X-Cart forums

[albertchui]

there is bug that the register.php do not lockpad because there are insecured url like css and script in var/cache, they can be found in register.php:

<link rel="stylesheet" type="text/css" href="http://www.iphonecasestudio.com/var/cache/1.5be5c1dcd7369459527c2673274386b9.css" />
<script type="text/javascript" src="http://www.iphonecasestudio.com/var/cache/1.009217382cf016b48187804a6b8782e0.js"></script>


when i turn off in Optimization settings:

Use speed-up tool for Javascript & Use speed-up tool for CSS

then it gone and only leave the favicon and canonical

the insecured http: do not exist, so please fix the bug

thanks
albert

[ADDISON]

UPDATE TO MY POST #150: My host said their server is doing fine. It is the latest Apache and I don't need that device urandom! It is integrated in kernel. They suggested to contact Qualiteam to update their code from old dev/urandom to our days code (I don't understand what this really means).

About dev/urandom versus dev/random I read many web resources. Here are a few:

- http://linux.about.com/library/cmd/blcmdl4_urandom.htm
- http://en.wikipedia.org/wiki//dev/random

For sure I need a point of view from Qualiteam about this issue. Interesting in Windows there is other procedure to get random numbers generated.

[random]

Quote:

Originally Posted by ADDISON

UPDATE TO MY POST #150: My host said their server is doing fine. It is the latest Apache and I don't need that device urandom! It is integrated in kernel. They suggested to contact Qualiteam to update their code from old dev/urandom to our days code (I don't understand what this really means).

First of all, you're referring to a file which is not used directly.

We use function from extended class, which code is

Code:

...
    function get_random_bytes($count) { // {{{ /* Must be public used in func_get_secure_random_key*/

        $output = '';

        if (function_exists('openssl_random_pseudo_bytes')) {
            $output = openssl_random_pseudo_bytes($count, $crypto_strong);
            if (!$crypto_strong) {
                $output = '';
            }
        }

        if (
            strlen($output) != $count
            && @is_readable('/dev/urandom')
            && ($fh = @fopen('/dev/urandom', 'rb'))
        ) {
            $output = fread($fh, $count);
            fclose($fh);
        }

        if (
            strlen($output) != $count
            && defined('X_PHP530_COMPAT')
            && function_exists('mcrypt_create_iv')
        ) {
            $output = mcrypt_create_iv($count, MCRYPT_DEV_URANDOM);
        }
...

Generally, this function is used to create random numbers used to in cryptographic hashes for sensitive data.
Usual random numbers are not actually "random" and are not suitable for such operations, so we need to use special commands to get cryptographic random numbers.
One of them (and preferred) is an "openssl_random_pseudo_bytes" - seems that your host doesn't allow it.
Alternative for it is reading from "dev/urandom" - and it seems that your host doesn't allow it as well.
Third - is a PHP 5.3 wrapper for dev/urandom (we still support 5.2 version, so we first check that device directly). Probably this is the only one thing which can be revised - change priority to check 5.3 function first, because all users should be on 5.3 host at least (but unforuntately, they don't).

So, if your host doesn't allow to access these cryptographic numbers - then you should be warned that your store is more vulnerable to hacker attacks.

[ADDISON]

Thank you Vladimir. A well documented post which helps me to approach the host owner.

If you can revised what you mentioned at the end it will be great.

[ADDISON]

ABOUT SPEED.

There is no doubt X-Cart 4.6 is faster than previous versions. Everything is loading immediately, no delays (my localhost is a monster in characteristics).

but ...

Back-end still remains very lazy, like an old man using sticks. Pages are loading in seconds. Not good at all. You improved the Front-end, but left the Back-end the same. I don't want to upset you with my statement, but this must be redesign. Magento still has a faster Back-end than X-Cart.

1 - entering Admin interface: 12.43 seconds
2 - accessing General Settings: 10.12 seconds
3 - accessing Products: 9.43 seconds
4 - searching Products: 8.37 seconds
5 - accesing product Acer TravelMate 212T: 9.12 seconds
6 - saving changes to product Acer TravelMate 212T: 10.32 seconds

So let's do some mathematics: sum for 1 - 3 - 4 - 5 - 6 about 13 + 10 + 8 + 9 + 11 = 51 seconds ~ 1 minute - not goot at all. Doing some tests with different shopping carts I can say for sure X-Cart has the laziest Back-End interface!

Comparing X-Cart's Front-End versus Back-End is like comparing a car with a cart.

Do you have plans to improve this?

[rocky]

Quote:

Originally Posted by ADDISON

ABOUT SPEED.

There is no doubt X-Cart 4.6 is faster than previous versions. Everything is loading immediately, no delays (my localhost is a monster in characteristics).

but ...

Back-end still remains very lazy, like an old man using sticks. Pages are loading in seconds. Not good at all. You improved the Front-end, but left the Back-end the same. I don't want to upset you with my statement, but this must be redesign. Magento still has a faster Back-end than X-Cart.

1 - entering Admin interface: 12.43 seconds
2 - accessing General Settings: 10.12 seconds
3 - accessing Products: 9.43 seconds
4 - searching Products: 8.37 seconds
5 - accesing product Acer TravelMate 212T: 9.12 seconds
6 - saving changes to product Acer TravelMate 212T: 10.32 seconds

So let's do some mathematics: sum for 1 - 3 - 4 - 5 - 6 about 13 + 10 + 8 + 9 + 11 = 51 seconds ~ 1 minute - not goot at all. Doing some tests with different shopping carts I can say for sure X-Cart has the laziest Back-End interface!

Comparing X-Cart's Front-End versus Back-End is like comparing a car with a cart.

Do you have plans to improve this?

Thank you for you report, however, admin area is as fast as a customer front end actually.

I guess an origin of the problem is in the fact that you run it on a localhost (no matter how powerful it is). The thing is that a stock X-Cart store makes requests to external resources to get news feed, information about available security patches and etc. (the feed that you can see on admin home page). Thus, if external connections are closed on your server you might encounter such delays in X-Cart admin area responses (it constantly tries to connect and it slows down the page loading).

This issue is already under consideration of our maintenance team and it will be fixed in future versions so that X-Cart could work on localhosts as fast as on external servers.

Meanwhile, I've PM'ed you a patch which turns off this callbacks. Don't forget to revert the changes back if you move your site to the live server.

Thank you.

[ADDISON]

Thank you Rocky. I will use the patch you sent me and let you know my impression.

[rocky]

Quote:

Originally Posted by ADDISON

Thank you Rocky. I will use the patch you sent me and let you know my impression.

Deal, I'll be waiting for you report.

[costanza]

I feel I need to upgrade my sites. I'm still on 4.4.3, with the "Smart Template" from X-cart mods UK.

I am fine with the functionality of my sites, but I think the cleaner code of 4.6 & the "Reboot template", will be much better for SEO.

Reading through this complete thread on 4.6, am I crazy to go to 4.6 so soon? Or is 4.5.5 a better option? I would appreciate advice from anyone, but would especially be interested in what cflsystems, ADDISON, carpeperdiem & cherie think.

Thanks for any help!

PS. I would agree with everyone else. I feel XC should concentrate more on fixing bugs, rather than on more features. I've been using XC for 3 years and updates seem to be way too frequent & still have too many bugs.

And yes, the upgrade process for XC is daunting!

[ADDISON]

You should wait for October when v4.6.1 will become available. Definitely version 4.6 is a step forward in speed. I had the chance to test 4.5.4 and 4.6.0 and I can say there is a solid improvement in this direction.

Also, looking over Bugtracker the number of issues are decreasing. Qualiteam engineers are doing a great job I never seen before. It could be much better than that. More bugs will be solved with 4.6.1.

I do not contest presence of new features. I like them because the visitors ask for them. A solid company with good programming engineers could deal with both bugs and features. It is not normal to call stop adding features but solve the bugs. Qualiteam is not an apartment company with 5 employees doing a titanic work. Believe me, if they will be more interested to hear our needs this shopping cart will put a shadow over other shopping carts. I hate to see features in other shopping cart, basic ones, XC doesn't have. Especially when Qualiteam has so talented programmers.