Archive for the ‘Troubleshooting’ category

« Older Entries

How to fix the flaw in the WP Ecommerce table rate shipping module

January 25th, 2012

Catchy title eh! It’s difficult to name such a post but I have just diagnosed a client’s site and realised that there was a bit of an error in the WPEC (WPSC) table rate shipping module.

Reading the code it looks like the table rate module is designed to be used exclusively or in conjunction with a secondary service. The flaw I have found is that table rate is coded to always return a price regardless of whether you want one or not.

Basically my client wanted to use the weight shipping module for all postage except if the cart amount was more than £200 in which case free postage would be offered. Simple right?.. just add a layer (row) into the table rate settings with a minimum price of 200 and a value of 0. This would mean that weight based is used until the table rate conditional kicks in at £200 and offers cheaper postage (free in fact).

No.. sadly not correct :(

Table rate is written so that is always returns a price regardless of whether you want it to or not. Basically if you have a single row (layer) in the settings for the module it will show it. The system works well at the top end where price is greater than or equal to but there must always be a base price in the module (value of 0.00 or 0.01 if it doesn’t save) to catch those which fail the PHP logic. Note the following function to get a quote (taken directly from tablerate.php):

    function getQuote() {

        global $wpdb, $wpsc_cart;
        if (isset($_SESSION['nzshpcrt_cart'])) {
            $shopping_cart = $_SESSION['nzshpcrt_cart'];
        }
        if (is_object($wpsc_cart)) {
            $price = $wpsc_cart->calculate_subtotal(true);
        }

        $layers = get_option('table_rate_layers');

        if ($layers != '') {

            // At some point we should probably remove this as the sorting should be
            // done when we save the data to the database. But need to leave it here
            // for people who have non-sorted settings in their database
            krsort($layers);

            foreach ($layers as $key => $shipping) {

                if ($price >= (float)$key) {

                    if (stristr($shipping, '%')) {

                        // Shipping should be a % of the cart total
                        $shipping = str_replace('%', '', $shipping);
                        $shipping_amount = $price * ( $shipping / 100 );

                    } else {

                        // Shipping is an absolute value
                        $shipping_amount = $shipping;

                    }

                    return array("Table Rate"=>$shipping_amount);

                }

            }

            $shipping = array_shift($layers);

            if (stristr($shipping, '%')) {
                $shipping = str_replace('%', '', $shipping);
                $shipping_amount = $price * ( $shipping / 100 );
            } else {
                $shipping_amount = $shipping;
            }

            return array("Table Rate"=>$shipping_amount);

        }
    }

If you read through the code it basically loops through all of the layers to find the conditional price point that matches and returns the price. The oddity is the next set of code which, I suppose, is a fall back. Sadly the fall back is entirely unnecessary and causes this issue. The code starts from the following onwards:

$shipping = array_shift($layers);

In fact the simplest way to ‘fix’ the function is to put a return  statement just before that line:

return false;
$shipping = array_shift($layers);

Once that is in place you are free to use the module properly once again. I might write this as a separate shipping module for people to download as changing the name of each layer would be a nice idea as well as setting a maximum price point for each layer.

No comments »

Posted in Bug Fixes, Ecommerce, PHP, Plugins, Troubleshooting, Wordpress

Turn off theme CSS for the visual editor in WordPress 3.3+

January 5th, 2012

It’s been on the cards for months and WordPress has finally added the inbuilt function whereby CSS files declared on the front end are now also declared on the edit item (post/page/custom post type) pages within the admin system. This is wonderful for some but, as someone who looks at a fair few sites using a range of free, premium and bespoke themes, actually it’s a curse in disguise. Let me explain…

Let’s say you go to the WordPress theme repository and grab a nice free theme which has been written by a developer less than ‘au fait’ with WordPress functionality or best practice. You turn on the theme, all looks good and then go to write a post only to be presented with the page from hell because loose CSS rules used in style.css have broken the editor page look and feel all together. As there is no way in CSS to set a priority without rewriting the code itself you are left with a mess.

Pre WordPress 3.3 this wasn’t an issue as you needed to explicitly declare an editor style sheet in order to use the styles and make it look somewhat closer to that which you might find on the front end of the site.

Now.. turning it off! Well it will require some coding and in actual fact the simplest way to do anything about it is to make your stylesheet invisible to WordPress. Let me explain: The correct way to enqueue any CSS and JS on your site is to do something like the following:

add_action('wp_print_styles', 'theme_add_stylesheet');
function theme_add_stylesheet() {
    wp_register_style('theme_stylesheet', get_stylesheet_directory_uri() . '/style.css');
    wp_enqueue_style( 'theme_stylesheet');
}

This means that when the wp_head action is triggered from header.php in your theme the style will be printed to screen along with the other styles and scripts. The enqueue style function adds the name and location of the script to a global array which can be reused at any time. In short, WordPress knows that it is a CSS file declared by a plugin or theme and therefore can reuse it at will.

The fix is simple.. don’t use that method and, instead, use the original crude method of adding a stylesheet which is to write the HTML yourself as follows:

<link rel="stylesheet" href="<?php bloginfo('stylesheet_url'); ?>" type="text/css" media="screen" />

This code, when placed in header.php of your theme, simply outputs the line in the head section of your page and includes the stylesheet unbeknown to WordPress and therefore won’t be used in the editor.

99% of the themes I have seen and used use the latter method so it’s not an issue but hopefully this will hel someone who has just upgraded and has some sort of multicoloured and wierdly laid out admin post page.

No comments »

Posted in Bug Fixes, PHP, Plugins, Themes, Time Savers, Troubleshooting, Tutorials, Wordpress

WordPress plugin queue jumping made easy

January 1st, 2012

Hi all. Happy new year etc.. I have plenty of plans for the next 12 months but won’t go into them unlike every other person with a blog is undoubtedly doing at the moment. I want to keep this strictly useful information and me telling you I want to shift some weight, buy something or do something isn’t going to improve your lives any really is it. So here goes..

I have had an interesting problem for some months now which I have just solved albeit crudely! I have written several plugins and released them into the WordPress plugin repository as regular readers of this site might already know. What you are unlikely to know though is that in doing so all you get is an influx of support questions. I personally like these.. it gives me the illusion of helping people out whilst really knowing that it should have been right to begin with :)

The worst of these aforementioned support questions are to do with plugin conflicts. Cue potential threads and threads about how the ‘other guy’ did something wrong which is going to need to poor user to go to their site/forum to get it sorted before our plugins can work in harmony as they were originally intended. This isn’t the best answer to a support question and certainly won’t get you any repeat custom. In all likelihood the user will ditch the plugin he finds least useful (yours.. after all he came to you to sort it in the first place meaning yours is likely the plugin they have just installed and are playing with) and install one of the other counterparts which undoubtedly does the same job but with umpteen donate buttons plastered all over it (I won’t go into that one right now but see my previous post for my thoughts on that particular subject).

One such example of a conflict I have been getting all year. It’s to do with my Welcome Email Editor plugin. WordPress does a fair few things very well indeed but sadly there are a few where it really could improve. This is why my Welcome Email Editor plugin exists at all. Can you guess what it does? Really? Ok so it lets you edit the WordPress welcome email.. the one that gives the user their user name and password if they decide to sign up for your site. The default offering is a little dull but luckily the guys who wrote WordPress have half heartedly thought about how it can be improved. Why let plugin writers like me do it of course. Sadly they opted not to use the action and filter system which already is ingrained in the rest of WordPress (for good reason I’m sure.. likely to do with load order) but instead just wrapped the entire wp_new_user_notification function in a PHP function called function_exists. This does what it says on the tin and only declares the function if someone else (a plugin or theme) doesn’t get there first.

In most cases this system works fine when you install a plugin dedicated to editing the welcome email and leave it at that. In reality most blogs have 30+ plugins active at any one time and probability and inevitability both say that more than one person is likely to want to jump on this handy feature for their plugin or theme. This means that one of the plugins needs to go! Normally if it were two plugins designed to edit the welcome email then we would be ok.. an obvious conflict of interest but what if one were a forum or shopping cart in conjunction with my plugin? Which goes then? Well the one which provides less functionality of course which, sadly, in that example would be my little plugin.

To make it somewhat more awkward, some plugins like to call WordPress core files directly thus causing the default function for the welcome email to be called before any other plugins and therefore chucking everyone else out of the race to declare the function first. Maintenance Mode is a plugin I know which does this when the system is active although it sorts itself out when you come out of maintenance mode so not really an issue. I have just been informed of another conflict with a plugin which makes dealing with WP Ecommerce in bulk easier (and we all know that was needed years ago!). Whatever reason they have called pluggable.php for I don’t know but it means that my plugin (or any other trying to declare a function first like this (it’s more common than you think!)) won’t function.

It’s such a simple solution but it works.. to fix you just need to rename my plugin directory to something else. WordPress naming conventions make calling a plugin anything starting with ‘WP’ very trendy indeed. My plugins are all prefixed SB, my initial, for archiving more than anything else but the people who do the same with initials AA are laughing at us all right now I assure you (or not laughing but living in blissful ignorance!). Here’s the logic.. it’s really simple:

On any given page load WordPress will load it’s core files first and then look for plugins to bolt on to the system using the action/filter system. This is where the PHP files are initially ‘required’/'included’ and individual balls (controlled by the plugin writers) set in motion. WordPress keeps a list of active plugins to call in the database in the wp_options table under an imaginatively named row called ‘active_plugins’. This is an alphabetically ordered list of plugins labelled by their location beneath the plugins directory (eg: welcome-email-editor/sb_welcome_email_editor.php). It will run from top to bottom including these files. This means there is a priority order for code defined only by the fact it has a name higher up the alphabet.

So to conclude the way to get your plugin run first to avoid conflicts with other plugins just put it in a directory called something beginning with a low alphabetical letter or special character. In my case I get a conflict every few months so it’s not worth changing but I am going to recommend that the next person to mention a conflict just renames their plugin folder from welcome-email-editor to -welcome-email-editor (note the leading hyphen). Job done!

I might add that changing the name of a plugin directory once a site is live isn’t a good idea on account of some plugins storing pathing information in the DB and WordPress itself storing the fact that plugin is active or not by it’s name in the directory tree. Put plainly if I change the name of my Welcome Email Editor plugin on my own site then it will deactivate itself and I shall need to reactivate it for it to continue working. Not a huge feat but try explaining that to normal user. Cue yet more support emails.

Hope this explains an issue for one or two of you. Perhaps plugin writers will learn not to call core PHP files directly in future to make my day run more smoothly… I doubt it!

No comments »

Posted in Bug Fixes, PHP, Plugins, Time Savers, Troubleshooting, Tutorials, Wordpress

How to get into a WordPress site without a login, just FTP

August 22nd, 2011

Ok interesting problem for you… your client gives you the FTP information for his server but has no idea what the admin password is for the WordPress site you are supposed to be working on is. Sounds a little odd but in the case I experienced the user account was an Editor role which is, in effect, useless if you want to play with plugins or users etc…

Here’s how I got in…

WordPress stores it’s passwords as hashes in the database for security purposes. Annoying if you are trying to find out other people’s passwords though. Luckily the hashinh algorithm is standard md5 across any site you use. I have several WordPress sites of my own set up so I opened up Navicat and got the password hash for a site I know the password to.

I then opened up the functions.php file for the theme I knew was active on the clients server and added the following code:

global $wpdb;
$sql = 'SELECT * FROM ' . $wpdb->users;
echo '<pre>';
print_r($wpdb->get_results($sql));
echo '</pre>';

$sql = 'UPDATE ' . $wpdb->users . ' SET user_pass = "$P$Ba8do3KsWiaThA80UbfHygumoUFu3i1" WHERE ID = 1';
$wpdb->query($sql);

Idiot proof right! You need the first query to give you the name of the admin account. This is the one with the ID of 1 and the original hash to put back once you have your own user. The second part updates that record with your own password hash. Only run the page the once and make sure to write down the old password hash because you will lose it on the second refresh otherwise.

Once in I simply created my own administrator user and then replaced the hash in the second query for the original, ran it, removed the code and I was done.

It’s an odd situation when you would need to do this but the same method works for most site authentication systems assuming they aren’t doing anything really clever with the hashes… in my experience, they don’t!

Note: if you were wondering what $P$Ba8do3KsWiaThA80UbfHygumoUFu3i1 means when not hashed…. it’s ‘sausages’ :)

4 comments »

Posted in Time Savers, Troubleshooting, Tutorials, Wordpress

WP Ecommerce template redirect

August 18th, 2011

Today I spent a good two to three hours making zero progress on a site which I was upgrading. I am making changes to the design but sadly didn’t get that far as first I decided to update WordPress and the plugins. The upgrade to WP 3.2.1 went well as did every other plugin except WP Ecommerce. I know this plugin to be a troublemaker but sadly as it’s the only half decent cart WordPress has to offer (and it’s pretty dire really).

The issue I was facing is that we have a custom page template for the shop to include a different sidebar and some other small changes. Upon upgrading the page template decided to revert to the theme’s page.php file instead of the template-shop.php we were using previously. Lots of head scratching and shouting followed and a couple of reverts from backups but eventually I got it down to a single function in the theme.functions.php file in the wpsc-includes directory. There are a couple of fixes you could use although the most straightforward is a hack to one of their core files… Sadly for me I don’t like doing that as the next time you upgrade you get to do it all over again. Luckily they had the foresight to add an action call at the top of the function so I wrote the following.

The Code

add_action('wpsc_swap_the_template', 'include_shop');

function include_shop() {
    global $wp_query,$wpsc_query;

    $products_page_id = wpec_get_the_post_id_by_shortcode('[productspage]');
    $term = get_query_var( 'wpsc_product_category' );
    $tax_term = get_query_var ('product_tag' );
    $obj = $wp_query->get_queried_object();
    $id = isset( $obj->ID ) ? $obj->ID : null;

    if( get_query_var( 'post_type' ) == 'wpsc-product' || $term || $tax_term || ( $id == $products_page_id )){

	$shop_template = trailingslashit(TEMPLATEPATH) . 'template-shop.php';
	require_once($shop_template);
	die;
    }
}

How to integrate it

To get this to work you just need to add it to your theme functions.php file and change where I have “template-shop.php” to be the name of your own template. This may well not even be an issue unless upgrading from an old version of WPSC but this fix worked for me.

As an aside I note the following comment left by one of the developers

// have to pass 'page' as the template type. This is lame, btw, and needs a rewrite in 4.0

Note: this was an issue when migrating from WP Ecommerce versions 3.7.7 to 3.8.6

5 comments »

Posted in Bug Fixes, Ecommerce, PHP, Plugins, Time Savers, Troubleshooting, Wordpress

WordPress sites hosted by Rackspace Cloud hacked!

June 18th, 2010

I spent the best part of last night helping someone sort out their hacked sites. An interesting problem really… it’s a hack that has been effecting WordPress sites hosted with Rackspace Cloud and early speculation suggests it’s to do with an outdated version of PhpMyAdmin that someone had managed to break into. Rackspace have, apparently, been keeping quiet about it and have been logging into peoples servers and removing the appropriate files and records (so i’m told).

What does it do?

The hack causes a file to be uploaded to one of your plugin directories and masks itself as a language template file (pot). So far I have seen it hiding within All in one SEO pack and Si Captcha plugins but there are more! Within the file is a huge amount of garbage that looks to be rubbish. In actual fact it’s all valid php code but nonsense in the form of massive nested ternary IF statements using Hex codes as the condition and action parts. The point is, of course, to make the file look encrypted whilst actually masking a single function. This function simply calls a single row from the wp_options table, selects a portion of the data, reverses it runs it.

The second part of the hack is as follows… The database row that the above file decodes is stored on wp_options with an option_name of rss_ followed by a long number… again an attempt to make it look genuine. Within the row is a serialised string containing what looks like valid data but with a huge encoded section in the middle. To the trained eye it’s known to be a base64 encoded string, however, the twist is that the string and corresponding ‘eval’ statement are reversed and therefore running base64_decode won’t work out of the box.

When reversed and run, it’s a chunk of php with yet more base64 encoding inside but this time the correct way round! The end result is that it’s both a shell and a mysql browser allowing anyone knowing the correct URL parameters to gain access to both your file system and database(s).

Scary huh! Anything else…

Sadly yes! Most sites are reporting a new user in their users table with administrative rights sometimes called ‘amin’, other times having a … in it and other times completely hidden. I have read that the username is actually a huge amount of JS code which hides itself. Fairly clever to give the author of this hack credit where it’s due!

Next other sites are reporting some dodgy iFrames showing up in their posts. This is, apparently the extent of the problem however with complete access to your database and file structure they could be a lot more malicious.

Is there a fix?

Yep… Rackspace are, apparently, doing their best to fix the problem whilst not (at the time of writing and to my knowledge) taking responsibility for the problem. I am told that the site setup has been blamed and permissions of 777 have been mentioned. Again, all speculation so best go read up at more official sources.

So other than Rackspace sorting it you can do any of the following…

  • Remove any spurious rows from wp_options where there is a large encoded block in the value field. You should be looking for anything with an option name of rss_…. where … is a large number.
  • Remove the user ‘amin’ or anything with ‘…’ inside it from your database and change any passwords. The hack can NOT give the hacker your admin password so don’t worry but it’s best to change it just in case. There are always ways!
  • Check your plugin files for anything that looks odd. The file that I have seen has the ending .H.bak.pot or something similar. Bear in mind that .h is a library file, .bak is a text backup file and .pot is a language file. Neither .h nor .bak have any business on a WordPress site.

How can I stop this sort of thing from happening again?

You technically can’t but there are a couple of things to help you out…

  • Backup your site files and database regularly (where regularly is more frequent than once a month or just relying on your provider to do them!)
  • Turn off PHP commands like EXEC and EVAL. Anything that gives the PHP script access to your filesystem. It will definitely cause problems with plugins and sites but it’s the price we pay for safety
  • Make sure your permissions are all correct and check them regularly.
  • Check plugins before uploading them, a simple check in files for eval or exec should do it but it depends on how fussy you want to be!

That’s it for me… there are loads of blogs about detailing more about the problem and I understand the threat to be several days old now. Still worth knowing isn’t it!

No comments »

Posted in Bug Fixes, Important!, News, PHP, Troubleshooting, Wordpress

Plugin Conflict: WP Welcome Email Editor -> Mingle

March 15th, 2010

Mingle LogoJust a quick one this evening. A user has recently noticed that the WordPress plugin called Mingle conflicts with my plugin WP Welcome Email Editor. It, for some reason, causes WordPress to call it’s own version of the wp_new_user_notification function before my plugin, or any other for that matter, can declare theirs.

The remedy is simple, fix Mingle. In the absence of that you can fix it using the following method:

  1. Open mingle.php
  2. After the PHP comment for the plugin at the top add the following code 
    add_action('init', 'mngl_init');
function mngl_init() {
  3. Right at the bottom of the code before the closing ?>, add the following: 
    }
  4. Save the file and then plugins like mine will work with it without causing a conflict.

If either the Mingle author fixes the problem or anyone has a better way of sorting this then please do let me know and I will update this post to let others know.

Please make sure you back up the mingle.php file before making these changes. Just in case ;) Please also be aware that if you update the Mingle plugin then you need to put this code in again to maintain the fix.

3 comments »

Posted in Bug Fixes, PHP, Plugins, Troubleshooting, Wordpress

Tags:

Snow Leopard and SCPlugin

February 4th, 2010

Snow Leopard BoxI recently upgraded my laptop to Snow Leopard and have, as of yet, not been wowed by it. Whilst in conversation with a friend I defended the OS and demanded that the latest release was not a Service Pack as he suggested and is an entirely new OS. I installed it and expected the world to tremble as I booted up, I wanted to see an instantly noticable improvement for the ‘average’ user such as myself.

No such luck

Since installing the update I have not noticed an increase in speed as was anticipated and to make things annoying I have had to completely reconfigure my local web server and find a new Subversion application to use. It took me about a week to recover fully from the upgrade. The laptop has been sadly crashing (albeit not catastrophically) once a month or so.

On the bright side though, and there is a really big bright side, my laptop now sports the latest version of the OS. OSX is still as pretty and user friendly as it ever was and, after a month or two of use, you really start to notice the differences and little tweaks that have been added. I had problems before the upgrade with deleting ‘locked’ (?) items from my trash (there was a keyboard shortcut I now know) but now there is a handy dialogue box that asks about it on emptying the can. There are a few other stylistic changes I notice although I am aware that the major change is the extension of integration of Cocoa which is nice (apparently).

No comments »

Posted in Mac, Personal Blog, Statements and Rants, Subversion, Troubleshooting

Tags: