Tag Archives: oscommerce

why do I need a SSL certificate (https connection) on my ecommerce site?

Your ecommerce website needs to have a valid SSL certificate installed and running.
Here’s some background and reasons why:

What does a SSL certificate do?

A Secure Sockets Layer (SSL) certificate does a couple of things:

1. encrypts information entered into a form (a ‘form’ is exactly what it sounds like – any ‘fill in the box’ type page that requires you to enter in information and click a button on the screen; could be creating an account or sending an email to the store owner or signing up to a newsletter etc)
2. verifies that the browser is talking to the server named in the certificate (are you connected to the correct server?)

How can I tell it’s working?
The address bar will show a padlock and the word https:// in front of your website name on pages that require SSL encryption.


Note – there is no advantage in making all pages on your site https:// – it works with pages that have forms. Technically, https:// will slow down page loading speeds of your site and also may interfere with indexing by search engines. Most oscommerce-based carts have certain pages where https:// connections will be made, in particular logins, creating accounts and checkout.

But SSL certificates and https:// connections are just for payment pages though right?
Not true – a SSL certificate scrambles data and secures connections when any form is submitted (a form is basically what it sounds like – anytime you type information on a website, you’re probably filling out a form of some sort.)

So this means your admin and customer logins, contact us and create account pages all benefit from your server having a SSL certificate as well.
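To check that the pages which take input really do submit over https, here is an added Python example (it is not from this post and not osCommerce code) that lists every form on a page whose submit URL is not https. It assumes you already have the page HTML and the URL it was served from; the sample page, hostname and URLs below are constructed for the demonstration.

```python
"""Flag HTML forms that would submit in clear text (added example, not osCommerce code).

Form actions are resolved against the page's own URL the way a browser would,
so a relative action inherits the scheme of the page that carries it.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            attr = dict(attrs)
            # A missing or empty action submits back to the page's own URL.
            self.actions.append(attr.get("action") or "")


def cleartext_forms(page_url, html):
    """Return the absolute submit URLs of forms on `page_url` that do not use https.

    `html` is the page body; `page_url` is the URL it was served from.
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for action in parser.actions:
        target = urljoin(page_url, action)
        if urlsplit(target).scheme.lower() != "https":
            findings.append(target)
    return findings


# Constructed sample: a storefront login page served over plain http. The login
# and contact forms post to https; the newsletter form posts back over http.
SAMPLE_PAGE_URL = "http://shop.example.test/login.php"
SAMPLE_HTML = """
<html><body>
<form action="https://shop.example.test/login.php?action=process" method="post">
  <input name="email_address"><input name="password" type="password">
</form>
<form action="newsletters.php" method="post">
  <input name="email">
</form>
<form action="https://shop.example.test/contact_us.php?action=send" method="post">
  <textarea name="enquiry"></textarea>
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in cleartext_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("clear-text form submission:", url)
```

The check only looks at where each form submits, not at the page that carries it; run it against the saved HTML of the login, create account and contact us pages named above. Current browsers also warn on password fields in pages served over plain http, which is one more reason those pages should be the first ones checked.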

And if I don’t use one?
All of the data submitted will go as clear text, ie unencrypted. It is possible for unscrupulous people to set up ‘sniffer’ and ‘listening’ scripts and grab those clear text details being sent, which could gain them admin login details, customer address information as well as payment details.

Some payment gateways will not accept your payments without a valid SSL certificate installed and running on your site.

Also, the server may not in fact be the server you or your customers intended to reach, as the integrity of the link will not have been verified to any extent.

Implications
Customers are now very aware of the https:// symbol in an address and if they don’t see it when they go to complete an order or set up an account, most will leave.

Identity fraud is a major industry around the world, so it is strongly recommended that if you want to get the business, you operate with a good SSL certificate in place and advertise the fact. Really, it’s a bare minimum to be in business online.

Furthermore, some payment gateways and processors require you as a merchant to have a valid SSL certificate installed before you can connect to them and use their services.

How do I get a SSL certificate?
There are a couple of ways – 1) contact your hosting company to set one up, or 2) Do It Yourself (DIY).

Installing a SSL certificate is not difficult as long as you have access to the interface needed. If you use cPanel, you can use the TLS/SSL Manager in the Security box on the right. Generate a private key and a CSR (certificate signing request), go buy the certificate and supply the CSR, and the issuer will email you the certificate; paste the emailed certificate into the certificate box, install – done.

If you don’t have access to the necessary interface, contact your hosting company and ask them to install the certificate.

Most SSL resellers like RapidSSL, Geotrust, Verisign, Digicert etc have instruction sheets to assist you as well as online support.

SSL certificate prices range from under USD100 a year through to bank-level EV SSLs with multiple verifications (ie way over the top) costing much more. Get one that fits with your business volume and turnover – but most importantly, get one!


If you need help installing a SSL certificate please contact me via my Contact page.

oscommerce – how to upgrade from v2.2 to v2.3.x

Oscommerce version 2.3 has finally been released, and the improvements over the tired old version 2.2 are good. The main advance is how it looks and handles – there aren’t many new features in the frontend. On the admin side, security improvements have been the focus, with a couple of new features added in.

[Screenshot: osCommerce version 2.3 frontend]

  • Looks cleaner, loads faster.
  • Reviews system is tidied up.
  • Includes social bookmark links.
  • Version Tracker – easy to check if you’ve got the latest version.
  • Security improvements, additions
    Password protection of admin folder; timeout and restricted login attempts if incorrect login details used.
    Action Recorder – keeps a log of details of 3 different areas of the Store: Admin login attempts; Contact Us emails; and Tell A Friend emails.
    Folder Permissions checker – with recommendations of what permission settings should be for each folder.
    Various improvements to session and form handling, password encryption, url cleaning, htaccess implementations etc.

If you’re upgrading from an old osCommerce version 2.2 Store, the steps are simple:

  1. Download a copy of the Upgrade Guide from osCommerce
  2. Update your osCommerce v2.2 database by running the several groups of MySQL statements
    These include statements that change field lengths to existing tables, plus the installation of new tables for the Action Recorder, Directory Permissions checker and Password encryption.
  3. Install the latest osCommerce 2.3.x version as a new Store
    The download is available from the osCommerce Download page.

Before upgrading … please consider the template(s) and other modifications you are currently running. There is a chance they might break in a new osCommerce v2.3.x store.

admin security issue (2009) – all oscommerce-based carts

A security loophole was discovered mid-2009 in the Admin code whereby a hacker could manipulate the admin page url to bypass the login / password function. It affected osCommerce and all derivatives of it – Cre Loaded, oscMax etc. Cre Loaded version 6.4.0a applied this patch – if you are running versions prior to 6.4.0a then you should definitely keep reading.

Files to check:
admin/includes/application_top.php around line 56
/includes/application_top.php around line 46

The two lines of code that should be replaced may both occur in each file depending on your version.

This code should be replaced asap (ie bad):

$PHP_SELF = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);

and / or

$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);

This code is the replacement (ie good):

$PHP_SELF = $_SERVER['SCRIPT_NAME'];

One simple change to the code – no need to pay to get this done!
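Why the one-line change matters: PHP fills PHP_SELF with SCRIPT_NAME plus any trailing PATH_INFO from the request URL, so a page-identity decision built on PHP_SELF is partly decided by the visitor, while SCRIPT_NAME is fixed by the file the server actually executed. The following added Python example (not osCommerce code) models that behaviour and includes a defender's log check for admin requests that carry PATH_INFO; the request paths are constructed, and the assumption that osCommerce admin pages never use PATH_INFO is labelled in the code.

```python
"""Why a filename check on PHP_SELF is weaker than one on SCRIPT_NAME.

Added example in Python; it is not osCommerce code. It models how PHP fills
the two server variables when a request path carries extra segments after the
script (PATH_INFO): SCRIPT_NAME is the script the server actually runs, while
PHP_SELF is SCRIPT_NAME plus whatever PATH_INFO the request supplied.
"""
import posixpath


def split_request_path(request_path, script_suffix=".php"):
    """Return (script_name, path_info) for a request path (no query string).

    Assumption: the web server executes the first segment ending in
    `script_suffix` and passes any remaining segments to it as PATH_INFO.
    """
    parts = request_path.split("/")
    for i, part in enumerate(parts):
        if part.endswith(script_suffix):
            script_name = "/".join(parts[: i + 1])
            rest = "/".join(parts[i + 1:])
            return script_name, ("/" + rest if rest else "")
    # No .php segment at all: treat the whole path as the script.
    return request_path, ""


def server_vars(request_path):
    """Model of $_SERVER for the request: PHP_SELF = SCRIPT_NAME + PATH_INFO."""
    script_name, path_info = split_request_path(request_path)
    return {
        "SCRIPT_NAME": script_name,
        "PATH_INFO": path_info,
        "PHP_SELF": script_name + path_info,
    }


def page_from_php_self(request_path):
    """Pre-patch style: identify the page from basename(PHP_SELF).

    The answer is steered by the request, because PATH_INFO is under the
    visitor's control.
    """
    return posixpath.basename(server_vars(request_path)["PHP_SELF"])


def page_from_script_name(request_path):
    """Patched style: identify the page from basename(SCRIPT_NAME).

    The answer is fixed by the file the server actually executed.
    """
    return posixpath.basename(server_vars(request_path)["SCRIPT_NAME"])


def suspicious_admin_request(request_path, admin_prefix="/admin/"):
    """Defender's log check: an admin script requested with PATH_INFO.

    Assumption: the shop's admin pages never use PATH_INFO (osCommerce passes
    its parameters in the query string), so trailing segments are unexpected
    and worth logging or blocking at the web server.
    """
    v = server_vars(request_path)
    return v["SCRIPT_NAME"].startswith(admin_prefix) and v["PATH_INFO"] != ""


if __name__ == "__main__":
    # Constructed request paths: a normal admin page and the same page with
    # trailing segments appended by the requester.
    for path in ("/admin/categories.php", "/admin/categories.php/extra/segment"):
        v = server_vars(path)
        print(path)
        print("  PHP_SELF    :", v["PHP_SELF"], "-> page", page_from_php_self(path))
        print("  SCRIPT_NAME :", v["SCRIPT_NAME"], "-> page", page_from_script_name(path))
        print("  suspicious  :", suspicious_admin_request(path))
```

Running it shows the same executed file reported as two different pages once PATH_INFO is present, which is the whole reason the replacement line above uses SCRIPT_NAME. On Apache, the `AcceptPathInfo Off` directive refuses such requests before PHP runs, which is a useful belt-and-braces setting for an admin folder alongside the code fix.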