This fix has worked for several users:
1. Open the catalog/admin/includes/functions/compatibility.php.
2. At the end of the “do_magic_quotes_gpc” routine, add the following code

reset($ar);

It will end up looking like this:

function do_magic_quotes_gpc(&$ar) {
if (!is_array($ar)) return false;
while (list($key, $value) = each($ar)) {
if (is_array($ar[$key])) {
do_magic_quotes_gpc($ar[$key]);
} else {
$ar[$key] = addslashes($value);
}
}
reset($ar);
}

3. Do the same for the compatibility.php file located in catalog/includes/functions/compatibility.php.

this happens in badly customized templates of oscommerce.

quick fix is to delete the functions in the language files in english.php, german.php etc and then define the function in includes/functions/general.php so that is loads all the time irrespective of the language file selected.

If you need support in fixing it you can use the contact us form to get in touch with us.

• Replace ereg functions with preg functions for OSC-999
• Replace ereg functions with preg functions for OSC-999
• Replace split function with preg_split and explode functions for OSC-999
• Commit cleanup and fix some warnings in phplot and typo in banners_infobox for OSC-999
• Fix ereg->preg updates

if you need your oscommerce store to make it work with php5.3 , you can use the contact us form to get in touch with us or call us

A nominal fee of 150USD for the upgrade of the core version of oscommerce. upgradation of other custom features and contributions for php5.3 compatible is extra.

Many oscommerce stores which is not secure are having this issue

Solution

Passoword protect with htaccess

http://code.google.com/p/oscmax2/source/diff?spec=svn169&r=169&format=side&path=/trunk/catalog/admin/includes/application_top.php

For a nominal fee of 50 usd we will secure the site for spam emails from oscommerce store

Find this at line 265:

$http = new httpClient();
if ($http->Connect(‘www.ups.com’, 80)) {
$http->addHeader(‘Host’, ‘www.ups.com’);
$http->addHeader(‘User-Agent’, ‘osCommerce’);
$http->addHeader(‘Connection’, ‘Close’);

And replace with this:

if (!class_exists(‘httpClient’)) {
include(‘includes/classes/http_client.php’);
}
$http = new httpClient();
if ($http->Connect(‘www.ups.com’, 80)) {
$http->addHeader(‘Host’, ‘www.ups.com’);
$http->addHeader(‘User-Agent’, ‘osCommerce’);
$http->addHeader(‘Connection’, ‘Close’);

Please use the contact us form to get in touch with us.

You need to secure oscommerce by doing the following steps

1) Remove admin/file_manager.php
2) Remove admin/define_language.php
3) Make backups of your database and site files, saves a great deal of time & effort cleaning up should anything nasty happen.
4) Install the following useful contributions

Prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752

Monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441

Block elicit access attempts with IP trap http://addons.oscommerce.com/info/5914

htaccess protection http://addons.oscommerce.com/info/6066

Stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

Make sure that all files, except for the two configure.php files have permissions no higher than 644.

The permissions for the two configure.php files will vary according to the server your site is on – it could be 644, 444 or 400 which is correct.

Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change host

You can use the contribution at http://addons.oscommerce.com/info/6134 to assist with permission settings.

Other steps to be followed

SECURING THE ADMIN:

By re-naming & password protection

FORMS:

Security Pro cleans the query string, however any forms using $_POST are un-affected, if you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.

after:

CODE
require(‘includes/application_top.php’);

add:
CODE

// clean posted vars
reset($_POST);
while (list($key, $value) = each($_POST)) {
if (!is_array($_POST[$key])) {
$_POST[$key] = preg_replace(“/[^ a-zA-Z0-9@%:{}_.-]/i”, “”, urldecode($_POST[$key]));
} else { unset($_POST[$key]); } // no arrays expected
}

following the above steps makes the store secure

If you need help in doing all the above we charge a nominal rate of 200 USD.

Please use the contact us form to get in touch with us.

Also change the country code to match yours (this example uses GB for UK)

********************************************************************
* Open catalog/includes/languages/english.php (this is for your catalog section)
* The changes are highlighted.
********************************************************************
@setlocale(LC_TIME, ‘en_GB.ISO_8859-1′);

define(‘DATE_FORMAT_SHORT’, ‘%d/%m/%Y’); // this is used for strftime()
define(‘DATE_FORMAT_LONG’, ‘%A %d %B, %Y’); // this is used for strftime()
define(‘DATE_FORMAT’, ‘d/m/Y’); // this is used for date()
define(‘DATE_TIME_FORMAT’, DATE_FORMAT_SHORT . ‘ %H:%M:%S’);

////
// Return date in raw format
// $date should be in format mm/dd/yyyy
// raw date is in format YYYYMMDD, or DDMMYYYY
function tep_date_raw($date, $reverse = false) {
if ($reverse) {
return substr($date, 0, 2) . substr($date, 3, 2) . substr($date, 6, 4);
} else {
return substr($date, 6, 4) . substr($date, 3, 2) . substr($date, 0, 2);
}
}

*********************
Also change the following
*********************

CODE
define(‘ENTRY_DATE_OF_BIRTH_ERROR’, ‘Your Date of Birth must be in this format: MM/DD/YYYY (eg 05/21/1970)’);
to
CODE
define(‘ENTRY_DATE_OF_BIRTH_ERROR’, ‘Your Date of Birth must be in this format: DD/MM/YYYY (eg 21/05/1970)’);

CODE
define(‘ENTRY_DATE_OF_BIRTH_TEXT’, ‘* (eg. 05/21/1970)’);
to
CODE
define(‘ENTRY_DATE_OF_BIRTH_TEXT’, ‘* (eg. 21/05/1970)’);

CODE
define(‘DOB_FORMAT_STRING’, ‘mm/dd/yyyy’);
to
CODE
define(‘DOB_FORMAT_STRING’, ‘dd/mm/yyyy’);

Two database tables need to be modified when changing the length of the product model
field: products, and orders_products.

Using phpMyAdmin

Select the products table on the left side of phpMyAdmin
Select the product_model check box
Click on the Change button
Set the new size value under the Length/Values field, and click on the Save button. The same steps need to be reproduced for the orders_products table.

Using MySQL
alter table products change products_model products_model varchar(255);
alter table orders_products change products_model products_model varchar(255);

Hackers exploit a vulnerability that is usually used for uploading product pictures to the /images directory.

Php files are uploaded in the images directory and executed.

CUstomer and order details are displayed and also emailed to the hackers email address.

Sometimes traces are left by the hacker.
PHP files show up in the images directory (though sometimes they’re deleted after being run).

Gengerally, the following code iframe is added to every product_description and categories_description

We have a process to clean up the database and clean up the images directory

150 USD