Thursday, October 1, 2009

CF Shopkart 5.4 exploit fix

There has been an exploit identified in the latest version in which a hacker can access your control panel. To fix this:

Open errorprocess.cfm and scroll down to the bottom of that file where you will see some HTML code for the friendly error message displayed on the page.

Copy all the HTML code and then paste it into a new file called error.cfm.
Where the HTML code was put CFLOCATION URL = "index.cfm?action=error" (surround it with <>).

Now open switches.cfm and add to the bottom just above the closing cfswitch tag just had a new CFCASE statement and set it to "error". The template to include will be your error.cfm file you just created.

Basically this will redirect the page when an error is generated and the hacker will not be able to see the information they are getting from the database.

Note: Not all sites are affected, but some who have certain widgets hidden will be, and you should take immediate action just in case. I am still working on an update to the latest version to further enhance security.

Monday, August 31, 2009 down for maintenance

The main website is currently down for maintenance and will remain offline for a big part of today.

You can still access the mirror at though I do not have the download for the 5.4 beta release on there yet.

I should have the site back up later today.

Wednesday, August 19, 2009

Cool Drop Down Boxes with CFMenu

I've been working on a couple of projects these past 2 weeks since I released the latest version of CFShopkart (which is why some of you haven't gotten responses back to your tickets yet, but I'm getting caught up on them so please be patient-- trying to deal with the more urgent ones first).

Anyway, before I called it quits for tonight I wanted to share something with my fellow CF developers because it's just too good NOT to.

I am working on a web site and in the graphics submitted to me they had a form with a styled drop down box. As any web programmer knows, drop down boxes can't be styled very easily. Most browsers ignore CSS applied to them and you end up with an ugly gray box anyway.

I was determined to make the drop downs look just how the client wanted so they needed to match the rest of the styles I had already applied to the other form fields. So I set out to find the solution. I thought for sure there would be plenty of scripts around the web that demonstrated just how to do it, because I've seen it done on a few sites using styled UL and LI tags. But alas, I found nothing that worked. Oh, I found a couple of solutions that came close, but they would work in one browser and not in another. Sure, I could use a flash form in CF--it's easy to do-- but I just wanted it to be styled HTML; I wasn't about to redo the entire form.

...and I found nothing that worked. Needless to say, I was frustrated.

I gave up for awhile, because I needed to run a few errands, and while I was out it dawned on me...and this is why I like Coldfusion 8 so much: CFMENU to the rescue!

BUT wait, would I be able to make a CFMENU look like a styled drop down box? And could I get it to behave like one? What about passing the form field value to the next page? Sounds complicated, but it's not!

It was easier than I thought! Here is how I did it (link below to example and code):

1. I created a javascript function that would change the value of a standard text input depending on what value I passed to the function.

2. I styled the input box to match that of what the client wanted using CSS. I also changed the styles for the cfmenu to match the site.

3. I created a CFMENU with a sub menu that contained all the data that would appear in the drop down.

4. Finally, I put the input text box I created as the parent of the cfmenu, and for each item on the the sub menu simply called the function I wrote in step one to change the value of the text box depending on what they chose from the list.

Ok, so it doesn't perform EXACTLY like a drop down box, but it's pretty darn close! The client was very pleased with it. The only downside is that you can't put the cfmenu within a cfform tag. I don't know if that is a big deal for you, but if it is, you might be able to view page source and copy the actual HTML and javascript links generated by CF and use that instead of a cfmenu tag.

Maybe they should make something like this for CF9 or enhance CFMENU so it has more options, because there are a few things I would like to do if I had more access to the features within the YUI menu scripts. Reading the website about YUI, I discovered there are a lot of options that just aren't accessible (that I'm aware of) through CFMENU.

You can see a sample and how exactly I did it by clicking here.

Tuesday, August 4, 2009

CF Shopkart 5.4 Beta Download Available

You can now download the CF Shopkart 5.4 Beta in the downloads section of the website. Please leave feedback in the forum or on this blog entry. See previous blog entries and the website for more information on what is new in this release.

I will be putting out updates and making this the official release once I'm 100% sure everything is working properly. I will be adding more features and improvements in the weeks ahead.

5.4 will be posted no later than Wednesday night.

Tomorrow I am doing some final testing on version 5.4, and I will try to post it tomorrow night, but if not then for sure on Wednesday. I was delayed some today because we had a dns server go down on us. So my website was down for awhile.

I still want to add a few new features to 5.4, but I will save those features for some upcoming updates. I have already added the necessary tables and columns into the database schema so the updates should be very easy to implement. I am pleased with the stability and speed of the current version. I am going to post information on the website about what is new in version 5.4 yet tonight.

Saturday, August 1, 2009

MS Access Users Will Soon Have Something To Smile About

I just got done this morning testing CF Shopkart 5.4 with an MS Access database (2007) and all seemed to be working great! I had to change a few queries and fix up the error processing file, but it's all working now. So MS Access will be available and working in this next release.

Friday, July 31, 2009

Version 5.4 Preview Demo is up!

Today I added just a few more enhancements and improvements, but mostly I tested the heck out of CF Shopkart 5.4 and worked out a few minor glitches. While I was at it, I added the ability to upload multiple images for a product at once.

I added a couple more style classes for the option form fields so you can customize them a little more.

I dropped the access codes feature from this update, mostly because it's not really all that useful, but because it needed work and I really didn't want to spend so much time on a feature that the majority of people will not be using.

You can see the preview demo (no access to the admin, but it's very similar to the cfshopkart 5.3 demo with some visual improvements and of course a few added features) here:

Tomorrow later on I should have it posted to the downloads section.


I have had "Coming Soon" on the hosting page for the past week. It's probably, unfortunately, going to be until Sunday evening by the time I get that off there and get the order form working. I'm also working with Hostek to get my reseller account all setup properly so that I can start setting up the stores on a CF8 server instead of the CF7 server they had me on. They notified me today that they will be moving my existing sites over to the CF8 server.

I will make an announcement here, on twitter (follow me @cfshopkart), and also on the forum.

Another late night again

I cannot wait to share CF Shopkart 5.4 with all of you. Everything is running great so far in testing. I've had to fix a few minor things late today, but so far all seems to be going great as far as mysql is concerned.

Tomorrow I am going to test with MS Access and then do a followup on testing PayPal IPN to make sure that it is still working. Someone told me the the other day that it wasn't. I tried to fix it without getting into heavy testing, but haven't heard anything back. Hopefully it's working now. I will know tomorrow.

I finished today with adding CFQUERYPARAM tags to all the queries on the front end and some critical queries in the admin during the login and loading. This should really help big on keeping any hackers from being successful with the mysql injection attacks.

Among other security enhancements I have added in a check for such attacks when the site loads. Additionally, the page request is checked to see if index.cfm is called and if it's not, then it promptly redirects to it. This will keep people from trying to load any of the coldfusion scripts directly into their browser without going through the index file first.

I've also accomplished the following today:

- The email item link is back and working much better than before.
- Fixed a couple minor bugs in the wish lists feature.
- Added ability to turn on and off the wish lists feature in the settings.
- Now when you add a coupon for a specific item, it also adds the item to the cart.
- Coupons can be added via url now:
- Changed the way option form fields assignments are stored in the database (no more list in products table. It's now a separate table). This was necessary for future enhancements.
- Fixed up the options administration in the control panel.
- Improved styles throughout the control panel.
- Completely redid the details page. I've broken up the elements of that page into separate files and changed the layout up some. It should be a lot easier to edit and customize it now!
- I've gone through all the bug reports that were sent and addressed every single one that I was able to.

Again, thanks to all those who submitted bug reports for version 5.3. It's been a BIG help!

Wednesday, July 29, 2009

A few more notes on the pending 5.4 update

I had some difficulties figuring out a weird bug with Fedex that was reported to me early today. That's why you aren't seeing the update posted yet. It set me back. Then one of my other clients mentioned how nice it would be if they could export their orders to, say, a CSV file.

Well, I decided that I would try to do the export feature before release, but not only will you be able to export orders, but also customer contact info (matching criteria), and product data.

I also decided to go ahead and fix a few bugs with the product import and change the way it works. The procedure is the same until the very last step where you choose columns. It's completely turned around, and it should work much better (and should be easier to understand).

I'll be working on some projects in the morning (got to pay the bills). When I'm done, I plan to get back to programming the new export feature and testing. Hopefully I won't find anything too major anymore in testing. I've worked through most of the bugs that were reported to me (a couple minor ones are still a mystery, but thankfully they seem to be happening on very few sites).

I've also added some security enhancements to help further reduce the likely hood of xss and sql injection attacks.

Well, that's it for me for the day. It's after midnight and my eyes are starting to burn. Good night everyone!

Monday, July 27, 2009

One more thing....

After 5.4 is out I am going to concentrate a lot of my time and efforts into documentation. The documentation was put on hold while I worked on a couple of things including the update (bug fixes are more important than how-to's in my book). So in the coming weeks I will be spending time each day adding to the documentation for both CF shopkart ( and the mini site builder (

CF Shopkart 5.4 Will Be Out Soon!

I have been working the past few days on updating CF Shopkart to version 5.4. Besides fixing some bugs, this update is going to add in a few new features.

The biggest addition to this version is the new navigation menu system. Since the beginning of CF Shopkart all those years ago you have had to manually edit the navigation bar at the top of the site just below the header. Well, no more! By default, CFShopkart will continue to use the default navigation menu at the top. But in 5.4 you will be able to choose between a custom HTML menu, a basic HTML menu, a CF8 drop down menu, and a couple of different flash drop down menus. The menus will go 3 levels deep and they can be styled to match your site. You will be able to add page links, custom links, component links, and links to specific categories on the menu.

Another key new features is the ability to create multiple index files so that you can use different templates or layouts throughout your site. This new feature makes it so that you can tell the application to load a different index file for a specific page if you need to change the layout when a certain page is loaded.

Also included in this update is the long awaited ability to attach files to a product that a customer can download after they checkout. In previous versions of CF Shopkart I had the ability included to upload one file for a product. However, I had removed this feature when I released version 5 because I had started to rewrite it, but unfortunately lost the code I started working on when I had a hard drive fail. To make a long story short, I got busy with other things and eventually was able to begin programming the feature back into the application about a month ago. And it is way better than before. The new file attachment feature will lets you upload several files at once so you can have the customer download one or more files depending on what they purchase. Plus when you upload the file a nice status bar comes up to let you know how long it's taking (thank to swfupload).

One more notable feature is a much needed improvement to the filemanager. You can now upload multiple files at once and watch their progress, because I have integrated swfupload. You can select multiple images now and upload them to your images folder instead of one-at-a-time in the image manager.

This will PROBABLY be the last MAJOR update to version 5. I am going to focus more on version 6, which will be a cf8+ shopping cart system. It will make more use of CFCs and many of the awesome features built into CF8. I will continue to support and make updates to version 5 for quite some time yet so don't get worried. CF Shopkart 5 hasn't ran it's full course yet.

In the months ahead you will be seeing a Version 6 Alpha release posted to the site.

I will make an announcement on twitter (@cfshopkart), here in the blog, and on the forum when version 5.4 is posted. It should be within the next 24-48 hours. I just need to finish tweaking and testing it and making sure I didn't miss a couple of bugs.

Which, reminds me: thank you all who have been submitting the error reports in your control panel. That addition to CF Shopkart 5 has been a HUGE help, and I've been reading and addressing as many as I can whenever I have the chance. This next update is going to fix many of the ones that have been reported. So thank you again for taking the time to click that button ;-)

Monday, July 13, 2009

CF Shopkart News and Updates

I am in the process of rolling out a new service at so I've been busy with that the past few weeks.

I am also working on an update to CF Shopkart (5.4) and it will have a few new features, but most importantly it's going to have some bug fixes as well as some more security fixes.

I am also going to offer more CF Shopkart hosting. I am partnered with Hostek and am a reseller for them. I am going to be setting up any new accounts on there. The first thing many of you will notice is the price increase. I set the price higher because I am not only providing you with hosting (which carries some expense), but I am also installing it, providing important updates, and giving you my full support. I want to be able to provide the best support possible and at the pricing level I had it at, this just wasn't possible. As I grow I want to be able to afford to hire others that can program in CF and provide support too and this will help provide better service overall.

Look for the new hosting sign up which is already in progress on the site. I should have it ready by this weekend and I will also be posting an update.

Tuesday, April 21, 2009

CF Shopkart Update Now Available

I have posted the update archive in the downloads section of the website. I have not yet written an update script so there is no notification in the control panel yet. But I will be in the a few days. Those that are following along though in the forum, twitter, and this blog now have a heads up. You can download the update now.

The CF Shopkart main archive has also been updated.

See the forum or the included text file for fixes and changes.

You can please most of the people some of the time...

This article posted by Randy Cassingham and written by Paul Myers sums it all up nicely. It made me laugh, because I have met so many of these people in the past 7 years I have been working online. And it is so true what Paul says. I enjoyed the article so much that I just had to share it. With people like Paul around publishing helpful tips and info, you don't have to learn the hard way like I did :-)

I highly recommend going over to Paul's website and subscribing to his newsletter. It's a great read for anyone who is really serious about making money online.

Read Randy's article about Paul's newsletter (the article contains a link to Paul's website) here:

And while you are there, sign up to Randy's newsletter called This is True. It is awesome! Start out with the free edition if you want, but I'm telling you right now the Premium This is True is well worth the little amount Randy charges for it (you will not regret subscribing, I promise you that)! I just got my copy of the next edition delivered to my inbox and I plan to read it over a nice hot cup of coffee in the morning-- it's become my Tuesday morning ritual now :-)

Saturday, April 18, 2009

Solved my Dreamweaver CS3 connectivity problems

For the past few months I have been suffering from the dreaded connection problems using Dreamweaver FTP. I have gone through dozens of blogs and dozens of supposed fixes, and saw dozens of recommendations to 'use an external ftp program'. I even uninstalled it and resinstalled it no avail. So I gave up for awhile and started using an external one or just rebooting the system to get Dreamweaver working again. I was convinced that I would have to wipe my OS (WinXP) and reinstall because I thought maybe I screwed up something in the registry.

Here is what was happening:

Dreamweaver would work just fine for awhile (usually half an hour, sometimes longer). Then suddenly, it would start having problems connecting (I couldn't connect to any of the servers in my list). This was happening on both my laptop and my desktop so I knew it had to be something both had in common. The only way I could get Dreamweaver working again was to reboot the system. It would hang on uploading a 62KB file, trying to list the directories, and sometimes it would delete my file from the remote server and then tell me I had to turn on Passive FTP when it was already on, which would cause a 404 error on the server.

So I had this idea that just maybe it was my anti-virus.

I run AVG Anti Virus which is currently on 8.5. If you aren't running AVG, it could still be it so just try this one and see if the problem goes away for you (I know I'm not the only one that has had this problem from the posts I have seen on this):

Open your antivirus control center (for AVG you double-click the AVG icon in your tray).

You need to find the exceptions list. In AVG you click on the tools menu and click on advanced settings. Under Resident shield click on Exceptions.

I added two paths (I'm running Win XP by the way), but the second one is probably what does it:

Path 1: Enter/select the path to Adobe Dreamweaver cs3. On mine it is C:\Program Files\Adobe\Adobe Dreamweaver CS3\

Path 2: This is to the application data folder in your documents and settings under your user account (it might be hidden so you need to change windows settings to show hidden files if you don't see it). The path to mine was: C:\Documents and Settings\Jon\Application Data\Adobe\Dreamweaver 9\

In AVG click on Apply then Ok and close out of it.

It looks like Dreamweaver is working great for me now, and what is really awesome is I got a little bit of a performance boost out the file get and put operations :-)

Friday, April 17, 2009

Shipping Per Item

I just had one of my newer clients email me today asking about charging shipping per item. Not only did I realize there is a minor bug (will be fixed in next update), but it gave me an idea. When you select this method of shipping it just tells you the method was set and nothing else. You are supposed to go to each item and specify the shipping price under the settings tab when editing the item (which I told them to do, of course). However, this made me realize that I could improve on this feature.

This client has a small catalog so it's not big deal for them, but what if someone had a large catalog? Would they really want to click on each item and update one at a time? What if shipping prices go up and they need to change all their item shipping prices? That would be one heck of a task!

Well I have an idea of how I can make it better! So in an upcoming update I'm going to add the ability to change shipping prices on multiple items at once as well as adjust shipping for multiple items at once (similar to the new price adjustments feature I built in). Look for it either in the next update or the one right after.

Tuesday, April 14, 2009

Protecting your Coldfusion Tags from FCKEditor

I ran into a problem on one of my client websites that wanted some dynamic content on their homepage. I edited the homepage in Dreamweaver and added some Coldfusion tags. Two days later, the clients opens the homepage.cfm file in their control panel and FCKEditor screwed up my Coldfusion Tags which generated an error on the homepage (argh!). Naturally I figured there was a setting in fckconfig.js that would solve my troubles. Well, there is, but I had to do a bit of digging to find out how to protect my Coldfusion tags from FCKEditors wrath. You see, the good folks that make FCKEditor available tell you how to protect your php and asp code, but are silent when it comes to Coldfusion tags. FCKEditor attempts to parse Coldfusion tags as HTML and so when you switch views it messes with yours tags in unspeakable ways. But I almost did a little dance when I found the solution to my problem!

I've posted the solution in the CF Shopkart forum:

FCKEditor will ignore any of your Coldfusion tags if you add those lines. Sure, it's a security risk if you are using FCKEditor on a public website, but it's only used in the Control Panel for my client and they don't know anything about CF so I figure I'm safe :D

Edit: In order for dynamic coldfusion content to display in a web browser using FCKeditor, you need to turn script protection off in the cfapplication tag. It is a security risk though because it protects your site from cross site scripting. So if you've been putting cf tags in FCKEditor and then wondering why the dynamic output is not working, it's because script source is on. Set it to "None" or give it a comma delimited list of variables you want to protect. Read more here:

The link above is dead and I can't paste the code to my blog so if anyone seeing this still needs the code, just email me. You can contact me on my website using the contact form:

Monday, April 6, 2009

Update included in archive now

I put the update into the archive, but haven't made a separate package for it yet. I was planning to get to it today but didn't quite manage to get the time. I will put it up sometime this week. I am going to also release another update shortly after that. The next update will hopefully have the LinkPoint payment processor support back! It will probably be posted early to middle of next week.

Also I wanted to address something that a couple people emailed me about. There are still a couple websites reporting a vulnerability in CF Shopkart. The vulnerability was addressed over a month ago and the 5.2.2 download had the patch in it. However, I guess I didn't make that clear on the website so the report is still circulating (many of these sites copy and paste from each other and don't actually do their own research so it might a little while before the all catch up to each other). Regardless, I thought it would be best to just take the 5.2.2 download down so people will no longer believe the reports. I will no longer be offering it and the link is now broken (which will hopefully speed up the process of them taking the information down). I have also contacted a couple of them to make them aware of the update.

And just to be clear, the vulnerability has been addressed in 5.3 and no longer exists. There are still a couple more steps I plan to take to increase security in version 5.3, and I will be putting out updates as I get those steps accomplished.

Also, I will attend to any other threats that come up ASAP. So if you see something out there or hear anything, please do not hesitate to contact me about it. I want to know about it!

Friday, April 3, 2009

CF Shopkart 5.3 is out along with an update!

I have posted CF Shopkart 5.3 on the website for download. I don't have the demo ready yet, but it's coming!

I have also put out an update already ( Those already running 5.3 will be notified the update is available when they login to their control panel.

Linkpoint and YourPay are not working properly, but I will be working on getting that going in the next few days. I will provide another update once I have that working.

Monday, March 30, 2009

CF Shopkart 5.3 almost out!

I have been testing the new version last night and today and working out any last minute kinks. But as I was testing, I decided to check up on the PayPal Payments Pro integration guides and found out they now have a new method of making the calls. So today I decided to go ahead and put the PayPal Payment Pro support into version 5.3 before I post it (I've had several requests in the past few months for it, but haven't gotten to it).

So far so good! I'm just hoping my tests work. Can it really be this easy? PayPal even provides a CFC for making the calls!

You can all expect version 5.3 to be posted on the site no later than this Wednesday evening!

After this release I am going to focus on documentation and adding more support for other payment processors (please make requests in the forum and provide links).

Friday, February 20, 2009

CFShopkart 5.3 will have error reporting.

I was working on the 5.3 update again today and have fixed a few bugs in it that have been reported to me. One of the new things that will be included in this update is error reporting. I came up with the idea when I was fixing a bug in someone's website. I decided to finally get around to putting in a custom error page and handler instead of just having visitors see Coldfusion errors on your website. It will just display a friendly little message, and the entire Coldfusion error will get logged to your database.

In your control panel you will then find the error log and you can click to view the details of the error. To most people that error message won't mean anything, but to me, it can reveal where a problem might be in the application (especially if I get numerous reports of the same thing). There will be a button above the error report and it will send it right on over to my website and log it for my later review! This type of reporting will go a long way in improving CF Shopkart.

Update on the forum: Charles, the guy who runs the forum, had a problem with his server. The good news is, he told me he is working on it over the weekend and should have it up and running by Monday (if all goes well). So keep your fingers crossed folks, and hope it all goes smoothly so you can all start visiting the forum again.

And one more thing: I am putting together a knowledge base. Every time I fix a bug or do some kind of update that fixes a problem I will be putting it into the knowledge base. The knowledge base will also have documentation that will help both end users and developers. It's going to take time, but I will be working on it as much as I possibly can...but don't expect it overnight ;-)

Thanks to all who have been supporting CF Shopkart and to all who have sent me wonderful comments. The compliments are very incouraging.

Thursday, February 19, 2009

Been very busy here!

I have been slammed with work lately. Though I have been working hard on an update to version 5 in what little spare time I have. I can't give a specific date, but I'm going to clear some things out of my way and get it posted soon.

Ido see the forum is down, thank you all for emailing me and letting me know :-). I do not actually run the forum, so I can't really provide any updates on when it's coming back up. I don't even own the domain for it. I'm hoping that it comes back up soon otherwise I'm going to be forced to get one up of my own :-(. I wish the guy that runs it would just let me host it. I wouldn't charge him a thing for it! I've got his email somewhere in my sea of emails. I will write to him and find out what is going on with that.

In the meantime, if anyone has any fixes or anything just reply to this blog post. I've got some things cooking for CF Shopkart, and there will be lots of good things happening this year!