
MODS.X-CART.COM - PAID or FREE Wordpress integration mod - which is the best?

 
#1 - Asiaplay (X-Wizard; joined Oct 2005; 1,242 posts) - 05-08-2010, 12:47 AM

Hi All,

I was looking into "wordpress integration" with X-Cart and came across a couple of additional options
(i.e. to those previously discussed within the forums)...
So I wanted people's thoughts on what they think is the best approach to integrating wordpress...

A) FREE MODULE (ARS Community Website)
I spotted this free x-cart module from the Arscommunity.com guys - please see http://www.arscommunity.com/wiki/articles-cart-wordpress-integration

B) PAID MODULE (X-Cart Extras Website)
I came across the X-Cart mods site offering Extras module...
- please see http://mods.x-cart.com/home.php (wordpress integration $329 up).


It seemed to me that both of these mods offer basically the same final end result for customers
i.e. integration of Wordpress into X-Cart... yes?

So would people here recommend, just going with this free mod version and forgetting the paid X-Cart one?
(or am I missing something here?)

Cheers and thanks for comments - Asiaplay
__________________
X-Cart Gold version 4.1.9
(plus built in X-Cart bugs!)

#2 - balinor (Veteran; joined Oct 2003; Connecticut, USA; 30,253 posts) - 05-08-2010, 05:32 AM

Moving to Third Party Add-Ons
__________________
Padraic Ryan
Ryan Design Studio
Professional E-Commerce Development

#3 - xim (X-Cart team; joined Nov 2004; 677 posts) - 05-11-2010, 06:22 AM

As far as I can see, the solution from ARS Community Website doesn't support one profile for a customer in X-Cart and WP.
__________________
Sincerely yours, Max Vydrin

#4 - Ene (X-Cart team; joined Aug 2004; 907 posts) - 05-11-2010, 06:38 AM


1. Their module will affect your store/server's performance, because it launches a PHP script each time your browser needs to download a CSS or JS file.

2. Their module is potentially insecure:

HTML Code:
    if ($_GET['incl_file']) {
        $incl_file = preg_replace('/\.\./', '', $_GET['incl_file']);
        $file = $xcart_dir.'/blog/'.$_GET['incl_file'];
        ..
        echo file_get_contents($file);
__________________
Eugene Kaznacheev,
Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009)

ex-Head of X-Cart Tech Support Department
ex- X-Cart Hosting Manager - X-Cart hosting
ex-X-Cart Technical Support Engineer


Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.

#5 - Asiaplay (X-Wizard; joined Oct 2005; 1,242 posts) - 05-11-2010, 11:23 AM

@xim,

Thanks for your feedback and clarification.
Yes, it seems you are right (I wasn't clear that the blog posters were using the same login as X-Cart customers in order to post).
I guess for us, limiting it to only signed-up X-Cart customers is probably not great (as we allow anonymous checkout) and therefore a good % of our customers / potential blog comments can come from unregistered customers.
So perhaps a better approach for us is to use "captcha" to avoid robot comments... and either excluding or "no follow" of html comments (as google does not count "no follow" links as spam apparently)?

@Ene,

Thanks for your reply - happy to get some feedback from you as well.

My understanding after talking to some wordpress friends, is as follows (I would appreciate some clarification):-

a) Load Speed / performance
That this will be a very, very small load on the server we use and basically un-noticeable time difference for customers.

b) Security
This point concerned me more (as security is always an important issue), so I discussed this point in more detail with the wordpress guys.
My understanding is that for there to be any "risk", a hack file would have to be preinstalled on the server, and within the "wordpress" blog directory.
i.e. injection is not possible (but the execution of a preinstalled file using something like "domain.com/blog.php?incl_file=hack.js" would be possible).
Also that, using the GET operator, only limited file types can be included i.e. js/css/gif/png/jpg/html (not php etc.)

However the same guys informed me that the way the X-Cart mod is done, really is the same risk level (except that basically any file could be included)
i.e. the hacking file would also need to be preinstalled and could be executed using something like http://mods.x-cart.com/wp/hack.php
Therefore in both ways this integration mod has been done, ONLY if a preinstalled hacking file is installed in the "wordpress" directory, on the server, then it could be executed (and there be any risk).

c) Clean URLs
We use "Clean URLs" e.g. mydomain.com/my-keyword-url/ (i.e. not only links using parameters e.g. mydomain.com/blog.php?p=3)
One of my wordpress friends notes that they are allowed for the Free Mod and asked me to check that they are also for the X-Cart mod as well.
I guess they are - but can you please confirm?


Thanks again for comments and cheers, Asiaplay

#6 - effour (Advanced Member; joined May 2007; 96 posts) - 05-11-2010, 03:23 PM

Hi Asiaplay,

I'm currently using the ARS mod on my site: http://www.lifetimecollective.com/blog/ (we've stripped a lot of the wordpress functionality, like widgets, etc, but I assure you they all work with the mod)

It's a great mod, no speed issues at all, in fact, it performs really well. I've actually been using ARS for custom mods and development for a while and they are awesome, so even if you run into any issues, they will help you out, and from my experience within a day.

In regards to clean URLs, this was a big factor for our site as well; it displays them as declared in wordpress, so no issues there.

Anyways, I can't say enough about the ARS team, and if there are security issues with the mod, I'm sure they would resolve them immediately.

Cheers,

Ryan

__________________
4.1.7

#7 - Ene (X-Cart team; joined Aug 2004; 907 posts) - 05-12-2010, 03:51 AM

1. This mod doesn't have a security hole. If it were the case, I'd have contacted the mod's author first privately to get it fixed and to have a security patch released.

However the code is potentially insecure. Let me explain.

If you include any file the name and path of which you get from the GET variables, you're in danger. You should be as paranoid as you can and verify/sanitize the variables thoroughly.

What's the correct way? We create a white-list of possible symbols and remove all the symbols which are not in this list. If somebody (e.g. a curious hacker) inserts something wrong, we should:

1) Log his request, IP and notify the store owner.
2) die() immediately

What happens in the ARS mod at this moment? They use another approach: the black list. I.e. they remove the dangerous symbols only ("..") and leave the rest unchanged.
This way is much less secure than the white-list one.

Many things may happen: PHP can get a bug with file including, you can move your blog to another place, your web developer may re-use this code for another project. And potentially this code can play a bad game.

When a developer creates code for an e-commerce site, which works with sensitive customer data, he/she must think about these things.

2. Showing static resources using dynamic scripts is a big no-no.
For example such resources will have no caching headers.

Well, if you don't have many customers, maybe it will work. However as soon as you get some traffic, it will be necessary to optimize it.
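
The allow-list handling described in posts #4 and #7 (validate the parameter, log the request and IP, then stop), as an added example that is not part of the thread and is not code from either module. The function names `resolve_blog_asset()` and `reject_request()` are hypothetical, the extension list is the one mentioned in post #5, and owner notification is assumed to hang off the logging call.

```php
<?php
// Added example, not code from either module. resolve_blog_asset() and
// reject_request() are hypothetical names; the extension list is the one
// mentioned in post #5.
const ALLOWED_EXT = ['js', 'css', 'gif', 'png', 'jpg', 'html'];

function reject_request($raw, string $reason): void
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'cli';
    // json_encode() escapes control characters so the value cannot forge log lines.
    error_log(sprintf('incl_file rejected (%s) ip=%s value=%s', $reason, $ip, json_encode($raw)));
    // Assumption: the store owner is notified from here as well (mail, alerting).
}

function resolve_blog_asset(string $blogDir, $raw): ?string
{
    // ?incl_file[]=x arrives as an array, so check the type first.
    if (!is_string($raw)) {
        reject_request($raw, 'not a string');
        return null;
    }
    // Allow-list: segments of [A-Za-z0-9_-] joined by "/", one dot, known extension.
    $ok = preg_match('~\A[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*\.([a-z]+)\z~', $raw, $m);
    if ($ok !== 1 || !in_array($m[1], ALLOWED_EXT, true)) {
        reject_request($raw, 'outside allow-list');
        return null;
    }
    // Second layer: the resolved path (symlinks followed) must be a file under the blog dir.
    $base = realpath($blogDir);
    $path = realpath($blogDir . '/' . $raw);
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        reject_request($raw, 'not a file under the blog directory');
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway blog directory and four sample parameter values.
$blog = sys_get_temp_dir() . '/blog_demo_' . getmypid();
mkdir($blog . '/theme', 0700, true);
file_put_contents($blog . '/theme/style.css', 'body{}');
foreach (['theme/style.css', '../config.php', 'theme/page.php', 'theme/missing.css'] as $in) {
    $path = resolve_blog_asset($blog, $in);
    // In the real script a null result means: http_response_code(403); exit;
    printf("%-18s => %s\n", $in, $path === null ? 'rejected' : 'served');
}
```

Only the first sample value is served; the other three are logged and rejected before any file is read.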

#8 - Asiaplay (X-Wizard; joined Oct 2005; 1,242 posts) - 05-12-2010, 09:21 AM
@Ryan,

Thanks for the comments and thumbs up Ryan - really appreciated!

Your website and blog both look "awesome" and the way you have integrated the wordpress blog is seamless and very professional.

Always very helpful to hear from actual users of a mod (and positive things about the company behind a mod as well, is important).

@Ene,

Thanks for clarifying this Ene - it is nice to know that the free mod doesn't have a security hole.
Hehe - yes, I know you are very responsible and would have helped out making sure anything was corrected out there that you come across if a security hole exists.

In regards to speed... I agree that cache headers would be nice - I will keep this in mind.

In regards to "clean urls"...
Do you or XIM know if the X-Cart Integration Mod accepts Clean URLs?

Thanks again ALL and cheers, Asiaplay

#9 - xim (X-Cart team; joined Nov 2004; 677 posts) - 05-13-2010, 02:03 AM

Our solution supports the "WordPress Permalinks" feature, which allows you to create SEO links in WP.

#10 - Asiaplay (X-Wizard; joined Oct 2005; 1,242 posts) - 05-13-2010, 04:52 AM

Hi xim,

Thanks for the clarification - cheers, Asiaplay