hacking or spam attempts ?

[masterunix]

Hello all,

 

Did you also have recently a lot of spam or hack users that are filling up or messing up the DB with fake customers?

 

See the customers from one of our webshop in admin and in phpmyadmin values.

 

 

[Dirty Butter]

This has helped us a lot:

 

http://www.cubecartforums.org/index.php?showtopic=17937

[masterunix]

Hello Dirty Butter,

 

I read the section and i think it should work.

 

However this is not a good solution since you need to change the core files and after every update you need to do all changes again.

 

Is there any other way to deal with this ? Any plugin or hook that can be made for this?

[Dirty Butter]

I have so many core files tweaked that most updates to CC don't bother me any more. I just use Beyond Compare 3 to see the difference between my version and the new CC version and add my changes back into the upgrade version. It's not perfect, but I've come to accept it as what has to be for now. I long for the day when hooks and plugins make all such things a distant memory, the way Wordpress is today.

 

I'm not aware of any current true plugin, but you could always ask if a developer would take this hack and turn it into a plugin for you. It's been working almost 100% ever since that post for me.

[masterunix]

Hello Dirty Buter,

 

Ah well ... i will find a solution for it

 

Thanks for the information.

 

What i more meant is ... if we all have facts about security risks and we have solutions for it why not we can vote on permanent changes in Cubecart so every CC update will be better?

 

For example: Cubecart doesn't allow 12345 phone numbers ... lets implement it and make it permanent?

[Dirty Butter]

There IS a Suggestion section at the bottom of this Forum - honestly don't know how much weight it carries, BUT Al is here in the forum far more than he used to be.

[Al Brookbanks]

You can do this with a code snippet so not to edit the core code. Code snippets are SO handy!

 

1. Go to Admin >> Manage Hooks

2. Click on the "Code Snippets" tab

3. Add data like in the attached screenshot. Please note that this code hasn't been tested but will work in principal.

 

[Dirty Butter]

I modify all my Wordpress theme with a child theme, so theme upgrades do not cause me to lose modifications. And no core WP files are changed, as all that is done with true plugins that are upgraded by the developers soon after each WP upgrade.

 

I would hope that kind of user friendly process is the ultimate goal of CC.

 

People like I am, who need specific help with code, would really benefit by a tutorial on how to take hacks and tweaks and turn them into code snippets!!

[masterunix]

I agree with with Dirty Butter.

[Dirty Butter]

I commented out SemperFi's version of the code you put in the snippet and used it to make my very first snippet - and it worked! The only thing is - the message to the customer requires a phrase being added to the language file - is there a way to do that which will withstand upgrades?

 

Well, I think I celebrated my first snippet too soon. I forgot there is another code change in user.class.php required to get the error message - so to truly make this comparatively simple task upgrade proof - I assume I make a different snippet to add that part of the code? I'll try it and see what happens.

[Al Brookbanks]

I wouldn't bother with the language file bit. Or if you do hard code it in English. The aim of this is to block spam. There can't be many people in the world with same first and last name.

We don't have a way to add language phrases yet. I'll add a github issue for that.

[Dirty Butter]

It's been great for blocking spam when used with the phone number block code. I'll try making a snippet for the phone number hack, but I didn't have any luck getting the error message part of the hack changed to a snippet. Do you mean hard code it in the example you gave?

[Al Brookbanks]

So I mean instead of adding a dictionary entry you can code:

$GLOBALS['gui']->setError("this is the error message");

Instead of;

$GLOBALS['gui']->setError($lang.xxx.yyy);

I've written this on my iphone with no reference so the code will be a bit out of whack but should give you the right idea.

[Dirty Butter]

This is what I have right now:

 {php}
// Check names aren't the same
                if ($_POST['user']['first_name']==$_POST['user']['last_name']) {
                    $error['names'] = true;
                    $error_messages[] = 
$GLOBALS['gui']->setError("First and last names cannot be the same");
                }
{/php}

The warning message shows even if I haven't tried to register - it's there as soon as I go to the Registration page.  And I tried registering anyway, with unlike names. The error message persists to the Account page. So I'm definitely doing something wrong!!

[Al Brookbanks]

I'm not sure where the hook is placed in the code. So it may need to be wrapped in code like;

if(isset($_POST['user'])) {

...

}

Or use another hook. I'm at my future in laws on my iphone without reference right now. Sorrry I can't be more helpful.

[bsmither]

I think the snippet is using the wrong hook. At class.cubecart.construct.register, we are asking CubeCart to display the registration page. At this point, the only relevant POST elements are ['register']. If we have ['register'], we call User->registerUser().

 

But where we are now, in CubeCart->_register(), since POST['user']['first_name'] and POST['user']['last_name'] are both (probably) unset, in that regard they equal each other.

 

And Bam! -- Error message.

 

We need to deal with the situation when we have good, relevant POST elements. I think the most likely place is at the hook class.user.register_user. So, in the snippet settings panel, change the hook.

[Dirty Butter]

That appeared to work correctly, but when I followed the error message and changed to different words, the error message persists. This isn't a very good time for me to be playing with registration, so I'd like to table this until after Christmas - but I definitely want to learn how to do this!!!

 

A thought though - what happens in the future if CC core code changes and I have a snippet in place that "fights" with the new core code - won't it be harder to spot where the trouble is than a file difference compare of modified code vs new version code???? - hope that makes sense!

[bsmither]

"I followed the error message and changed to different words, the error message persists."

 

You mean the error message did not change to show the new words, but rather continues to show the old words?

 

"What happens in the future if CC core code changes and I have a snippet in place that "fights" with the new core code?"

 

That's the major problem I am having with Goober's Dynamic Prices mod. I'm sure it worked in CC50X (haven't tested the mod in that environment), but figuring out what to do about the mod's malfunctions in CC52X is problematic in part because the relevant core variables are re-assigning themselves to the point where they no longer represent what the mod expects them to be.

 

"Won't it be harder to spot where the trouble is?"

 

It will be far easier to implement the process of elimination!

1. Switch off all mods.

2. Upgrade.

3. Test.

4. Switch on one mod.

5. Test.

6. Go to 4.

[Al Brookbanks]

That's the major problem I am having with Goober's Dynamic Prices mod.

 

Oh dear thats not what we want to hear!

[Dirty Butter]

 

"I followed the error message and changed to different words, the error message persists."

 

You mean the error message did not change to show the new words, but rather continues to show the old words?

Well, it made sense to me when I wrote it LOL. What I meant was, I changed to different first and last names, just as a legitimate customer would after seeing that error message. But he error message persisted, even though the names were then different.

 

Will work on this again after the holidays. Thanks for the work so far!

[Dirty Butter]

Revisiting this now that our busy season is over.

 

Instead of trying to make two snippets - one for name and one for phone - I used SemperFi's complete hack as is - the way I had it in the user.class.php code, and it worked just as expected!

 

So Snippets seem to work basically in the same way that Child Theme edits do in Wordpress:

 

Find the section of the original code that I want to change and ??? note what hook precedes it to hopefully get the correct trigger???.

Then copy that whole section over to MY Snippet, with the appropriate changes, with the required [php} and {/php} framing the section.

The Execution Order of 1 tells CC to use my Snippet instead of the stock CC code.

 

I think it would be a good idea to leave a comment in the original code referencing MY Code Snippet by name, in case this edit ever did cause issues with upgraded versions of CC.

 

The main problem, as I see it, is in figuring out which trigger is the appropriate one. I tried to use my own directions on another tweak to code and had to guess with trial and error to figure out what the trigger would be. UGH

[bsmither]

So Snippets seem to work basically in the same way that Child Theme edits do in Wordpress:

Having looked ever so briefly at WordPress, I would say, with all likelihood of being wrong about WordPress, that you are mostly correct.

 

Find the section of the original code that I want to change and ??? note what hook precedes it to hopefully get the correct trigger???.

Change or enhance. However, some hooks happen just a tad too late (you have to undo and redo some things), and some hooks happen just a tad too early (for some purposes). Just depends.

 

Then copy that whole section over to MY Snippet, with the appropriate changes.

Sometimes that is necessary.

 

The Execution Order of 1 tells CC to use my Snippet instead of the stock CC code.

Not really. The CubeCart code will always be executed. Assuming nothing undo-able has happened, you can redo the task. The Execution Order tells CubeCart which of possibly many more than one snippet or plugin using that hook has priority. If your custom code is simple, that is, not dependent on any pre-existing conditions, your priority could be 99.

 

The main problem, as I see it, is in figuring out which trigger is the appropriate one. I tried to use my own directions on another tweak to code and had to guess with trial and error to figure out what the trigger would be.

If your code works inline with existing code, then the next available trigger should suffice. I would like to hear more about that particular exercise.

[Dirty Butter]

I use the AskAbout Mod of SemperFi's, so I thought I would play with a simple edit he made in seo.class.php to see if I could do it all by myself.

Here's the whole now commented out block, with the original commented out and the new SemperFi version near the very top of the file.

// Start SemperFi Addition
	// Old Code:
	// private $_dynamic_sections	= array('prod', 'cat', 'doc');
	/* // MY CODE SNIPPET - add askabout to the doc array in seo.class.php
	private $_dynamic_sections	= array('prod', 'cat', 'doc', 'askabout');
	// End SemperFi Addition */

Right off the bat there was no hook above that, as it is very near the beginning of the file, so I had to try to guess what would work. I knew that it was needed to get the askabout document to work, and the CC comments not far above that mentioned Categories.

 

With that information, and basically not knowing what I was doing, I guessed class.gui.display.documents, which would not load. So I then guessed class.cubecart.display_category, which did work.

 

 

Not really. The CubeCart code will always be executed. Assuming nothing undo-able has happened, you can redo the task. The Execution Order tells CubeCart which of possibly many more than one snippet or plugin using that hook has priority. If your custom code is simple, that is, not dependent on any pre-existing conditions, your priority could be 99.

 

In Wordpress any section of code copied to the Child Theme and then modified will be executed first, and that section of WP will be overridden. I'm understanding you to say that is not the way CC Snippets work. What makes it so great is an upgrade of WP or of my theme keeps all modifications I have in the Child Theme.

 

In the spam blocker Snippet I created from SemperFi's hack AND on the AskAbout Snippet I made, I commented out the corresponding section of code in the core CC. So I should not have done that???

[bsmither]

"In the spam blocker Snippet I created from SemperFi's hack AND on the AskAbout Snippet I made, I commented out the corresponding section of code in the core CC. So I should not have done that???"

 

Creating a snippet or plug-in has as the primary point, to let core code upgrades happen without losing your custom events. If you comment out the core code, you've just negated the primary point to snippets and plug-ins.

 

As you describe WordPress, "If this hook (child code) exists, then do the hook (child code), else do the core code." This is not how CubeCart does snippets.

 

CubeCart hooks are in-line. The code before a hook statement is executed, then the code from any snippet/plug-in that uses that hook is executed, then the code that follows the hook statement is executed.

 

In seo.class.php, this statement:

private $_dynamic_sections = array('prod', 'cat', 'doc');

initializes a class variable. If we were to not disturb that statement, but rely on a snippet to modify it, we would need to find the next available hook.

 

When any class is instantiated (comes into being as in getting assigned to $GLOBALS['seo']), a construct() function is automatically executed. Fortunately, the SEO class has a construct() function - line 94. Unfortunately, there is no hook here. But we can look at all the other functions that are called, and hopefully we can find a hook to use before any other code uses _dynamic_sections: _getCategoryList(), enabled(), and if certain things are true generatePath(). Unfortunately, none of these functions have a hook.

 

Unfortunately, the entire SEO class has no hooks.

 

@Al, maybe have a hook statement in every construct() and destruct() function in every class? (If there isn't a construct or destruct, add them as well.)

 

Plan B is to create another class, SemperFi_SEO, which extends SEO. That is getting into a knowledge-level I am not yet fully versed in, but I know this is done all the time to add functionality to a base class.

 

Plan C is to edit the core code by adding needed hook statements, then notify Devellion about the new hook and hope it appears as standard in the next version.

 

If there was a hook, the array could be modified by:

$_dynamic_sections[] = 'askabout';

which adds a new array element to the end of the existing array.

[Dirty Butter]

OK, I see your point about commenting out. And from the rest of what you wrote, this doesn't seem to be something a person at my entry level understanding is going to be able to create after all. I'll keep trying to use if for ADDED code, such as the spam blocking tests, but leave the rest to better minds. Oh, it was SO easy in WP! Oh well.

 

Thanks for pursuing this, anyway. As always, your patient help is most appreciated, Bsmither!!