
Thread: security issues with older version of oscmax?

  1. #21
    osCMax Development Team

    ridexbuilder
    Join Date: Jul 2008 | Location: Haggisland | Posts: 4,164

    Re: security issues with older version of oscmax?

    Well done. The perseverance paid off.


  2. #22
    osCMax Developer


    michael_s
    Join Date: Jul 2002 | Location: Phoenix, AZ | Posts: 23,134

    Re: security issues with older version of oscmax?

    My recommendation for doing a db upgrade manually: Always start with a default version of the stable 2.0.2 configuration table. Never use an old configuration data set, as it will cause problems. Then manually add in your custom records from there to avoid conflicts and omissions.

    Other than that, I think you have the manual update process burned into your brain for future reference.

    The good thing about being up to date with the current 2.0.2 is that there will always be update scripts moving forward to simplify the process of changing the core database records and upgrading the files. If you went so far as to check out your install via SVN, future upgrades will be as simple as making a backup of the site and database, then running the command svn update from the catalog directory, and perhaps running a few SQL queries.

  3. #23
    Claymm
    Guest


    Re: security issues with older version of oscmax?

    Hi earth-friendly!

    Has this manual update fixed the problems with register_globals?
    Did you turn it "off" in your php.ini?

    Did you keep a written record of this update that I could use to do mine?
    Do you have any advice for someone who wants to do the same?

    Best Regards.

    Claym.

  4. #24
    earth-friendly
    Guest


    Re: security issues with older version of oscmax?

    Hi Claym. First, let me say that upgrading from the old version that I had before, 2 RC2, to the new version, 2.0.2, was a massive undertaking. I had made many, many changes to the original versions, to fit my needs. Hopefully your site does not have such massive changes.

    A tool that I found invaluable was Beyond Compare. If you get the advanced version, for $50, it will do a 3-way merge, where you give it the original file, the 2.0.2 version of the file, and your newest version of the file, and then it will help you merge all the changes. If I didn't have this tool, it would have taken me months, instead of 1-2 weeks. They give you a 30-day trial to see if you like it, and you can use the advanced version during the trial. I liked it so much that even if I didn't need to do comparisons again, I would still pay the $50 for all of the value that I got.

    In my old version, I had "register_globals = On" in php.ini.
    In my new version, I no longer have a php.ini. It presumably gets the default value from the server, which is Off.

    The main kinds of changes I had to make during the merge were to make sure to add my mod changes into the final version. I'll give you a few tips on the other kinds of changes I had to make in order to debug my new version.

    Sometimes the mods I had added weren't set up for register_globals being off.
    What this means is that when you have a CGI argument passed in the URL, like "payment=cc", or you have a form variable, then in the CGI script that processes the results, with register_globals on, PHP would create a variable, like $payment, where you could access the CGI argument or the form variable. But now, you have to get the value by doing $_GET['payment'] or $_POST['payment'].

    The other main change is that register_long_arrays is, I think, also off.
    So before, $HTTP_POST_VARS and $HTTP_GET_VARS could be used as global variables, and these contained the same contents as $_POST and $_GET. Now you need to use $_GET and $_POST. There is some code in, I think, includes/application_top.php that sets $HTTP_POST_VARS and $HTTP_GET_VARS to $_POST and $_GET, respectively.
    (Note: I also added this code to admin/includes/application_top.php.)
    But, if these are used inside of a function, you now need to include a global declaration.

    I found that I had to fix up a lot of things like this in the admin, while the regular catalog code was in much better shape. Especially for MVS in the admin, I had to make lots of these kinds of changes.

    One of the big tips for merging the sql:
    Start with the oscmax 2.0.2 version of the sql, and then add your changes into that version. One of the problems I had initially was that I used my version, and then added some oscmax 2.0.2 changes into it. But there were some fields in certain tables, like the configuration table, and they were supposed to be able to be joined with a different field in another table, and things got totally messed up for me.

    So, those are the general tips that I can think of. I hope you find this helpful.

    Regards,
    -Lori-
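
Added example (not part of the original posts and not osCMax code): a heuristic Python check for the last point in the post above, functions that read the long arrays such as $HTTP_POST_VARS without a `global` declaration once those arrays are only aliases set at global scope. The PHP sample is constructed, its function names and array keys are hypothetical, and the brace matching does not account for braces inside strings or comments.

```python
import re

# Constructed sample of legacy code; function names and keys are hypothetical.
SAMPLE_PHP = r'''<?php
$HTTP_GET_VARS = $_GET;     // compatibility alias, set at global scope
$HTTP_POST_VARS = $_POST;

function get_payment() {
    return $HTTP_GET_VARS['payment'];   // alias is not visible here
}

function get_vendor() {
    global $HTTP_POST_VARS;
    return $HTTP_POST_VARS['vendors_id'];
}
'''

# The pre-superglobal "long arrays" that register_long_arrays used to populate.
LONG_ARRAY = re.compile(
    r'\$(HTTP_(?:GET|POST|COOKIE|SERVER|ENV|SESSION)_VARS|HTTP_POST_FILES)\b')
FUNC_START = re.compile(r'\bfunction\s+&?\s*(\w+)\s*\(')
GLOBAL_DECL = re.compile(r'\bglobal\b([^;]*);')

def function_bodies(src):
    """Yield (name, body) for each named function, found by brace matching."""
    for m in FUNC_START.finditer(src):
        start = src.find('{', m.end())
        if start == -1:
            continue
        depth = 0
        for i in range(start, len(src)):
            if src[i] == '{':
                depth += 1
            elif src[i] == '}':
                depth -= 1
                if depth == 0:
                    yield m.group(1), src[start + 1:i]
                    break

def missing_globals(src):
    """Map function name -> long arrays it uses without declaring them global."""
    report = {}
    for name, body in function_bodies(src):
        declared = set(re.findall(r'\$(\w+)', ' '.join(GLOBAL_DECL.findall(body))))
        used = {m.group(1) for m in LONG_ARRAY.finditer(body)}
        if used - declared:
            report[name] = sorted(used - declared)
    return report
```

An empty report does not cover the other case described in the post: code that still expects register_globals to create variables such as $payment has to be found by review.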
