Wasimasif's Blog

Recently had issue where customer complained that discount coupon amount was not being deducted during checkout. This issue was causing many customers to loss as amount on PayPal page was shown without discount.

What I found out that issue was due to a configuration which dose not cater the discount coupon amount. One configuration called “Shopping Cart Method” was set to “Itemized”. This setting shows item wise detail on PayPal checkout page. As discount coupons are applied on an order not on any particular item, so the total amount charged is without discount.

When the option was set to “Aggregate” mode the issue resolved. This does not show much detail for items purchased, on PayPal page but shows the correct amount to charge. So this works for me.

So if you want to do the same, login to your admin area and go to Modules > Payment and select the PayPal module. Now click on Edit button and find Shopping Cart Method and select “Aggregate” option. Click “update” button to save this change. The should be gone.

I have tried this on CRE Loaded pro 6.2 but it should also work for other version of CRE Loaded and OSCommerce as well.

For more updates and fix in CRE Loaded keep visiting CRE Loaded section on my blog.

Search feature in OSCommerce and CRE Loaded provide an important functionality for visitors to perform custom search. Its important to know what visitors are searching on your site. Luckily Google Ananlytics (GA) provides and easy way to track these searches.

To enable this tracking your need to login to your GA account and goto Analytics Settings > Profile Settings > Edit Profile Information. Under Site Search select Do Track Site Search. Now you need to tell what parameter contains the search term. As internal search is provided on this page advanced_search_result.php?keywords=test, here we have to track keywords parameter. So put keywords in Query Parameter (required): field.

This will enable tracking for searches performed on your site. Many useful reports are provided by GA telling for example what people are searching and many other things.

Like every other eCommerce solution CRE Loaded provides a password protected admin area to manage all aspects of the site. Any unauthorized access to admin area can cause damage to site’s important data, any leakage of customer’s payment details can cause more issues and damage to site.

CRE Loaded team has done good job to make this area secure by use of encrypted passwords, https access etc. Recent 6.4.1 release includes password hardening task to further enhance security. Still there is a lot, which you can do to protect admin area.

In this post I will list few guidelines to enhance admin area protection. The post also includes basic methods to apply these guidelines.

So here are the guidelines.

1. Don’t use default http://mycresite.com/admin/ structure
2. Use password protected directories
3. Restrict access to specific IPs only
4. Use secure user names and passwords

1. Don’t use default http://mycresite.com/admin/ structure

In default installation admin area is installed in /admin/ folder and accessible from http://mycresite.com/admin/ URL. As this default location is publicly known hackers can easy launch attempts to break in.

To avoid this issue it is strongly recommended that you don’t install and use admin are on default location. With little effort you can change this location by

• Rename admin folder: One simple way is to rename admin folder to some different name which is not easy to guess. For example 234admin80907. You will need to update this folder path in {new_admin_folder}/includes/configure.php. You will need to update following configurations
  1. DIR_WS_HTTP_ADMIN
  2. DIR_WS_HTTPS_ADMIN
  3. DIR_FS_ADMIN
• Install on different domain: Admin area is completely independent from rest of the site so it can be installed on completely different domain or sub domain. This way makes its location more sure and non guessable.
  To do this move /admin/ folder (or whatever you renamed it to) on separate location (e.g public_html/admin/), and point your separate domain or sub domain to this folder. Using a sub domain is easier than complete new domain as many sub domains are allowed under same hosting.
  Please use non guessable domain or sub domain to make is more secure.
  You will need to update these changes in includes/configure.php of this folder. You will need to change following configurations
  • HTTP_SERVER
  • HTTPS_ADMIN_SERVER
  • DIR_WS_HTTP_ADMIN
  • DIR_WS_HTTPS_ADMIN
  • DIR_FS_ADMIN

  Note: For sub domain you may need high level SSL certificate which can work on main and sub domain without error.

2. Use password protected directories

Always protect your admin folder with additional password. Most of the hosting packages include feature to make some directories password protected from there control panel. This user name and password will be asked by browser even before the login page is displayed so this can be a good weapon to protect your admin area.

3. Restrict access to specific IPs only

You can also restrict access to admin area from specific IPs only easily. By this admin area will only be accessible from specified IPs only. For this you will need to edit .htaccess file under admin/ folder.
To do this download admin/.htaccess file and open it with some text editor. Put following code in .htaccess file

Order Deny,Allow
Deny from all
Allow from 100.100.100.100, 100.100.100.101


and uploaded.

Here 100.100.100.100 is example ips put your list of comma separated IPs. The code tells server to block all requests unless they are from specified IPs.

4. Use secure user names and passwords

No matter if it is password of admin area or password protected directories, use user names and passwords which are not easily guessable. Do not very user names like admin, administrator etc. A good password should mix alphabets, numbers, special characters etc to avoid easy brute force attacks.

Recently found a bug in payment module “Credit Card UK with CVC”. I was using this module with CRE Loaded pro 6.4.0.

This payment module sends middle digits of CC and CVV code in an email to admin. Due to the bug this CVV code value was missing.

To fix the issue open file includes/modules/payment/cc_uk.php in editor and find line

$this->cc_issue = (isset($_POST['cc_issue'])) ? $_POST['cc_issue'] : '';

after this line add line

$this->cc_ccv = (isset($_POST['cc_ccv'])) ? $_POST['cc_ccv'] : '';

and you are done. Save the file and test.

Please be sure to backup your file before editing.

Long awaited release of CRE Loaded 6.4.1 is finally out. Now Google Base feature is back in CRE Loaded. Beside bug fixes and Google Base it also includes some new features like

• Admin log in as customer
• Several PayPal payment modules
  
• Admin Password hardening to satisfy PCI PA-DSS requirements 8.5.10 and 8.5.11
• etc

Right now I did not get chance to look at new release, will get back as soon as I get chance to see.

For last few days worked on performance optimization of CRE Loaded site. Now all major performance measuring tools Yahoo YSlow, Google Page Speed and WebPageTest.org are rating the site as A grade site.

I have been studying and applying performance guidelines for a while. Recent addition of Site Performance stats in Google Webmaster Tools have motivated me to run a full optimization cycle on CRE Loaded.

A number of performance tweaks were applied over a time, like cache, gzip compression, image cache etc. Still few things were missing like proper use of browser cache, http requests, css gzip etc.

Now following are results from performance measuring tools
YSlow

Page Speed

WebPageTest.org

Detailed test results can be seen at http://www.webpagetest.org/result/091228_3WME/

If you want your site to perform as good as A grade site you can contact me by posting a comment for free advice.

While working on some site I came across a bug in Special product page. If we have turned manufacturer name on in product listing, the link generated on the name is missing the manufacturer id value. The invalid link created looks like this http://demos.creloaded.com/creloaded_ce/index.php?manufacturers_id= on page https://demos.creloaded.com/creloaded_ce/specials.php.

I found this in cre loaded Pro 6.4.0, but when confirmed it exists in Community edition as well. I guess this issue may exist on other pages like “new products page”.

The manufacturer name can be turned on from Admin > Configuration > Product Listing > Display Product Manufacturer Name.

If you are using SEO URLs addon this bug can cause you a lot because it will generate unwanted link to your home page.

There are two ways of fixing the issue, one is to wait for fix release of which was expected in August but still not here, i am not sure if this bug will be fixed or not. Second fix is simple one, and can be found at Product listing bug fix in CRE Loaded.

Cache have become an important tool for increasing performance of a website. In this post we will install a famous osCommerce contribution to our CRE Loaded PCI 6.4 for cache.

The contribution is called osC Advanced Cache Class. The contribution will enable us to cache just about every thing like large arrays, data, html, even executable PHP code. More details of the contribution can be found here.

Here we will only install this contribution on cre loaded 6.4 we will use it later some where. For the possible uses please see contribution home page, referred above.

We will be installing it on Pro version and I hope the process will be same for other cre loaded versions. We will use Runtime Code Inclusion (RCI) feature of Cre loaded, to minimize chances of losing our changes during future upgrades. For RCI details refer to cre loaded.

Step One: downloading the contribution

Download the contribution from this page and extract it to some folder. The code includes an install script but please don’t use it as it is made for oscommerce not cre loaded.

Step Two: Adding class file

Copy osC-Cache/osC-Cache/upload/includes/classes/cache.class.php file to your installation of your cre loaded. The file should be copied to /includes/classes/ folder of your installation.

Step Three: Database Changes

You will need to add a new table in you database. Create a new table by executing the following query.

CREATE TABLE cache (
cache_id varchar(32) NOT NULL default '',
cache_language_id tinyint(1) NOT NULL default '0',
cache_name varchar(255) NOT NULL default '',
cache_data mediumtext NOT NULL,
cache_global tinyint(1) NOT NULL default '1',
cache_gzip tinyint(1) NOT NULL default '1',
cache_method varchar(20) NOT NULL default 'RETURN',
cache_date datetime NOT NULL default '0000-00-00 00:00:00',
cache_expires datetime NOT NULL default '0000-00-00 00:00:00',
PRIMARY KEY (cache_id,cache_language_id),
KEY cache_id (cache_id),
KEY cache_language_id (cache_language_id),
KEY cache_global (cache_global)
) TYPE=MyISAM;

Step Four: Implement cache class using RCI

Now create a new empty file named cache_applicationtop_bottom.php in folder includes/runtime/applicationtop/ of your cre loaded installation. Now open the new file and put following code in the file cache_applicationtop_bottom.php

<?php
global $cache, $languages_id;
# include the cache class
include(DIR_WS_CLASSES . ‘cache.class.php’);
$cache = new cache($languages_id,true);
# Get the cache – no parameters will get all GLOBAL cache entries for this language
$cache->get_cache(‘GLOBAL’);
?>

After saving the file try browsing your site, if you have done all steps properly you should not have any problems with it. If you see any problem like blank page is displayed or any thing else please make sure that you followed all steps properly.

May be in some other post we will see how we can use this cache contribution with cre loaded and get maximum advantages of cache.

Today fixed a bug in product listing of cre loaded 6.4.0 pro. Due this bug manufacturer link on certain pages was missing manufacturer id. The bug existed on Special products, New Products and Featured products page.

To fix the issue open file specials.php and find line case 'PRODUCT_LIST_MANUFACTURER':. In line next to it add p.manufacturers_id, after m.manufacturers_name,. This will add manufacturers_id column in selection list. Save the file and test.

You can do same thing in files products_new.php and featured_products.php. Keep following CRE Loaded category to stay updated.

CRE Loaded provides a basic search where a product can be searched by product name, model and manufacturer. If selected search is also performed in product description. This search uses SQL “LIKE” syntax to search in text fields. For example is keyword “test” is search the query will be

select distinct p.products_image ... final_price from ( products p left join specials s using(products_id) ) left join manufacturers m on p.manufacturers_id = m.manufacturers_id , products_description pd, categories c, products_to_categories p2c where p.products_status = '1' and p.products_id = pd.products_id and pd.language_id = '1' and p.products_id = p2c.products_id and p2c.categories_id = c.categories_id and ((pd.products_name like '%test%' or p.products_model like '%test%' or m.manufacturers_name like '%test%' or pd.products_description like '%test%') ) order by pd.products_name

The LIKE search can be very slow with large amount of products and specially when searching in description as well. To avoid this we can make this search to use fulltext searching feature of MySQL. The fulltext search will make searching in description much faster then normal like query. So lets start on fulltext search for CRE Loaded but before we start backup your files and database before you make any changes in case if any thing goes wrong, secondly changes mentioned worked for CRE Loaded pro 6.2 version but it should work with other versions as well.

First we need to create fulltext index on products table by following query.

ALTER TABLE products_description ADD FULLTEXT INDEX idx_name_desc (products_name, products_description);

Now to enable or disable fulltext search we need to add configuration so admin can do it easily. The query to add configuration is following.

INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id

, sort_order, last_modified, date_added, set_function)

VALUES ('Fulltext search', 'ADVANCED_SEARCH_FULLTEXT', 'false', 'Enable/Disable fulltext search', '1', '999', NOW(), NOW(), 'tep_cfg_select_option(array(\'true\',\'false\'),');

Now we need to add code for fulltext searching which will be added in file /templates/content/advanced_search_result.tpl.php. To do this open the above mentioned file and find

if (isset($search_keywords) && (sizeof($search_keywords) > 0)) {

$where_str .= " and (";

and add following code after it.

if(ADVANCED_SEARCH_FULLTEXT == 'true')

{

$ft_keyword = tep_db_input($keywords);

$where_str .= "MATCH(pd.products_name, pd.products_description) AGAINST('".$ft_keyword."' IN BOOLEAN MODE) OR p.products_model like '%".tep_db_input($keywords)."%'";

}

else

{

now find

$where_str .= " )";

and add code

}

before the code found.

Now the query should look like

select distinct p.products_image, ... final_price from ( products p left join specials s using(products_id) ) left join manufacturers m on p.manufacturers_id = m.manufacturers_id , products_description pd, categories c, products_to_categories p2c where p.products_status = '1' and p.products_id = pd.products_id and pd.language_id = '1' and p.products_id = p2c.products_id and p2c.categories_id = c.categories_id and (MATCH(pd.products_name, pd.products_description) AGAINST('test' IN BOOLEAN MODE) OR p.products_model like '%test%' )

In above query fulltext search will be performed in product name and description, the model will still be searched in LIKE mode, and manufacturer name will not be searched. With little effort model and manufacturer name can also be added to fulltext search.