Zencart ver. 1.3.8 security update

A vulnerability has been discovered in the admin section of v1.3.8 (and previous versions). To take advantage of this vulnerability an attacker must know the URL of your admin section.

Please apply the following updates:

1. RENAME YOUR ADMIN FOLDER !!!!!
Yes, if you haven’t already renamed your /admin/ folder, do it NOW!
Instructions can be found here: http://tutorials.zen-cart.com/index.php?article=33

2. APPLY THE SECURITY PATCH !!!
http://www.zen-cart.com/forum/showthread.php?t=130161

3. Subscribe yourself to the Zen Cart Announcements mailing list:
http://www.zen-cart.com/forum/subscription.php?do=addsubscription&f=2

4. Keep your site’s Zen Cart software up-to-date at all times. Numerous bugs, improvements, and security fixes are included in every new release. It is in your best interests to remain current.
http://www.zen-cart.com/forum/forumdisplay.php?f=2

Hope the above helps

How to display tweets from Twitter on your website?

If you tweet a lot on Twitter and wish to display your tweets on your website or blog, you can do that easily with the following code:

<?php

// <username>:<password> are placeholders for your own Twitter account. Do not hard-code
// real credentials in a web-accessible file; read them from a configuration file outside the web root.
$ch = curl_init();

// Note: this URL is plain http, so HTTP basic authentication sends the password unencrypted.
curl_setopt($ch, CURLOPT_URL, "http://twitter.com/statuses/friends_timeline.xml");
curl_setopt($ch, CURLOPT_HEADER, 0);          // do not include the response headers in the result
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);  // return the body as a string instead of printing it
curl_setopt($ch, CURLOPT_USERPWD, "<username>:<password>");  // HTTP basic authentication

$str = curl_exec($ch);

if ($str === false) {
    // the request failed (DNS, connection, timeout): say so instead of showing an empty page
    echo "Request failed: " . curl_error($ch);
} else {
    echo $str;  // raw XML of the timeline; parse it before rendering it on your page
}

curl_close($ch);

?>

Once you get your tweets you can customize the look and feel accordingly or save them in the database. Please note that you will need to enter the username and password of your Twitter account, otherwise the above will not work.

Hope the above helped

Is your website PCI DSS certified?

The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.

The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council.

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

If your website fulfills the above requirements then you are PCI DSS certified; otherwise you should audit your site and try to enforce the above requirements.

Hope the above helped

How can I quicken my link submission to directories

If you have submitted your website link to directories on the web you will have come across the following steps.

1. Finding a directory or directory category which fits your website theme.
2. Checking the PR level of the directory. This step may be overlooked sometimes.
3. Submitting your website detail to that website directory.

Now if you follow the above steps for 50 to 100 websites you will find that it's very time consuming and frustrating, especially if you are operating more than one website.

What SubmitEaze provides you is the following:

1. Large list of quality directories and their relevant Google PR.
2. Prioritize link submission accordingly.
3. Use the Auto-Fill button to fill all your details with the click of a button. You don’t need to retype the same information over and over again.

Just by looking at the steps above you will see that you save a lot of time and effort by using the SubmitEaze software to do all your link submission.

I use SubmitEaze on a regular basis. Download your copy today

How to connect .NET with mySQL?

mySQL is one of the most widely used open source databases around the world. Today it is the database engine driving up to 90% of PHP driven websites on the web. PHP has been the first love of mySQL and it will always have a special place. However, with other technologies like .NET coming to the fore, mySQL has come up with its own data provider to make connecting .NET applications with mySQL easier.

Most .NET developers would answer that they would use ODBC to connect with mySQL. For that they would most probably download the ODBC driver from the mySQL website, install the driver and then connect the .NET application through it. The application then has to talk to ODBC, and ODBC in turn talks to the mySQL driver, which only slows down performance.

mySQL now provides the Connector/NET drivers for .NET applications which can be downloaded directly from their website. Download the MSI and run it. It will register the MySQL.Data assembly into the Global Assembly Cache. ASP.NET developers would most probably have to place the assembly into their Bin folder and use it.

I have used .NET Connector 5.2 and it worked fantastic with ASP.NET. No performance issues nothing. The best part is that the syntax is similar to the SqlClient namespace so there’s no learning curve and you can start development at once.

Download the .NET Connector 5.2 driver from here

Hope the above helps

How to debug an error in Zencart

By default Zencart disables all types of errors. Because of this, if an error is encountered all you would see is the “dreaded white page”, and that is bad programming practice if you are developing in PHP. As PHP is a scripting language it stops execution as soon as it encounters an error, so you will have a hard time debugging your application. You will not only waste your time and effort but also some of the hair left on your head. I know I did. Just joking!

You need to enable error reporting in your application during development and disable it when deploying it to the production server.

Open the includes/application_top.php file. Search for error_reporting and you will encounter a block of code as follows

if (defined('STRICT_ERROR_REPORTING') && STRICT_ERROR_REPORTING == true) {
  @ini_set('display_errors', '1');
  error_reporting(E_ALL);
} else {
  error_reporting(0);
}

The code checks for a constant STRICT_ERROR_REPORTING and if it's true then it enables error_reporting and also displays the errors on the web page. If it's false (the default) then error_reporting is disabled. You need to define the constant, as it's not present in the code. Just add the following line before the if block, and the block of code will now look like this:

define('STRICT_ERROR_REPORTING', true);
if (defined('STRICT_ERROR_REPORTING') && STRICT_ERROR_REPORTING == true) {
  @ini_set('display_errors', '1');
  error_reporting(E_ALL);
} else {
  error_reporting(0);
}

Now when you run the website it will display all notices, warnings and errors. Don’t get scared if you see a lot of lines come up on the web page. This will help you to debug the issue and correct it. This also helps you in writing good code and provides you the opportunity to make the code as error free as possible.

Hope the above helps

How to integrate PayPal IPN with your website

After signing up for PayPal IPN with PayPal you have to start integration with your website. If you have worked with PayPal before and integrated PayPal Standard then most of the procedure is similar apart from minor modifications. For those of you who have just started integration with PayPal IPN, there is no need to panic. It's pretty simple.

First you have to write the <form> code in the file that will be submitting the order information to PayPal from your website. You can use the following code snippet and change it accordingly. Depending on your requirements you may need more fields for integration, however the code below fulfills the basic requirements:

<form name="frmPal" action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_cart">
<input type="hidden" name="business" value="<merchant_email_address>">
<input type="hidden" name="invoice" value="<unique_number_to_identify_transaction>">
<input type="hidden" name="currency_code" value="<3_digit_currency_code>">
<input type="hidden" name="handling_cart" value="<handling_charges_if_applicable>">
<input type="hidden" name="item_name_1" value="<product_name>">
<input type="hidden" name="item_number_1" value="<product_number>">
<input type="hidden" name="quantity_1" value="<product_quantity>">
<input type="hidden" name="amount_1" value="<product_amount>">
<input type="hidden" name="notify_url" value="<notification_url>">
<input type="hidden" name="return" value="<success_page_url>">
<input type="hidden" name="cancel_return" value="<failure_page_url>">
</form>

You may notice the notify_url field in the form above. This is the URL which PayPal will call to verify that the information passed to it is correct and genuine. Please note that this URL must be publicly accessible, otherwise PayPal IPN will not work. You can use the following code snippet as is. The code receives the information posted by PayPal, saves it to a text file, then opens a socket to PayPal and posts the same data back for validation.

<?php
// Build the validation request: PayPal expects every field it posted, sent back
// unchanged and prefixed with cmd=_notify-validate.
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
    $value = urlencode(stripslashes($value));
    $req .= "&$key=$value";
}

// Log the raw notification to a timestamped text file. Keep this directory outside
// the web root: the file contains the buyer's name, address and e-mail.
$timestamp = date('y-m-d--H-i-s');
$strFileName = 'paypal_ipn_return_' . $timestamp . '.txt';
$FILE = fopen($strFileName, 'a');
if ($FILE && is_writable($strFileName)) {
    foreach ($_POST as $key => $value) {
        fwrite($FILE, $key . ": " . $value . "\n");
    }
    fclose($FILE);
} else {
    echo "File could not be written";
    exit;
}

// post back to PayPal system to validate
$header  = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Host: <Secure_PayPal_URL>\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
// Port 443 is TLS, so the socket must use the ssl:// transport or PayPal will not answer.
$fp = fsockopen('ssl://<Secure_PayPal_URL>', 443, $errno, $errstr, 30);

if (!$fp) {
    // HTTP ERROR: record $errno and $errstr so the failed validation can be retried
} else {
    fputs($fp, $header . $req);
    while (!feof($fp)) {
        $res = fgets($fp, 1024);
        if (strcmp($res, "VERIFIED") == 0) {
            // check the payment_status is Completed
            // check that txn_id has not been previously processed
            // check that receiver_email is your Primary PayPal email
            // check that payment_amount/payment_currency are correct
            // process payment
        } else if (strcmp($res, "INVALID") == 0) {
            // log for manual investigation
        }
    }
    fclose($fp);
}
?>

Once PayPal is notified and all other payment related matters are checked the customer is sent to the success page otherwise to the failure page.
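The four checks that the handler above leaves as comments, as an added example that is not the original post's code. It assumes PHP 7 or later, that $expected holds the order as your own application stored it, and that $seenTxnIds is a lookup of already processed txn_id values (a database table in a real shop); mc_gross and mc_currency are the IPN variables that carry the amount and currency paid.

```php
<?php
// Runs the post-VERIFIED checks on one IPN. Returns a list of problems; an empty list
// means the order may be fulfilled. Nothing here is PayPal's own code.
function checkVerifiedIpn(array $post, array $expected, array &$seenTxnIds): array
{
    $problems = [];
    // Only a Completed payment should release goods; Pending, Refunded or Reversed must not.
    if (($post['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment_status is not Completed';
    }
    // PayPal retries IPNs, and a captured one can be replayed: process each txn_id once.
    $txn = $post['txn_id'] ?? '';
    if ($txn === '' || isset($seenTxnIds[$txn])) {
        $problems[] = 'txn_id missing or already processed';
    }
    // The money must have gone to your account, not to an address substituted into the form.
    if (strcasecmp($post['receiver_email'] ?? '', $expected['receiver_email']) !== 0) {
        $problems[] = 'receiver_email is not our primary PayPal email';
    }
    // Compare amount and currency against the stored order total, formatted to two
    // decimals so that "25.5" and "25.50" are not treated as different.
    if (($post['mc_currency'] ?? '') !== $expected['currency']
        || number_format((float)($post['mc_gross'] ?? 0), 2, '.', '')
           !== number_format((float)$expected['amount'], 2, '.', '')) {
        $problems[] = 'amount or currency does not match the order';
    }
    // The invoice field ties the IPN back to the order that generated the form.
    if (($post['invoice'] ?? '') !== $expected['invoice']) {
        $problems[] = 'invoice does not match the order';
    }
    if (!$problems) {
        $seenTxnIds[$txn] = true;   // mark as processed only after every check passed
    }
    return $problems;
}

// Constructed sample data standing in for a real IPN and a real order record.
$ipn   = ['payment_status' => 'Completed', 'txn_id' => 'TXN-SAMPLE-001',
          'receiver_email' => 'Merchant@Example.com', 'mc_currency' => 'USD',
          'mc_gross' => '25.50', 'invoice' => 'INV-1001'];
$order = ['receiver_email' => 'merchant@example.com', 'currency' => 'USD',
          'amount' => 25.5, 'invoice' => 'INV-1001'];
$seen  = [];
print_r(checkVerifiedIpn($ipn, $order, $seen));   // first delivery of the notification
print_r(checkVerifiedIpn($ipn, $order, $seen));   // the same message again (retry or replay)
```

Run the checks only after PayPal has answered VERIFIED; an INVALID response means the data did not come from PayPal and should be logged, not processed.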

Hope the above helps

PHP error messages while uploading file

Sometimes while uploading a file through PHP you may encounter errors. These errors can be accessed through $_FILES[<field_name>]['error'].

$_FILES[<field_name>]['error'] returns the error number, i.e. from 0-8. If you receive 0 then all is fine and the file has uploaded successfully. If it is other than 0 then most probably it is an issue with hosting and nothing to do with coding.

Please see the following error codes and their descriptions as provided by the PHP manual:

UPLOAD_ERR_OK
Value: 0; There is no error, the file uploaded with success.

UPLOAD_ERR_INI_SIZE
Value: 1; The uploaded file exceeds the upload_max_filesize directive in php.ini.

UPLOAD_ERR_FORM_SIZE
Value: 2; The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form.

UPLOAD_ERR_PARTIAL
Value: 3; The uploaded file was only partially uploaded.

UPLOAD_ERR_NO_FILE
Value: 4; No file was uploaded.

UPLOAD_ERR_NO_TMP_DIR
Value: 6; Missing a temporary folder. Introduced in PHP 4.3.10 and PHP 5.0.3.

UPLOAD_ERR_CANT_WRITE
Value: 7; Failed to write file to disk. Introduced in PHP 5.1.0.

UPLOAD_ERR_EXTENSION
Value: 8; File upload stopped by extension. Introduced in PHP 5.2.0.
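An upload handler that reports these codes and stores the file safely, as an added example that is not part of the original post. It assumes PHP 7 or later; the field name "userfile" and the destination directory are placeholders.

```php
<?php
// Maps the $_FILES error codes above to messages; unknown codes are reported, not hidden.
function uploadErrorMessage(int $code): string
{
    $messages = [
        UPLOAD_ERR_OK         => 'No error, the file uploaded successfully.',
        UPLOAD_ERR_INI_SIZE   => 'File exceeds upload_max_filesize in php.ini.',
        UPLOAD_ERR_FORM_SIZE  => 'File exceeds MAX_FILE_SIZE set in the HTML form.',
        UPLOAD_ERR_PARTIAL    => 'File was only partially uploaded.',
        UPLOAD_ERR_NO_FILE    => 'No file was uploaded.',
        UPLOAD_ERR_NO_TMP_DIR => 'Missing a temporary folder on the server.',
        UPLOAD_ERR_CANT_WRITE => 'Failed to write file to disk.',
        UPLOAD_ERR_EXTENSION  => 'Upload stopped by a PHP extension.',
    ];
    return $messages[$code] ?? "Unknown upload error code $code.";
}
// Validates one uploaded file and moves it into $destDir under a server-chosen name.
// Returns the stored path, or throws RuntimeException with the reason.
function storeUpload(string $field, string $destDir, int $maxBytes = 2097152): string
{
    if (!isset($_FILES[$field]['error']) || is_array($_FILES[$field]['error'])) {
        throw new RuntimeException("No single-file upload field named '$field'.");
    }
    $file = $_FILES[$field];
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException(uploadErrorMessage($file['error']));
    }
    // Trust only the temporary file PHP created, never the client-supplied name, size or type.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name was not uploaded via HTTP POST.');
    }
    if (filesize($file['tmp_name']) > $maxBytes) {
        throw new RuntimeException('File is larger than the application limit.');
    }
    // A random server-side name stops the client choosing a path or an executable extension.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.upload';
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move the uploaded file into place.');
    }
    return $target;
}
// Placeholder field name and directory; keep the directory outside the web root.
try {
    $saved = storeUpload('userfile', '/var/app/uploads');
    echo 'Stored as ' . basename($saved);
} catch (RuntimeException $e) {
    error_log('Upload failed: ' . $e->getMessage());   // full reason goes to the log only
    echo 'Upload failed.';                               // no internal detail to the client
}
```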

Hope the above helps