Security warning with new upgrade??

[Al Brookbanks]

A patch will be released in the next few hours for this and a couple of other issues with 3.0.13. The security audit made some considerable changes to the code which unfortunately caused a few unseen bugs.

[Al Brookbanks]

Ok the fix it to upgrade to 3.0.14 or upload just the files found in this archive:

http://www.cubecart.com/site/forums/index....post&id=771

You can test it here: http://www.cubecart.com/site/demo/cc3/

[Guest BBUK]

I have upgraded the files as requested AND NOW GET THIS ERROR:

MySQL Error Occured

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '.14' at line 1

QUERY = SELECT CubeCart_options_bot.option_id, CubeCart_options_bot.value_id, option_price, option_symbol, assign_id FROM `CubeCart_options_bot` INNER JOIN `CubeCart_options_mid` ON CubeCart_options_mid.value_id = CubeCart_options_bot.value_id INNER JOIN `CubeCart_options_top` ON CubeCart_options_bot.option_id = CubeCart_options_top.option_id WHERE assign_id = 13.12.14

[convict]

It seems you use the basket content created with 3.0.13 - please do empty basket and try again.

OR

In case huge customer base and big traffic on your store do following in

includes/content/cart.inc.php

includes/boxes/shoppingCart.inc.php

SEARCH FOR

			$options = explode("|",$optionKeys)

ADD BEFORE

			$optionKeys = str_replace(".","|",$optionKeys);

This translates old created options to meet latest code changes.

[Guest estelle]

Al or Convict,

Could one of you guys explain why the period can no longer be used to separate attribute ids? Why are period characters getting caught out by the new security checks?

[convict]

Suppose this is a result of the CubeCart 3 security audit.

[Guest tshells]

Hi all! I just installed version 3.0.14, following much gnashing of teeth over my existing "bumbleware" shopping cart. I got the dreaded "Parsed array keys can not contain illegal characters! Script execution has been halted" error also, even when trying to access the storefront. Clearing cookies did fix the problem, but what customer is going to stick around for that? CubeCart seems to set up and run so smoothly that it made sense to keep configuring while searching for a solution. And there it was, pretty as can be, just commenting out the code in the ini.inc.php file. Works like a charm. The link a few posts back to some upgrade files didn't work for me, and I don't think it would matter anyway since I've got the latest version. But is there a risk worth losing sleep over in leaving that code commented out? Or can I just continue setting up this wonderful, efficient script without much worry?

[Guest Windy Miller]

Don't want to start another thread about a similar problem but I'm have trouble with the old.....

Security Warning

Parsed array keys can not contain illegal characters! Script execution has been halted.

It may be possible to fix this error by deleting your browsers cookies and refresh this page.

I'm getting this error on a fresh(ish) install of .14, no doubt I'm being thick and I'll apologise in advance but I've searched through all the threads on the subject and still not resolved it. Started off with .13 but only added a couple of products to check it over before going the whole hog. Then .14 came out a few days later and I upgraded only to get the above warning. Thinking I'd screwed up somehow I deleted the /store folder with my ftp and uploaded the whole of .14 to start afresh. I've tried clearing the browser of cookies etc., getting rid of everything in the SQL database, calling the folder a different name but whatever I do I keep getting the above warning whatever I do.

I'm new to all this so please be gentle!!!

[convict]

@ tshells, Windy Miller

Please post here the URL to your store. If you prefer to prevent the publicity send me it via PM will have a look.

[Guest tshells]

@ tshells, Windy Miller

Please post here the URL to your store. If you prefer to prevent the publicity send me it via PM will have a look.

Thank you for taking the time to look. Like I said, after edits to ini.inc.php, there aren't error messages (that I see), but maybe you'll notice a security problem or something? That's my main concern right now. It's just the basic install so far, with some tax, shipping, etc. setup done. It's at http://chellsroost.com/shop/.

[convict]

@ tshells, Windy Miller

Please post here the URL to your store. If you prefer to prevent the publicity send me it via PM will have a look.

Thank you for taking the time to look. Like I said, after edits to ini.inc.php, there aren't error messages (that I see), but maybe you'll notice a security problem or something? That's my main concern right now. It's just the basic install so far, with some tax, shipping, etc. setup done. It's at http://chellsroost.com/shop/.

Tested - no security mesage there using IE & FF ;)

[Guest tshells]

@ tshells, Windy Miller

Please post here the URL to your store. If you prefer to prevent the publicity send me it via PM will have a look.

Thank you for taking the time to look. Like I said, after edits to ini.inc.php, there aren't error messages (that I see), but maybe you'll notice a security problem or something? That's my main concern right now. It's just the basic install so far, with some tax, shipping, etc. setup done. It's at http://chellsroost.com/shop/.

Tested - no security mesage there using IE & FF

Thank you so much. I feel better now about going ahead with setup.

[Guest Windy Miller]

@ tshells, Windy Miller

Please post here the URL to your store. If you prefer to prevent the publicity send me it via PM will have a look.

Thanks so much for the offer of help convict. Just PM'd you the link.

[convict]

@ tshells, Windy Miller

Please post here the URL to your store. If you prefer to prevent the publicity send me it via PM will have a look.

Thanks so much for the offer of help convict. Just PM'd you the link.

Solved. :wacko:

[Guest Windy Miller]

Just wanted to say a public thank you to convict.

It's very reassuring for people wanting to use CC that there are talented and helpful people like him around to help out.

Solved.

[convict]

Just wanted to say a public thank you to convict.

It's very reassuring for people wanting to use CC that there are talented and helpful people like him around to help out.

Solved.

You are welcome :)

[Guest keandrews]

I'm evaluating CubeCart as an alternative to ZenCart.

I have just installed the current 3.0.14 zip, downloaded yesterday, as a fresh installation.

In the "Auto Method" installation instructions, I get as far as:

c. Visit the store homepage

e.g. http://www.example.com or http://www.example.com/store/

and I see this "Parsed array keys..." error right away (so I can't even view the auto-install pages).

FYI the browser I'm using is 1.5.0.7 under Linux. It does seem to be my cookies that are causing the problem, because if I view the site under Windows using IE then I *can* see the installation pages.

The discussion in this thread seems to be applying to 3.0.13, so I was assuming that this issue would be fixed in 3.0.14 - is that not the case?

Cheers,

Kona

[Guest omegareport]

Cubecart problems - tried everything here

Sorry for how long this is, but I tried everything in this topic and it seems to have made things worse. I'm new at this and need some help.

Am running Firefox' (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8) Gecko/20061025 Firefox/1.5.0.8) on an IBM NetVista with WinXP-SP2, 512Mb RAM on cable connection (Comcast). IE7 is installed, but I try to avoid it - it's awful! Also have Opera and Netscape (because I have to test websites in various browsers) but other than that rarely use them either.

The only mods I have installed are the default mods (3). I use only US dollars for currency and English as language. I've tried to keep everything very basic until I know it works right.

Server is Apache version 1.3.37 (Unix) with Perl 5.8.7 and PHP 4.4.4 and MySQL 4.1.21-standard-log.

I can enter my Cubecart admin panel with this:

http://www.phoenixarchive.com/cubecart/adm...php?homeLang=en

but if I use this:

http://phoenixarchive.com/cubecart/admin/

the login page doesn't come up. Instead, I get this:

Security Warning

Parsed array keys can not contain illegal characters! Script execution has been halted.

It may be possible to fix this error by deleting your browsers cookies and refresh this page.

Likewise, if I try to enter Cubecart through the Fantastico panel onm Bluehost (visit site), I get this:

Security Warning

Parsed array keys can not contain illegal characters! Script execution has been halted.

It may be possible to fix this error by deleting your browsers cookies and refresh this page.

I've printed out the whole 4-page topic on this from the forum and read it, marked what changes are recommended and am going through them one by one.

I have DL'd ansuk's switch.php (from version 3.0.12) - no help there.

I've got all lowercase file/folder names w/o spaces (I've run into that problem before).

I did as Adminitrator said and changed ini.inc.php to:

/* - this was the only change I had to make

$clean = new clean_all($data);

$_GET = $clean->clean_all($_GET);

$_POST = $clean->clean_all($_POST);

$_COOKIE = $clean->clean_all($_COOKIE);

$_REQUEST = $clean->clean_all($_REQUEST);

----------------------

Checked switch.php as convict recommended. It looks OK as is, I think:

/* END INITIAL SECURITY CHECKS */

I haven't tried it yet so I don't know if it will give the loop-back problem Snowbaby mentions.

// detect possible spoofing URL's

if(!eregi("http://",$_GET['r']) && !eregi("ftp://",$_GET['r']) && !eregi("https://",$_GET['r'])){

header("Location: ".str_replace("amp;","",treatGet($_GET['r'])));

} else {

header("Location: index.php");

}

exit;

-----------------

Convict

you mention a change in includes/content/reg.php ... do you mean reg.inc.php? That's the only file like that I find - no reg.php.

Here's what I found in re.inc.php - looks OK to me?

header("Location: ".str_replace("amp;","",$redir));

exit;

} else {

header("Location: index.php");

exit;

--------------

Here's what includes/content/login.inc.php says:

header("Location: ".str_replace("amp;","",treatGet(base64_decode($_GET['redir']))));

exit;

Again, it looks OK to me?

-----------------

RE: includes/content/cart.php (again I find cart.inc.php - but not cart.php), I don't find "." except in this reference:

$view_cart->assign("VAL_STOCK_WARN",$lang['front']['cart']['amount_capped']." ".$product[0]["stock_level"].".");

I didn't change it because I wasn't sure this is what you referred to.

Found no "." in includes/boxes/shoppingCart.inc.php.

Found no "." in classes/cart.php.

------------------

tshells said something about "commenting out the code in the ini.inc.php" file - but what code? I didn't touch it either.

I really found none of the problems addressed in the topic, but did check all of them out. Still no solution.

MADE PROBLEMS WORSE?

Now when I try to log into Cubecart through Fantastico, I get this:

Warning: main(classes/cart.php) [function.main]: failed to open stream: No such file or directory in /home/phoeniy1/public_html/cubecart/includes/boxes/shoppingCart.inc.php on line 41

Fatal error: main() [function.require]: Failed opening required 'classes/cart.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/phoeniy1/public_html/cubecart/includes/boxes/shoppingCart.inc.php on line 41

EDIT:

Somehow I find cart.php in the trash (I haven't dared empty it) and NOT in the classes folder. I cannot seem to get it back into the folder - can't open it, can't copy it, can't move it - nada!

Why did it trash it??? How do I get it back? I'm trying to do a copy and paste to a Notetab file.

OK, that seemed to work - I ftp'd the copy back to classes folder - but the original is still in the trash. If I empty the trash, does it empty the one I just uploaded?

------------------

Multi-store problem

The cart is located in

http://www.phoenixarchive.com/cubecart/index.php

I wanted to set up more than one store (the other for a client or two), but couldn't seem to get it to work at all, setting it up as directed in the Cubecart installation process - had to remove it and start over.

Do I have to delete ALL cookies on my computer? I really need some of them (banking, PayPal, eBay, etc., etc.) Is there any way to delete a specific cookie that might be causing the problem?

---------------

I am trying to set up an online store for e-books and software, with four levels of membership:

free, silver, gold and platinum.

I have created a DL folder with the appropriate subfolders so, hopefully, members can access only their own folder levels or those lower, e.g. gold members have access to free and silver folders as well as gold, to avoid duplication. Anyone have a better idea?

Also, if I protect the DL folders independently (I haven't yet), will this interfere w/orders & DLs?

--------------

PayPal

everything seems to work EXCEPT that the buyer gets no email link to the product after payment. I tested it with a $1.09 purchase; the charge went through, but that's all. I am set up for PayPal IPN (have been for some time).

---------------

Changing copy on pages (HTML)

Whenever I click the HTML button (Source) and try to paste HTML, it crashes my whole browser and connection, and wipes out all the work I've done in that session. It happens without fail...9 times last night.

Also, is there any way to increase the size of the text entry box? It is so small that only 2-3 lines show up. You can't see much of it.

-----------------

Uploading images?

At first I was able to FTP images to the proper directory and they showed up on the images list - but now they don't even tho they ARE in the folder (checking with the FTP program-Filezilla) and even after hitting refresh. When I try to re-upload it manually (one at a time - slow!), it refuses to accept it, saying it's already there.

------------------

[Guest tshells]

tshells said something about "commenting out the code in the ini.inc.php" file - but what code? I didn't touch it either.

I only had the "parsed array keys..." error. And just commenting out some lines as described in this earlier post completely fixed it. Didn't touch anything else for that.

[Guest Waldo J]

I'm evaluating cart software for my employer. So I downloaded Cube Cart. I uploaded it to my server, a stock Red Hat FC6 install. I loaded it into my browser, Safari. "Parsed array keys can not contain illegal characters!" I cleared all cookies in my browser. Same error. I tried again in another clean, newly installed browser, Firefox. Same error.

The mind boggles.

Cube Cart interested me over OS Commerce because I was led to understand that Cube Cart, as a commercial product, has a higher level of professionalism. But a show-stopping error written in meaningless terminology with no debugging information, no useful advice, that even a hearty googling and a study of the vendor's site can't solve? Sweet God, no.

This is a terrible first impression. I expect it'll be my last impression. I don't complain to be an ass, or because I'm seeking any satisfaction, but because I think you should know about this. In fact, the reason that I'm evaluating cart software is because a customer was so kind as to point out how really, really horrible our existing system is -- it throws up show-stopping errors that customers can't solve, drastically reducing the number of people who purchase from us. You know, kind of like this error.

[Guest tshells]

Waldo, I'm very sorry you're having to deal with the frustration. Finding a decent shopping cart is sort of a pain to begin with, and when they don't work right after going through an install, well that's just maddening.

Have you tried editing the ini.inc.php file as noted in an earlier post here? I got the same error as you at first, and pretty much felt the same- lol! But editing that file was all it took, and CubeCart really has turned out to be the best choice. I'd hate to see you pass up a great shopping cart script over what may (or may not, but worth a try) be an easy fix.

[Guest]

I get errors when using IE7, so need to edit also ;)

[Guest pbrcaptain]

I just upgraded to 3.0.14 and now I'm getting the following error when I go to admin ->shipping ->USPS ->configure and attempt to either enable/disable USPS or turn debug on or off (even if I just click the EDIT CONFIG button WITHOUT making any changes!!!!:

Security Warning

Parsed array keys can not contain illegal characters! Script execution has been halted.

It may be possible to fix this error by deleting your browsers cookies and refresh this page.

Has anyone else experienced this? There are so many responses to the above error but they all seem to be store related and not ADMIN side related. If the fix has been posted can someone please direct me there?? I am very frustrated and may have inadvertantly overlooked someone's solution to this problem!

Any help will be greatly appreciated!!!!

George

(posted for pbrcaptain)

[Guest tshells]

George, before changing the code in the one file, the error was occuring for me when trying to get to either admin or the storefront. So it may be the same thing. If you back up any file(s) you edit, and if your fixing doesn't work or if it turns out to be a different problem altogether, no harm done. You could just re-upload the original file(s).

[Guest pbrcaptain]

George, before changing the code in the one file, the error was occuring for me when trying to get to either admin or the storefront. So it may be the same thing. If you back up any file(s) you edit, and if your fixing doesn't work or if it turns out to be a different problem altogether, no harm done. You could just re-upload the original file(s).

Thanks tshells - I assume you are referring to commenting out the security check code mentioned earlier in this post?

Any comments Al?

George