Loaded Commerce Community

All times are UTC - 5 hours





Do you want the requirement for register_globals to be enabled to be removed from CRE Loaded
Poll ended at Fri May 09, 2008 3:59 pm
yes 86% [ 6 ]
no 0% [ 0 ]
don't care 14% [ 1 ]
Total votes : 7
 Post subject: Let's resolve the register_globals issue for good
Posted: Sat Feb 09, 2008 3:59 pm
CRE Newbie

Joined: Sat Feb 09, 2008 3:24 pm
Posts: 9
Location: Brixham, Devon, UK
Due to my frustration with the register_global issue, which is well documented on this site and others as being both a security problem and on the verge of deprecation I have just sent the following email to support. I would like to ask all users of CRE Loaded to consider the message below and comment on whether or not this is an issue for you in the first place but also whether or not you would be willing to give up your free time to assist in getting a final resolution to the fault. You would not have to be a developer to help as any new code produced would need to be tested on as many platforms as possible prior to going live.

I welcome any thoughts on this matter, hopefully something constructive can be achieved. Here is the email I sent to support:

Sirs,

I don't want to be churlish about this, but as both the current versions of PHP (4.4.8 & 5.2.5) have register_globals turned off and that an increasing number of ISPs are blocking the functionality of local php.ini & .htaccess files without crippling other elements of their hosting services, isn't it about time that you as an organisation, 'bit the bullet' and resolved these issues which are rapidly becoming a major reason NOT to use CRE Loaded. Don't get me wrong I really like your product but I also hate not being able to choose my hosting company myself and having to rely on companies which allow known security issues to go unchecked. This is not the strongest selling point you could have.

In my humble opinion, a permanent and effective fix to the register_globals issue that does not require opening the very security hole which the directive was changed to close (and which is on the verge of deprecation). I am very disappointed to notice from your forums that this has now been an issue for almost four years, which is poor response even for a software company.

On a more constructive note, I would like to offer my services in this matter as I'm sure would others if permitted the opportunity, as this is such a major issue for many of us, and only going to be getting a bigger one. I have been writing php professionally for a number of years and I am sure that if the question were asked then you would find no shortage of volunteers to help in this project. All it would take from yourselves is the commitment to take the project on and the resources to coordinate the project. To that end I am going to create a thread in the user forums asking for a consensus opinion from the user base. That should at least tell us whether this is as much of an issue as I believe or if I've just 'gone off on one'.

Very best regards and thank you for an otherwise great product.

Edward Finlayson

_________________
Opinions are like noses, everyone's got one. But then again, so have I.


 Post subject: Re: Let's resolve the register_globals issue for good
Posted: Sat Feb 09, 2008 4:47 pm
CRE Expert

Joined: Wed May 03, 2006 12:00 am
Posts: 647
CRE is already in development of a Register Globals off version. The next release (6.3) will have a lot of this work done but will not be advertised as a RG off version until 6.5 release.

_________________
Scott Logsdon
Software Development Manager
Chain Reaction eCommerce, Inc.


 Post subject: Re: Let's resolve the register_globals issue for good
Posted: Sat Feb 09, 2008 8:17 pm
CRE Newbie

Joined: Sat Feb 09, 2008 3:24 pm
Posts: 9
Location: Brixham, Devon, UK
Great news, but you'll have to forgive my antithesis however as we have all been hearing very similar things since php 4 was released in 2004. What I for one would like to see is movement, for example are you recruiting for beta testers for this 'release' or have you got even an estimated release date. No, not yet, later in the year...... yawn!!! heard it all before. What about some action??? or some honesty, transparency, or just a cry for help if you can't manage it on your own. You have a not insignificant number of experienced users and developers available if you only ask, and yes I do mean ask.

My offer still stands, I am prepared to work on this for free if it means a real and lasting solution is the outcome but I haven't got time to work on it full time (I have a job, I develop in php for a living), but I can and would be willing to give around 15-20 hrs per week to the project, which in terms of my salary equates to a 'donation' of up to £430 per week.

If CRE Loaded is not destined to be GF off until 6.5, some 3 major releases away, perhaps sales of the current platform should be suspended until that is revised, because at this rate 6.5 will be available sometime after the winter of 2012, do you honestly believe that there will still be php4 installations on web servers then even after considering that 'Support for PHP 4 has been discontinued since 2007-12-31. Please consider upgrading to PHP 5.2. The release below is the last PHP 4 release' as can be seen at http://www.php.net/downloads.php#v5', also at php.net check out http://uk2.php.net/manual/en/security.globals.php which states ‘This feature is DEPRECATED and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.’ Php 6.0 is available for testing only at http://snaps.php.net/ but is a good indication of where the language is heading.

With the above in mind, I don’t want any more lip service I want change, progression and improvement. Isn’t it time that the loyalty and patience of your customers was rewarded.

That’s my ‘two cents’ worth, does anyone else have a point of view? If you do, please give it. Debate only strengthens the understanding of the cause of the argument. Let’s understand the cause of this debate….. and then fix it.

_________________
Opinions are like noses, everyone's got one. But then again, so have I.


 Post subject: Re: Let's resolve the register_globals issue for good
Posted: Sat Feb 09, 2008 11:12 pm
CRE Expert

Joined: Wed May 03, 2006 12:00 am
Posts: 647
Heya EFinlayson,

Thanks for the paragraph of comments but rest assured we here at CRE have read the PHP for Dummies book just as you have and we also realize the upcoming PHP 6.0 does not make use of Register Globals.

Thanks for the heads up though .... whew ... might have missed that one 8O

_________________
Scott Logsdon
Software Development Manager
Chain Reaction eCommerce, Inc.


 Post subject: Re: Let's resolve the register_globals issue for good
Posted: Sat Feb 09, 2008 11:23 pm
CRE Legend

Joined: Sun Nov 09, 2003 1:00 am
Posts: 7301
Location: Baconton, GA USA
Pretty strong words for a fellow whose "extensive documentation" consists of all of 3 posts.....

Here's mine. The decision was made some time back to focus on real bugs and feature impairments to the detriment of RG Off support. It was made under the impression that a full 2.2, 2.3 or 3.0 release of osCommerce was imminent and would fix that issue anyway. It was the right decision at the time, and I say that as one of the people who made it.

Perhaps, with the benefit of your 20:40 hindsight I might have made it differently - but without that impossibility, I've nothing for which to apologize.

In the meantime, a number of other PHP 5 compatibility issues have been addressed and the code is poised to give users a significant lifespan for their investment regardless of PHP 4's EOL, and the decision was made to proceed with RG off fixes. Sounds like a very reasonable progression to me, particularly when you consider that this is hardly the only issue involved.

So, if you want to pop in here screaming "Fire!" and demanding instant action, why don't you just slide back out on the same banana peel you slid in on?

NOTE: While the undersigned was Project Manager, and Chief Operating Officer for CRE from 2004 to 2007 he is no longer associated with and does not speak for CRE, Inc.

David

_________________
My CRE Loaded FAQ List
CRE Loaded Hosting


 Post subject: Re: Let's resolve the register_globals issue for good
Posted: Sun Feb 10, 2008 12:58 am
CRE Newbie

Joined: Sat Feb 09, 2008 3:24 pm
Posts: 9
Location: Brixham, Devon, UK
Thank you both for your eloquently put and constructive comments. I'll reply in order.

[datazen]

Thank you for letting us, your CUSTOMERS know that you have at least gone to the bother of reading 'PHP for dummies' personally I was using the language in anger for a significant time before the first idiot guide was allowed to escape. Don't get me wrong, all of the 'Dummies' guides are well written, informative and well informed. Perhaps you should re-read it?

[Nimitz1061]

Thank you for your 'quote', something which I have NOT said in this posting though, but thanks anyway ;-)
One thing, perhaps compatibility with the very language in which the product is written might be considered an imperative, especially considering that this has been a documented issue since php 4 was released in 2004. Do you honestly think that a commercial programme, (I am right in thinking that CRE Loaded is thought of as a commercial programme aren’t I?) should wait for, and I do quote, although I’m paraphrasing, ‘someone else to do it for us’. Don’t get me wrong your work as it stands is possibly the best ecommerce solution on the market; I for one have actually paid good money for it without regret. It is solely my frustration in this continued ‘head in the sand’ attitude that has provoked me into this debate. I say ‘permissum populus narro’ which, just in case you ‘don’t do Latin’ means simply “let the people speak”. I most sincerely hope that no-one has an issue with that at least.
Please, please do not take this personally, I do value, and understand how much effort, energy and emotional energy goes into writing software, after all I do it for a living as well, however I am personally neither screaming nor riding a banana skin, nice analogy though, but instead just asking that you, the development community either get on and actually do as you have been promising for so awfully long, or if you are having difficulties do the ‘grown-up’ thing and ask for help.


I do not wish to engage in a flame-battle, and that is most certainly NOT the purpose of this thread. I do want to pose the question however: shouldn’t this already have been fixed, and if not shouldn’t it be done now with php 4 End Of Life and the fact that the feature which CRE depends on, even if it’s based on osCommerce, is about to be deprecated out of the language?

The number of postings I have made is entirely moot; I simply haven’t had anything to say. Now that I have, I have finally registered in the forums and said it, surely no-one could have a ‘problem’ with that. The strength of one's argument is never enhanced by the number of debates you’ve had, just by your powers of persuasion, and the eloquence of its delivery. I am asking the question and offering to help at my own expense, is that not constructive, even if it seems unwelcome?

Finally, I would encourage other customers and users of CRE Loaded to add their comments here. And if it turns out that I am talking out of my hat and no-one cares that the product will, in its current form, become unusable without something being done to remedy the situation I will offer my apology to all concerned right now. If however you do care, please add your thoughts.

Fin

_________________
Opinions are like noses, everyone's got one. But then again, so have I.


 Post subject: Re: Let's resolve the register_globals issue for good
Posted: Sun Feb 10, 2008 1:05 am
CRE Legend

Joined: Sun Nov 09, 2003 1:00 am
Posts: 7301
Location: Baconton, GA USA
Fin,

No one has said the issue shouldn't be addressed. Just that the process of addressing it will not be declared final until it is final. 6.2 is already less dependent on RG, the process will continue until it is done. osCommerce took several years to do it with a much smaller code base, and considering that CRE is putting much more behind their code than osC (no "full release in over 6 years??) I think they should be a bit cautious about declaring the code fully ready.

As for the number of posts you have made, you made them pertinent by your content and tone. Your initial point was and is well taken. The tone of your initial posts however, defined presumption. By all means, let the discussion continue.

It might be pertinent to note that while PHP 4 will be getting nothing more than security fixes for the next year, that PHP 5 is still under active development and will be supported for some time after the release of PHP 6. As the 6.x line will run well under PHP 5, this issue is not so urgent as you make it out to be and personal attacks on developers you don't even know are both unwarranted and rude.


David

_________________
My CRE Loaded FAQ List
CRE Loaded Hosting


 Post subject: Re: Let's resolve the register_globals issue for good
Posted: Sun Feb 10, 2008 1:24 am
CRE Newbie

Joined: Sat Feb 09, 2008 3:24 pm
Posts: 9
Location: Brixham, Devon, UK
Hi David,

I concur personal attacks are unnecessary and counter productive, and if I have caused offence I am truly sorry, it was not meant to. My comment to you was meant in a light-hearted and jocular way, as I'm sure yours was. I was not meaning to slight anyone’s ability or professional integrity please accept my most profound apology.

My comments are not meant to be either premature or alarmist, if they have come across as such, that is unfortunate, I am simply raising attention to a subject which is not going to go away and in fact is going to become increasingly important as more and more ISPs are changing the security profiles of their hosting services in order to avoid 'issues' with hacked websites, data security et al.

CRE Loaded does indeed run admirably under PHP5 and is as I have attested, possibly the best eCommerce solution available.

What then can I do as both a customer and a professional developer to assist, other than raising attention to what is commonly known to be a security risk & offering my support and assistance to address it?

Once again, I unreservedly apologise for any insult that either you or any person contributing to the debate has suffered and state for the record that it was not my intention to offend, and regret any offence suffered.

Best regards,

Fin

_________________
Opinions are like noses, everyone's got one. But then again, so have I.


 Post subject: Re: Let's resolve the register_globals issue for good
Posted: Sun Feb 10, 2008 3:39 am
CRE Expert

Joined: Wed May 03, 2006 12:00 am
Posts: 647
Quote:
[datazen]

Thank you for letting us, your CUSTOMERS know that you have at least gone to the bother of reading 'PHP for dummies' personally I was using the language in anger for a significant time before the first idiot guide was allowed to escape. Don't get me wrong, all of the 'Dummies' guides are well written, informative and well informed. Perhaps you should re-read it?


I simply let you know that CRE is in fact aware and has been working on the RG issue for some time. My comments were direct and accurate as well as professional. Then you come here to my domain and sling crap you call "comments"??

careful .... you have no idea what you say nor to who you say it to ...

Quote:
I do not wish to engage in a flame-battle,


Have you read your own posts? I believe first blood was drawn by you!

Quote:
What then can I do as both a customer and a professional developer to assist, other than raising attention to what is commonly known to be a security risk & offering my support and assistance to address it?


"Commonly known"- well of course we know about it. I stated that in my first post.

Professional ???? Hardly.

Developer?? I hope not.

You call your posts helpful?

Quote:
I concur personal attacks are unnecessary and counter productive, and if I have caused offence I am truly sorry,


I take GREAT offense at your comments. If you are truly a developer then you know EXACTLY what I mean. The CRE staff are all professionals and all give 12+ hours a day 7 days per week to the project. I personally oversee a lot of the programming here at CRE so for you to just "assume" we are not aware of the RG issue and to take it to such length is absurd.


Quote:
Opinions are like noses, everyone's got one. But then again, so have I.


I guess that shoe fits. Just wonder where that nose of yours has been.

_________________
Scott Logsdon
Software Development Manager
Chain Reaction eCommerce, Inc.


 Post subject: Re: Let's resolve the register_globals issue for good
Posted: Sun Feb 10, 2008 3:00 pm
CRE Newbie

Joined: Sat Feb 09, 2008 3:24 pm
Posts: 9
Location: Brixham, Devon, UK
To use the common vernacular 'Nuff said!!!

Your diatribe merely confirms my suspicions, especially when yet again we hear ‘we’re dealing with it’. Look here -> http://forums.creloaded.com/Forums/view ... html#57947 another example of being told it’s being dealt with. Personally, I am neither insulted, nor put out by your ranting. Instead I welcome ANY response, even if I would prefer a reasoned discussion, or even proposed action to the drivel above.

I at least earn my living as a developer, and once again regret that my APOLOGY seems to have caused you so much personal harm. Therefore, once more I apologise, perhaps we should both 'take a deep breath'.

So far as to whom I'm talking, that's simple: THE USER BASE AND PAYING CUSTOMERS. You seem to forget in your fervour that it is people like myself that have made 'your domain' possible. As neither of us is Mr J. Rambo then the issue of 'first blood' is also moot.

Your response merely demonstrates the amount of emotional energy that goes into developing software, which I attested above and while I am truly sorry that you seem to feel so threatened by free speech, especially for an American, in this matter the body of evidence simply outweighs your protestations and if you re-read the conversation above, you will clearly see that I am NOT simply beating anyone but instead trying to get a fix, even offering to help you to do it.

Finally, a question, is CRE Loaded a professional, commercial product or an open source community application?


Regards,

Fin

_________________
Opinions are like noses, everyone's got one. But then again, so have I.


 Post subject: Re: Let's resolve the register_globals issue for good
Posted: Sun Feb 10, 2008 5:35 pm
CRE Expert

Joined: Wed May 03, 2006 12:00 am
Posts: 647
Quote:
Your response merely demonstrates the amount of emotional energy that goes into developing software, which I attested above and while I am truly sorry that you seem to feel so threatened by free speech


Not to worry, I am not threatened. If I have mistaken your comments for passion, then I also apologize.

Quote:
On a more constructive note, I would like to offer my services in this matter as I'm sure would others if permitted the opportunity


Anyone can contribute to the project and apply to become a member of the team. Perhaps you are exactly what CRE needs. All resumes are accepted at resume@creloaded.com.

Quote:
Great news, but you'll have to forgive my antithesis however as we have all been hearing very similar things since php 4 was released in 2004. What I for one would like to see is movement, for example are you recruiting for beta testers for this 'release' or have you got even an estimated release date. No, not yet, later in the year...... yawn!!!


I started with CRE in 2005, so 2004 was a bit before my tenure. All I can say at the moment is that the next version 6.3, will be using the RG off codebase. Once fully tested as an RG off version by our QA department and beta testers and once we feel confident that it has passed said tests, it will be advertised and supported that way.

A beta testers group does exist and you can also join the group. I believe the thread is here - http://forums.creloaded.com/Forums/view ... =7874.html. Just leave your request and info.


Best Regards,

_________________
Scott Logsdon
Software Development Manager
Chain Reaction eCommerce, Inc.


 Post subject: Re: Let's resolve the register_globals issue for good
Posted: Sun Feb 10, 2008 6:24 pm
CRE Newbie

Joined: Sat Feb 09, 2008 3:24 pm
Posts: 9
Location: Brixham, Devon, UK
Thanks for your input Scott,

I will be doing as you suggest, later this evening once I get a bit more of my own work done. I would consider it a privilege to be able to contribute towards this excellent product.

Best regards,

Fin

_________________
Opinions are like noses, everyone's got one. But then again, so have I.


 Post subject: Re: Let's resolve the register_globals issue for good
Posted: Thu Oct 23, 2008 8:04 pm
CRE Expert

Joined: Wed Jul 30, 2003 12:00 am
Posts: 1411
ahem,

6.3 has been released and the register_globals issue is addressed in this release. Viva La CRE.

Flame Off.

_________________
Regards,

Salvatore Iozzia
Founder and Chief Evil Overlord
Loaded Commerce, LLC & The Reactor Works / Hosting
http://loadedcommerce.com | http://thereactorworks.com | http://thereactorhosting.com

JOIN THE LOADED SKYPE CHAT:
http://tinyurl.com/7mlvwot

follow me on TWITTER! http://www.twitter.com/saliozzia

