
    #16
    m5 old links



    I swore I sent this earlier but it seems I didn't.

    You don't need an SFL program to allow old SFL type links to work
    with MIVA Merchant 5, all you need are some good rewrite rules
    written.

    Generating the urls in that style in the store is where you need
    a module, or code changes, or template changes, or whatever.

    For example:

    Normal url generated something like this:

    "{ g.someglobalvar $ 'screen=CTGY&Category_Code=' g.category_code }"

    Results in something like this:

    somesite.com/mm5/merchant.mvc?store_code=mystore&screen=CTGY&Category_Code=dvds

    SFL style link is something like this:

    somesite.com/page/mystore/CTGY/dvds

    rewrite rule is something like this:

    .*/page/(.*)/CTGY/(.*)/$
    /mm5/merchant.mvc?store_code=$1&screen=CTGY&category_code=$2

    An SFL style url to a product page is something like this

    somesite.com/page/mystore/PROD/DA001

    rewrite rule needs to be something like this:

    .*/page/(.*)/PROD/(.*)/(.*)/$
    /mm5/merchant.mvc?store_code=$1&screen=PROD&product_code=$3&category_code=$2

    But to make all your pages generate urls like that you need to
    edit the templates containing the urls.

    For the product list for example the code is like this:

    <a href="&mvt:global:sessionurl;Screen=PROD&Store_Code=&mvta:global:Store_Code;&Product_Code=&mvta:product:code;&Category_Code=&mvta:global:Category_Code;">&mvt:product:code;</a>

    You need to change it to something like this:

    <a href="http://yoursite.com/page/&mvta:global:Store_Code;/PROD/&mvta:global:Category_Code;/&mvta:product:code;">&mvt:product:code;</a>

    If you were going to do such editing there are much better styles
    of urls to use than the SFL style; having urls with full names of
    categories and products is much better from an SEO standpoint.
    For example we have made manual changes to clients' 4.x MMUI
    stores very quickly and easily that allow urls like:

    site.com/some-descriptive-category-code-here.html
    site.com/some-long-programaticly-altered-to-add-dashes-product-name-here_sku.html

    The rewrite rules to convert such urls to Miva Merchant pages are
    simple.

    But anyway back to MM5, there are some challenges in that certain
    urls aren't readily available in the templates, most notably the
    category tree, but you can either replace the module that
    controls the category tree, use a hard coded one, or there may be
    other options that one could come up with after a bit of thinking.
    Also there are limitations in the token language in that you
    can't use Miva script directly, so for fancy rewritten urls the
    creation of a small module that does the rewrite, that can be
    loaded as an item and then referenced on the pages, would probably
    be the way to go for fancy urls like the ones we normally do in
    old 4.x MMUI stores.

    Anyway I hope these thoughts help.

    - Jeff Huber
    President, 4TheBest eCommerce Solutions
    http://4TheBest.com
    [email protected]
    Office: 760-742-1469
    Cell: 760-445-8454


    -----Original Message-----
    From: [email protected]
    [mailto:[email protected]] On Behalf Of Jen
    Ferraz
    Sent: Tuesday, May 03, 2005 9:23 AM
    To: [email protected]
    Subject: RE: [m5u] m5 old links


    John:

    You can create new Pages with the same
    codes as you have used in the Viking module.
    The SFL links will be dependent on the availability
    of a similar module for MM5.



    Jen
    Hostasaurus.Com
    Miva Premier Hosting Partner
    813.971.8772
    [email protected]


    -----Original Message-----
    From: [email protected]
    [mailto:[email protected]] On Behalf Of John
    Fischer
    Sent: Tuesday, May 03, 2005 12:22 PM
    To: [email protected]
    Subject: [m5u] m5 old links


    Group-
    I have a store that depends on the millions of links scattered all over the
    internet. For example, Google alone has over 90,000 pages indexed in my site;
    these are Merchant style links, and SFL links as well as static pages and
    Viking coders additional screens pages with SFL link styles and Merchant
    links.

    When I migrate how can I ensure all of these links will still
    work?

    Cheers,
    John


    Comment
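The rewrite rules sketched in the post above rely on greedy `(.*)` captures, which will accept any path segment and hand it straight to merchant.mvc. The following Python is an added illustration, not code from the thread, from Miva, or from 4TheBest: it maps the two SFL-style path shapes to Merchant 5 query URLs using anchored patterns restricted to a code character class, URL-encodes the captured codes, and returns None for anything else so that unmatched paths fall through to a 404 instead of reaching merchant.mvc. It also generates the SFL-style path the edited template would emit. The `CODE` character class and the lower-case query parameter names (`store_code`, `category_code`, `product_code`, as in the rewrite targets) are assumptions.

```python
import re
from urllib.parse import quote, urlencode

# Assumption: Merchant store/category/product codes are letters, digits,
# '_' and '-' only. Anything else is rejected instead of being passed on.
CODE = r"[A-Za-z0-9_-]+"
MERCHANT = "/mm5/merchant.mvc"

# Anchored patterns for the two SFL shapes in the thread. The trailing slash
# is optional because the example links and the rules disagree on it.
CTGY_RE = re.compile(rf"^/page/({CODE})/CTGY/({CODE})/?$")
PROD_RE = re.compile(rf"^/page/({CODE})/PROD/({CODE})/({CODE})/?$")


def sfl_to_merchant(path):
    """Map an SFL-style path to the Merchant 5 URL the rewrite target produces.

    Returns None when the path matches neither shape, so the web server can
    serve a 404 rather than forwarding unknown input to merchant.mvc.
    """
    m = CTGY_RE.match(path)
    if m:
        store, category = m.groups()
        query = {"store_code": store, "screen": "CTGY",
                 "category_code": category}
        return f"{MERCHANT}?{urlencode(query)}"
    m = PROD_RE.match(path)
    if m:
        store, category, product = m.groups()
        # Same parameter order as the thread's PROD rewrite target.
        query = {"store_code": store, "screen": "PROD",
                 "product_code": product, "category_code": category}
        return f"{MERCHANT}?{urlencode(query)}"
    return None


def merchant_to_sfl(store, screen, category=None, product=None):
    """Build the SFL-style path the edited template would emit for a link.

    Codes are validated against CODE first, so a bad code raises at link
    generation time instead of producing a broken or oddly-routed URL.
    """
    for value in (store, category, product):
        if value is not None and not re.fullmatch(CODE, value):
            raise ValueError(f"code not allowed in an SFL path: {value!r}")
    if screen == "CTGY" and category:
        return f"/page/{quote(store)}/CTGY/{quote(category)}"
    if screen == "PROD" and category and product:
        return f"/page/{quote(store)}/PROD/{quote(category)}/{quote(product)}"
    raise ValueError("unsupported screen or missing codes")


if __name__ == "__main__":
    for p in ("/page/mystore/CTGY/dvds", "/page/mystore/PROD/dvds/DA001",
              "/page/mystore/ADMN/x"):
        print(p, "->", sfl_to_merchant(p))
```

The PROD shape follows the second rewrite rule (store, then category, then product), which is also the order the edited product-list template in the post emits; the bare `/PROD/DA001` link shown in the post has no category segment and would not match, which is the same gap the post's own rule has.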


      #17
      m5 old links



      This is very true, but some users will be saved from hell if they have the
      upgrade to account for possibly thousands of sfl links already indexed by
      the search engines. Purchasing a $40 upgrade would be well worth it. When
      we take on new clients with sfl already, we don't remove sfl if we implement
      a new link style. We simply add it in addition to sfl. Unlike the
      misinformation that goes around sometimes, having two different styles going
      to the same content is not going to kill you.

      Jason




      Comment


        #18
        m5 old links



        Hi Markus,

        As with all things legal, there is more complexity to things than
        there sometimes seems.

        You may be right that there is an issue but what one part of
        their site says seems to contradict what the other says.

        Specifically to your point though, Miva doesn't require MySQL to
        be installed to use their software it is one of the OPTIONS.

        The word MUST carries a lot of weight in legal documents, and I
        think it is clear that people are not required to install MySQL
        to use Miva Merchant.

        I am not a lawyer, and I don't KNOW what the case is, but my
        reading of the licenses makes me feel safe that end-users don't
        need a commercial license.

        I certainly am interested in hearing more of your, or other
        people's thoughts on this issue though, because I would hate to be
        wrong :)



        - Jeff Huber
        President, 4TheBest eCommerce Solutions
        http://4TheBest.com
        [email protected]
        Office: 760-742-1469
        Cell: 760-445-8454


        -----Original Message-----
        From: MvMarkus [mailto:[email protected]]
        Sent: Tuesday, May 03, 2005 2:06 PM
        To: 'Jeff Huber - Listmail'; 'David Hubbard';
        [email protected]
        Subject: RE: [m5u] m5 old links


        Hi Jeff,

        I hate to contradict you, but the MySQL-terms when a commercial license is
        required are quite clear:

        http://www.mysql.com/company/legal/licensing/commercial-license.html

        Among others, this states that a commercial license is required for "Selling
        software that requires customers to install MySQL themselves on their own
        machines."

        or

        "If you develop and distribute a commercial application and as part of
        utilizing your application, the end-user must download a copy of MySQL; for
        each derivative work, you (or, in some cases, your end-user) need a
        commercial license for the MySQL server and/or MySQL client libraries."



        The point is that neither you, nor I, nor anybody else except Miva and MySQL
        ABE can clearly answer this question, and this is EXACTLY the reason why I
        posted it as "questions to be answered by Miva Corp". I think it is indeed
        very important (and only fair) to know exactly who is supposed to get such a
        license - the user, the ISP, Miva Corp? It might very well be possible (yet
        quite unlikely) that they have some kind of agreement in place that relieves
        end users or ISPs from a commercial license (NuSphere for example bought
        distribution rights and paid 3/4 of a million dollars), and there are also
        special provisions for PHP apps or ISPs, and some operating systems might
        even have a commercial MySQL in their package.

        I'm quite certain that Miva's position is "if you want to use MySQL, it's
        your responsibility to be in compliance with any third party software" -
        which is okay, I just want to have some clarity on this issue.

        markus

        If I misunderstood what you were trying to say then I apologize.





        -----Original Message-----
        From: [email protected]
        [mailto:[email protected]] On Behalf Of Jeff Huber - Listmail
        Sent: Tuesday, May 03, 2005 4:39 PM
        To: 'David Hubbard'; [email protected]
        Subject: RE: [m5u] m5 old links

        Whether MIVA may or may not need a license is something we naturally can't
        KNOW, but I would assume that they crossed all the t's and dotted all the i's
        before releasing their stuff.

        As for the end user of MIVA Merchant this is a complete non-issue because
        MySQL makes it clear that: "Free use for those who never copy, modify or
        distribute. As long as you never distribute the MySQL Software in any way,
        you are free to use it for powering your application, irrespective of
        whether your application is under GPL license or not."

        So if you are an end user of MIVA Merchant there is no license needed to
        choose the MySQL option over the Mivasql option.

        You have to remember that the GPL is more about source code modification
        access than use access. They want to make sure people don't take the MySQL
        source code and incorporate it into an application if that application isn't
        a GPL application.

        End users are not doing anything at all even vaguely like that; all they are
        doing is using it.

        Now, if SuperServers.com offers to sell a server to you that includes a
        fancy control panel they wrote that integrates with MySQL built in, then they
        need to read the GPL carefully and see if they need a commercial license
        before they start selling that server, or they need to make sure they release
        all their source code and license everything under GPL.

        Two totally different types of things.

        - Jeff Huber
        President, 4TheBest eCommerce Solutions
        http://4TheBest.com
        [email protected]
        Office: 760-742-1469
        Cell: 760-445-8454

        -----Original Message-----
        From: [email protected]
        [mailto:[email protected]] On Behalf Of
        David Hubbard
        Sent: Tuesday, May 03, 2005 11:59 AM
        To: [email protected]
        Subject: RE: [m5u] m5 old links


        From: [email protected]
        >
        > 1.) Compiler: When will a new compiler be released (if at all)? Will
        > there be any costs involved?

        There is one, but I don't know if that's what Miva is currently shipping
        people who buy it.

        > 2.) MM5/MySQL licensing issues: Do we need to purchase our own
        > commercial license of MySQL, do ISPs have to offer commercial license,
        > or has Miva Corp. an agreement with MySQL ABE in place that covers the
        > end-users?

        If Miva has used code from MySQL in Empresa 5 then they need to license it;
        I haven't seen a response on whether that is the case though. Empresa 5 can
        talk to mysql natively without client libraries on the system so it
        definitely has someone's code internal to it that allows communications with
        mysql servers. If the code draws on MySQL's client code in any way, they
        need to commercially license it.

        On the server side, the way the license is worded, it says "If you include
        the MySQL server with an application that is not licensed under the GPL or
        GPL-compatible license, you need a commercial license for the MySQL server."
        So it's best to contact them to see how your intended use would be
        interpreted.

        > 3.) A statement (confirmation) reg. bug reports only being accepted
        > from members of Miva's support plan, and in such case clear
        > instructions how to submit critical bugs (like security issues) if one
        > is not a member of such a support plan. Obviously, I'd like to see
        > that Miva is still committed to listen to those issues without
        > requiring any upfront payments.

        I don't agree with charging for bug reporting but at the same time, knowing
        Miva's size and configuration, I think they do need a way to have support
        staff chasing what people would likely report as bugs all day, especially
        with Merchant 5 since a bug could easily be introduced by a customer
        modifying a template in some way. It could take extensive time per bug
        report just to determine that the issue is not a bug, and there is no way
        Miva could deal with that. So having a policy that requires bugs be
        filtered through hosts could work, and most who buy retail licenses often
        buy support anyway so they'd be covered too. I think this bug reporting fee
        will not be a major issue even though it sounds ugly when reading it.
        > 4.) Does the new template mechanism in MM5 require a compiler on the
        > server, does Empresa handle the precompilation or are these
        > interpreted scripts that don't require real compilation?

        It recompiles them on the server internally, no extra software other than
        mm5 and Empresa 5.

        > 5.) Will there be an upgrade pricing for MM5 for existing users of MM4
        > and earlier or will it only be sold as a completely new product?

        I believe Miva's upgrade license price is not changing from what it
        currently is for upgrading to 4.24 from a prior major release; $400 from
        mivacentral. We're offering our customers lower cost options as I'm sure
        the other hosts are too.
        >
        > Most MM5 related questions (changes, new features, availability of
        > payment gateways) are probably covered by the docs and your webpages,
        > or, since the official release date is only on May 16 (which I just
        > learned today from David), will be addressed at that occasion or by
        > the module developers themselves.

        Most of the default Miva modules are still present so there is not a huge
        change there.

        David


        Comment


          #19
          m5 old links



          Markus,

          I haven't dug into the MivaSQL too much yet but since it uses the same old
          native file locking routine that it used to use my guess is that it will be
          as secure as it used to be. The SQL it uses is just another way of talking
          to its databases (layman's terms).

          Speculating.... any "Injection Hacks" as you state would only be related to
          the use of MySQL with Miva Merchant. I would have to do some reading but my
          hacker educated guess tells me that this would require an open MySQL port
          and other tools.

          Let me sum this up.... there should never be an open MySQL port to the
          outside world. Miva and other scripts should be required to connect to
          localhost for connectivity. Yes, most hosts have this port open and not
          blocked at the firewall. I can't speak for the others but we do not as it
          isn't allowed through the firewall.


          Wil Hatfield
          HyperConX Customer Care

          HyperConX International - http://www.hyperconx.com
          1.800.894.3613 - Toll Free in the US and Canada

          Check out the all new Miva Pages:
          http://www.hyperconx.com/miva/

          Premium e-commerce hosting, 24/7 technical support, toll free
          support lines for your convenience, great low cost packages to
          choose from, Authorize.Net Direct retailer, need high-speed
          connectivity well we have that too. Everything a business
          needs to succeed. Host with the Pros and sell like one too!




          -----Original Message-----
          From: MvMarkus [mailto:[email protected]]
          Sent: Tuesday, May 03, 2005 1:09 PM
          To: 'Wil Hatfield'; [email protected]
          Subject: RE: [m5u] m5 old links


          Dear Wil, David,

          Thanks a lot for these answers, they're very helpful.

          A last word to the bug reports: As you suggested, Wil, I certainly won't
          hesitate to send a report to bugs@... if I ever detect one, but of course
          I'd like to know that they are taken into consideration, especially since
          with v5 there are new potential vulnerabilities through SQL injection hacks
          that we have never faced before. Considering that most major problems in
          PHP/ASP scripts originate right there (and lack of input sanitation, which
          then often allows for a SQL hack), I believe that an aggressive and "open"
          stance from Miva's side to address those issues is the only way
          Miva/Merchant's database layer can remain as secure as we knew it for years.


          For that reason, the recent posting about "paying to report bugs" troubled
          me quite a bit. But again, I am really only talking about real bugs and
          vulnerabilities; not templating/usability issues, and I agree with David
          that there will be cases where it's not going to be clear how to interpret a
          reported problem.

          So I still have my hopes up that the people in San Diego will not ignore a
          message that indicates some nasty SQL injection through a cookie... I
          certainly don't want to find the public posting of an exploit of such a
          vulnerability during my weekly readings of @RISK (SANS Institute).

          markus






          -----Original Message-----
          From: [email protected]
          [mailto:[email protected]] On Behalf Of Wil Hatfield
          Sent: Tuesday, May 03, 2005 3:23 PM
          To: MvMarkus; [email protected]
          Subject: RE: [m5u] m5 old links

          Well David already did a great job answering. My additions follow:

          3. Now that Miva has some money and more proactive staff they have been
          very good about keeping on top of the bugs. They even hired James, one of
          the best guys for the job, who will be in charge of many things and I
          believe making sure those bugs get fixed is one of them, even if through
          delegation. Here is a good resource... [email protected].

          4. In layman's terms, when you modify the "pages" aka "screen layout" in MIVA
          Merchant 5 Admin and click the Update button the "page" is compiled directly
          into the MM5 software. No compiler required unless you are building your own
          external applications or modules.

          5. Special upgrade pricing will be available to existing customers. New
          customers already get a new MM5 capable license key when they come to us, so
          everyone is covered.

          Thanks for your perspective and questions. I am going to put together an
          "Inside MIVA Merchant 5" page shortly and am glad to have the input so I
          know what kind of questions are out there.


          Wil Hatfield
          HyperConX Customer Care

          HyperConX International - http://www.hyperconx.com
          1.800.894.3613 - Toll Free in the US and Canada

          Check out the all new Miva Pages:
          http://www.hyperconx.com/miva/





          -----Original Message-----
          From: [email protected]
          [mailto:[email protected]] On Behalf Of MvMarkus
          Sent: Tuesday, May 03, 2005 11:28 AM
          To: 'Wil Hatfield'; [email protected]
          Subject: RE: [m5u] m5 old links


          Hi Wil,

          Thanks for the links. The questions that I referred to regard mainly issues
          that are only indirectly related to MM5:

          (I'm just putting together some that I remember right out of the back of my
          mind, others will certainly have many others, and probably more MM or module
          specific questions. The purpose is not to start another public discussion,
          but simply to get some straight and simple answers from official side).

          1.) Compiler: When will a new compiler be released (if at all)? Will there
          be any costs involved?

          2.) MM5/MySQL licensing issues: Do we need to purchase our own commercial
          license of MySQL, do ISPs have to offer commercial license, or has Miva
          Corp. an agreement with MySQL ABE in place that covers the end-users?

          3.) A statement (confirmation) reg. bug reports only being accepted from
          members of Miva's support plan, and in such case clear instructions how to
          submit critical bugs (like security issues) if one is not a member of such a
          support plan. Obviously, I'd like to see that Miva is still committed to
          listen to those issues without requiring any upfront payments.

          4.) Does the new template mechanism in MM5 require a compiler on the server,
          does Empresa handle the precompilation or are these interpreted scripts that
          don't require real compilation?

          5.) Will there be an upgrade pricing for MM5 for existing users of MM4 and
          earlier or will it only be sold as a completely new product?


          Most MM5 related questions (changes, new features, availability of payment
          gateways) are probably covered by the docs and your webpages, or, since the
          official release date is only on May 16 ( which I just learned today from
          David), will be addressed at that occasion or by the module developers
          themselves.

          Thanks,

          Markus






          -----Original Message-----
          From: [email protected]
          [mailto:[email protected]] On Behalf Of Wil Hatfield
          Sent: Tuesday, May 03, 2005 1:27 PM
          To: MvMarkus; [email protected]
          Subject: RE: [m5u] m5 old links

          What questions did you have that weren't covered in the docs?

          http://www.hyperconx.com/software/miva-merchant-5.phtml


          Wil Hatfield
          HyperConX Customer Care

          HyperConX International - http://www.hyperconx.com
          1.800.894.3613 - Toll Free in the US and Canada

          Check out the all new Miva Pages:
          http://www.hyperconx.com/miva/





          -----Original Message-----
          From: [email protected]
          [mailto:[email protected]] On Behalf Of MvMarkus
          Sent: Tuesday, May 03, 2005 9:44 AM
          To: 'David Hubbard'; [email protected]
          Subject: RE: [m5u] m5 old links


          I still have the hope that yesterday wasn't the official release... Meaning:
          I hope they'd at least make a public and official announcement and answer
          some of the questions that were asked here over the past weeks, to set an
          end to all the FUD and speculations.

          Markus




          -----Original Message-----
          From: [email protected]
          [mailto:[email protected]] On Behalf Of David Hubbard
          Sent: Tuesday, May 03, 2005 12:37 PM
          To: [email protected]
          Subject: RE: [m5u] m5 old links

          It was just released yesterday, I would suspect they will eventually be
          releasing many things like that which store owners consider mandatory.

          David

          > -----Original Message-----
          > From: [email protected]
          > [mailto:[email protected]] On Behalf Of John
          > Fischer
          > Sent: Tuesday, May 03, 2005 12:35 PM
          > To: [email protected]
          > Subject: RE: [m5u] m5 old links
          >
          > Well I can't migrate to Miva till a M5 SFL is released
          >
          > Anybody else in that boat?
          >
          > Is Miva going to ignore us on this issue?

          Comment
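Wil's point above, that MySQL should only ever be reachable on localhost, is something a host can check rather than assume. The Python below is an added example, not a tool from the thread, from HyperConX or from MySQL: it reads the `bind-address` setting from a my.cnf fragment (the weak all-interfaces setting shown beside the loopback-only one) and scans `ss -ltn` style output for a port 3306 listener bound to anything other than a loopback address. Both the config fragments and the socket listing are constructed samples, not captured from a real server, and the `ss` column layout is assumed to be the usual five-column form.

```python
import ipaddress

MYSQL_PORT = 3306

# Constructed my.cnf fragment: the weak setting, listening on all interfaces.
WEAK_MY_CNF = """
[mysqld]
port = 3306
bind-address = 0.0.0.0
"""

# Constructed corrected fragment: only local clients (Merchant on localhost)
# can reach the server, whatever the firewall does.
SAFE_MY_CNF = """
[mysqld]
port = 3306
bind-address = 127.0.0.1
"""

# Constructed `ss -ltn` style listing: sshd on loopback, mysqld on every
# interface, a web server on every interface.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:22         0.0.0.0:*
LISTEN  0       70      0.0.0.0:3306         0.0.0.0:*
LISTEN  0       511     *:80                 *:*
"""


def bind_address(my_cnf):
    """Return bind-address from the [mysqld] section, or None if it is unset
    (an unset bind-address means the server listens on all interfaces)."""
    section = None
    for line in my_cnf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        if section == "mysqld" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "bind-address":
                return value.strip()
    return None


def is_loopback(addr):
    """True only for loopback addresses; wildcards count as reachable."""
    if addr in ("*", "0.0.0.0", "::", "[::]"):
        return False
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return addr == "localhost"


def config_exposes_mysql(my_cnf):
    """True when the config would let MySQL accept non-local connections."""
    addr = bind_address(my_cnf)
    return addr is None or not is_loopback(addr)


def exposed_listeners(ss_text, port=MYSQL_PORT):
    """Local addresses of LISTEN sockets on `port` that are not loopback."""
    found = []
    for line in ss_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, lport = fields[3].rpartition(":")
        if lport == str(port) and not is_loopback(addr):
            found.append(addr)
    return found


if __name__ == "__main__":
    print("weak config exposes MySQL:", config_exposes_mysql(WEAK_MY_CNF))
    print("safe config exposes MySQL:", config_exposes_mysql(SAFE_MY_CNF))
    print("exposed 3306 listeners:", exposed_listeners(SS_OUTPUT))
```

The two checks are deliberately independent: the config check catches the problem before the daemon restarts, while the socket check catches a server that was started with a different config file or command-line override than the one being read.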


            #20
            m5 old links



            IMHO: The main place SFL is needed is in the category tree since there is no
            way to edit the category tree yet except by replacing it. And then you don't
            get a category tree, just a static menu. But I believe this too will become
            a thing of the past since an editable category tree is already being
            considered by Miva Dev.


            Wil Hatfield
            HyperConX Customer Care

            HyperConX International - http://www.hyperconx.com
            1.800.894.3613 - Toll Free in the US and Canada

            Check out the all new Miva Pages:
            http://www.hyperconx.com/miva/





            -----Original Message-----
            From: [email protected]
            [mailto:[email protected]] On Behalf Of Jeff Huber - Listmail
            Sent: Tuesday, May 03, 2005 2:24 PM
            To: 'Jen Ferraz'; [email protected]
            Subject: RE: [m5u] m5 old links


            I swore I sent this earlier but it seems I didn't.

            You don't need an SFL program to allow old SFL type links to work
            with MIVA Merchant 5, all you need are some good rewrite rules
            written.

            Generating the urls in that style in the store is where you need
            a module, or code changes, or template changes, or whatever.

            For example:

            Normal url generated something like this:

            "{ g.someglobalvar $ 'screen=CTGY&Category_Code=' g.category_code }"

            Results in something like this:

            somesite.com/mm5/merchant.mvc?store_code=mystore&screen=CTGY&Category_Code=dvds

            SFL style link is something like this:

            somesite.com/page/mystore/CTGY/dvds

            rewrite rule is something like this:

            .*/page/(.*)/CTGY/(.*)/$
            /mm5/merchant.mvc?store_code=$1&screen=CTGY&category_code=$2

            An SFL style url to a product page is something like this

            somesite.com/page/mystore/PROD/DA001

            rewrite rule needs to be something like this:

            .*/page/(.*)/PROD/(.*)/(.*)/$
            /mm5/merchant.mvc?store_code=$1&screen=PROD&product_code=$3&category_code=$2

            But to make all your pages generate urls like that you need to
            edit the templates containing the urls.

            For the product list for example the code is like this:

            <a href="&mvt:global:sessionurl;Screen=PROD&Store_Code=&mvta:global:Store_Code;&Product_Code=&mvta:product:code;&Category_Code=&mvta:global:Category_Code;">&mvt:product:code;</a>

            You need to change it to something like this:

            <a href="http://yoursite.com/page/&mvta:global:Store_Code;/PROD/&mvta:global:Category_Code;/&mvta:product:code;">&mvt:product:code;</a>

            If you were going to do such editing there are much better styles
            of urls to use than the SFL style, having urls with full names of
            categories and products is much better from an SEO standpoint.
            For example we have made manual changes to clients' 4.x MMUI
            stores very quickly and easily that allows urls like:

            site.com/some-descriptive-category-code-here.html
            site.com/some-long-programmatically-altered-to-add-dashes-product-name-here_sku.html

            The rewrite rules to convert such urls to Miva Merchant pages are
            simple.

            But anyway back to MM5, there are some challenges in that certain
            urls aren't readily available in the templates, most notably the
            category tree, but you can either replace the module that
            controls the category tree, use a hard coded one, or there may be
            other options that could be come up with after a bit of thinking.
            Also there are limitations in the token language in that you
            can't use Miva script directly so for fancy rewritten urls the
            creation of a small module that does the rewrite that can be
            loaded as an item and then referenced on the pages would probably
            be the way to go for fancy urls like the ones we normally do in
            old 4.x MMUI stores.

            Anyway I hope these thoughts help.

            - Jeff Huber
            President, 4TheBest eCommerce Solutions
            http://4TheBest.com
            [email protected]
            Office: 760-742-1469
            Cell: 760-445-8454



            -----Original Message-----
            From: [email protected]
            [mailto:[email protected]] On Behalf Of Jen
            Ferraz
            Sent: Tuesday, May 03, 2005 9:23 AM
            To: [email protected]
            Subject: RE: [m5u] m5 old links


            John:

            You can create new Pages with the same
            codes as you have used in the Viking module.
            The SFL links will be dependent on the availability
            of a similar module for MM5.



            Jen
            Hostasaurus.Com
            Miva Premier Hosting Partner
            813.971.8772
            [email protected]


            -----Original Message-----
            From: [email protected]
            [mailto:[email protected]] On Behalf Of John
            Fischer
            Sent: Tuesday, May 03, 2005 12:22 PM
            To: [email protected]
            Subject: [m5u] m5 old links


            Group-
            I have a store that depends on the millions of links scattered all over
            the internet. For example, Google alone has over 90,000 pages indexed in
            my site. These are Merchant style links, and SFL links as well as static
            pages and Viking coders additional screens pages with SFL link styles and
            Merchant links.

            When I migrate how can I ensure all of these links will still
            work?

            Cheers,
            John
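To show what the rewrite rules quoted above actually do with an inbound link, here is an added Python model of them; it is not code from the thread, from Miva Merchant or from Apache. It matches a path the way mod_rewrite does (against the already URL-decoded path) and builds the merchant.mvc query string from the captures. The first rule set keeps the thread's shape, a greedy `(.*)` per capture and captures substituted verbatim, which is what mod_rewrite does unless the `[B]` flag is set. The second set is my stricter variant: one path segment of code characters per capture (an assumed character set, not Miva's definition of a code) and captures URL-escaped on substitution. The trailing slash is optional in both, since the example links in the thread have none, and `Screen=OTHER` is a constructed parameter-injection value, not a real Miva screen.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Rules in the shape of the thread's mod_rewrite rules: every capture is (.*)
# and the captured text is substituted into the query string untouched. The
# trailing slash is optional here because the example links above have none.
LOOSE_RULES = [
    (re.compile(r"^/page/(.*)/CTGY/(.*)/?$"),
     "/mm5/merchant.mvc?Store_Code={1}&Screen=CTGY&Category_Code={2}"),
    (re.compile(r"^/page/(.*)/PROD/(.*)/(.*)/?$"),
     "/mm5/merchant.mvc?Store_Code={1}&Screen=PROD&Category_Code={2}&Product_Code={3}"),
]

# Stricter variant: a store, category or product code is exactly one path
# segment made of code characters (assumed character set, not Miva's rule).
SEG = r"([A-Za-z0-9_.-]+)"
STRICT_RULES = [
    (re.compile(rf"^/page/{SEG}/CTGY/{SEG}/?$"),
     "/mm5/merchant.mvc?Store_Code={1}&Screen=CTGY&Category_Code={2}"),
    (re.compile(rf"^/page/{SEG}/PROD/{SEG}/{SEG}/?$"),
     "/mm5/merchant.mvc?Store_Code={1}&Screen=PROD&Category_Code={2}&Product_Code={3}"),
]


def rewrite(path, rules, escape_captures):
    """Map an inbound (already URL-decoded) path to the internal merchant.mvc
    URL using the first matching rule, or return None when nothing matches.

    escape_captures=True models mod_rewrite's [B] flag: each back-reference is
    URL-escaped before substitution, so a captured '&' cannot start a new
    query parameter."""
    for pattern, target in rules:
        match = pattern.match(path)
        if match:
            groups = [quote(g, safe="") if escape_captures else g
                      for g in match.groups()]
            # Placeholders are 1-based like $1/$2, so pad argument 0.
            return target.format("", *groups)
    return None


def screens_requested(internal_url):
    """Every Screen= value the application would find in the rewritten URL."""
    return parse_qs(urlsplit(internal_url).query).get("Screen", [])


if __name__ == "__main__":
    # Constructed inbound paths: two legitimate links from the thread and one
    # with a parameter-injection payload in the category segment.
    for path in ("/page/mystore/CTGY/dvds",
                 "/page/mystore/PROD/dvds/DA001",
                 "/page/mystore/CTGY/dvds&Screen=OTHER"):
        print(path)
        print("  loose :", rewrite(path, LOOSE_RULES, False))
        print("  strict:", rewrite(path, STRICT_RULES, True))
```

With the loose rules an inbound `/page/mystore/CTGY/dvds&Screen=OTHER` is decoded, captured whole and substituted verbatim, so the application receives two `Screen` parameters and which one wins depends on how it parses the query string. The loose rules also let a slash-containing segment (`/page/my/store/CTGY/a/b`) through as `Store_Code=my/store`. The strict rules fail to match either, which leaves the request to fall through to a normal 404 rather than reaching merchant.mvc with attacker-shaped parameters.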




              #21
              m5 old links



              Injection attacks occur when scripts don't
              validate input correctly and allow a malformed user
              MySQL statement to be passed to the database.
              This was a recent problem with phpBB. The
              only port it requires to be open is 80.

              Here's an article you can read that explains it:
              http://www.devarticles.com/c/a/MySQL/SQL-Injection-Attacks-Are-You-Safe/



              Jen
              Hostasaurus.Com
              Miva Premier Hosting Partner
              813.971.8772
              [email protected]


              -----Original Message-----
              From: [email protected]
              [mailto:[email protected]] On Behalf Of Wil
              Hatfield
              Sent: Tuesday, May 03, 2005 6:34 PM
              To: MvMarkus; [email protected]
              Subject: RE: [m5u] m5 old links


              Markus,

              I haven't dug into the MivaSQL too much yet but since it uses the same old
              native file locking routine that it used to use my guess is that it will be
              as secure as it used to be. The SQL it uses is just another way of talking
              to its databases (layman's).

              Speculating.... any "Injection Hacks" as you state would only be related to
              the use of MySQL with Miva Merchant. I would have to do some reading but my
              hacker-educated guess tells me that this would require an open MySQL port
              and other tools.

              Let me sum this up.... there should never be an open MySQL port to the
              outside world. Miva and other scripts should be required to connect to
              localhost for connectivity. Yes, most hosts have this port open and not
              blocked at the firewall. I can't speak for the others but we do not as it
              isn't allowed through the firewall.


              Wil Hatfield
              HyperConX Customer Care




              -----Original Message-----
              From: MvMarkus [mailto:[email protected]]
              Sent: Tuesday, May 03, 2005 1:09 PM
              To: 'Wil Hatfield'; [email protected]
              Subject: RE: [m5u] m5 old links


              Dear Wil, David,

              Thanks a lot for these answers, they're very helpful.

              A last word to the bug reports: As you suggested, Wil, I certainly won't
              hesitate to send a report to bugs@... if I ever detect one, but of course
              I'd like to know that they are taken into consideration, especially since
              with v5 there are new potential vulnerabilities through SQL injection hacks
              that we have never faced before. Considering that most major problems in
              PHP/ASP scripts originate right there (and lack of input sanitation, which
              then often allows for a SQL hack), I believe that an aggressive and "open"
              stance from Miva's side to address those issues is the only way
              Miva/Merchant's database layer can remain as secure as we knew it for
              years.

              For that reason, the recent posting about "paying to report bugs" troubled
              me quite a bit. But again, I am really only talking about real bugs and
              vulnerabilities; not templating/usability issues, and I agree with David
              that there will be cases where it's not going to be clear how to interpret a
              reported problem.

              So I still have my hopes up that the people in San Diego will not ignore a
              message that indicates some nasty SQL injection through a cookie... I
              certainly don't want to find the public posting of an exploit of such
              vulnerability during my weekly readings of @RISK (SANS Institute).

              markus






              -----Original Message-----
              From: [email protected]
              [mailto:[email protected]] On Behalf Of Wil
              Hatfield
              Sent: Tuesday, May 03, 2005 3:23 PM
              To: MvMarkus; [email protected]
              Subject: RE: [m5u] m5 old links

              Well David already did a great job answering. My additions follow:

              3. Now that Miva has some money and more proactive staff they have been
              very good about keeping on top of the bugs. They even hired in James, one
              of the best guys for the job, who will be in charge of many things and I
              believe making sure those bugs get fixed is one of them even if through
              delegation. Here is a good resource... [email protected].

              4. In layman's terms, when you modify the "pages" aka "screen layout" in MIVA
              Merchant 5 Admin and click the Update button the "page" is compiled directly
              into the MM5 software. No compiler required unless you are building your own
              external applications or modules.

              5. Special upgrade pricing will be available to existing customers. New
              customers already get a new MM5 capable license key when they come to us, so
              everyone is covered.

              Thanks for your perspective and questions. I am going to put together an
              "Inside MIVA Merchant 5" page shortly and am glad to have the input so I
              know what kind of questions are out there.


              Wil Hatfield
              HyperConX Customer Care




              -----Original Message-----
              From: [email protected]
              [mailto:[email protected]]On Behalf Of MvMarkus
              Sent: Tuesday, May 03, 2005 11:28 AM
              To: 'Wil Hatfield'; [email protected]
              Subject: RE: [m5u] m5 old links


              Hi Wil,

              Thanks for the links. The questions that I referred to regard mainly issues
              that are only indirectly related to MM5:

              (I'm just putting together some that I remember right out of the back of my
              mind, others will certainly have many others, and probably more MM or module
              specific questions. The purpose is not to start another public discussion,
              but simply to get some straight and simple answers from official side).

              1.) Compiler: When will a new compiler be released (if at all)? Will there
              be any costs involved?

              2.) MM5/MySQL licensing issues: Do we need to purchase our own commercial
              license of MySQL, do ISPs have to offer commercial license, or has Miva
              Corp. an agreement with MySQL ABE in place that covers the end-users?

              3.) A statement (confirmation) reg. bug reports only being accepted from
              members of Miva's support plan, and in such case clear instructions how to
              submit critical bugs (like security issues) if one is not a member of such a
              support plan. Obviously, I'd like to see that Miva is still committed to
              listen to those issues without requiring any upfront payments.

              4.) Does the new template mechanism in MM5 require a compiler on the server,
              does Empresa handle the precompilation or are these interpreted scripts that
              don't require real compilation?

              5.) Will there be an upgrade pricing for MM5 for existing users of MM4 and
              earlier or will it only be sold as a completely new product?

              Most MM5 related questions (changes, new features, availability of payment
              gateways) are probably covered by the docs and your webpages, or, since the
              official release date is only on May 16 (which I just learned today from
              David), will be addressed at that occasion or by the module developers
              themselves.

              Thanks,

              Markus






              -----Original Message-----
              From: [email protected]
              [mailto:[email protected]] On Behalf Of Wil
              Hatfield
              Sent: Tuesday, May 03, 2005 1:27 PM
              To: MvMarkus; [email protected]
              Subject: RE: [m5u] m5 old links

              What questions did you have that weren't covered in the docs?

              http://www.hyperconx.com/software/miva-merchant-5.phtml


              Wil Hatfield
              HyperConX Customer Care




              -----Original Message-----
              From: [email protected]
              [mailto:[email protected]]On Behalf Of MvMarkus
              Sent: Tuesday, May 03, 2005 9:44 AM
              To: 'David Hubbard'; [email protected]
              Subject: RE: [m5u] m5 old links


              I still have the hope that yesterday wasn't the official release... Meaning:
              I hope they'd at least make a public and official announcement and answer
              some of the questions that were asked here over the past weeks, to set an
              end to all the FUD and speculations.

              Markus




              -----Original Message-----
              From: [email protected]
              [mailto:[email protected]] On Behalf Of David
              Hubbard
              Sent: Tuesday, May 03, 2005 12:37 PM
              To: [email protected]
              Subject: RE: [m5u] m5 old links

              It was just released yesterday, I would suspect they will eventually be
              releasing many things like that which store owners consider mandatory.

              David

              > -----Original Message-----
              > From: [email protected]
              > [mailto:[email protected]] On Behalf Of John
              > Fischer
              > Sent: Tuesday, May 03, 2005 12:35 PM
              > To: [email protected]
              > Subject: RE: [m5u] m5 old links
              >
              > Well I can't migrate to Miva till a M5 SFL is released
              >
              > Anybody else in that boat?
              >
              > Is Miva going to ignore us on this issue?
              >
              >
              >
              >
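To make the injection mechanics concrete (the "malformed user MySQL statement" Jen describes above, and the crafted category URL that pulls names and card numbers out of the orders table that David describes in his reply below), here is an added Python example; it is not Miva Merchant or Empresa code, and its tables, column names and order rows are constructed for the demonstration. It uses SQLite only because it runs offline with no server; the concatenation bug and the parameterized fix are the same on MySQL. The request arrives as an ordinary `Category_Code` query-string value, which is the point: the database port is irrelevant, because the application itself hands the attacker's SQL to the database over its normal local connection.

```python
import re
import sqlite3
from urllib.parse import parse_qs, quote, urlsplit


def build_store():
    """Constructed in-memory store: a category table the storefront reads and
    an orders table that a category page must never expose. The schema is
    invented for this example, not Miva Merchant's."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE categories (code TEXT PRIMARY KEY, name TEXT);
        INSERT INTO categories VALUES ('dvds', 'DVDs'), ('books', 'Books');
        CREATE TABLE orders (id INTEGER PRIMARY KEY, name TEXT, card TEXT);
        INSERT INTO orders VALUES (1, 'A. Customer', '4111111111111111'),
                                  (2, 'B. Customer', '5500000000000004');
    """)
    return db


def category_code_from_url(url):
    """The Category_Code value as the application receives it (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get("Category_Code", [""])[0]


def category_page_vulnerable(db, category_code):
    """Splices the request parameter into the statement text: the attacker's
    quote closes the literal and the rest of the value becomes SQL."""
    sql = "SELECT code, name FROM categories WHERE code = '" + category_code + "'"
    return db.execute(sql).fetchall()


def category_page_parameterized(db, category_code):
    """Binds the value as a parameter: it is compared as data and cannot alter
    the statement, whatever characters it contains."""
    sql = "SELECT code, name FROM categories WHERE code = ?"
    return db.execute(sql, (category_code,)).fetchall()


# Assumed shape of a legitimate code; an allowlist check in front of the
# query is defence in depth, not a replacement for binding.
CODE_RE = re.compile(r"[A-Za-z0-9_.-]{1,50}")


def category_page_hardened(db, category_code):
    """Reject anything that does not look like a code, then bind it anyway."""
    if not CODE_RE.fullmatch(category_code):
        raise ValueError("rejected Category_Code: %r" % category_code)
    return category_page_parameterized(db, category_code)


# Constructed attack: the category value closes the quoted literal, UNIONs the
# orders table onto the result and comments out the original closing quote.
PAYLOAD = "x' UNION SELECT name, card FROM orders -- "
ATTACK_URL = ("http://somesite.com/mm5/merchant.mvc?Store_Code=mystore&Screen=CTGY"
              "&Category_Code=" + quote(PAYLOAD))


if __name__ == "__main__":
    db = build_store()
    code = category_code_from_url(ATTACK_URL)
    print("vulnerable   :", category_page_vulnerable(db, code))    # leaks orders
    print("parameterized:", category_page_parameterized(db, code))  # []
    try:
        category_page_hardened(db, code)
    except ValueError as err:
        print("hardened     :", err)
```

The vulnerable lookup returns the two order rows instead of a category, the parameterized one returns nothing for the same input, and the hardened one refuses before the database is touched. A cookie value, as Markus mentions, is just another input that reaches the same string concatenation, so the fix is the same wherever the value comes from.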



                #22
                m5 old links



                > From: [email protected]
                > [mailto:[email protected]] On Behalf Of
                > Wil Hatfield
                > Sent: Tuesday, May 03, 2005 6:34 PM
                > To: MvMarkus; [email protected]
                > Subject: RE: [m5u] m5 old links
                >
                >
                > Speculating.... any "Injection Hacks" as you state would only
                > be related to the use of MySQL with Miva Merchant. I would
                > have to do some reading but my hacker-educated guess tells
                > me that this would require an open MySQL port and other tools.

                SQL injection attacks are not designed to compromise the mysql
                server so open ports are unrelated, they're designed to
                compromise the application or data. For example, writing a
                carefully crafted category URL with added SQL passed in the
                URL or posted with the intent of running a select (*) against
                the orders database to get all the names and credit card
                numbers; or to run an update and give oneself an admin
                account in the store. Hopefully though Miva has done their
                security homework while writing Empresa 5 and none of that
                kind of stuff, which phpbb seems to be susceptible to on a
                weekly basis for example, will be possible.

                David

                > >
                > > Is Miva going to ignore us on this issue?
                > >
                > >
                > >
                > >



                  #23
                  m5 old links



                  Hi Wil,

                  SQL injection hacks are -as far as I understand- pretty simple hacks, but
                  they don't necessarily require any ports or telnet or whatever access. You
                  have for example a cookie with a username (or session id), and the attacker
                  then injects into the cookie value an SQL string. So if the value should be
                  something like "abcdsc" he submits a page with the cookie value "DELETE
                  TABLE products ..." or "GRANT user ...." (give him admin rights) and similar.
                  The error in this case is that the SQL server queries the database, using
                  the string DELETE TABLE... instead of a regular value and may then actually
                  execute the string in a subquery, if for example the permissions are not
                  properly set.

                  This is of course just a simplistic example - which actually requires that
                  the permissions are not properly set AND that user input is not correctly
                  sanitized.... But you see how easily it can lead to quite annoying
                  problems.

                  On the other hand, the "classic" Miva dbIII architecture doesn't allow for
                  such a problem simply because it doesn't let you execute commands through
                  the command line. MvFILTER has some potential (because it has some
                  interpreting functionality), and therefore probably needs a bit of care, but
                  at least in the case of older Merchant's authentication schemes I don't
                  recall that MvFILTER is actually used anywhere except the searches, and I am
                  not aware that anybody has ever successfully hacked his way into a dbIII
                  table through it.

                  Markus



                  -----Original Message-----
                  From: [email protected]
                  [mailto:[email protected]] On Behalf Of Wil Hatfield
                  Sent: Tuesday, May 03, 2005 6:34 PM
                  To: MvMarkus; [email protected]
                  Subject: RE: [m5u] m5 old links

                  Markus,

                  I haven't dug into the MivaSQL too much yet but since it uses the same old
                  native file locking routine that it used to use my guess is that it will be
                  as secure as it used to be. The SQL it uses is just another way of talking
                  to its databases (layman's terms).

                  Speculating.... any "Injection Hacks" as you state would only be related to
                  the use of MySQL with Miva Merchant. I would have to do some reading but my
                  hacker educated guess tells me that this would require an open MySQL port
                  and other tools.

                  Let me sum this up.... there should never be an open MySQL port to the
                  outside world. Miva and other scripts should be required to connect to
                  localhost for connectivity. Yes, most hosts have this port open and not
                  blocked at the firewall. I can't speak for the others but we do not as it
                  isn't allowed through the firewall.


                  Wil Hatfield
                  HyperConX Customer Care

                  HyperConX International - http://www.hyperconx.com
                  1.800.894.3613 - Toll Free in the US and Canada

                  Check out the all new Miva Pages:
                  http://www.hyperconx.com/miva/

                  Premium e-commerce hosting, 24/7 technical support, toll free support lines
                  for your convenience, great low cost packages to choose from, Authorize.Net
                  Direct retailer, need high-speed connectivity well we have that too.
                  Everything a business needs to succeed. Host with the Pros and sell like one
                  too!




                  -----Original Message-----
                  From: MvMarkus [mailto:[email protected]]
                  Sent: Tuesday, May 03, 2005 1:09 PM
                  To: 'Wil Hatfield'; [email protected]
                  Subject: RE: [m5u] m5 old links


                  Dear Wil, David,

                  Thanks a lot for these answers, they're very helpful.

                  A last word to the bug reports: As you suggested, Wil, I certainly won't
                  hesitate to send a report to bugs@... if I ever detect one, but of course
                  I'd like to know that they are taken into consideration, especially since
                  with v5 there are new potential vulnerabilities through SQL injection hacks
                  that we have never faced before. Considering that most major problems in
                  PHP/ASP scripts originate right there (and lack of input sanitation, which
                  then often allows for a SQL hack), I believe that an aggressive and "open"
                  stance from Miva's side to address those issues is the only way
                  Miva/Merchant's database layer can remain as secure as we knew it for years.


                  For that reason, the recent posting about "paying to report bugs" troubled
                  me quite a bit. But again, I am really only talking about real bugs and
                  vulnerabilities; not templating/usability issues, and I agree with David
                  that there will be cases where it's not going to be clear how to interpret a
                  reported problem.

                  So I still have my hopes up that the people in San Diego will not ignore a
                  message that indicates some nasty SQL injection through a cookie... I
                  certainly don't want to find the public posting of an exploit of such
                  vulnerability during my weekly readings of @RISK (SANS Institute).

                  markus






                  -----Original Message-----
                  From: [email protected]
                  [mailto:[email protected]] On Behalf Of Wil Hatfield
                  Sent: Tuesday, May 03, 2005 3:23 PM
                  To: MvMarkus; [email protected]
                  Subject: RE: [m5u] m5 old links

                  Well David already did a great job answering. My additions follow:

                  3. Now that Miva has some money and more proactive staff they have been
                  being very good about keeping on top of the bugs. They even hired in James
                  one of the best guys for the job who will be in charge of many things and I
                  believe making sure those bugs get fixed is one of them even if through
                  delegation. Here is a good resource... [email protected].

                  4. In layman's terms, when you modify the "pages" aka "screen layout" in MIVA
                  Merchant 5 Admin and click the Update button the "page" is compiled directly
                  into the MM5 software. No compiler required unless you are building your own
                  external applications or modules.

                  5. Special upgrade pricing will be available to existing customers. New
                  customers already get a new MM5 capable license key when they come to us, so
                  everyone is covered.

                  Thanks for your perspective and questions. I am going to put together an
                  "Inside MIVA Merchant 5" page shortly and am glad to have the input so I
                  know what kind of questions are out there.


                  Wil Hatfield
                  HyperConX Customer Care

                  HyperConX International - http://www.hyperconx.com
                  1.800.894.3613 - Toll Free in the US and Canada

                  Check out the all new Miva Pages:
                  http://www.hyperconx.com/miva/

                  Premium e-commerce hosting, 24/7 technical support, toll free support lines
                  for your convenience, great low cost packages to choose from, Authorize.Net
                  Direct retailer, need high-speed connectivity well we have that too.
                  Everything a business needs to succeed. Host with the Pros and sell like one
                  too!




                  -----Original Message-----
                  From: [email protected]
                  [mailto:[email protected]]On Behalf Of MvMarkus
                  Sent: Tuesday, May 03, 2005 11:28 AM
                  To: 'Wil Hatfield'; [email protected]
                  Subject: RE: [m5u] m5 old links


                  Hi Wil,

                  Thanks for the links. The questions that I referred to regard mainly issues
                  that are only indirectly related to MM5:

                  (I'm just putting together some that I remember right out of the back of my
                  mind, others will certainly have many others, and probably more MM or module
                  specific questions. The purpose is not to start another public discussion,
                  but simply to get some straight and simple answers from official side).

                  1.) Compiler: When will a new compiler be released (if at all)? Will there
                  be any costs involved?

                  2.) MM5/MySQL licensing issues: Do we need to purchase our own commercial
                  license of MySQL, do ISPs have to offer commercial license, or has Miva
                  Corp. an agreement with MySQL ABE in place that covers the end-users?

                  3.) A statement (confirmation) reg. bug reports only being accepted from
                  members of Miva's support plan, and in such case clear instructions how to
                  submit critical bugs (like security issues) if one is not a member of such a
                  support plan. Obviously, I'd like to see that Miva is still committed to
                  listen to those issues without requiring any upfront payments.

                  4.) Does the new template mechanism in MM5 require a compiler on the server,
                  does Empresa handle the precompilation or are these interpreted scripts that
                  don't require real compilation?

                  5.) Will there be an upgrade pricing for MM5 for existing users of MM4 and
                  earlier or will it only be sold as a completely new product?


                  Most MM5 related questions (changes, new features, availability of payment
                  gateways) are probably covered by the docs and your webpages, or, since the
                  official release date is only on May 16 (which I just learned today from
                  David), will be addressed at that occasion or by the module developers
                  themselves.

                  Thanks,

                  Markus






                  -----Original Message-----
                  From: [email protected]
                  [mailto:[email protected]] On Behalf Of Wil Hatfield
                  Sent: Tuesday, May 03, 2005 1:27 PM
                  To: MvMarkus; [email protected]
                  Subject: RE: [m5u] m5 old links

                  What questions did you have that weren't covered in the docs?

                  http://www.hyperconx.com/software/miva-merchant-5.phtml


                  Wil Hatfield
                  HyperConX Customer Care

                  HyperConX International - http://www.hyperconx.com
                  1.800.894.3613 - Toll Free in the US and Canada

                  Check out the all new Miva Pages:
                  http://www.hyperconx.com/miva/

                  Premium e-commerce hosting, 24/7 technical support, toll free support lines
                  for your convenience, great low cost packages to choose from, Authorize.Net
                  Direct retailer, need high-speed connectivity well we have that too.
                  Everything a business needs to succeed. Host with the Pros and sell like one
                  too!




                  -----Original Message-----
                  From: [email protected]
                  [mailto:[email protected]]On Behalf Of MvMarkus
                  Sent: Tuesday, May 03, 2005 9:44 AM
                  To: 'David Hubbard'; [email protected]
                  Subject: RE: [m5u] m5 old links


                  I still have the hope that yesterday wasn't the official release... Meaning:
                  I hope they'd at least make a public and official announcement and answer
                  some of the questions that were asked here over the past weeks, to set an
                  end to all the FUD and speculations.

                  Markus




                  -----Original Message-----
                  From: [email protected]
                  [mailto:[email protected]] On Behalf Of David Hubbard
                  Sent: Tuesday, May 03, 2005 12:37 PM
                  To: [email protected]
                  Subject: RE: [m5u] m5 old links

                  It was just released yesterday, I would suspect they will eventually be
                  releasing many things like that which store owners consider mandatory.

                  David

                  > -----Original Message-----
                  > From: [email protected]
                  > [mailto:[email protected]] On Behalf Of John
                  > Fischer
                  > Sent: Tuesday, May 03, 2005 12:35 PM
                  > To: [email protected]
                  > Subject: RE: [m5u] m5 old links
                  >
                  > Well I can't migrate to Miva till a M5 SFL is released
                  >
                  > Anybody else in that boat?
                  >
                  > Is Miva going to ignore us on this issue?
                  >
                  >
                  >
                  >

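                  Markus's cookie scenario above, written out as an added illustration (this is not code from the thread, from Miva Merchant, or from any product named here): a session lookup that splices the cookie value straight into the SQL text, beside a version that first checks the value looks like a session id and then binds it as a parameter. The sessions table, the session ids and the cookie values are constructed for the demo; SQLite stands in for whatever SQL backend a store would use.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: a sessions table mapping a cookie sid to a user."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions (sid TEXT PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    db.executemany(
        "INSERT INTO sessions VALUES (?, ?, ?)",
        [("abcdsc", "markus", 0), ("9f1e2d", "storeadmin", 1)],
    )
    return db


def lookup_vulnerable(db, cookie_sid):
    """The defect Markus describes: the cookie value becomes part of the statement.

    Whatever the client sent is parsed by the SQL engine as query text, so a
    value that is not a plain session id can change what the WHERE clause means.
    """
    sql = "SELECT username, is_admin FROM sessions WHERE sid = '%s'" % cookie_sid
    return db.execute(sql).fetchone()


# A session id is an opaque alphanumeric token; anything else is rejected up front.
SID_RE = re.compile(r"[A-Za-z0-9]{6,64}")


def lookup_safe(db, cookie_sid):
    """Hardened lookup: validate the shape, then bind the value as a parameter.

    With a bound parameter the driver hands the value to the engine separately
    from the statement, so it can only ever be compared against sid, never
    interpreted as SQL. The format check on top of that means a tampered cookie
    is dropped (and could be logged) before the database is touched at all.
    """
    if not isinstance(cookie_sid, str) or not SID_RE.fullmatch(cookie_sid):
        return None
    sql = "SELECT username, is_admin FROM sessions WHERE sid = ?"
    return db.execute(sql, (cookie_sid,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR is_admin=1 --"  # constructed tampered cookie value
    print("vulnerable, legit cookie :", lookup_vulnerable(db, "abcdsc"))
    print("vulnerable, tampered     :", lookup_vulnerable(db, tampered))
    print("safe, legit cookie       :", lookup_safe(db, "abcdsc"))
    print("safe, tampered           :", lookup_safe(db, tampered))
```

Running it shows the two layers Markus lists: the vulnerable lookup resolves the tampered cookie to the admin row because the quote and comment characters rewrite the WHERE clause, while the safe lookup returns nothing for it and still resolves the legitimate cookie. The database account's privileges (the "permissions not properly set" half of his example) are the independent second layer: a web-facing account that can only read and write the tables the storefront needs limits what even a successful injection can do.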


                    #24
                    m5 old links



                    Just to illustrate how often these SQL injection holes occur, look at the
                    list of Web app vulnerabilities published by SANS's @RISK newsletter of this
                    week:

                    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from
                    Qualys (www.qualys.com)

                    -- Web Application
                    05.17.37 - Ocean12 Calendar Manager Admin Form SQL Injection
                    05.17.38 - PHPBB-Auction Module SQL Injection
                    05.17.39 - PHP Labs proFile Dir URI Variable Cross-Site Scripting
                    05.17.40 - DUportal Pro Multiple SQL Injection Vulnerabilities
                    05.17.41 - Coppermine Photo Gallery Favs SQL Injection
                    05.17.42 - PHProjekt Chatroom Text Submission HTML Injection
                    05.17.43 - DUportal Multiple SQL Injection Vulnerabilities
                    05.17.44 - Coppermine Photo Gallery ZipDownload.PHP SQL Injection
                    05.17.45 - AZ Bulletin Board Remote File Include Vulnerability
                    05.17.46 - AZ Bulletin Board Remote Directory Traversal
                    05.17.47 - AZ Bulletin Board Directory Traversal
                    05.17.48 - FlexPHPNews News.PHP SQL Injection
                    05.17.49 - PayProCart Username Cross-Site Scripting
                    05.17.50 - ProfitCode PayProCart ChckOutAction Cross-Site Scripting
                    05.17.51 - PayProCart Ckprvd Cross-Site Scripting
                    05.17.52 - PayProCart PageID Cross-Site Scripting
                    05.17.53 - PayProCart AdminShop HDoc Cross-Site Scripting
                    05.17.54 - ASPNuke Comments.ASP SQL Injection
                    05.17.55 - ASPNuke Detail.ASP SQL Injection
                    05.17.56 - PixySoft E-Cart Remote Command Execution Vulnerability
                    05.17.57 - ProfitCode Software PayProCart AdminShop ModID Cross-Site
                    Scripting
                    05.17.58 - ProfitCode PayProCart Cross-Site Scripting
                    05.17.59 - ProfitCode PayProCart AdminShop ProMod Cross-Site Scripting
                    05.17.60 - ProfitCode PayProCart Cross-Site Scripting
                    05.17.61 - MediaWiki Unspecified HTML Tidy Cross-Site Scripting
                    05.17.62 - OneWorldStore chksettings.asp Denial of Service
                    05.17.63 - ASPNuke Profile.ASP Cross-Site Scripting
                    05.17.64 - WoltLab Burning Board Thread.PHP Cross-Site Scripting
                    05.17.65 - Black Knight Forum Member.ASP SQL Injection
                    05.17.66 - Black Knight Forum Forum.ASP SQL Injection
                    05.17.67 - Black Knight Forum Register.ASP SQL Injection
                    05.17.68 - CartWIZ ProductCatalogSubCats.ASP SQL Injection
                    05.17.69 - CartWIZ SearchResults.ASP Cross-Site Scripting
                    05.17.70 - phpBB Profile.PHP Cross-Site Scripting
                    05.17.71 - phpBB Viewtopic.PHP Cross Site Scripting
                    05.17.72 - ACS Blog Administrative Access Authentication Bypass
                    05.17.73 - SWSoft Confixx Change User SQL Injection
                    05.17.74 - PHPMyVisites Cross-Site Scripting
                    05.17.75 - PHPMyVisites Index.PHP Cross Site Scripting
                    05.17.76 - PHPMyVisites Site Variable Cross-Site Scripting
                    05.17.77 - CartWIZ SearchResults.ASP PriceTo Argument SQL Injection
                    05.17.78 - CartWIZ SearchResults.ASP PriceFrom SQL Injection
                    05.17.79 - CartWIZ SearchResults.ASP IDCategory Argument SQL Injection
                    05.17.80 - CartWIZ Multiple SQL Injection and Cross-Site Scripting
                    Vulnerabilities
                    05.17.81 - CartWIZ Access.ASP Cross-Site Scripting
                    05.17.82 - CartWIZ Login.ASP Redirect Argument Cross-Site Scripting
                    05.17.83 - CartWIZ Searchresults.ASP SKU Argument Cross-Site Scripting
                    05.17.84 - Horde Nag Remote Cross-Site Scripting
                    05.17.85 - Horde Chora Remote Cross-Site Scripting
                    05.17.86 - Horde Accounts Module Remote Cross-Site Scripting
                    05.17.87 - OneWorldStore IDOrder Information Disclosure
                    05.17.88 - MetaCart2 IntCatalogID Parameter Remote SQL Injection
                    05.17.89 - MetaCart2 StrSubCatalogID Parameter SQL Injection
                    05.17.90 - MetaCart2 CurCatalogID Parameter Remote SQL Injection
                    05.17.91 - MetaCart2 strSubCatalog_NAME Parameter Remote SQL Injection
                    05.17.92 - MetaCart E-Shop V-8 Remote SQL Injection
                    05.17.93 - Invision Power Board QPid Parameter SQL Injection
                    05.17.94 - SqWebmail HTTP Response Splitting
                    05.17.95 - WoltLab Burning Board PMS.PHP Cross-Site Scripting
                    05.17.96 - MetaCart e-Shop Remote SQL Injection
                    05.17.97 - StorePortal Default.ASP Multiple SQL Injection Vulnerabilities
                    05.17.98 - Horde Vacation Remote Cross-Site Scripting
                    05.17.99 - Horde MNemo Remote Cross-Site Scripting
                    05.17.100 - phpMyVisites Set_Lang File Include
                    05.17.101 - yappa-ng Unspecified Remote File Include
                    05.17.102 - yappa-ng Cross-Site Scripting
                    05.17.103 - GrayCMS Error.PHP Remote File Include
                    05.17.104 - MetaCart2 Searchaction.ASP Multiple SQL Injection
                    Vulnerabilities
                    05.17.105 - bBlog Index.PHP HTML Injection Vulnerability
                    05.17.106 - MetaBid Auctions intAuctionID Parameter SQL Injection
                    05.17.107 - bBlog PostID Parameter SQL Injection
                    05.17.108 - BEA WebLogic Server and WebLogic Express Cross-Site Scripting
                    05.17.109 - ABCZone.IT WWWGuestBook SQL Injection
                    05.17.110 - PHP-Calendar Search.PHP SQL Injection




                    Markus


                    -----Original Message-----
                    From: Wil Hatfield [mailto:[email protected]]
                    Sent: Tuesday, May 03, 2005 6:34 PM
                    To: MvMarkus; [email protected]
                    Subject: RE: [m5u] m5 old links

                    Markus,

                    I haven't dug into the MivaSQL too much yet but since it uses the same old
                    native file locking routine that it used to use my guess is that it will be
                    as secure as it used to be. The SQL it uses is just another way of talking
                    to its databases (layman's terms).

                    Speculating.... any "Injection Hacks" as you state would only be related to
                    the use of MySQL with Miva Merchant. I would have to do some reading but my
                    hacker educated guess tells me that this would require an open MySQL port
                    and other tools.

                    Let me sum this up.... there should never be an open MySQL port to the
                    outside world. Miva and other scripts should be required to connect to
                    localhost for connectivity. Yes, most hosts have this port open and not
                    blocked at the firewall. I can't speak for the others but we do not as it
                    isn't allowed through the firewall.


                    Wil Hatfield
                    HyperConX Customer Care

                    HyperConX International - http://www.hyperconx.com
                    1.800.894.3613 - Toll Free in the US and Canada

                    Check out the all new Miva Pages:
                    http://www.hyperconx.com/miva/

                    Premium e-commerce hosting, 24/7 technical support, toll free support lines
                    for your convenience, great low cost packages to choose from, Authorize.Net
                    Direct retailer, need high-speed connectivity well we have that too.
                    Everything a business needs to succeed. Host with the Pros and sell like one
                    too!




                    -----Original Message-----
                    From: MvMarkus [mailto:[email protected]]
                    Sent: Tuesday, May 03, 2005 1:09 PM
                    To: 'Wil Hatfield'; [email protected]
                    Subject: RE: [m5u] m5 old links


                    Dear Wil, David,

                    Thanks a lot for these answers, they're very helpful.

                    A last word to the bug reports: As you suggested, Wil, I certainly won't
                    hesitate to send a report to bugs@... if I ever detect one, but of course
                    I'd like to know that they are taken into consideration, especially since
                    with v5 there are new potential vulnerabilities through SQL injection hacks
                    that we have never faced before. Considering that most major problems in
                    PHP/ASP scripts originate right there (and lack of input sanitation, which
                    then often allows for a SQL hack), I believe that an aggressive and "open"
                    stance from Miva's side to address those issues is the only way
                    Miva/Merchant's database layer can remain as secure as we knew it for years.


                    For that reason, the recent posting about "paying to report bugs" troubled
                    me quite a bit. But again, I am really only talking about real bugs and
                    vulnerabilities; not templating/usability issues, and I agree with David
                    that there will be cases where it's not going to be clear how to interpret a
                    reported problem.

                    So I still have my hopes up that the people in San Diego will not ignore a
                    message that indicates some nasty SQL injection through a cookie... I
                    certainly don't want to find the public posting of an exploit of such
                    vulnerability during my weekly readings of @RISK (SANS Institute).

                    markus






                    -----Original Message-----
                    From: [email protected]
                    [mailto:[email protected]] On Behalf Of Wil Hatfield
                    Sent: Tuesday, May 03, 2005 3:23 PM
                    To: MvMarkus; [email protected]
                    Subject: RE: [m5u] m5 old links

                    Well David already did a great job answering. My additions follow:

                    3. Now that Miva has some money and more proactive staff they have been
                    being very good about keeping on top of the bugs. They even hired in James
                    one of the best guys for the job who will be in charge of many things and I
                    believe making sure those bugs get fixed is one of them even if through
                    delegation. Here is a good resource... [email protected].

                    4. In layman's terms, when you modify the "pages" aka "screen layout" in MIVA
                    Merchant 5 Admin and click the Update button the "page" is compiled directly
                    into the MM5 software. No compiler required unless you are building your own
                    external applications or modules.

                    5. Special upgrade pricing will be available to existing customers. New
                    customers already get a new MM5 capable license key when they come to us, so
                    everyone is covered.

                    Thanks for your perspective and questions. I am going to put together an
                    "Inside MIVA Merchant 5" page shortly and am glad to have the input so I
                    know what kind of questions are out there.


                    Wil Hatfield
                    HyperConX Customer Care

                    HyperConX International - http://www.hyperconx.com
                    1.800.894.3613 - Toll Free in the US and Canada

                    Check out the all new Miva Pages:
                    http://www.hyperconx.com/miva/

                    Premium e-commerce hosting, 24/7 technical support, toll free support lines
                    for your convenience, great low cost packages to choose from, Authorize.Net
                    Direct retailer, need high-speed connectivity well we have that too.
                    Everything a business needs to succeed. Host with the Pros and sell like one
                    too!




                    -----Original Message-----
                    From: [email protected]
                    [mailto:[email protected]]On Behalf Of MvMarkus
                    Sent: Tuesday, May 03, 2005 11:28 AM
                    To: 'Wil Hatfield'; [email protected]
                    Subject: RE: [m5u] m5 old links


                    Hi Wil,

                    Thanks for the links. The questions that I referred to regard mainly issues
                    that are only indirectly related to MM5:

                    (I'm just putting together some that I remember right out of the back of my
                    mind, others will certainly have many others, and probably more MM or module
                    specific questions. The purpose is not to start another public discussion,
                    but simply to get some straight and simple answers from official side).

                    1.) Compiler: When will a new compiler be released (if at all)? Will there
                    be any costs involved?

                    2.) MM5/MySQL licensing issues: Do we need to purchase our own commercial
                    license of MySQL, do ISPs have to offer commercial license, or has Miva
                    Corp. an agreement with MySQL ABE in place that covers the end-users?

                    3.) A statement (confirmation) reg. bug reports only being accepted from
                    members of Miva's support plan, and in such case clear instructions how to
                    submit critical bugs (like security issues) if one is not a member of such a
                    support plan. Obviously, I'd like to see that Miva is still committed to
                    listen to those issues without requiring any upfront payments.

                    4.) Does the new template mechanism in MM5 require a compiler on the server,
                    does Empresa handle the precompilation or are these interpreted scripts that
                    don't require real compilation?

                    5.) Will there be an upgrade pricing for MM5 for existing users of MM4 and
                    earlier or will it only be sold as a completely new product?


                    Most MM5 related questions (changes, new features, availability of payment
                    gateways) are probably covered by the docs and your webpages, or, since the
                    official release date is only on May 16 ( which I just learned today from
                    David), will be addressed at that occasion or by the module developers
                    themselves.

                    Thanks,

                    Markus






                    -----Original Message-----
                    From: [email protected]
                    [mailto:[email protected]] On Behalf Of Wil Hatfield
                    Sent: Tuesday, May 03, 2005 1:27 PM
                    To: MvMarkus; [email protected]
                    Subject: RE: [m5u] m5 old links

                    What questions did you have that weren't covered in the docs?

                    http://www.hyperconx.com/software/miva-merchant-5.phtml


                    Wil Hatfield
                    HyperConX Customer Care

                    HyperConX International - http://www.hyperconx.com
                    1.800.894.3613 - Toll Free in the US and Canada

                    Check out the all new Miva Pages:
                    http://www.hyperconx.com/miva/

                    Premium e-commerce hosting, 24/7 technical support, toll free support lines
                    for your convenience, great low cost packages to choose from, Authorize.Net
                    Direct retailer, need high-speed connectivity well we have that too.
                    Everything a business needs to succeed. Host with the Pros and sell like one
                    too!




                    -----Original Message-----
                    From: [email protected]
                    [mailto:[email protected]]On Behalf Of MvMarkus
                    Sent: Tuesday, May 03, 2005 9:44 AM
                    To: 'David Hubbard'; [email protected]
                    Subject: RE: [m5u] m5 old links


                    I still have the hope that yesterday wasn't the official release... Meaning:
                    I hope they'd at least make a public and official announcement and answer
                    some of the questions that were asked here over the past weeks, to set an
                    end to all the FUD and speculations.

                    Markus




                    -----Original Message-----
                    From: [email protected]
                    [mailto:[email protected]] On Behalf Of David Hubbard
                    Sent: Tuesday, May 03, 2005 12:37 PM
                    To: [email protected]
                    Subject: RE: [m5u] m5 old links

                    It was just released yesterday, I would suspect they will eventually be
                    releasing many things like that which store owners consider mandatory.

                    David

                    > -----Original Message-----
                    > From: [email protected]
                    > [mailto:[email protected]] On Behalf Of John
                    > Fischer
                    > Sent: Tuesday, May 03, 2005 12:35 PM
                    > To: [email protected]
                    > Subject: RE: [m5u] m5 old links
                    >
                    > Well I can't migrate to Miva till a M5 SFL is released
                    >
                    > Anybody else in that boat?
                    >
                    > Is Miva going to ignore us on this issue?
                    >
                    >
                    >
                    >



                      #25
                      m5 old links



                      As stated "I would have to do some reading" and now I have. Thanks for the
                      link Jen.

                      I SERIOUSLY doubt that those vulnerabilities would be present in a Merchant
                      release. Frankly the vulnerabilities are caused by some really stupid coding
                      mistakes. Seems to lean more towards ASP and that is probably why the author
                      there on the page really uses ASP as his examples. Perl and PHP aren't going
                      to accept misguided variable inputs so easily and I very much doubt that C++
                      will either. Maybe one day I can add C++ to my list. Now on the MivaScript
                      side it could but with all the new "validation" taking place in VM & MM5 I
                      am pretty comfortable with it.

                      Good information though. I will continue to strip() chop() chomp() my way to
                      clean inputs.


                      Wil Hatfield
                      HyperConX Customer Care




                      -----Original Message-----
                      From: [email protected]
                      [mailto:[email protected]]On Behalf Of Jen Ferraz
                      Sent: Tuesday, May 03, 2005 3:53 PM
                      To: [email protected]
                      Subject: RE: [m5u] m5 old links


                      Injection attacks occur when scripts don't
                      validate input correctly and allow a malformed user
                      MySQL statement to be passed to the database.
                      This was a recent problem with phpBB. The
                      only port it requires to be open is 80.

                      Here's an article you can read that explains it:
                      http://www.devarticles.com/c/a/MySQL/SQL-Injection-Attacks-Are-You-Safe/



                      Jen
                      Hostasaurus.Com
                      Miva Premier Hosting Partner
                      813.971.8772
                      [email protected]


                      -----Original Message-----
                      From: [email protected]
                      [mailto:[email protected]] On Behalf Of Wil
                      Hatfield
                      Sent: Tuesday, May 03, 2005 6:34 PM
                      To: MvMarkus; [email protected]
                      Subject: RE: [m5u] m5 old links


                      Markus,

                      I haven't dug into the MivaSQL too much yet but since it uses the same old
                      native file locking routine that it used to use my guess is that it will be
                      as secure as it used to be. The SQL it uses is just another way of talking
                      to its databases (layman's).

                      Speculating.... any "Injection Hacks" as you state would only be related to
                      the use of MySQL with Miva Merchant. I would have to do some reading but my
                      hacker educated guess tells me that this would require an open MySQL port
                      and other tools.

                      Let me sum this up.... there should never be an open MySQL port to the
                      outside world. Miva and other scripts should be required to connect to
                      localhost for connectivity. Yes, most hosts have this port open and not
                      blocked at the firewall. I can't speak for the others but we do not as it
                      isn't allowed through the firewall.


                      Wil Hatfield
                      HyperConX Customer Care




                      -----Original Message-----
                      From: MvMarkus [mailto:[email protected]]
                      Sent: Tuesday, May 03, 2005 1:09 PM
                      To: 'Wil Hatfield'; [email protected]
                      Subject: RE: [m5u] m5 old links


                      Dear Wil, David,

                      Thanks a lot for these answers, they're very helpful.

                      A last word to the bug reports: As you suggested, Wil, I certainly won't
                      hesitate to send a report to bugs@... if I ever detect one, but of course
                      I'd like to know that they are taken into consideration, especially since
                      with v5 there are new potential vulnerabilities through SQL injection hacks
                      that we have never faced before. Considering that most major problems in
                      PHP/ASP scripts originate right there (and lack of input sanitation, which
                      then often allows for a SQL hack), I believe that an aggressive and "open"
                      stance from Miva's side to address those issues is the only way
                      Miva/Merchant's database layer can remain as secure as we knew it for years.


                      For that reason, the recent posting about "paying to report bugs" troubled
                      me quite a bit. But again, I am really only talking about real bugs and
                      vulnerabilities; not templating/usability issues, and I agree with David
                      that there will be cases where it's not going to be clear how to interpret a
                      reported problem.

                      So I still have my hopes up that the people in San Diego will not ignore a
                      message that indicates some nasty SQL injection through a cookie... I
                      certainly don't want to find the public posting of an exploit of such
                      vulnerability during my weekly readings of @RISK (SANS Institute).

                      markus






                      -----Original Message-----
                      From: [email protected]
                      [mailto:[email protected]] On Behalf Of Wil
                      Hatfield
                      Sent: Tuesday, May 03, 2005 3:23 PM
                      To: MvMarkus; [email protected]
                      Subject: RE: [m5u] m5 old links

                      Well David already did a great job answering. My additions follow:

                      3. Now that Miva has some money and more proactive staff they have been
                      being very good about keeping on top of the bugs. They even hired in James,
                      one of the best guys for the job, who will be in charge of many things and I
                      believe making sure those bugs get fixed is one of them even if through
                      delegation. Here is a good resource... [email protected].

                      4. In layman's terms, when you modify the "pages" aka "screen layout" in MIVA
                      Merchant 5 Admin and click the Update button the "page" is compiled directly
                      into the MM5 software. No compiler required unless you are building your own
                      external applications or modules.

                      5. Special upgrade pricing will be available to existing customers. New
                      customers already get a new MM5 capable license key when they come to us, so
                      everyone is covered.

                      Thanks for your perspective and questions. I am going to put together an
                      "Inside MIVA Merchant 5" page shortly and am glad to have the input so I
                      know what kind of questions are out there.


                      Wil Hatfield
                      HyperConX Customer Care







                        #26
                        m5 old links



                        From: [email protected]
                        >
                        > As stated "I would have to do some reading" and now I have.
                        > Thanks for the link Jen.
                        >
                        > I SERIOUSLY doubt that those vulnerabilities would be present
                        > in a Merchant release. Frankly the vulnerabilities are caused
                        > by some really stupid coding mistakes. Seems to lean more

                        A lot of the applications that have been vulnerable to this
                        type of attack have been written by programmers whose
                        backgrounds also should not have allowed such code to
                        be left unchecked. Take phpbb for example, it's been
                        vulnerable to attacks similar to previous ones in three of
                        the last five releases, and they have five programmers working
                        on it.

                        > towards ASP and that is probably why the author there on the
                        > page really uses ASP as his examples.

                        I think PHP is the most commonly exploited language for
                        this attack due in part to its once-default setup of
                        allowing "register globals" which made it incredibly
                        easy to pass in new data to override already set variables.
                        It also tends to be present and used for poorly coded
                        applications on millions of web servers.

                        > Perl and PHP aren't going to accept misguided variable inputs
                        > so easily and I very much doubt that C++ will either. Maybe

                        The language doesn't know what makes input valid or not. Any
                        language will accept any input, it's the programmer who has
                        to check that the input given is valid and decide what to do
                        with it. A single line php program that just uses the include()
                        function can be turned into a remotely controlled attack
                        participant by sending it perfectly valid input. A C++
                        variable is no more likely to check an SQL query for sanity
                        than any other language, we just have to have confidence
                        that Miva has done so.

                        > one day I can add C++ to my list. Now on the MivaScript side
                        > it could but with all the new "validation" taking place in
                        > VM & MM5 I am pretty comfortable with it.
                        >
                        > Good information though. I will continue to strip() chop()
                        > chomp() my way to clean inputs.

                        Removing whitespace from the end of a string is not sanitizing
                        your inputs. That's not going to catch someone nesting
                        a "select (*) from s01_Orders" into a variable they've discovered
                        in Merchant that has been left unprotected.

                        David
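                        Added illustration of the point made in the post above (it is not code from the thread, from Merchant or from phpBB, and it is in Python rather than MivaScript or PHP): a product lookup that "cleans" its input with strip(), the Python counterpart of the strip()/chop()/chomp() mentioned earlier, and then splices it into the statement text, beside the same lookup using a bound parameter. The table names s01_Products and s01_Orders are taken from the thread; the columns, the rows, the lookup functions and the attacker value are constructed for this example.

```python
import sqlite3

# Constructed sample schema; only the table names s01_Products and
# s01_Orders come from the thread, the columns and rows are made up here.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE s01_Products (id INTEGER PRIMARY KEY, code TEXT, name TEXT);
        CREATE TABLE s01_Orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL);
        INSERT INTO s01_Products VALUES (1, 'DA001', 'Some DVD');
        INSERT INTO s01_Orders VALUES (1001, 'alice@example.com', 19.99);
        INSERT INTO s01_Orders VALUES (1002, 'bob@example.com', 42.0);
    """)
    return db

def clean(value):
    # The strip()/chop()/chomp() style of input "cleaning": it removes
    # surrounding whitespace and line endings, nothing else.
    return value.strip()

def lookup_product_vulnerable(db, product_code):
    # The trimmed input is spliced into the statement text, so quotes and
    # keywords inside it are parsed as SQL by the database.
    sql = ("SELECT code, name FROM s01_Products WHERE code = '"
           + clean(product_code) + "'")
    return db.execute(sql).fetchall()

def lookup_product_safe(db, product_code):
    # Bound parameter: the statement text is fixed and the value is handed
    # to the database separately, so it can only be compared as a string.
    sql = "SELECT code, name FROM s01_Products WHERE code = ?"
    return db.execute(sql, (clean(product_code),)).fetchall()

# Constructed attacker value. The surrounding whitespace is there to show
# that trimming changes nothing; the '--' comments out the closing quote
# that the vulnerable function appends.
PAYLOAD = "  ' UNION SELECT customer, total FROM s01_Orders -- \n"

def demo():
    db = make_db()
    return {
        "normal_vulnerable": lookup_product_vulnerable(db, "DA001"),
        "normal_safe": lookup_product_safe(db, "DA001"),
        "attack_vulnerable": lookup_product_vulnerable(db, PAYLOAD),
        "attack_safe": lookup_product_safe(db, PAYLOAD),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

                        Run it and compare the two attack_* entries: the concatenating version returns rows from s01_Orders through what was meant to be a product lookup, the bound version returns nothing. Where the value comes from (form field, URL parameter, cookie, HTTP header) makes no difference to either function.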




                          #27
                          m5 old links



                          David Hubbard wrote:
                          > Removing whitespace from the end of a string is not sanitizing
                          > your inputs. That's not going to catch someone nesting
                          > a "select (*) from s01_Orders" into a variable they've discovered
                          > in Merchant that has been left unprotected.

                          Let's say we have a text attribute on a product. Are you saying that
                          the customer could enter some variation of select (*) from s01_Orders
                          into the text input and add the product to the basket and it would run
                          that query?

                          --
                          Bill Weiland A2Z Emporium Plus http://www.emporiumplus.com/store.mvc
                          Modules for eCommerce. Mail Mgr, Coupon, PayPal, Froogle/Yahoo feeds
                          Rate This, Gift/Wish List, Wait List Mgr, EZ Batch, Shipping & more
                          Online Documentation http://www.emporiumplus.com/docs
                          Question http://www.emporiumplus.com/mivamodule_wcw.mvc?Screen=SPTS




                            #28
                            m5 old links



                            From: [email protected]
                            >
                            > David Hubbard wrote:
                            > > Removing whitespace from the end of a string is not sanitizing
                            > > your inputs. That's not going to catch someone nesting
                            > > a "select (*) from s01_Orders" into a variable they've discovered
                            > > in Merchant that has been left unprotected.
                            >
                            > Let's say we have a text attribute on a product. Are you saying that
                            > the customer could enter some variation of select (*) from s01_Orders
                            > into the text input and add the product to the basket and it would run
                            > that query?
                            >

                            Very unlikely in that case, since the text being input from a
                            text input box would be considered inherently insecure; that
                            type of text is probably handled carefully, escaped and inserted
                            into the database for storage. SQL injection attacks typically
                            find ways to override known variables with new queries, or alter
                            existing queries. An example would be my guessing that internal
                            to Merchant or a module, a variable named "query" were being used.
                            This is common for programmers to do in languages where they're
                            working with SQL, storing their query somewhere while they build
                            it before executing it, so my guess of "query" might be right in
                            a lot of cases. Well, if there's some unchecked input somewhere,
                            maybe I can set query equal to "select (*) from s01_Orders"
                            by passing it in where the module doesn't expect it, and then it
                            ends up running that query for me and displaying the results
                            instead of what it intended on doing.

                            In prior versions of Merchant you could pass in POST variables
                            and have Merchant pre-fill form fields for you. For example,
                            I can hit a product page with a text attribute via POST and send
                            it <input name="AttributeValue[1]" value="select (*) from s01_Orders">.
                            Merchant will fill that box in for me when it renders the page
                            because I effectively set a variable internal to it while the
                            script was running. I could change AttributeValue[1] to maybe
                            g.query or some other Merchant-style variable; I don't know
                            MivaScript so I'm just theorizing, but maybe by doing something
                            like that I'll cause a variable set internal to the script to
                            be overridden by what I want it to be, and that's where the
                            danger potentially lies.

                            David
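                            Added illustration of the variable-override scenario described in the post above (not code from the thread or from Merchant; Python, with a constructed request handler standing in for a Merchant page or module): a handler that copies every submitted field into the same namespace as its own variables, which is what makes a field like AttributeValue[1] come back pre-filled, so that a field named query replaces the statement the handler meant to run; beside it, a handler that accepts only known fields into a separate namespace. The field name AttributeValue[1], the variable name query and the table s01_Orders come from the thread; the handlers, the schema and the rows are constructed.

```python
import sqlite3

# Constructed sample data; only the table names come from the thread.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE s01_Products (code TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE s01_Orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL);
        INSERT INTO s01_Products VALUES ('DA001', 'Some DVD');
        INSERT INTO s01_Orders VALUES (1001, 'alice@example.com', 19.99);
    """)
    return db

def render_product_page_vulnerable(db, form):
    """register_globals-style handler (constructed): every submitted field
    lands in the same namespace 'g' as the handler's own variables. That is
    what makes AttributeValue[1] re-appear pre-filled in the form, but it
    also lets a submitted field called 'query' replace the handler's query."""
    g = {
        "Product_Code": "DA001",
        "query": "SELECT code, name FROM s01_Products WHERE code = :Product_Code",
    }
    g.update(form)  # the dangerous merge of request data into internal state
    # Named placeholders are bound from g; a query with no placeholders runs
    # as-is, so an attacker-supplied query is executed unchanged.
    rows = db.execute(g["query"], g).fetchall()
    return {"prefill": g.get("AttributeValue[1]", ""), "rows": rows}

ALLOWED_FIELDS = {"Product_Code", "AttributeValue[1]"}

def render_product_page_safe(db, form):
    """Hardened handler (constructed): request fields are filtered against
    an allow-list and kept in their own namespace, so nothing the client
    sends can reach the handler's internal variables."""
    query = "SELECT code, name FROM s01_Products WHERE code = :Product_Code"
    form_vars = {k: v for k, v in form.items() if k in ALLOWED_FIELDS}
    product_code = form_vars.get("Product_Code", "DA001")
    rows = db.execute(query, {"Product_Code": product_code}).fetchall()
    return {"prefill": form_vars.get("AttributeValue[1]", ""), "rows": rows}

# Constructed requests. In the attack the attribute text is harmless (it is
# only echoed back into the input box); the extra 'query' field is the attack.
NORMAL_FORM = {"Product_Code": "DA001", "AttributeValue[1]": "blue"}
ATTACK_FORM = {
    "Product_Code": "DA001",
    "AttributeValue[1]": "select (*) from s01_Orders",
    "query": "SELECT customer, total FROM s01_Orders",
}

def demo():
    db = make_db()
    return {
        "normal_vulnerable": render_product_page_vulnerable(db, NORMAL_FORM),
        "attack_vulnerable": render_product_page_vulnerable(db, ATTACK_FORM),
        "attack_safe": render_product_page_safe(db, ATTACK_FORM),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

                            In the vulnerable handler the attribute text is never interpreted as SQL, exactly as the post says; the order data leaks because the request was allowed to redefine an internal variable. The hardened version needs no escaping of the attribute text either: it simply refuses to let request data name anything but the fields it expects.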




                              #29
                              m5 old links



                              David Hubbard wrote:
                              > I don't know
                              > MivaScript so I'm just theorizing, but maybe by doing something
                              > like that I'll cause a variable set internal to the script to
                              > be overridden by what I want it to be, and that's where the
                              > danger potentially lies.

                              But accessing the data in Merchant is done with more than select (*)
                              from s01_Products

                              For example:
                              <MvCOMMENT> The product id is bound through FIELDS into the '?' placeholder rather than concatenated into the query text. </MvCOMMENT>
                              <MvOPENVIEW NAME = "Merchant"
                                          VIEW = "Products"
                                          QUERY = "{ 'SELECT * FROM ' $ g.Store_Table_Prefix $ 'Products WHERE id = ?' }"
                                          FIELDS = "l.product:id">

                              Isn't Merchant creating a specific way of getting to the data such that
                              you would need to use the "Mv" commands. Or does somehow having select
                              (*) from s01_Products floating around allow you to connect outside of
                              Merchant?

                              Inquiring minds want to know. So do the hackers.

                              --
                              Bill Weiland A2Z Emporium Plus http://www.emporiumplus.com/store.mvc
                              Modules for eCommerce. Mail Mgr, Coupon, PayPal, Froogle/Yahoo feeds
                              Rate This, Gift/Wish List, Wait List Mgr, EZ Batch, Shipping & more
                              Online Documentation http://www.emporiumplus.com/docs
                              Question http://www.emporiumplus.com/mivamodule_wcw.mvc?Screen=SPTS




                                #30
                                m5 old links



                                It depends on what you do with the user input. If any user input is used
                                unchecked to dynamically build queries, then it can certainly happen. There
                                are also diverse other situations where user input, or other manipulable
                                data (cookies, HTTP headers, CGI/form/URL variables, ...) can be used for
                                injection.

                                This risk of code injection always existed in Miva Script, but took
                                different forms with different versions of the engine and of Merchant. For
                                example, any server still holding files of (even an inactive) Merchant version
                                prior to ~2.21 can be compromised easily, and data and script files of the
                                entire account can be accessed.

                                The most evident holes were plugged later, but Merchant became safer with
                                v4, and then especially with the compiled 4.14. Well, I speak about stock
                                Merchant - unfortunately the same cannot be said about all 3rd party modules.
                                Unfortunately, I saw many 3rd party modules that open the entire system to
                                easy exploits.

                                While the compiled v4 Miva Script reduced the risks considerably, there may
                                indeed be new risks included with the SQL interface. Although I hope and
                                believe that the stock Merchant is written cleanly, inexperienced coders may
                                indeed introduce new security flaws.

                                Ivo Truxa

                                | http://miva.truxoft.com
                                | Advanced Miva Merchant modules



                                -----Original Message-----
                                From: William Weiland


                                David Hubbard wrote:
                                > Removing whitespace from the end of a string is not sanitizing
                                > your inputs. That's not going to catch someone nesting
                                > a "select (*) from s01_Orders" into a variable they've discovered
                                > in Merchant that has been left unprotected.

                                Let's say we have a text attribute on a product. Are you saying that
                                the customer could enter some variation of select (*) from s01_Orders
                                into the text input and add the product to the basket and it would run
                                that query?




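An added example, not from this thread and not Miva Merchant's own code, that puts Ivo's point ("user input used unchecked to dynamically build queries") next to the `?`-placeholder shape of Bill's MvOPENVIEW snippet. Since Miva Script cannot be run here it uses Python's sqlite3 against a constructed s01_Products table; the table prefix, the rows and the is_valid_product_id helper are assumptions made for the example.

```python
import sqlite3

# Constructed stand-in for a Merchant store table; the prefix, table name and
# rows are assumptions for this example, not data from the thread.
STORE_TABLE_PREFIX = "s01_"


def make_db():
    """Build an in-memory s01_Products table with three sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE " + STORE_TABLE_PREFIX + "Products "
                 "(id INTEGER, code TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO " + STORE_TABLE_PREFIX + "Products VALUES (?, ?, ?)",
        [(1, "DA001", "DVD A"), (2, "DA002", "DVD B"), (3, "DA003", "DVD C")],
    )
    return conn


def lookup_concat(conn, product_id):
    """Query built by string concatenation: the raw request value becomes
    part of the SQL text. This is the 'unchecked input' case."""
    sql = ("SELECT code FROM " + STORE_TABLE_PREFIX + "Products WHERE id = "
           + product_id + " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, product_id):
    """Same query with a ? placeholder and a bound value, the shape of the
    QUERY/FIELDS pair in MvOPENVIEW. The value is only ever treated as data."""
    sql = ("SELECT code FROM " + STORE_TABLE_PREFIX + "Products WHERE id = ?"
           " ORDER BY id")
    return [row[0] for row in conn.execute(sql, (product_id,))]


def is_valid_product_id(value):
    """Input check worth doing before either lookup: an id is digits only."""
    return value.isdigit()


if __name__ == "__main__":
    db = make_db()
    # A plain id behaves the same both ways; a value carrying extra SQL text
    # widens the concatenated query but matches nothing when bound.
    for value in ("2", "2 OR 1=1"):
        print(repr(value), "valid:", is_valid_product_id(value),
              "concat:", lookup_concat(db, value),
              "bound:", lookup_bound(db, value))
```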