  1. #1

    bug [NOT A BUG] SSL in function zen_draw_form wrong code

    Currently, function zen_draw_form in Zen Cart, from the first version to 1.51:

    PHP Code:
    function zen_draw_form($name, $action, $parameters = '', $method = 'post', $params = '', $usessl = 'false') {
        $form = '<form name="' . zen_output_string($name) . '" action="';
        if (zen_not_null($parameters)) {
          if ($usessl) {
            $form .= zen_href_link($action, $parameters, 'NONSSL');
          } else {
            $form .= zen_href_link($action, $parameters, 'NONSSL');
          }
        } else {
          if ($usessl) {
            $form .= zen_href_link($action, '', 'NONSSL');
          } else {
            $form .= zen_href_link($action, '', 'NONSSL');
          }
              ...........
      }
    So the code needs to change to:

    PHP Code:
    function zen_draw_form($name, $action, $parameters = '', $method = 'post', $params = '', $usessl = 'false') {
        $form = '<form name="' . zen_output_string($name) . '" action="';
        if (zen_not_null($parameters)) {
          if ($usessl) {
            $form .= zen_href_link($action, $parameters, 'SSL');
          } else {
            $form .= zen_href_link($action, $parameters, 'NONSSL');
          }
        } else {
          if ($usessl) {
            $form .= zen_href_link($action, '', 'SSL');
          } else {
            $form .= zen_href_link($action, '', 'NONSSL');
          }
              ...........
      }
    Hope this will be updated in a new version.

  2. #2

    Default Re: SSL in function zen_draw_form wrong code, a big bug in zencart so need updrade co

    I don't know where you got your version of zen_draw_form, but the function in v1.5.1 is
    Code:
    /*
     *  Output a form
     */
      function zen_draw_form($name, $action, $method = 'post', $parameters = '') {
        $form = '<form name="' . zen_output_string($name) . '" action="' . zen_output_string($action) . '" method="' . zen_output_string($method) . '"';
    
        if (zen_not_null($parameters)) $form .= ' ' . $parameters;
    
        $form .= '>';
        if (strtolower($method) == 'post') $form .= '<input type="hidden" name="securityToken" value="' . $_SESSION['securityToken'] . '" />';
        return $form;
      }
    No such parameter as $usessl. I looked back to v1.3.8a and ... no such parameter as $usessl.

    It might help if you posted the top-most comment line from your version of /includes/functions/html_output.php; here's what's in the v1.5.1 version:
    Code:
    <?php
    /**
     * html_output.php
     * HTML-generating functions used throughout the core
     *
     * @package functions
     * @copyright Copyright 2003-2011 Zen Cart Development Team
     * @copyright Portions Copyright 2003 osCommerce
     * @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
     * @version $Id: html_output.php 19355 2011-08-21 21:12:09Z drbyte $
     */

  3. #3

    Default Re: SSL in function zen_draw_form wrong code, a big bug in zencart so need updrade co

    truonghoang's bug report is not well described.

    In fact, the code quoted comes from the ADMIN section, where SSL vs NONSSL is not as simple as his proposed fix implies.

    In the Admin, SSL is implemented in a way that is admittedly sub-optimal, but was necessary because of a design limitation. This is being worked on for future versions, but the fix is NOT as simple as proposed by truonghoang.

    Instead, if you want SSL on ALL admin pages, you simply edit your admin configure.php HTTP_SERVER define to have an https://whatever URL. NO CORE CODE CHANGES REQUIRED.


    Thus, this is not being classified as a bug.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  4. #4

    Default Re: SSL in function zen_draw_form wrong code, a big bug in zencart so need updrade co

    Yes, this is in the admin section.

    You said "if you want SSL on ALL admin pages, you simply edit your admin configure.php HTTP_SERVER define". Yes, I know about it.

    But

    I lost time finding and fixing this issue. That is, $POST cannot be taken from the form in the zen_draw_form function because of the wrong SSL.

    Ex:
    PHP Code:
    zen_draw_form('batch_print', FILENAME_SUPER_BATCH_FORMS, 'action=batch_forms', 'post', 'target="_blank"', ENABLE_SSL_ADMIN);
    If you don't pass ENABLE_SSL_ADMIN, the zen_draw_form function will get the default $usessl = "false". => zen_href_link is NONSSL

    If you pass ENABLE_SSL_ADMIN and the zen_draw_form function is not fixed, it is always NONSSL.

  5. #5

    Default Re: SSL in function zen_draw_form wrong code, a big bug in zencart so need updrade co

    No, you misunderstand the PHP code.

    The $usessl='false' is ONLY a default, in case you the programmer don't pass an SSL preference to the form.

    So, fix your custom code (or your addon code) to pass true for the SSL parameter.

    This is NOT a bug in Zen Cart. It's a bug in your custom code.

  6. #6

    Default Re: SSL in function zen_draw_form wrong code, a big bug in zencart so need updrade co

    My config: define('ENABLE_SSL_ADMIN', 'true');

    The $usessl='false' is ONLY a default, in case you the programmer don't pass an SSL preference to the form.
    It is the same: if you don't pass ENABLE_SSL_ADMIN, the zen_draw_form function will get the default $usessl = "false". => zen_href_link is NONSSL

    PHP Code:
    if ($usessl) {
      $form .= zen_href_link($action, $parameters, 'NONSSL');
    } else {
      $form .= zen_href_link($action, $parameters, 'NONSSL');
    }
    And please look at the function zen_href_link; maybe you will understand what I am saying.
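
Added example, not part of the original posts and not Zen Cart's own code: the signature quoted in post #1 defaults $usessl to the string 'false', and post #6 sets ENABLE_SSL_ADMIN to the string 'true'. In PHP any non-empty string other than '0' is truthy, so a bare `if ($usessl)` cannot tell the two apart; the sketch below compares that test with a normalised one. `href_link_stub()`, the host name and the page name are hypothetical stand-ins.

```php
<?php
// Added example, not Zen Cart code. href_link_stub() is a hypothetical stand-in
// for zen_href_link(); host and page name are constructed sample values.
function href_link_stub(string $page, string $params, string $connection): string {
    $scheme = ($connection === 'SSL') ? 'https' : 'http';
    $url = $scheme . '://shop.example/admin/' . $page;
    return $params === '' ? $url : $url . '?' . $params;
}

// Plain truthiness test, as in the `if ($usessl)` branch quoted in the thread.
function action_truthy(string $page, string $params = '', $usessl = 'false'): string {
    return href_link_stub($page, $params, $usessl ? 'SSL' : 'NONSSL');
}

// Normalised test: boolean true and the strings 'true', '1', 'on', 'yes' select SSL;
// 'false', '0', '', boolean false and unrecognised values select NONSSL.
function action_normalised(string $page, string $params = '', $usessl = 'false'): string {
    $ssl = filter_var($usessl, FILTER_VALIDATE_BOOLEAN);
    return href_link_stub($page, $params, $ssl ? 'SSL' : 'NONSSL');
}

// Each entry is the argument list after ($page, $params); an empty list means the
// caller omitted $usessl and the string default 'false' applies.
$cases = [
    '$usessl omitted' => [],
    "string 'true'"   => ['true'],   // the ENABLE_SSL_ADMIN value shown in post #6
    "string 'false'"  => ['false'],
    'boolean false'   => [false],
];

foreach ($cases as $label => $args) {
    $truthy     = action_truthy('sample_page.php', 'action=batch_forms', ...$args);
    $normalised = action_normalised('sample_page.php', 'action=batch_forms', ...$args);
    printf("%-16s truthy test: %-5s  normalised test: %s\n", $label,
        parse_url($truthy, PHP_URL_SCHEME), parse_url($normalised, PHP_URL_SCHEME));
}
```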

  7. #7

    Default Re: SSL in function zen_draw_form wrong code, a big bug in zencart so need updrade co

    I already answered this in a previous post, above.

    There is NOT a bug in zen_draw_form. The "bug" is actually a deeper core design flaw inherited from years back. The design flaw will be fixed in a future version.

    The CORRECT solution for NOW is to use an https URL in HTTP_SERVER: define('HTTP_SERVER', 'https://your_domain.com');

 

 
