Shopping Cart Software Forum for Ecommerce Templates
 site attack by 3137 Laguna Street once again!

steven vaccaro
Ecommerce Template Guru

USA
1030 Posts

Posted - 12/18/2023 :  10:42:15  
I've been hit again. It's been going on for many years, off and on.

This time it's bad, about 200 or more items must be counted and inventoried. Not to mention the number of people looking for items that are not in stock.

There has to be a better way to stop this vulnerability in the cart?

Vince
Administrator

42689 Posts

Posted - 12/18/2023 :  10:54:09  
Hi Steven
Can you keep a spreadsheet of the items that you expect and the number that you actually have in stock and send that to me? I'm looking for the pattern in the differences.

Vince


steven vaccaro
Ecommerce Template Guru

USA
1030 Posts

Posted - 12/18/2023 :  11:26:30  
Sure. But it's random.

He's just bringing the stock to 0.

steven vaccaro
Ecommerce Template Guru

USA
1030 Posts

Posted - 12/18/2023 :  12:14:44  
Sending over part of a list now.

dbdave
ECT Moderator

USA
10379 Posts

Posted - 12/18/2023 :  17:29:05  
Every time I see that address, I block the IP and it goes away.
It's also the same email address every time.
Is that not the case here?

David

steven vaccaro
Ecommerce Template Guru

USA
1030 Posts

Posted - 12/18/2023 :  19:55:50  
Dave, that's correct. I block the IP BUT the damage is done. It makes a mess of our inventory. It caused 3 people about 4 hours of work. That's 12 man hours during the holiday season. What a mess. This needs to be able to be blocked prior to this attack.

dbdave
ECT Moderator

USA
10379 Posts

Posted - 12/18/2023 :  20:23:48  
You can install some code that will block that email address.
They use the same email address, no?

David

steven vaccaro
Ecommerce Template Guru

USA
1030 Posts

Posted - 12/19/2023 :  01:42:00  
Yes same email address.

Marshall
Ecommerce Template Guru

USA
1899 Posts

Posted - 12/19/2023 :  04:32:13  
I went through my notes and think this is the correct script for changing the inccart.php page.

var regex=/[^@]+@[^@]+\.[a-z]{2,}$/i;
chkfocus(!regex.test(frm.email.value),frm.email,"<?php print jscheck($GLOBALS['xxValEm'])?>");
<?php if(@$GLOBALS['verifyemail']){ ?>
chkfocus(!regex.test(frm.email2.value),frm.email2,"<?php print jscheck($GLOBALS['xxEmVerf'].'\n\n'.$GLOBALS['xxValEm'])?>");
chkfocus(frm.email.value!=frm.email2.value,frm.email2,"<?php print jscheck($GLOBALS['xxEmNoMa'])?>");
<?php }
} ?>

CHANGE TO

var regex=/[^@]+@[^@]+\.[a-z]{2,}$/i;
if(frm.email.value=="sample@ email.tst") {
window.location.href="https://ih1.redbubble.net/image.717939983.4497/flat,750x,075,f-pad,750x1000,f8f8f8.u6.jpg";
return(false);
}
else chkfocus(!regex.test(frm.email.value),frm.email,"<?php print jscheck($GLOBALS['xxValEm'])?>");
<?php if(@$GLOBALS['verifyemail']){ ?>
chkfocus(!regex.test(frm.email2.value),frm.email2,"<?php print jscheck($GLOBALS['xxEmVerf'].'\n\n'.$GLOBALS['xxValEm'])?>");
chkfocus(frm.email.value!=frm.email2.value,frm.email2,"<?php print jscheck($GLOBALS['xxEmNoMa'])?>");
<?php }
} ?>

If not, let me know and I'll check my other notes, but it should give you an idea how to do the workaround.
NOTE There is no space in the email address. I just put it here so it would not link.

Since this is a modification to the inccart.php file, it will be overwritten with updates.


Marshall
CENLYT Productions - ms designs
Affordable Web Design
Custom Ecommerce Designs
Responsive Websites
Cenlyt.com

steven vaccaro
Ecommerce Template Guru

USA
1030 Posts

Posted - 12/19/2023 :  07:52:54  
Marshall, thanks! I've put it in and it's working. My worry is that somehow they are getting around the cart. But we'll wait and see.

One question, is it possible to add multiple emails to that code?

Marshall
Ecommerce Template Guru

USA
1899 Posts

Posted - 12/19/2023 :  08:49:11  
I never tried adding multiple emails, and honestly, not sure how. Maybe Vince can help. It is probably plainly simple. I also have a modification if it is the same phone number. Again, I think this is the one for v7 carts, but you get the idea.

var regex=/[^@]+@[^@]+\.[a-z]{2,}$/i;
if(frm.email.value=="johnsmithstore.91@gmail.com") {
window.location.href="https://ih1.redbubble.net/image.717939983.4497/flat,750x,075,f-pad,750x1000,f8f8f8.u6.jpg";
return(false);
}
else if(!regex.test(frm.email.value)){
alert("<?php print jscheck($GLOBALS['xxValEm'])?>");
frm.email.focus();
return(false);
}

if(frm.phone.value=="") return(chkfocus(frm.phone,"<?php print jscheck($GLOBALS['xxPlsEntr'] . ' "' . $GLOBALS['xxPhone'])?>\"."));


To


if(frm.phone.value=="6502530000") {
window.location.href="https://ih1.redbubble.net/image.717939983.4497/flat,750x,075,f-pad,750x1000,f8f8f8.u6.jpg";
return(false);
}
else if(frm.phone.value=="") return(chkfocus(frm.phone,"<?php print jscheck($GLOBALS['xxPlsEntr'] . ' "' . $GLOBALS['xxPhone'])?>\"."));



Marshall
CENLYT Productions - ms designs
Affordable Web Design
Custom Ecommerce Designs
Responsive Websites
Cenlyt.com

steven vaccaro
Ecommerce Template Guru

USA
1030 Posts

Posted - 12/19/2023 :  10:51:25  
Thanks, I hope Vince can help more, since these are coming from a few emails.

steven vaccaro
Ecommerce Template Guru

USA
1030 Posts

Posted - 12/19/2023 :  12:11:38  
I asked Vince to see if this can be added to the admin area. There are many times we would like to stop people from ordering. This would be a giant help.

dbdave
ECT Moderator

USA
10379 Posts

Posted - 12/19/2023 :  12:33:48  
PHP mimics JavaScript in some ways - or maybe JavaScript mimics PHP in some ways.

if($var == "abc" || $var == "def" || ...)
{
echo "true";
}


https://stackoverflow.com/questions/5593512/php-if-statement-with-multiple-conditions

Taking that into account, this should work:

if(frm.email.value=="johnsmithstore.91@gmail.com" || frm.email.value=="tomsmithstore.91@gmail.com") {

David
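
An added example (not code from the thread or from the ECT cart) that generalises Marshall's single-address check and dbdave's `||` chain into a lookup against lists of addresses and phone numbers, normalised before comparison; the addresses and number in the lists are constructed placeholders, and `fakeForm` stands in for the checkout form's DOM object.

```javascript
// Added example, not code from the thread or from the ECT cart itself.
// Generalises the single "==" check to any number of blocked addresses and
// phone numbers, normalising the input so " John@Example.com " still matches.
// The lists below are constructed placeholders, not real blocked customers.
const BLOCKED_EMAILS = new Set(
  ["blocked1@example.com", "blocked2@example.com"].map(normalizeEmail)
);
const BLOCKED_PHONES = new Set(["6505550100"].map(normalizePhone));

// Same format check the cart's inccart.php snippet uses for the email field.
const EMAIL_RE = /[^@]+@[^@]+\.[a-z]{2,}$/i;

function normalizeEmail(value) {
  return String(value).trim().toLowerCase();
}

function normalizePhone(value) {
  return String(value).replace(/\D/g, ""); // keep digits only
}

// Returns "email", "phone" or null so the caller can log which rule fired.
function blockedReason(email, phone) {
  if (BLOCKED_EMAILS.has(normalizeEmail(email))) return "email";
  const digits = normalizePhone(phone);
  if (digits !== "" && BLOCKED_PHONES.has(digits)) return "phone";
  return null;
}

// Validation step for the checkout form: returns false to stop submission,
// mirroring the return(false) in the inccart.php snippet.  This runs in the
// browser, so a client that does not execute the script is not stopped by it;
// the same lists should be checked again server-side when the order is saved.
function validateCheckout(frm) {
  const email = frm.email.value;
  const phone = frm.phone ? frm.phone.value : "";
  if (blockedReason(email, phone) !== null) return false;
  if (!EMAIL_RE.test(email)) return false;
  return true;
}

// Minimal stand-in for the DOM form object, constructed for this example.
function fakeForm(email, phone) {
  return { email: { value: email }, phone: { value: phone } };
}
```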

steven vaccaro
Ecommerce Template Guru

USA
1030 Posts

Posted - 12/19/2023 :  12:53:57  
Thanks Dave, I'm going to give that a shot.
Shopping Cart Software Forum for Ecommerce Templates © 2002-2022 ecommercetemplates.com