
Improve Shopping Cart ID Detection (bug #473)

* With a specific checkout routine it is possible for the shipping selection page to not detect a change in the shopping cart contents and to present a list of outdated shipping options to the customer. Thanks to Wojtek Ruszczewski (wrwrwr) for bringing this to our attention.

* Also reset the shopping cart ID in the shopping cart class update_quantity() method (this method is used by Add-Ons).
commit 86a1f7f44fd2fe37e9e3fde33cbd0b34415a3ae9 1 parent 2c9216a
Harald Ponce de Leon haraldpdl authored
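--- a/catalog/checkout_shipping.php
+++ b/catalog/checkout_shipping.php
@@ -5,7 +5,7 @@
 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com
- Copyright (c) 2010 osCommerce
+ Copyright (c) 2012 osCommerce
 Released under the GNU General Public License
 */
@@ -46,8 +46,13 @@
 // register a random ID in the session to check throughout the checkout procedure
 // against alterations in the shopping cart contents
- if (!tep_session_is_registered('cartID')) tep_session_register('cartID');
- $cartID = $cart->cartID;
+ if (!tep_session_is_registered('cartID')) {
+ tep_session_register('cartID');
+ } elseif (($cartID != $cart->cartID) && tep_session_is_registered('shipping')) {
+ tep_session_unregister('shipping');
+ }
+
+ $cartID = $cart->cartID = $cart->generate_cart_id();
 // if the order contains only virtual products, forward the customer to the billing page as
 // a shipping address is not needed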
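Review bot: The cart-ID comparison in the elseif of the second hunk uses loose `!=`, which compares numeric-looking strings by value in PHP; if generate_cart_id() can ever produce an all-digit hex digest (for instance one beginning with `0e`), two different IDs compare equal and the stale shipping selection is kept, which is exactly the situation the commit is trying to close. Use strict comparison: `} elseif (($cartID !== $cart->cartID) && tep_session_is_registered('shipping')) {`. generate_cart_id() is not shown on this page, so whether its output can be numeric-like cannot be confirmed here, and the surrounding checkout code starts and ends outside the hunk.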
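--- a/catalog/includes/classes/shopping_cart.php
+++ b/catalog/includes/classes/shopping_cart.php
@@ -5,7 +5,7 @@
 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com
- Copyright (c) 2003 osCommerce
+ Copyright (c) 2012 osCommerce
 Released under the GNU General Public License
 */
@@ -178,6 +178,9 @@ function update_quantity($products_id, $quantity = '', $attributes = '') {
 if (tep_session_is_registered('customer_id')) tep_db_query("update " . TABLE_CUSTOMERS_BASKET_ATTRIBUTES . " set products_options_value_id = '" . (int)$value . "' where customers_id = '" . (int)$customer_id . "' and products_id = '" . tep_db_input($products_id_string) . "' and products_options_id = '" . (int)$option . "'");
 }
 }
+
+// assign a temporary unique ID to the order contents to prevent hack attempts during the checkout procedure
+ $this->cartID = $this->generate_cart_id();
 }
 }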
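Review bot: The comment added above the new cartID assignment says it prevents "hack attempts" without saying what the ID is later checked against, which the next maintainer cannot act on; the other file in this commit, checkout_shipping.php, compares this value with the session copy and discards the stored shipping selection when they differ. Suggested wording: `// regenerate the cart ID so the checkout pages can detect that the contents changed since shipping/payment were chosen`. update_quantity() begins outside the hunk, so it is not visible here whether the method has earlier return paths that skip this regeneration.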