  1. #1391
    Join Date
    Jan 2007
    Location
    Los Angeles, California, United States
    Posts
    10,021
    Plugin Contributions
    32

    Default Re: Super Orders 2.0

    Quote Originally Posted by philip_clarke View Post
    DivaVocals had a good idea, there's the store phone or name or whatever it is called, find that in your phpMyAdmin database and slot the missing numbers (and db_prefix) into the query, that should then magically make the missing bits appear in the right place without me having to try and explain thingys.
    Actually the very last part of the Super Orders SQL contains all of the insert statements to add the data into the configuration table.. If the other values from the Super Orders SQL are in the configuration table, then the names phone number and fax data should be there as well as these insert statements precede the others.. (see below)

    Code:
    -- Store Phone and Fax numbers
    INSERT INTO configuration VALUES ('', 'Store Fax', 'STORE_FAX', '', 'Enter the fax number for your store.<br>You can call upon this by using the define <strong>STORE_FAX</strong>.', 1, 4, now(), now(), NULL, NULL);
    INSERT INTO configuration VALUES ('', 'Store Phone', 'STORE_PHONE', '', 'Enter the phone number for your store.<br>You can call upon this by using the define <strong>STORE_PHONE</strong>.', 1, 4, now(), now(), NULL, NULL);
    
    -- Purchase Order payment module configs
    INSERT INTO configuration VALUES (NULL, 'Enable Purchase Order Module', 'MODULE_PAYMENT_PURCHASE_ORDER_STATUS', 'True', 'Do you want to accept Purchase Order payments?', 6, 1, now(), now(), NULL, 'zen_cfg_select_option(array(\'True\', \'False\'), ');
    INSERT INTO configuration VALUES (NULL, 'Make payable to:', 'MODULE_PAYMENT_PURCHASE_ORDER_PAYTO', 'Destination ImagiNation, Inc.', 'Who should payments be made payable to?', 6, 2, now(), now(), NULL, NULL);
    INSERT INTO configuration VALUES (NULL, 'Sort order of display.', 'MODULE_PAYMENT_PURCHASE_ORDER_SORT_ORDER', '0', 'Sort order of display. Lowest is displayed first.', 6, 4, now(), now(), NULL, NULL);
    INSERT INTO configuration VALUES (NULL, 'Payment Zone', 'MODULE_PAYMENT_PURCHASE_ORDER_ZONE', '0', 'If a zone is selected, only enable this payment method for that zone.', 6, 5, now(), now(), 'zen_get_zone_class_title', 'zen_cfg_pull_down_zone_classes(');
    INSERT INTO configuration VALUES (NULL, 'Set Order Status', 'MODULE_PAYMENT_PURCHASE_ORDER_ORDER_STATUS_ID', '2', 'Set the status of orders made with this payment module to this value', 6, 6, now(), now(), 'zen_get_order_status_name', 'zen_cfg_pull_down_order_statuses(');
    
    -- Super Orders configuration group
    INSERT INTO configuration_group VALUES (28, 'Super Orders', 'Settings for Super Order features', 100, 1);
    
    -- Super Orders configs (Admin > Configuration > Super Orders)
    -- Automatic Status Updating
    INSERT INTO configuration VALUES (NULL, 'Auto Status - Purchase Order', 'AUTO_STATUS_PO', '2', 'Number of the status assigned to an order when a purchase order is added to the payment data.', 28, 11, now(), now(), 'zen_get_order_status_name', 'zen_cfg_pull_down_order_statuses(');
    INSERT INTO configuration VALUES (NULL, 'Auto Status - Payment', 'AUTO_STATUS_PAYMENT', '2', 'Number of the order status assigned when a payment (<B>not</B> attached to a purchase order) is added to the payment data.', 28, 10, now(), now(), 'zen_get_order_status_name', 'zen_cfg_pull_down_order_statuses(');
    INSERT INTO configuration VALUES (NULL, 'Auto Status - P.O. Payment', 'AUTO_STATUS_PO_PAYMENT', '2', 'Number of the order status assigned when a payment <B>attached to a purchase order</B> is added to the payment data.', 28, 10, now(), now(), 'zen_get_order_status_name', 'zen_cfg_pull_down_order_statuses(');
    INSERT INTO configuration VALUES (NULL, 'Auto Status - Refund', 'AUTO_STATUS_REFUND', '2', 'Number of the order status assigned when a refund is added to the payment data.', 28, 13, now(), now(), 'zen_get_order_status_name', 'zen_cfg_pull_down_order_statuses(');
    INSERT INTO configuration VALUES (NULL, 'Auto Comments - Payment', 'AUTO_COMMENTS_PAYMENT', 'Payment received in our office. Payment ID: %s', 'You''ll have the option of adding these pre-configured comments to an order when a payment is entered.  You can attach the payment number to the comments by typing <strong>%s</strong>.', 28, 14, now(), now(), NULL, NULL);
    INSERT INTO configuration VALUES (NULL, 'Auto Comments - P.O. Payment', 'AUTO_COMMENTS_PO_PAYMENT', 'Payment on purchase order received in our office. Payment ID: %s', 'You will have the option of adding these pre-configured comments to an order when a purchase order payment is entered.  You can attach the payment number to the comments by typing <strong>%s</strong>.', 28, 14, now(), now(), NULL, NULL);
    INSERT INTO configuration VALUES (NULL, 'Auto Comments - Purchase Order', 'AUTO_COMMENTS_PO', 'Purchase Order #%s received in our office', 'You will have the option of adding these pre-configured comments to an order when a purchase order is entered.  You can attach the payment number to the comments by typing <strong>%s</strong>.', 28, 15, now(), now(), NULL, NULL);
    INSERT INTO configuration VALUES (NULL, 'Auto Comments - Refund', 'AUTO_COMMENTS_REFUND', 'Refund #%s has been issued from our office.', 'You will have the option of adding these pre-configured comments to an order when a refund is entered.  You can attach the refund number to the comments by typing <strong>%s</strong>.', 28, 17, now(), now(), NULL, NULL);
    INSERT INTO configuration VALUES (NULL, 'Federal Tax Exempt Number', 'FED_TAX_ID_NUMBER', '00-000000', 'If your tax exempt, then you should have a federal tax ID number. Enter the number here and the tax columns will not appear on the invoice. The number will also be displayed at the top of the invoice.', 28, 50, now(), now(), NULL , NULL);
    INSERT INTO configuration VALUES (NULL, 'Closed Status - "Cancelled"', 'STATUS_ORDER_CANCELLED', '0', 'Insert the order status ID # you would like to assign to an order when you press the special "Cancelled!" button on super_orders.php.<p>If you do not have a "cancel" status, or do not want assign one automatically, choose <B>default</B> and this option will be ignored.<p><strong>You cannot attach comments or notify the customer using this option.</strong>', 28, 30, now(), now(), 'zen_get_order_status_name', 'zen_cfg_pull_down_order_statuses(');
    INSERT INTO configuration VALUES (NULL, 'Closed Status - "Completed"', 'STATUS_ORDER_COMPLETED', '0', 'Insert the order status ID # you would like to assign to an order when you press the special "Completed!" button on super_orders.php.<p>If you do not have a "complete" status, or do not want assign one automatically, choose <B>default</B> and this option will be ignored.<p><strong>You cannot attach comments or notify the customer using this option.</strong>', 28, 30, now(), now(), 'zen_get_order_status_name', 'zen_cfg_pull_down_order_statuses(');
    INSERT INTO configuration VALUES (NULL, 'Closed Status - "Reopened"', 'STATUS_ORDER_REOPEN', '0', 'Insert the order status ID # you would like to assign to an order when you undo the cancelled/completed status of an order.<p>If you do not have a "reopened" status, or do not want assign one automatically, choose <B>default</B> and this option will be ignored.<p><strong>You cannot attach comments or notify the customer using this option.</strong>', 28, 30, now(), now(), 'zen_get_order_status_name', 'zen_cfg_pull_down_order_statuses(');
    
    -- Following is for a future release
    -- Bar code display
    --INSERT INTO configuration VALUES (NULL, 'Display bar codes', 'BC_ENABLE', 'true', 'If enabled, a bar code of the order number will appear on invoices and packing slips.', 28, 99, now(), now(), NULL, 'zen_cfg_select_option(array(''true'', ''false''),');
    --INSERT INTO configuration VALUES (NULL, 'Bar Code Height', 'BC_HEIGHT', '60', 'Height of image in pixels.', 28, 99, now(), now(), NULL, NULL);
    --INSERT INTO configuration VALUES (NULL, 'Bar Code Width', 'BC_WIDTH', '300', 'Width of image in pixels. The image MUST be wide enough to handle the length of the given value. The default value will probably be able to display about 11 digits. If you get an error message, make it wider!', 28, 99, now(), now(), NULL, NULL);
    --INSERT INTO configuration VALUES (NULL, 'Bar Code Quality', 'BC_QUALITY', '100', 'For JPEG only: ranges from 0-100.', 28, 99, now(), now(), NULL, NULL);
    --INSERT INTO configuration VALUES (NULL, 'Bar Code Output Format', 'BC_OUTTYPE', 'PNG', 'The graphic format for the barcode.<br />TIP: JPEG is usually the best option. PNG normally dosen''t print well, and GIF is very low-res.', 28, 99, now(), now(), NULL, 'zen_cfg_select_option(array(\'JPEG\', \'PNG\', \'GIF\'),');
    --INSERT INTO configuration VALUES (NULL, 'Display text of bar code contents', 'BC_TEXTSHOW', 'true', 'To disable text below barcode = 0. To enable text below barcode = 1.', 28, 99, now(), now(), NULL, 'zen_cfg_select_option(array(\'true\', \'false\'),');

  2. #1392
    Join Date
    Sep 2008
    Posts
    605
    Plugin Contributions
    6

    Default Re: Super Orders 2.0

    Quote Originally Posted by Andy_GS View Post
    I still have the exact same problems as i stated before.

    regards

    Andy.
    Somewhere you would have an install SQL file for new users, grab the CREATE TABLE statement from that and paste it into the Install SQL Patches bit of your ZC configuration, then run the upgrade.

    I promised I would not help with this damn module again, it's rubbish, parts date from 2005, its security sucks and I've never been able to find anyone with the time to fix it even as a project for a kid.

  3. #1393
    Join Date
    Sep 2008
    Posts
    605
    Plugin Contributions
    6

    Default Re: Super Orders 2.0

    Quote Originally Posted by DivaVocals View Post
    Code:
    -- Store Phone and Fax numbers
    INSERT INTO configuration VALUES ('', 'Store Fax', 'STORE_FAX', '', 'Enter the fax number for your store.<br>You can call upon this by using the define <strong>STORE_FAX</strong>.', 1, 4, now(), now(), NULL, NULL);
    No-one thought to see what would happen if they put the word NULL instead of '' like all the SQL statements that follow ? Just an idea ?

    Code:
    INSERT INTO configuration VALUES (NULL, 'Enable Purchase Order Module', 'MODULE_PAYMENT_PURCHASE_ORDER_STATUS', 'True', 'Do you want to accept Purchase Order payments?', 6, 1, now(), now(), NULL, 'zen_cfg_select_option(array(\'True\', \'False\'), ');

  4. #1394
    Join Date
    Jan 2007
    Location
    Los Angeles, California, United States
    Posts
    10,021
    Plugin Contributions
    32

    Default Re: Super Orders 2.0

    Quote Originally Posted by philip_clarke View Post
    No-one thought to see what would happen if they put the word NULL instead of '' like all the SQL statements that follow ? Just an idea ?

    Code:
    INSERT INTO configuration VALUES (NULL, 'Enable Purchase Order Module', 'MODULE_PAYMENT_PURCHASE_ORDER_STATUS', 'True', 'Do you want to accept Purchase Order payments?', 6, 1, now(), now(), NULL, 'zen_cfg_select_option(array(\'True\', \'False\'), ');
    I just noticed this.. Wow.. After doing some thinking I realized that I might have added these values to my configuration table manually..

    It's been a minute since I've done a full manual install.. I have a fully loaded version of Zen that I install for clients and the script for this full install is complete already..

    Quote Originally Posted by philip_clarke View Post
    Somewhere you would have an install SQL file for new users, grab the CREATE TABLE statement from that and paste it into the Install SQL Patches bit of your ZC configuration, then run the upgrade.

    I promised I would not help with this damn module again, it's rubbish, parts date from 2005, its security sucks and I've never been able to find anyone with the time to fix it even as a project for a kid.
    I don't agree that it's complete rubbish Philip.. Super Orders provides improved functionality that store owners want/need for improved order management.. This add-on improves on the stock orders.php, but from my perspective I would submit that there are some usability/functional features I'd like to see improved out the box.. For example:

    1. The order display, packing list, and invoice all truncate the shipping method. Now I don't know WHY the abbreviated shipping method would be an out the box feature, but IMO all of these areas should display the full shipping method. If there is a need for showing the short description of the shipping method, it should be an admin configurable feature and not hard coded into the app..
    2. For orders paid with Paypal, Authorize.net (and probably Linkpoint as well) the store owner should not be required to manually enter the payment in Super Orders. Super Orders should display the updated payment information for all of these methods.
    3. Edit orders needs to be re-worked. It does not correctly re-calculate the "master order" of the new order created.
    4. For fully paid orders, the edit orders function should bring forward the payment information from the "master order" or indicate that the payment was applied to the "master order" when splitting off items to a new order or the best solution would be if it just re-calculated BOTH orders when an order is split (paid or not).
    5. Split order packing list needs to be re-worked. It should only display when an order has been split -- otherwise it should NOT display.. (Currently it displays when the order includes multiple items) Currently it shows each item on the order flagged as "Product(s) will ship separately". I think it should show the FULL original order and flag only those items on the split order with the "Product(s) will ship separately" flag
    6. Under "Close Order": When clicking the "Completed" button the order status should also update to a status that indicates the order is complete. Currently the store owner must first update the status, then mark the order complete. IMO, this should be ONE step.
    7. Under "Close Order": When clicking the "Cancelled" button the order status should also update to a status that indicates the order is cancelled. Currently the store owner must first update the status, then mark the order cancelled. IMO, this should be ONE step.
    8. "Edit Status History" IMO should be completely different. If you are going to allow store owners to edit previously entered comments they should be limited to store admin comments that were NOT sent/copied to the customer.
    9. Enter Payment function - If you check the "Notify the customer?" checkbox, the customer is notified, but the "Status History" for the order indicates that the customer was not.
    10. Enter Purchase Order function - Same issue as item 6.
    11. When no orders are selected for Batch Printing function, the error message should be a user friendly on-screen error message versus the very unfriendly message it shows now (which scares end-users): "Warning: Invalid argument supplied for foreach() in /home/content/o/v/e/overthehill/html/testsite.overthehillweb.com/zentest1/admin/super_batch_forms.php on line 341
      Error: No orders selected!"
    12. Batch Status Updating throws errors when you search for orders using the following options:
      = (equals)
      < (less than)
      "1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''50' ORDER BY o.orders_id DESC' at line 4
      in:
      [SELECT o.orders_id, o.customers_id, o.customers_name, o.payment_method, o.date_purchased, o.order_total, s.orders_status_name FROM zen_orders o LEFT JOIN zen_orders_status s ON o.orders_status = s.orders_status_id WHERE s.language_id = '1' AND o.order_total '50' ORDER BY o.orders_id DESC]
      If you were entering information, press the BACK button in your browser and re-check the information you had entered to be sure you left no blank fields.
      "

      "1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '== '13' ORDER BY o.orders_id DESC' at line 4
      in:
      [SELECT o.orders_id, o.customers_id, o.customers_name, o.payment_method, o.date_purchased, o.order_total, s.orders_status_name FROM zen_orders o LEFT JOIN zen_orders_status s ON o.orders_status = s.orders_status_id WHERE s.language_id = '1' AND o.order_total == '13' ORDER BY o.orders_id DESC]
      If you were entering information, press the BACK button in your browser and re-check the information you had entered to be sure you left no blank fields.
      "


    Now for a few of these items, there are workarounds/corrections posted in this thread. I use most if not all of them (the shipping method truncation for SURE I use)

    For items 6-8, very few of my clients use the batch print or update features, but I fully disclose the issues (especially items 6 & 7). For item #8 in particular, I explain how the error occurs and train the heck out of my clients so they never see it..
    For Item 9, I only recently discovered this issue, and will just remove the order total search elements from the super_batch_status.php page. (It's not an entirely NEED TO HAVE feature IMO..)

    But Philip is right... This is largely an abandoned add-on and apparently we all choose to use it at our own risk.. (I guess for many of us the benefits outweigh the risks..) For me the issues and shortcomings have lots of workarounds to still make this app worthwhile..

    I have paid for Zencart mods and fixes before.. Frankly for someone like me who knows HTML, and not PHP, I need to outsource work which requires PHP knowledge.. I am giving some very serious thought into paying to get my list of observations/issues with Super Orders addressed..

    Philip -- I have read you talk about the security issues with Super Orders, and I just did a search to see what those might be.. I can't find any threads which cover the full detail list of security issues with this mod. Would you be willing to share your observations of security issues with this mod.. and if you could explain it to me as a non programming end user of the app.. (to quote a line from the movie Philadelphia "Explain it to me like I'm a 3 year old!")

  5. #1395
    Join Date
    Jan 2007
    Location
    Los Angeles, California, United States
    Posts
    10,021
    Plugin Contributions
    32

    Default Re: Super Orders 2.0

    Quote Originally Posted by mmsim View Post
    Bug Reports/Fixes:



    This is an old post but I ran into the same problem this week and couldn't find a reply. I noticed rev47 just came out with the same bug. The packing slip image is distorted because there is an error in the code around line 200 in super_packingslip.php that gives the incorrect order of SMALL_IMAGE_WIDTH and SMALL_IMAGE_HEIGHT. (For those who want to know, the values of SMALL_IMAGE_WIDTH and SMALL_IMAGE_HEIGHT in the packing slip thumbnails are set in Admin-->Configuration-->Images.)

    old incorrect code in catalog/admin/super_packingslip.php:

    echo ' <td class="dataTableContent" align="left">' . zen_image(DIR_WS_CATALOG . DIR_WS_IMAGES . $products->fields['products_image'] , $order->products[$i]['name'], SMALL_IMAGE_HEIGHT, SMALL_IMAGE_WIDTH) . '</a>&nbsp;</td>';

    Code should be:

    echo ' <td class="dataTableContent" align="left">' . zen_image(DIR_WS_CATALOG . DIR_WS_IMAGES . $products->fields['products_image'] , $order->products[$i]['name'], SMALL_IMAGE_WIDTH, SMALL_IMAGE_HEIGHT) . '</a>&nbsp;</td>';


    Another potential problem -- catalog/admin/includes/super_stylesheet.CSS is missing # signs before a number of the color hex value assignments.
    Glad I decided to do a tiptoe through this thread.. I asked how to fix this about a year ago.. I have bookmarked this post and will update my stock Zen install to incorporate these changes.. Anyway.. thanks!

  6. #1396
    Join Date
    Sep 2008
    Posts
    605
    Plugin Contributions
    6

    Default Re: Super Orders 2.0

    Number 12 on your list, is something I mentioned before. What happened is that once upon a time the creators of super orders decided that they wouldn't filter any data going into the database so on a batch they would go "SHOW ORDERS WITH A VALUE <= 200" and they have in that select box "<=".

    HTML code begins with < and in my particular field of knowledge

    http://www.theregister.co.uk/2009/08...mail_xss_flaw/

    you can do seriously dangerous things with unfiltered data and a <script> tag. In one of the versions of zencart, 1.3.7 (I think), DrByte put in some code that translates anything coming through as "<=" into html "&lt;=" to protect from having malicious code injected into the website. That broke that part of super orders. A lot of the data in zencart is filtered now, but super orders doesn't, so for example <script src="badguy.com" /> could be put into an address field, the website administrator would look at the order and not see anything because browsers don't display HTML tags to the user. The bad guy could then steal user data, in theory hijack the administrator's session, go in, change the password and lock them out and steal all the credit card details and inject code into the database that would display pornographic adverts (that's very very easy). All because the design of super orders is old "rubbish".

    The ZC team have done an excellent job in filtering data all over the place, but the fundamental code underneath super orders is very flawed. The security problems are all over the whole set of pages, too many to list. But not only are there the XSS problems (that's what I just described) but there is also the possibility that a malicious customer could inject code into the database from something like the payment details field combined with another module, because super orders does not do any filtering of the data it looks for in the database. Which would be the same result as described above, if the administrator's session was hijacked.

    ZC does have additional security measures in place to stop session hijacking, they filter a lot of the data, if not all of the input. But they still can't do anything about poorly written add-ons from the days when attacks were theoretical rather than everyday. I'm not actually a hacker, I spend some time in the forums and I know some techniques, but most of the time I am repairing the damage done by 15 year old vandals who hijack a server and then don't know what to do with it.

    The batch processing code in super_orders is really quite unusual, someone had a strange idea that may be on the far edge of genius (seriously) because to get it to work is stunning as it uses insane code that is preposterous, it's also really dangerous to explore the possibility of being able to include a batch file a hundred times to do a job, because if someone hijacked or altered that file then you have a page that could launch a denial of service attack that your clients wouldn't even know about.

    There are just so many things wrong with the module that it needs a total rewrite, I just don't have the time what with the other modules and work to do.

    Philip.

  7. #1397
    Join Date
    Jan 2007
    Location
    Los Angeles, California, United States
    Posts
    10,021
    Plugin Contributions
    32

    Default Re: Super Orders 2.0

    Quote Originally Posted by philip_clarke View Post
    Number 12 on your list, is something I mentioned before. What happened is that once upon a time the creators of super orders decided that they wouldn't filter any data going into the database so on a batch they would go "SHOW ORDERS WITH A VALUE <= 200" and they have in that select box "<=".

    HTML code begins with < and in my particular field of knowledge

    http://www.theregister.co.uk/2009/08...mail_xss_flaw/

    you can do seriously dangerous things with unfiltered data and a <script> tag. In one of the versions of zencart, 1.3.7 (I think), DrByte put in some code that translates anything coming through as "<=" into html "&lt;=" to protect from having malicious code injected into the website. That broke that part of super orders. A lot of the data in zencart is filtered now, but super orders doesn't, so for example <script src="badguy.com" /> could be put into an address field, the website administrator would look at the order and not see anything because browsers don't display HTML tags to the user. The bad guy could then steal user data, in theory hijack the administrator's session, go in, change the password and lock them out and steal all the credit card details and inject code into the database that would display pornographic adverts (that's very very easy). All because the design of super orders is old "rubbish".

    The ZC team have done an excellent job in filtering data all over the place, but the fundamental code underneath super orders is very flawed. The security problems are all over the whole set of pages, too many to list. But not only are there the XSS problems (that's what I just described) but there is also the possibility that a malicious customer could inject code into the database from something like the payment details field combined with another module, because super orders does not do any filtering of the data it looks for in the database. Which would be the same result as described above, if the administrator's session was hijacked.

    ZC does have additional security measures in place to stop session hijacking, they filter a lot of the data, if not all of the input. But they still can't do anything about poorly written add-ons from the days when attacks were theoretical rather than everyday. I'm not actually a hacker, I spend some time in the forums and I know some techniques, but most of the time I am repairing the damage done by 15 year old vandals who hijack a server and then don't know what to do with it.

    The batch processing code in super_orders is really quite unusual, someone had a strange idea that may be on the far edge of genius (seriously) because to get it to work is stunning as it uses insane code that is preposterous, it's also really dangerous to explore the possibility of being able to include a batch file a hundred times to do a job, because if someone hijacked or altered that file then you have a page that could launch a denial of service attack that your clients wouldn't even know about.

    There are just so many things wrong with the module that it needs a total rewrite, I just don't have the time what with the other modules and work to do.

    Philip.
    Thanks Philip I'll make a note of this post.. When I am ready to go to my developer resources for a bid on updating Super Orders I want to be able to provide them with a thorough and complete specification document. This will help..

    You SURE you don't want to send me a bid too?? I know.. I know.. "bugger off"

  8. #1398
    Join Date
    Sep 2008
    Posts
    605
    Plugin Contributions
    6

    Default Re: Super Orders 2.0

    A 15 year old could sanitize the data, it's not a complex job - so should be cheap. The batch thing needs a look at though as it's just plain weird, but sanitizing it needs nothing more than converting ' " / < > and & to html entities (not using the php function html_entities as it doesn't do all the characters). With regards to point 12, all that is needed is a switch statement or "If else" statement and then turning the <= into predefined sql that is run through a mysql_escape_string function first (there's one built into zen cart).

    Tops, you are looking at $50 for a couple of hours to clean and secure it by a kid, anything else is a rip off and that's way way below what I charge.
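
Added example, not part of the thread and not Super Orders or Zen Cart code: a sketch of the two fixes described in posts #1396 and #1398, mapping the batch-search comparison to predefined SQL and encoding stored order data before it is shown in the admin. The operator tokens, function names and named placeholders are assumptions made for illustration; the query text follows the error message quoted in post #1394.

```php
<?php
declare(strict_types=1);

// Hypothetical tokens for the select box: the form submits a word,
// never a raw "<" or "=", so input filtering cannot mangle it.
const ORDER_TOTAL_OPERATORS = [
    'eq'  => '=',
    'lt'  => '<',
    'lte' => '<=',
    'gt'  => '>',
    'gte' => '>=',
];

/**
 * Build the batch-status search query from request input.
 * Returns [sql, params] for a prepared statement and throws on
 * anything that is not on the allowlist. Only the predefined operator
 * text is ever concatenated into the SQL; the values travel as parameters.
 */
function build_order_total_query(string $operatorToken, string $amount, int $languageId): array
{
    if (!array_key_exists($operatorToken, ORDER_TOTAL_OPERATORS)) {
        throw new InvalidArgumentException('Unknown comparison operator');
    }
    // The amount must be a plain decimal number, nothing else.
    if (preg_match('/^\d{1,9}(?:\.\d{1,4})?\z/', $amount) !== 1) {
        throw new InvalidArgumentException('Order total must be a number');
    }

    $sql = 'SELECT o.orders_id, o.customers_id, o.customers_name, o.payment_method, '
         . 'o.date_purchased, o.order_total, s.orders_status_name '
         . 'FROM zen_orders o '
         . 'LEFT JOIN zen_orders_status s ON o.orders_status = s.orders_status_id '
         . 'WHERE s.language_id = :language_id '
         . 'AND o.order_total ' . ORDER_TOTAL_OPERATORS[$operatorToken] . ' :order_total '
         . 'ORDER BY o.orders_id DESC';

    return [$sql, [':language_id' => $languageId, ':order_total' => $amount]];
}

/**
 * Encode a value read back from the database for HTML output.
 * ENT_QUOTES covers & < > " and ', so markup stored in an order field
 * is displayed as text instead of being interpreted by the browser.
 */
function html_out(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Constructed sample input, for demonstration only ---

// A valid search: "order total <= 200" for language 1.
[$sql, $params] = build_order_total_query('lte', '200', 1);
echo $sql, PHP_EOL;
print_r($params);

// A raw operator and a malformed amount are both refused before any SQL is built.
foreach ([['<=', '200'], ['lte', "50'"]] as [$op, $amount]) {
    try {
        build_order_total_query($op, $amount, 1);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}

// The address-field string from post #1396, as it would be rendered in the admin.
$storedAddress = '12 Main St <script src="badguy.com" />';
echo html_out($storedAddress), PHP_EOL;
```

The returned SQL and parameter array are meant to be handed to whatever prepared-statement or bind mechanism the installation provides; encoding with `html_out()` belongs at the point of output, not at the point of storage.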

  9. #1399
    Join Date
    Jan 2007
    Location
    Los Angeles, California, United States
    Posts
    10,021
    Plugin Contributions
    32

    Default Re: Super Orders 2.0

    Quote Originally Posted by philip_clarke View Post
    A 15 year old could sanitize the data, it's not a complex job - so should be cheap. The batch thing needs a look at though as it's just plain weird, but sanitizing it needs nothing more than converting ' " / < > and & to html entities (not using the php function html_entities as it doesn't do all the characters). With regards to point 12, all that is needed is a switch statement or "If else" statement and then turning the <= into predefined sql that is run through a mysql_escape_string function first (there's one built into zen cart).

    Tops, you are looking at $50 for a couple of hours to clean and secure it by a kid, anything else is a rip off and that's way way below what I charge.
    I figured as much.. I know (for someone who knows what they are doing) that most of the items on my list are not complex things.. That said, it still doesn't mean I could tackle 'em myself.. So I totally appreciate your input..


    Are ya SURE you don't wanna PM me a bid to do this work??? I know that the generally accepted guiding principle for most folks on open source forums is to pay for nothing, but since I work on a software dev team in my day job, my perspective is very different..

  10. #1400
    Join Date
    Sep 2008
    Posts
    605
    Plugin Contributions
    6

    Default Re: Super Orders 2.0

    No, the last thing on earth I want to do is to get stuck with yet another module. The results would be GPL'd I'd get even more questions, I don't even know why I hang around this thread anyway. Then I'd feel obligated to do it properly, change the SQL, and your $50 would result in me spending $10,000 in man hours.

    now bugger off.

 

 
