products_status, products_tax_class_id, manufacturers_id) values ('" . tep_db_input($product['products_quantity']) . "', '" . tep_db_input($product['products_model']) . "', '" . tep_db_input($product['products_image']) . "', '" . tep_db_input($product['products_price']) . "',  now(), '" . tep_db_input($product['products_date_available']) . "', '" . tep_db_input($product['products_weight']) . "', '0', '" . (int)$product['products_tax_class_id'] . "', '" . (int)$product['manufacturers_id'] . "')");


tep_db_query("insert into " . TABLE_PRODUCTS . " (products_quantity, products_model,products_image, products_price, products_date_added, products_date_available, products_weight, products_status, products_tax_class_id, manufacturers_id) values ('" . tep_db_input($product['products_quantity']) . "', '" . tep_db_input($product['products_model']) . "', '" . tep_db_input($product['products_image']) . "', '" . tep_db_input($product['products_price']) . "',  now(), " . (empty($product['products_date_available']) ? "null" : "'" . tep_db_input($product['products_date_available']) . "'") . ", '" . tep_db_input($product['products_weight']) . "', '0', '" . (int)$product['products_tax_class_id'] . "', '" . (int)$product['manufacturers_id'] . "')");

The following SQL queries need to be performed:

ALTER TABLE whos_online MODIFY COLUMN last_page_url VARCHAR(255) NOT NULL;

ALTER TABLE customers MODIFY COLUMN customers_default_address_id INTEGER;

ALTER TABLE customers_basket MODIFY COLUMN final_price DECIMAL(15,4);
osCommerceItalia - Comunità Italiana di Utenti e Sviluppatori osCommerce
Per piacere NON scrivetemi in PM per richieste di aiuto, postate un nuovo topic nel forum.
membro Baby
membro Baby
Messaggi: 91
Iscritto il: 20/03/2008, 14:53

Messaggio da YARYZ »

Innanzitutto grazie per la risposta.
La cosa che mi fa impazzire è che fino a venerdi andava tutto ok e non c'è stato nessun passaggio ne di php ne sql.

comunque proverò le modifiche e le faccio sapere.
membro Master
membro Master
Messaggi: 1669
Iscritto il: 10/02/2006, 14:04

Messaggio da maury2ma »

YARYZ ha scritto:Innanzitutto grazie per la risposta.
La cosa che mi fa impazzire è che fino a venerdi andava tutto ok e non c'è stato nessun passaggio ne di php ne sql.

comunque proverò le modifiche e le faccio sapere.

al contrario aruba ha avvisato (tramite e-mail) i suoi clienti del progressivo passaggio a mysql 5.
per evitare il passaggio bisognava fare richiesta scritta, ma non ricordo dove.
apri un ticket nella loro assistenza on-line
Avatar utente
membro Junior
membro Junior
Messaggi: 6
Iscritto il: 22/06/2008, 17:30

Messaggio da vinx »

E' capitata la stessa cosa a me sull'host
americano che ospita il mio forum...
Risultato ho dovuto convertire A MANO
15mb di database!!! :shock:
2 giorni e 3 notti di lavoro...
membro Junior
membro Junior
Messaggi: 14
Iscritto il: 05/07/2008, 9:18

Messaggio da raffy-raffy »

grazie mille della risponta......
sono disperata , ora piu' di prima , ma almeno so il problema
grazie ancora.
membro Baby
membro Baby
Messaggi: 91
Iscritto il: 20/03/2008, 14:53

Messaggio da YARYZ »

Allora punto della situazione.

Confermato al telefono dall'assistenza Aruba che non c'è stato nessun passaggio di php da 4 a 5 sul mio server, quindi sto ancora su php 4.
Mi hanno detto che manderanno avanti il ticket e che mi fanno sapere.
Ma nel frattempo mi sto sbroccando il cervello!
Avatar utente
membro Baby
membro Baby
Messaggi: 90
Iscritto il: 30/06/2007, 20:37

Messaggio da carlo_gra »

Ciao, aldilà degli inconvenienti sicuramente problematici che vi possa causare il passaggio dalla versione 4 alla versione 5, è bene che sappiate che questa variazione è un atto dovuto: le versioni 4 di php non sono più né sviluppate né supportate da fine dicembre 2007.

Tali release soffrono di numerosi bug e non conviene assolutamente tenerle installate sul server (soprattuto da parte del provider).

Inoltre il patching di OSC per php5 non è poi così difficoltoso anche se laborioso.
ChipHosting.Net - Hosting & VPS Linux
membro Regular
membro Regular
Messaggi: 134
Iscritto il: 30/07/2004, 0:00

Messaggio da grenda »

ciao ragazzi

mi scuso in anticipo per la banalità della mia domanda

anch'io ho il mio oscommerce su hosting aruba e php4

sono terrorizzato dall'imminente passaggio a php5

come faccio a sapere se la mia vesione di oscommerce è già compatibile oppure no ?

ho installato il sito nel settembre 2004

membro Master
membro Master
Messaggi: 1677
Iscritto il: 07/04/2005, 0:00
Località: Svizzera

Messaggio da hsg26 »

grenda ha scritto:ciao ragazzi

mi scuso in anticipo per la banalità della mia domanda

anch'io ho il mio oscommerce su hosting aruba e php4

sono terrorizzato dall'imminente passaggio a php5

come faccio a sapere se la mia vesione di oscommerce è già compatibile oppure no ?

ho installato il sito nel settembre 2004

la prima versione compatibile è la MS2 060817, cioè del 17.8.2006
La funzione CERCA si trova sotto al logo Oscommerce italia in questa pagina. - I Love Marketing!

I miei preferiti: internet marketing blog - biancheria da letto - prodotti tipici piemonte - vini piemontesi - roero arneis
membro Regular
membro Regular
Messaggi: 134
Iscritto il: 30/07/2004, 0:00

Messaggio da grenda »

ciao ragazzi

sto provando ad applicare le modifiche del post di hozone

ho iniziato con i primi files compatibility edho trovato e sostituito le rghe di codice

mentre nel nel file catalog/includes/classes/shopping_cart.php

non trovo le righe di codice da sostituire

la mia versione di OScommerce è del 2003

cosa mi suggerite ?

sono terrorizzato dall'immininente aggiornamento di aruba a php5 .
membro Regular
membro Regular
Messaggi: 134
Iscritto il: 30/07/2004, 0:00

Messaggio da grenda »

grenda ha scritto:ciao ragazzi

sto provando ad applicare le modifiche del post di hozone

ho iniziato con i primi files compatibility edho trovato e sostituito le rghe di codice

mentre nel nel file catalog/includes/classes/shopping_cart.php

non trovo le righe di codice da sostituire

la mia versione di OScommerce è del 2003

cosa mi suggerite ?

sono terrorizzato dall'immininente aggiornamento di aruba a php5 .

mi rispondo da solo

ho risolto il precedente problema
si trattava di una svista mia, in realtà la riga c'era

ne approfitto per fare un altra domanda

è sufficiente applicare tutte le modifiche suggerite da hozone per stare tranquilli in caso di passaggio del server da php e mysql da 4-->5 ?

le ultime modifiche alla struttura del database posso rinviarle al momento in cui aruba passerà a mysql 5

vero ?