Improve Shopping Cart ID Detection (bug #473)

* With a specific checkout routine it is possible for the shipping selection page to not detect a change in shopping cart contents and can present a list of outdated shipping options to the customer. Thanks to Wojtek Ruszczewski (wrwrwr) for bringing this to our attention.

* Also reset the shopping cart ID in the shopping cart class update_quantity() method (this method is used by Add-Ons).
commit 86a1f7f44fd2fe37e9e3fde33cbd0b34415a3ae9 1 parent 2c9216a
Harald Ponce de Leon authored August 01, 2012
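--- a/catalog/checkout_shipping.php
+++ b/catalog/checkout_shipping.php
@@ -5,7 +5,7 @@
   osCommerce, Open Source E-Commerce Solutions
   http://www.oscommerce.com
 
-  Copyright (c) 2010 osCommerce
+  Copyright (c) 2012 osCommerce
 
   Released under the GNU General Public License
 */
@@ -46,8 +46,13 @@
 
 // register a random ID in the session to check throughout the checkout procedure
 // against alterations in the shopping cart contents
-  if (!tep_session_is_registered('cartID')) tep_session_register('cartID');
-  $cartID = $cart->cartID;
+  if (!tep_session_is_registered('cartID')) {
+    tep_session_register('cartID');
+  } elseif (($cartID != $cart->cartID) && tep_session_is_registered('shipping')) {
+    tep_session_unregister('shipping');
+  }
+
+  $cartID = $cart->cartID = $cart->generate_cart_id();
 
 // if the order contains only virtual products, forward the customer to the billing page as
 // a shipping address is not needed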
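Review bot: The `$cartID != $cart->cartID` test on the elseif line of the second hunk is a loose comparison; if generate_cart_id() produces digit-only strings (its body is not visible here, so confirm), PHP compares such strings numerically and two IDs differing only in leading zeros compare equal, which would leave a stale shipping selection registered. Writing it as `} elseif (($cartID !== $cart->cartID) && tep_session_is_registered('shipping')) {` removes that case without changing anything else. The comment above the block still describes the ID as merely registered, while the new last line regenerates it on every visit; `// the ID is regenerated on each visit so that a later change to the cart contents is detected by the following checkout pages` would describe the new behaviour. This is top-level script code, and the session helpers and the $cart object are set up outside the hunk.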
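--- a/catalog/includes/classes/shopping_cart.php
+++ b/catalog/includes/classes/shopping_cart.php
@@ -5,7 +5,7 @@
   osCommerce, Open Source E-Commerce Solutions
   http://www.oscommerce.com
 
-  Copyright (c) 2003 osCommerce
+  Copyright (c) 2012 osCommerce
 
   Released under the GNU General Public License
 */
@@ -178,6 +178,9 @@ function update_quantity($products_id, $quantity = '', $attributes = '') {
             if (tep_session_is_registered('customer_id')) tep_db_query("update " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . " set products_options_value_id = '" . (int)$value . "' where customers_id = '" . (int)$customer_id . "' and products_id = '" . tep_db_input($products_id_string) . "' and products_options_id = '" . (int)$option . "'");
           }
         }
+
+// assign a temporary unique ID to the order contents to prevent hack attempts during the checkout procedure
+        $this->cartID = $this->generate_cart_id();
       }
     }
 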
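Review bot: The new `$this->cartID = $this->generate_cart_id();` sits inside a conditional whose condition lies outside the hunk, so calls to update_quantity() that take the other path leave the cart ID untouched; if any of those paths can still change the cart contents, the ID should be regenerated there as well, which is worth confirming against the full method. The added comment says only "prevent hack attempts", which does not state what the ID actually does; `// regenerate the cart ID so that the checkout pages can detect that the contents changed after a shipping method was chosen` names the mechanism the companion change in checkout_shipping.php relies on. update_quantity() starts and ends outside the hunk.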
