This has to be one of the most irritating issues I've come across in some time. Using any of the Authorize.net AIM modules for osCommerce 2.2 the customer would consistently be sent back to the Payment Details page with an error:

There has been an error processing your credit card

It seems that many people have been having this issue and there are many different possible solutions to the problem. The solution to this problem was found in this post: http://forums.oscommerce.com/index.php?showtopic=293398&pid=1309060&start=&st=#entry1309060

Basically, the MD5 Hash needs to be 80 bits and not 128 bits. I generated the MD5 hash as I normally do and pasted it into Authorize.net without realizing that the text was truncated and only the first 20 characters of my hash was actually stored. Authorize.net does not display this hash so you won't ever notice it in there. This is a VERY simple fix that has given me a headache for a couple of days. Hope this is helpful to someone.

I recently upgraded to PHP 5.3.0 after having some issues with FASTCGI and 5.2.x on Windows but the moment I did this I started getting numerous warnings. The one that appeared the most was:

Assigning the return value of new by reference is deprecated

Apparently in PHP5 all objects are passed as reference and 5.3.0 formally deprecated the feature, which has forced me to turn off error reporting until I can update my code (including WordPress!).

So basically the problem is that traditionally objects would be passed by value and you had to explicitly declare when you wanted the object to be passed by reference. So for instance, an overly simplified example would be:

class myClass{
    public $temp = array();

    function __construct(){
         $this->temp = array[1,2,3,4];
    }
}

$someArray = & new myClass();

The & sign tells PHP to return the value as a reference. In PHP 5.3.0 you don't need to specify the &.

It's a small change but it has HUGE impact!

My recent experiences with several hacking attacks has made me think more about application and data security on the web. In today's world nothing can be taken for granted and security should be of the highest concern, no mater how simple you think your application or trivial the data you store. Many web applications are hosted on shared servers or virtual private servers where the first line of defense is often left to the hosting provider. The first line of defense is perimeter security such as hardware firewalls and other network related prevention. You are also at the hands of the hosting provider when it comes to software security, that is, your operating system, web server, application servers and scripting languages and ftp patches.

The first thing that and good security plan should have is a proper review of these basic things. Contact your hosting provider and find out about patch management and other security options that may be their responsibility. If you manage your own server then you need to be aware of firewalls (software or hardware), antivirus, patch management and user security.

Now, on to your web application security. In my previous article on preventing sql injection attacks in coldfusion  there are quite a few tips for securing the applications. One other place developers tend to ignore is the transmission of data to and storage of data in the database. So let's look at some of the options for securing data.

Database access:

If your budget supports it, the first thing that should be implemented would be to have your database on a separate physical machine from your application server or public web server. This has two positive effects. Firstly, moving the database server to another machine will take the load off the web server or application server which can only be a good thing. Secondly, you public web server would be the first machine to be attacked, thus if a breach were to occur having the database on another machine would add some level of defense.

Ensure that the web application database user has the bare minimum rights to the database. That is, if the web application has no need to add tables or drop tables then the user should not have CREATE or DROP rights. Ensure, under no circumstances that your web application uses ROOT, SA or any other master login to access your database. Create a separate user for each application and give it the required rights.

One other thing I like to do is limit remote access to the database, if you can get SSH/RDP access to the server limit that to specific IP addresses. This causes remote administration to be a pain but the security benefits outweight the inconvenience.

Data storage:

Now, once you have the correct rights on your database and secured it from web access the next step would be to secure the actual data being stored. You will want to ensure that the forms that submit information are secured with a valid strong SSL certificate. Now, you may not be interested in using SSL encryption for all forms on  your site but it is a good practice to secure forms such as registration, login, shopping carts and checkout forms. Basically, any form that has any user information should be secured.

This same thinking should extend to storing the data in the database. Many developers encrypt passwords and store them in the database, but I think other things like usernames, email addresses and any other information that can potential be regarded as sensitive information should be encrypted and stored in the database. There are two options for this. Let the database encrypt the data for you or let your application encrypt the data before it is inserted in the database.

In SQL Server 2005, you can achieve this using some special functions. You can read more about this method in the following articles:

http://www.sql-server-performance.com/articles/dev/encryption_2005_1_p1.aspx

http://www.sql-server-performance.com/articles/dev/encryption_2005_2_p1.aspx

Other popular databases would have similar features.

The other option would be to encrypt the data before storing it in the database and then decrypting it when it needs to be used. In ColdFusion, this can be achieved using the encrypt and decrypt functions. These functions allow you to choose and encryption algorithm (SHA1, Blowfish etc) and a security key. The major drawback to this method is speed. This would slow down the communication of data between the web application and the user, however I think this is a fair trade off for the security concious.

Let me start off by saying, Magento is an EXTREMELY powerful and well built ecommerce platform. It contains all of the features necessary to deliver a stable and scalable solution for ecommerce (and more). That being said, I do have a few issues. So far, I find the system quite slow. Maybe it is just the current hardware but it does seem a bit sluggish. The next issue is documentation or lack thereof. The system documentation is VERY sparse and you rely mostly on community support and google. Of course, you can get premium support and Varien is well within their rights to charge for support but I think a bit more on the way of documentation would be a good way to gain more users.

I am attempting to implement this system and have had some success so far. Let me start by covering what has worked to this point.

• Installation of Magento on a Windows 2003, IIS 6 platform.
• Addition of inventory

The installation was a bit scary since I couldn't get it to work locally using the wizard. Eventually I got it working using a manual install. The site works for the most part but does not use url rewrites at this point. I have installed ISAPI Rewrite Lite but couldn't get it to work. I honestly haven't put enough time into it so I can't say if there is a bug or not.

Inventory takes a bit of getting used to. The interface is quite good however, it is a complex system and it can be a bit daunting for first time users. One thing I find quite annoying is the fact that the stock level defaults to Out Of Stock, which is a bit counter intuitive especially when you are adding products. I am sure that there is a global override somewhere, when I find it I'll make the change!

Now, the most important thing (and most difficult thing by far) is implementing a new design. This really takes some dedication to put all the pieces together. The designers guide offers some help in this area and you really have to sit back and digest it. Read ALL of it before you attempt to look at the code and ensure that you have some sort of understanding about how the system is designed and what each element does.

After doing some research I've noticed that what most people do is to simply change the styles for the default design that comes with Magento. The entire front end is governed by one stylesheet that can be customised as need be. I however don't want to simply change the look of it, I want to put things where I want them and really shake things up!

At the core of the design or theme is the layout. The layout is an xml file that defines the structure of any page. The layout references templates which contain the actual logic and markup to be displayed. This is an extremely flexible implementation. It gives you the ability to create custom content blocks and use them in multiple places. The only problem though is getting things to work the way you want them is quite another story. One very invaluable setting is the Template Path Hint which highlights on the screen and well, shows the template paths so you can fiddle with them as necessary. To turn this on follow the instructions found here. Another tip is to set all caching to off. This was extremely frustrating when I first started. To do this:

• Go to System > Cache Management
• Select Disable from the All Cache drop down
• Save Settings

It would be wise to also Refresh Layered Navigation Indices, which are found at the bottom of the Cache Management page.

I'll continue to work on this and post more about my success or failures as I go along.

Scenario:

The web application has two components, a private upload area and a public download area. To upload a file you must be logged in via HTTP Authentication in IIS (v6 on Windows 2003). The file is uploaded to a non-web accessible uploads folder. Downloads are public and are allowed for anyone who has the unique file key that identifies a specific uploaded file. The IIS web user (the account that PHP uses) has full access to the uploads directory.

Problem:

Files that are uploaded by authorised users cannot be downloaded in the public area.

Analysis:

After close examination, it was noticed that the IIS user has no access to the uploaded files even though the user has full access to the uploads directory.

Resolution:

By default PHP uploads all files to a directory identified by the upload_tmp_dir entry in php.ini, which on Windows systems defaults to C:\Windows\Temp, when the upload is completed the file is then moved to the target directory as specified by the upload script. The problem is actually with the way Windows handles security, the uploaded file gets the permissions of the Temp directory, when copied to the final directory, it keeps the permissions of the Temp directory and not the permissions of the final directory. That is, if the file is uploaded to Temp and the IIS web user does not have permissions on the Temp folder, when the file is copied to the uploads directory the IIS web user will still NOT have permissions on the file. The solution to the problem is actually quite simple, give the IIS web user the required permissions on the directory specified by upload_tmp_dir.

I cannot take credit for this solution, however, I can't find the post that had this solution again. I will keep looking and post the link to the original post when I find it again.

Happy Coding!

I absolutely love Adobe ColdFusion. I have been using it since version 3 and fell head over heals the first day I saw how easy it was to create a search directory, or send an email, or just about anything the average web application developer could want back in those days. It has matured tremendously in the past few years and with the release of version 8.01 can no longer be ignored as a fully featured web application platform. In my day job we use CF as our plaform for a site that gets a lot of traffic and since it is an integral part of the business we spent the money for CF Enterprise, but it was A LOT! As a small business owner as well, I am faced with the problem of developing with CF because of the pricing issue. Sure, shared hosting is an alternative and the prices have been coming down slightly but who wants to use shared hosting? We are real developers! The current movement to grid hosting has not engulfed the CF community thus far with no hosts that I know of making this offering. Again, I believe it is the licensing issue that is preventing this.

Another issue is the lack of affordable talent (or lack of talent in general) for ColdFusion development. Now, I am not saying that people shouldn't be paid adequately for their talent but on average CF developers are quite a bit more expensive than say a PHP or Ruby developer and from a business standpoint it makes sense to use the more affordable option. The pricing point for ColdFusion Standard is not that bad but in my experience it is much better to use Enterprise in a J2EE deployment to achieve maximum stability on high demand systems.

So where does this leave me? PHP is a solid option, huge developer pool, it's free, it works. Ruby is excellent as well. Companies such as 37 Signals have shown that Ruby can drive high demand applications. Java, is always an option but probably costs as much as ColdFusion to implement and support. I am really torn on this issue but financially I may have to move away from ColdFusion and focus on one of the free tools that will enable me to generate income and end with a positive bottom line. Adobe, please help us!