Upgrade your site to Smarty 2.6.2

 
  #41  
Old 06-03-2004, 05:58 AM
 
machnhed1 machnhed1 is offline
 

eXpert
  
Join Date: Feb 2003
Location: Illinois
Posts: 274
 

Default

Quote:
Originally Posted by cmtrade
The new top.inc has screwed up a lot of things.

Here's a quick follow up on this issue -

I upgraded Smarty to 2.6.2 using the instructions on this thread. Smarty 2.6.2 now uses $_GET instead of HTTP_GET_VARS. Now, x-cart 3.5.8 does not allow the variable $_GET with the new top.inc.php file, hence {$smarty.get.XXXX} won't work. In fact any call you make to $_GET or $_POST or $_COOKIE will not work.

(The new top.inc.php was written to prevent possible security issues with people running servers with register_global set to "on". If you don't have registered globals turned on, I don't think this new top.inc.php file helps you much, but I am still waiting for a confirmation from x-cart regarding this question. I have posted a modified top.inc.php file at the bottom of this post for anyone who wants to use smarty 2.6.2 with x-cart 3.5.8. UNDERSTAND THAT THIS CODE MAY NOT BE SECURE.)

If you continue to use 2.5.0 you will not encounter this bug because they still use the deprecated variables $HTTP_GET_VARS, $HTTP_POST_VARS, etc.

I emailed x-cart about this and they said they are so far not planning on updating their code to use $_GET, $_POST, etc., because it would require a lot of rewriting. IMHO that reasoning sucks.

You can find out more about these php variables here - http://us3.php.net/manual/en/language.variables.predefined.php.

AGAIN NOTE THAT THIS CODE MAY NOT BE SECURE (ESPECIALLY IF YOU HAVE REGISTER GLOBAL TURNED ON).

Code:
<?php
/*****************************************************************************\
+-----------------------------------------------------------------------------+
| X-Cart                                                                      |
| Copyright (c) 2001-2004 Ruslan R. Fazliev <rrf@rrf.ru>                      |
| All rights reserved.                                                        |
+-----------------------------------------------------------------------------+
| PLEASE READ THE FULL TEXT OF SOFTWARE LICENSE AGREEMENT IN THE "COPYRIGHT"  |
| FILE PROVIDED WITH THIS DISTRIBUTION. THE AGREEMENT TEXT IS ALSO AVAILABLE  |
| AT THE FOLLOWING URL: http://www.x-cart.com/license.php                     |
|                                                                             |
| THIS AGREEMENT EXPRESSES THE TERMS AND CONDITIONS ON WHICH YOU MAY USE      |
| THIS SOFTWARE PROGRAM AND ASSOCIATED DOCUMENTATION THAT RUSLAN R.           |
| FAZLIEV (hereinafter referred to as "THE AUTHOR") IS FURNISHING OR MAKING   |
| AVAILABLE TO YOU WITH THIS AGREEMENT (COLLECTIVELY, THE "SOFTWARE").        |
| PLEASE REVIEW THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT            |
| CAREFULLY BEFORE INSTALLING OR USING THE SOFTWARE. BY INSTALLING,           |
| COPYING OR OTHERWISE USING THE SOFTWARE, YOU AND YOUR COMPANY               |
| (COLLECTIVELY, "YOU") ARE ACCEPTING AND AGREEING TO THE TERMS OF THIS       |
| LICENSE AGREEMENT. IF YOU ARE NOT WILLING TO BE BOUND BY THIS               |
| AGREEMENT, DO NOT INSTALL OR USE THE SOFTWARE. VARIOUS COPYRIGHTS AND       |
| OTHER INTELLECTUAL PROPERTY RIGHTS PROTECT THE SOFTWARE. THIS               |
| AGREEMENT IS A LICENSE AGREEMENT THAT GIVES YOU LIMITED RIGHTS TO USE       |
| THE SOFTWARE AND NOT AN AGREEMENT FOR SALE OR FOR TRANSFER OF TITLE.        |
| THE AUTHOR RETAINS ALL RIGHTS NOT EXPRESSLY GRANTED BY THIS AGREEMENT.      |
|                                                                             |
| The Initial Developer of the Original Code is Ruslan R. Fazliev             |
| Portions created by Ruslan R. Fazliev are Copyright (C) 2001-2004           |
| Ruslan R. Fazliev. All Rights Reserved.                                     |
+-----------------------------------------------------------------------------+
\*****************************************************************************/

#
# $Id: top.inc.php,v 1.1.2.8 2004/05/26 12:16:05 mclap Exp $
#

if (!defined('XCART_START')) {

define('XCART_START',1);

#
# Remove results of automatic variables registration when register_globals=on
#
foreach (get_defined_vars() as $__key=>$__val) {
	if (defined('USE_TRUSTED_POST_VARIABLES') && $__key == "trusted_post_variables") continue;
	if (defined('XCART_INSTALL') && $__key == "module_definition") continue;
	# Keys returned by get_defined_vars() have no leading "$", and a
	# double-quoted "$_GET" would be interpolated, so the superglobals are
	# listed here as "_GET" and "_POST".
	if (!in_array($__key, array("HTTP_GET_VARS","HTTP_POST_VARS","HTTP_SERVER_VARS","HTTP_ENV_VARS","HTTP_COOKIE_VARS","HTTP_POST_FILES","__key","__val","_GET","_POST"))) {
		unset($$__key);
	}
}
unset($__key);
unset($__val);

#
# Directories structure definitions
#

#
# Real path to the directory where X-Cart is installed
# If you have problems with __FILE__ constant definition on your server
# you can specify path directly. For example:
# $xcart_dir = '/home/user/public_html/xcart';
#
$xcart_dir = realpath(dirname(__FILE__));

# Directories location definition
# Examples:
# Customer's scripts are placed into the X-Cart subdirectory:
# define ('DIR_CUSTOMER', '/<name_of_directory>');
# define ('DIR_CUSTOMER', '/customer');
# define ('DIR_ADMIN', '/admin');
# define ('DIR_ADMIN', '/service_area/administration');
#
# (!) Customer's scripts are placed into the root X-Cart directory:
# define ('DIR_CUSTOMER', '');
#
define ('DIR_CUSTOMER', '/customer');
define ('DIR_ADMIN', '/admin');
define ('DIR_PROVIDER', '/provider');
define ('DIR_PARTNER', '/partner');

#
# Note: DIR_PARTNER is valid only for installed X-Affiliate module
#

}

?>
__________________
Following the signature guidelines : xcart pro 3.5.8 - [RedHat]
Reply With Quote
  #42  
Old 06-03-2004, 06:08 AM
  adpboss's Avatar 
adpboss adpboss is offline
 

X-Man
  
Join Date: Feb 2003
Location: Ontario, Canada
Posts: 2,389
 

Default

Quote:
Originally Posted by machnhed1
I emailed x-cart about this and they said they are so far not planning on updating their code to use $_GET, $_POST, etc., because it would require a lot of rewriting. IMHO that reasoning sucks.
I agree. That sucks. Especially since I have seen a significant performance increase with Smarty 2.6.2. X-cart seriously needs to do some code cleanup and start working towards compliance. So what if it is a lot of re-writing? That is the software game. Evolve and refine or die.
Reply With Quote
  #43  
Old 06-03-2004, 06:17 AM
 
machnhed1 machnhed1 is offline
 

eXpert
  
Join Date: Feb 2003
Location: Illinois
Posts: 274
 

Default

Quote:
Originally Posted by adpboss
X-cart seriously needs to do some code cleanup and start working towards compliance. So what if it is a lot of re-writing? That is the software game. Evolve and refine or die.

Hear, hear. I did a search of the 3.5.8 distribution and there are 472 occurrences of the variable $HTTP_%. So in theory you could do a massive find and replace.

By the way, I also checked the 4.0 alpha distribution and it too is using 2.5.0. Seems to me like that would be an ideal time to update the code.

JMO
__________________
Following the signature guidelines : xcart pro 3.5.8 - [RedHat]
Reply With Quote
  #44  
Old 06-03-2004, 06:27 AM
  adpboss's Avatar 
adpboss adpboss is offline
 

X-Man
  
Join Date: Feb 2003
Location: Ontario, Canada
Posts: 2,389
 

Default

This belongs in Rants or something I know, so I apologise in advance for getting off topic.

The irony here is that X-cart expects us to upgrade to fix bugs or to deal with security issues, yet they balk at having to re-code to improve their product and make it compliant?

4.0 would be the ideal time to get the code cleaned up. I will personally be pretty disappointed if they don't. I just finished buying my third licence and have plans for dozens more. A regressive attitude towards development is not a good sales pitch.
Reply With Quote
  #45  
Old 06-03-2004, 06:56 AM
  shan's Avatar 
shan shan is offline
 

X-Guru
  
Join Date: Sep 2002
Location: Birmingham, UK
Posts: 6,163
 

Default

Quote:
Originally Posted by adpboss
This belongs in Rants or something I know, so I apologise in advance for getting off topic.

The irony here is that X-cart expects us to upgrade to fix bugs or to deal with security issues, yet they balk at having to re-code to improve their product and make it compliant?

4.0 would be the ideal time to get the code cleaned up. I will personally be pretty disappointed if they don't. I just finished buying my third licence and have plans for dozens more. A regressive attitude towards development is not a good sales pitch.

this is exactly why everyone needs to make their point here

http://forum.x-cart.com/viewtopic.php?t=10737&highlight=

let's get all these problems ironed out before the official release of 4.0

I would rather see a delayed release of 4.0 with loads of things fixed even if it caused 1 awkward upgrade rather than having to do 10 upgrades later down the line that only fix things that should have been right in the start
__________________
Looking for a reliable X-cart host ?
You wont go wrong with either of these.

EWD Hosting
Hands On Hosting
Reply With Quote
  #46  
Old 06-03-2004, 06:59 AM
  adpboss's Avatar 
adpboss adpboss is offline
 

X-Man
  
Join Date: Feb 2003
Location: Ontario, Canada
Posts: 2,389
 

Default

Thanks Shan. I didn't know about that thread. I assumed the beta test was only for development partners.

I'll post there shortly.
Reply With Quote
  #47  
Old 06-03-2004, 07:21 AM
  shan's Avatar 
shan shan is offline
 

X-Guru
  
Join Date: Sep 2002
Location: Birmingham, UK
Posts: 6,163
 

Default

as far as i know everyone can have a blast on it and post their bugs / thoughts to the thread i mentioned
__________________
Looking for a reliable X-cart host ?
You wont go wrong with either of these.

EWD Hosting
Hands On Hosting
Reply With Quote
  #48  
Old 06-03-2004, 12:41 PM
 
NuAlpha NuAlpha is offline
 

X-Adept
  
Join Date: Aug 2003
Location: US
Posts: 598
 

Default

Quote:
Originally Posted by machnhed1
I upgraded Smarty to 2.6.2 using the instructions on this thread. Smarty 2.6.2 now uses $_GET instead of HTTP_GET_VARS. Now, x-cart 3.5.8 does not allow the variable $_GET with the new top.inc.php file, hence {$smarty.get.XXXX} won't work. In fact any call you make to $_GET or $_POST or $_COOKIE will not work.

Currently using Smarty 2.5.0 and $smarty.get.mode is used throughout our site. The only current loss of function occurs in PHP in which we have had to switch to $HTTP_WHATEVER instead of $_WHATEVER.

We don't use webmaster mode at all and I would really love to upgrade to Smarty 2.6.2 (without screwing up our .tpl's). Is there any way I can make our site compatible (excepting Webmaster Mode) with Smarty 2.6.2 and Xcart 3.5.8??
__________________
X-Cart Pro 4.5.5 Platinum
X-Payments 1.0.6
PHP 5.3.14
MySQL 5.1.68
Apache 2.2.23
Reply With Quote
  #49  
Old 06-06-2004, 01:26 AM
 
FX FX is offline
 

Member
  
Join Date: May 2004
Location: US
Posts: 12
 

Default

Quote:
Originally Posted by machnhed1
I did a search of the 3.5.8 distribution and there are 472 occurrences of the variable $HTTP_%. So in theory you could do a massive find and replace.
JMO

Does this theory work in practice, anyone? It's not a big deal to do massive find and replace. But it probably will bring a lot more work down the road when it's time to upgrade, almost every file will be affected in upgrade.
Reply With Quote
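The find-and-replace discussed above, as a dry-run audit (an added example, not part of the original posts and not X-Cart code). It rewrites `$HTTP_*_VARS` references to the matching superglobals and separately flags `global` declarations and bare string names such as the `"HTTP_GET_VARS"` entries in the top.inc.php whitelist, which a replace keyed on `$HTTP_` would miss. The function name `audit_php` and the sample source are constructed for illustration.

```python
import re

# Long PHP 4 request arrays and the superglobals that replace them.
LONG_TO_SUPER = {
    "HTTP_GET_VARS": "_GET",
    "HTTP_POST_VARS": "_POST",
    "HTTP_COOKIE_VARS": "_COOKIE",
    "HTTP_SERVER_VARS": "_SERVER",
    "HTTP_ENV_VARS": "_ENV",
    "HTTP_POST_FILES": "_FILES",
    "HTTP_SESSION_VARS": "_SESSION",
}
NAMES = "|".join(LONG_TO_SUPER)
VAR_REF = re.compile(r"\$(" + NAMES + r")\b")
# "global $HTTP_GET_VARS;" is redundant once the name is a superglobal.
GLOBAL_DECL = re.compile(r"\bglobal\b[^;]*\$(?:" + NAMES + r")\b[^;]*;")
# Name without "$", e.g. inside a whitelist array: needs a manual decision.
BARE_NAME = re.compile(r"(?<![$\w])(" + NAMES + r")\b")


def audit_php(source):
    """Dry run: return (rewritten_source, findings) for one PHP file's text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if GLOBAL_DECL.search(line):
            findings.append((lineno, "global-decl"))
        elif VAR_REF.search(line):
            findings.append((lineno, "var-ref"))
        if BARE_NAME.search(line):
            findings.append((lineno, "bare-name"))
    rewritten = VAR_REF.sub(lambda m: "$" + LONG_TO_SUPER[m.group(1)], source)
    return rewritten, findings


# Constructed sample, not taken from the X-Cart distribution.
SAMPLE = '''<?php
function current_mode() {
    global $HTTP_GET_VARS, $config;
    return $HTTP_GET_VARS["mode"];
}
$keep = array("HTTP_GET_VARS", "HTTP_POST_VARS");
$user = $HTTP_COOKIE_VARS["user"];
'''

if __name__ == "__main__":
    new_source, report = audit_php(SAMPLE)
    for lineno, kind in report:
        print(f"line {lineno}: {kind}")
    print(new_source)
```

Lines reported as `bare-name` are left unchanged on purpose: in a cleanup loop like the one in top.inc.php, those strings decide which variables survive, so they have to be reviewed by hand.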
  #50  
Old 06-07-2004, 05:22 AM
 
machnhed1 machnhed1 is offline
 

eXpert
  
Join Date: Feb 2003
Location: Illinois
Posts: 274
 

Default

Quote:
Originally Posted by machnhed1
(The new top.inc.php was written to prevent possible security issues with people running servers with register_global set to "on". If you don't have registered globals turned on, I don't think this new top.inc.php file helps you much, but I am still waiting for a confirmation from x-cart regarding this question.

The following is my question to x-cart support followed by their response:

MY QUESTION:
"If we have register_global=off on our server, would it be ok to add $_GET and $_POST to the array or would this pose a potential security risk?"

THEIR RESPONSE:
"Theoretically, no. There wouldn't be any security risk."

So, it appears that if you have registered globals turned off on your machine you can use the code I previously posted. In hindsight, this makes sense given the fact that these variables are all just aliases anyway.

Hope this helps
__________________
Following the signature guidelines : xcart pro 3.5.8 - [RedHat]
Reply With Quote
All times are GMT -8. The time now is 06:51 AM.

   

 