Archive

Archive for the ‘CRE Loaded’ Category

How to protect CRE Loaded admin area?

January 10th, 2010 No comments

Like every other eCommerce solution, CRE Loaded provides a password protected admin area to manage all aspects of the site. Any unauthorized access to the admin area can damage the site's important data, and any leakage of customers' payment details causes further issues and damage to the site.

The CRE Loaded team has done a good job of making this area secure through encrypted passwords, HTTPS access and so on. The recent 6.4.1 release includes a password hardening task to further enhance security. Still, there is a lot you can do yourself to protect the admin area.

In this post I list a few guidelines to enhance admin area protection, along with basic methods to apply them.

Here are the guidelines:

  1. Don't use the default http://mycresite.com/admin/ structure
  2. Use password protected directories
  3. Restrict access to specific IPs only
  4. Use secure user names and passwords

1. Don't use the default http://mycresite.com/admin/ structure

In a default installation the admin area is installed in the /admin/ folder and is accessible from the URL http://mycresite.com/admin/. As this default location is publicly known, attackers can easily launch attempts to break in.

To avoid this it is strongly recommended that you don't install and use the admin area at the default location. With little effort you can change this location by one of the following methods.

  • Rename the admin folder: One simple way is to rename the admin folder to a different name which is not easy to guess, for example 234admin80907. You will then need to update this folder path in {new_admin_folder}/includes/configure.php. The following configuration values need updating:
    1. DIR_WS_HTTP_ADMIN
    2. DIR_WS_HTTPS_ADMIN
    3. DIR_FS_ADMIN
  • Install on a different domain: The admin area is completely independent from the rest of the site, so it can be installed on a completely different domain or sub domain. This makes its location harder to discover and guess.
    To do this, move the /admin/ folder (or whatever you renamed it to) to a separate location (e.g. public_html/admin/) and point your separate domain or sub domain to this folder. Using a sub domain is easier than a completely new domain, as many sub domains are allowed under the same hosting account.
    Please use a non-guessable domain or sub domain to make it more secure.
    You will need to apply these changes in includes/configure.php of this folder. The following configuration values need to be changed:

    • HTTP_SERVER
    • HTTPS_ADMIN_SERVER
    • DIR_WS_HTTP_ADMIN
    • DIR_WS_HTTPS_ADMIN
    • DIR_FS_ADMIN

    Note: For a sub domain you may need an SSL certificate that is valid for both the main domain and the sub domain, otherwise browsers will show certificate errors.

2. Use password protected directories

Always protect your admin folder with an additional password. Most hosting packages include a feature to make directories password protected from their control panel. The browser will ask for this user name and password even before the CRE Loaded login page is displayed, so this is a good extra layer of protection for your admin area.

3. Restrict access to specific IPs only

You can also easily restrict access to the admin area to specific IPs only, so that the admin area is accessible only from the addresses you specify. For this you will need to edit the .htaccess file under the admin/ folder.
To do this, download the admin/.htaccess file and open it with a text editor. Put the following code in the .htaccess file

Order Deny,Allow
Deny from all
Allow from 100.100.100.100 100.100.100.101

and upload it again.

Here 100.100.100.100 and 100.100.100.101 are example IPs; replace them with your own list (Apache's Allow directive takes the addresses separated by spaces, not commas). The code tells the server to block all requests unless they come from the specified IPs.

4. Use secure user names and passwords

No matter whether it is the password of the admin area or of the password protected directories, use user names and passwords which are not easily guessable. Do not use user names like admin, administrator etc. A good password should mix letters, numbers and special characters to resist brute force attacks.
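As an added example (not part of the original post), the following .htaccess for the renamed admin folder combines guidelines 2 and 3: HTTP Basic authentication plus an IP allow list, so a request must pass both checks before the CRE Loaded login page is even served. The password file path /home/example/.htpasswd, the realm name and the IP addresses are assumed placeholders.

```apache
# .htaccess placed in the renamed admin folder (e.g. 234admin80907/)
# Added example, not from the original post; path, realm and IPs are placeholders.

# Guideline 2: HTTP Basic authentication. Keep the password file outside the
# web root and create it with:  htpasswd -c /home/example/.htpasswd storeadmin
AuthType Basic
AuthName "Store administration"
AuthUserFile /home/example/.htpasswd

# Guideline 3: IP allow list. RequireAll means both conditions must hold, so a
# leaked password is useless from an unlisted address and a listed address
# still has to present the password. Apache 2.4 syntax:
<RequireAll>
    Require ip 100.100.100.100 100.100.100.101
    Require valid-user
</RequireAll>

# Equivalent for Apache 2.2 (use instead of the RequireAll block above;
# the addresses are space separated):
# Require valid-user
# Order Deny,Allow
# Deny from all
# Allow from 100.100.100.100 100.100.100.101
# Satisfy All
```

This only takes effect if AllowOverride permits AuthConfig (and Limit for the 2.2 directives) for the folder; on Apache 2.4 the commented 2.2 lines additionally need mod_access_compat.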

Categories: CRE Loaded Tags:

CVV code bug fix in Credit Card UK with CVC payment module

January 6th, 2010 No comments

I recently found a bug in the payment module "Credit Card UK with CVC". I was using this module with CRE Loaded Pro 6.4.0.

This payment module sends the middle digits of the credit card number and the CVV code in an email to the admin. Due to the bug the CVV code value was missing.

To fix the issue, open the file includes/modules/payment/cc_uk.php in an editor and find the line

$this->cc_issue = (isset($_POST['cc_issue'])) ? $_POST['cc_issue'] : '';

and after this line add

$this->cc_ccv = (isset($_POST['cc_ccv'])) ? $_POST['cc_ccv'] : '';

and you are done. Save the file and test.

Please be sure to back up your file before editing.

CRE Loaded 6.4.1 is here

December 29th, 2009 No comments

The long awaited release of CRE Loaded 6.4.1 is finally out. The Google Base feature is back in CRE Loaded. Besides bug fixes and Google Base it also includes some new features such as

  • Admin log in as customer
  • Several PayPal payment modules
  • Admin Password hardening to satisfy PCI PA-DSS requirements 8.5.10 and 8.5.11
  • etc

I have not yet had a chance to look at the new release; I will get back as soon as I have.

A grade performance with CRE Loaded

December 29th, 2009 No comments

For the last few days I have worked on performance optimization of a CRE Loaded site. Now all the major performance measuring tools, Yahoo YSlow, Google Page Speed and WebPageTest.org, are rating the site as an A grade site.

I have been studying and applying performance guidelines for a while. The recent addition of Site Performance stats in Google Webmaster Tools motivated me to run a full optimization cycle on CRE Loaded.

A number of performance tweaks had been applied over time, like caching, gzip compression, image cache etc. Still, a few things were missing, like proper use of the browser cache, the number of HTTP requests, CSS gzip etc.

The following are the results from the performance measuring tools (the YSlow, Page Speed and WebPageTest.org report screenshots appear in the original post).

Detailed test results can be seen at http://www.webpagetest.org/result/091228_3WME/

              Time     Requests   Bytes In
First View    1.812s   14         133 KB
Repeat View   1.061s   2          9 KB

If you want your site to perform like an A grade site, you can contact me by posting a comment for free advice.

Product listing bug in CRE Loaded

December 2nd, 2009 1 comment

While working on a site I came across a bug in the Specials product page. If the manufacturer name is turned on in the product listing, the link generated on the name is missing the manufacturer id value. The invalid link looks like this: http://demos.creloaded.com/creloaded_ce/index.php?manufacturers_id= on the page https://demos.creloaded.com/creloaded_ce/specials.php.

I found this in CRE Loaded Pro 6.4.0, but when I checked, it exists in the Community edition as well. I guess this issue may exist on other pages like the "new products" page.

The manufacturer name can be turned on from Admin > Configuration > Product Listing > Display Product Manufacturer Name.

If you are using the SEO URLs addon this bug can cause you a lot of trouble, because it generates an unwanted link to your home page.

There are two ways of fixing the issue: one is to wait for the fix release, which was expected in August but is still not here (I am not sure if this bug will be fixed or not). The second fix is a simple one and can be found at Product listing bug fix in CRE Loaded.

Speed up CRE Loaded with cache

December 2nd, 2009 4 comments

Caching has become an important tool for increasing the performance of a website. In this post we will install a well known osCommerce contribution for caching on our CRE Loaded PCI 6.4.

The contribution is called osC Advanced Cache Class. It will enable us to cache just about everything: large arrays, data, HTML, even executable PHP code. More details of the contribution can be found here.

Here we will only install this contribution on CRE Loaded 6.4; we will use it later elsewhere. For the possible uses please see the contribution home page referred to above.

We will be installing it on the Pro version and I hope the process is the same for other CRE Loaded versions. We will use the Runtime Code Inclusion (RCI) feature of CRE Loaded to minimize the chance of losing our changes during future upgrades. For RCI details refer to CRE Loaded.

Step One: downloading the contribution

Download the contribution from this page and extract it to some folder. The code includes an install script, but please don't use it, as it is made for osCommerce, not CRE Loaded.

Step Two: Adding the class file

Copy the file osC-Cache/osC-Cache/upload/includes/classes/cache.class.php to your CRE Loaded installation. The file should be copied to the /includes/classes/ folder of your installation.

Step Three: Database changes

You will need to add a new table to your database. Create it by executing the following query.

CREATE TABLE cache (
  cache_id varchar(32) NOT NULL default '',
  cache_language_id tinyint(1) NOT NULL default '0',
  cache_name varchar(255) NOT NULL default '',
  cache_data mediumtext NOT NULL,
  cache_global tinyint(1) NOT NULL default '1',
  cache_gzip tinyint(1) NOT NULL default '1',
  cache_method varchar(20) NOT NULL default 'RETURN',
  cache_date datetime NOT NULL default '0000-00-00 00:00:00',
  cache_expires datetime NOT NULL default '0000-00-00 00:00:00',
  PRIMARY KEY (cache_id, cache_language_id),
  KEY cache_id (cache_id),
  KEY cache_language_id (cache_language_id),
  KEY cache_global (cache_global)
) ENGINE=MyISAM; -- ENGINE= replaces the older TYPE= keyword, which MySQL 5.5 removed

Step Four: Implement cache class using RCI

Now create a new empty file named cache_applicationtop_bottom.php in the folder includes/runtime/applicationtop/ of your CRE Loaded installation. Open the new file and put the following code in it:

<?php
global $cache, $languages_id;
# include the cache class
include(DIR_WS_CLASSES . 'cache.class.php');
$cache = new cache($languages_id, true);
# Get the cache - no parameters will get all GLOBAL cache entries for this language
$cache->get_cache('GLOBAL');
?>

After saving the file try browsing your site; if you have done all steps properly you should not have any problems. If you see a problem such as a blank page, please make sure that you followed all the steps properly.

Maybe in another post we will see how to use this cache contribution with CRE Loaded and get the maximum advantage from the cache.

Product listing bug in CRE Loaded

December 1st, 2009 No comments

Today I fixed a bug in the product listing of CRE Loaded 6.4.0 Pro. Due to this bug the manufacturer link on certain pages was missing the manufacturer id. The bug existed on the Special products, New Products and Featured products pages.

To fix the issue, open the file specials.php and find the line case 'PRODUCT_LIST_MANUFACTURER':. In the line following it, add p.manufacturers_id, after m.manufacturers_name,. This adds the manufacturers_id column to the selection list. Save the file and test.

You can do the same thing in the files products_new.php and featured_products.php. Keep following the CRE Loaded category to stay updated.

Speed up product search for CRE Loaded

December 1st, 2009 No comments

CRE Loaded provides a basic search where a product can be searched by product name, model and manufacturer. If selected, the search is also performed in the product description. This search uses the SQL LIKE syntax to search in text fields. For example, if the keyword "test" is searched, the query will be

select distinct p.products_image ... final_price from ( products p left join specials s using(products_id) ) left join manufacturers m on p.manufacturers_id = m.manufacturers_id , products_description pd, categories c, products_to_categories p2c where p.products_status = '1' and p.products_id = pd.products_id and pd.language_id = '1' and p.products_id = p2c.products_id and p2c.categories_id = c.categories_id and ((pd.products_name like '%test%' or p.products_model like '%test%' or m.manufacturers_name like '%test%' or pd.products_description like '%test%') ) order by pd.products_name

The LIKE search can be very slow with a large number of products, especially when searching in the description as well. To avoid this we can make the search use the fulltext search feature of MySQL. A fulltext search makes searching in the description much faster than a normal LIKE query. So let's start on fulltext search for CRE Loaded, but two things first: back up your files and database before you make any changes in case anything goes wrong, and note that the changes described worked for CRE Loaded Pro 6.2 but should work with other versions as well.

First we need to create a fulltext index on the products_description table with the following query.

ALTER TABLE products_description ADD FULLTEXT INDEX idx_name_desc (products_name, products_description);

Now, to enable or disable fulltext search, we need to add a configuration entry so the admin can switch it easily. The query to add the configuration is:

INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, last_modified, date_added, set_function)
VALUES ('Fulltext search', 'ADVANCED_SEARCH_FULLTEXT', 'false', 'Enable/Disable fulltext search', '1', '999', NOW(), NOW(), 'tep_cfg_select_option(array(\'true\',\'false\'),');

Now we need to add the code for fulltext searching to the file /templates/content/advanced_search_result.tpl.php. Open that file and find

if (isset($search_keywords) && (sizeof($search_keywords) > 0)) {
    $where_str .= " and (";

and add the following code after it:

    if (ADVANCED_SEARCH_FULLTEXT == 'true') {
        // Escape the raw keyword string before placing it inside the SQL literal
        $ft_keyword = tep_db_input($keywords);
        // Fulltext match on name and description; the model is still matched with LIKE
        $where_str .= "MATCH(pd.products_name, pd.products_description) AGAINST('" . $ft_keyword . "' IN BOOLEAN MODE) OR p.products_model like '%" . $ft_keyword . "%'";
    } else {

Now find

    $where_str .= " )";

and add a closing brace

    }

before the line found, so that the original LIKE-based code becomes the else branch.

Now the query should look like this:

select distinct p.products_image, ... final_price from ( products p left join specials s using(products_id) ) left join manufacturers m on p.manufacturers_id = m.manufacturers_id , products_description pd, categories c, products_to_categories p2c where p.products_status = '1' and p.products_id = pd.products_id and pd.language_id = '1' and p.products_id = p2c.products_id and p2c.categories_id = c.categories_id and (MATCH(pd.products_name, pd.products_description) AGAINST('test' IN BOOLEAN MODE) OR p.products_model like '%test%' )

In the above query the fulltext search is performed on the product name and description, the model is still searched in LIKE mode, and the manufacturer name is not searched. With a little effort the model and manufacturer name can also be added to the fulltext search.

Adding SMTP server support in CRE Loaded 6.2

November 21st, 2009 2 comments

Until version 6.2, CRE Loaded was only capable of sending emails through the sendmail program via PHP's mail() function. Sometimes our site is hosted on shared hosting where the same server IP is shared between many sites. These sites may include ones that send spam, and as a result the server IP gets penalized by email servers, so messages sent from this IP are not delivered to recipients or go directly to the junk/spam folder.

For a site which has to send email notifications and status update emails this can be a nightmare. Customers lose confidence and think the site is a fake one. To avoid this situation we can use separate mail hosting services or servers which are not blacklisted, to ensure delivery to the customer's inbox.

Starting from CRE Loaded 6.3 we can tell which SMTP server to use for sending emails. It is also possible to add this feature to old versions.

In this post I will guide you through adding the SMTP feature, but before starting keep these points in mind:

  • None of the code is written by me, so the code belongs to its respective owners
  • Back up your files and database in case anything goes wrong
  • The version I am using is 6.2 Pro; I think the procedure will be the same for the simple and B2B versions

What you will need

We need the SMTP class library (includes/classes/class.smtp.php) available in versions 6.3 and 6.4. I got it from 6.4.0 Pro, but I think it will be the same for the Community edition.
Copy the file includes/classes/class.smtp.php from version 6.3 or 6.4 to the includes/classes/ folder. This will be used for sending emails from the front end; for the admin area copy the same file to admin/includes/classes/.
So the two new files will be includes/classes/class.smtp.php and admin/includes/classes/class.smtp.php

Adding required configurations:
Add the following configurations to your database; these will allow admins to configure the SMTP server settings.

INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, last_modified, date_added, use_function, set_function) VALUES ( 'SMTP Server Host Address', 'EMAIL_SMTP_HOST_SERVER', '', 'The fully qualified host name of the SMTP server.', '12', '10', '0000-00-00 00:00:00', '2009-06-16 20:09:42', '', '');


INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, last_modified, date_added, use_function, set_function) VALUES ('SMTP Server EHLO / HELO Name', 'EMAIL_SMTP_HELO_SERVER', '', 'A name to send as part of the SMTP EHLO / HELO commands. The name is typically the hostname of the machine this web site runs on.', '12', '11', '0000-00-00 00:00:00', '2009-06-16 20:09:42', '', '');


INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, last_modified, date_added, use_function, set_function) VALUES ('SMTP Server Port Number', 'EMAIL_SMTP_PORT_SERVER', '25', 'The SMTP server port number. Port number 25 is typically used by default.', '12', '12', '0000-00-00 00:00:00', '2009-06-16 20:09:42', '', '');


INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, last_modified, date_added, use_function, set_function) VALUES ('SMTP Authentication Required', 'EMAIL_SMTP_ACTIVE_PASSWORD', 'true', 'Set to true when the SMTP Server requires password authentication.', '12', '13', '0000-00-00 00:00:00', '2009-06-16 20:09:42', '', 'tep_cfg_select_option(array(\'true\', \'false\'), ');


INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, last_modified, date_added, use_function, set_function) VALUES ('SMTP Authentication Username', 'EMAIL_SMTP_USERNAME', '', 'The e-mail username sent to the server when SMTP password authentication is required.', '12', '14', '0000-00-00 00:00:00', '2009-06-16 20:09:42', '', '');


INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, last_modified, date_added, use_function, set_function) VALUES ('SMTP Authentication Password', 'EMAIL_SMTP_PASSWORD', '', 'The e-mail password sent to the server when SMTP password authentication is required.', '12', '15', '0000-00-00 00:00:00', '2009-06-16 20:09:42', '', '');

Modifying files:
You will need to modify two files, one for the front end and one for the admin area: includes/classes/email.php and admin/includes/classes/email.php

Now open includes/classes/email.php
Find

if (EMAIL_TRANSPORT == 'smtp') {
return mail($to_addr, $subject, $this->output, 'From: ' . $from . $this->lf . 'To: ' . $to . $this->lf . implode($this->lf, $this->headers) . $this->lf . implode($this->lf, $xtra_headers));

Replace line

return mail($to_addr, $subject, $this->output, 'From: ' . $from . $this->lf . 'To: ' . $to . $this->lf . implode($this->lf, $this->headers) . $this->lf . implode($this->lf, $xtra_headers));

With this code

include_once(DIR_WS_CLASSES . 'class.smtp.php');

// Build up the SMTP connection parameter list
$params['host'] = EMAIL_SMTP_HOST_SERVER;     // The SMTP server host/IP
$params['port'] = EMAIL_SMTP_PORT_SERVER;     // The SMTP server port
$params['helo'] = EMAIL_SMTP_HELO_SERVER;     // HELO/EHLO command string; typically your domain/hostname
$params['auth'] = EMAIL_SMTP_ACTIVE_PASSWORD; // Whether to use basic authentication or not
$params['user'] = EMAIL_SMTP_USERNAME;        // Username for authentication
$params['pass'] = EMAIL_SMTP_PASSWORD;        // Password for authentication

// Prepare the recipient names; there can be multiple recipients in $to_addr separated by a comma.
// Create an array of the recipients and then strip off everything except the bare
// email address. For example: "MyCuteName <me@mydomain.com>" => "me@mydomain.com"
$recipients = explode(',', $to_addr);
for ($i = 0; $i < count($recipients); $i++) {
    $recipients[$i] = trim(preg_replace('/(.*)<(.*)>(.*)/', '$2', $recipients[$i]));
}
$send_params['recipients'] = $recipients;

// Timestamp the message
$date = date('r');

$send_params['headers'] = array_merge($this->headers, array("From: $from", "To: $to", "Subject: $subject", "Date: $date"));

// This is used in the MAIL FROM: command
// It should end up as the Return-Path: header
$send_params['from'] = $from_addr;

// The body of the email message
$send_params['body'] = $this->output;

// Send the email via SMTP
return (is_object($smtp = smtp::connect($params)) AND $smtp->send($send_params));

For the file admin/includes/classes/email.php do the same as above, and after that
Find:

case (($text == true) && ($attachments == false) && ($html == false)):

Replace with

case (($text == true) && ($attachments == false)):

and that's it. Now go to the admin area and update the SMTP settings in Configuration > Email Options. I am using this code on one of my sites, so it should work if everything is done as described.

Categories Breadcrumb not working, CRE Loaded Pro

November 1st, 2009 2 comments

I was amazed to see that the categories breadcrumb is not working on category pages, e.g. http://demos.creloaded.com/creloaded_pro/index.php?cPath=3_10. You can see a proper cPath in the URL, yet the breadcrumb is missing. This happens in CRE Loaded 6.4 PRO. The breadcrumb is not only important for visitors, it is also important from the SEO perspective.

The issue is due to a bug in the "runtime override" code. The code uses the $cPath_array variable, which is not declared global in the function. To fix this, open the file includes/runoverride/applicationtop/CDSlogic_applicationtop_breadcrumb.php, find the line global $breadcrumb, $languages_id and add , $cPath_array after the $languages_id variable, so it reads global $breadcrumb, $languages_id, $cPath_array. This makes $cPath_array global and the breadcrumb will start working.
