WP eStore plugin – ShrinkTheWeb plugin


Viewing 15 posts - 46 through 60 (of 60 total)
  • #5064
    WPS P&C Admin
    Participant

    Hmmm, one thing I’m a little suspicious of is that the first snippet of code above has different commenting above it to what I see in my .htaccess file. Although the code underneath is the same (apart from the HTTP_REFERER statement referring to my website instead of yours), it does make me wonder if there are other differences between my root .htaccess file and yours, which could be why the exact same custom code settings work on your site but not mine.

    Below is what I see in my root .htaccess file. See how the commenting above it is different to what you pasted above? Could it be that there are other differences too? Would it help if I sent you my .htaccess file so you can compare it to yours?

    # TimThumb Forbid RFI By Host Name But Allow Internal Requests
    RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
    RewriteRule .* index.php [F,L]
    RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
    RewriteCond %{HTTP_REFERER} ^.*wpspandc.com.au.*
    RewriteRule . - [S=1]
    #5067
    AITpro Admin
    Keymaster

    Your .htaccess code looks fine.  It is something else about your site that is causing the problem so my testing would not have that same condition/problem/etc.  Just one of those unsolved mysteries I guess.  I have thrown in the towel because it works fine on my test site and the only issue/problem I found was the wp-admin media-upload.php issue.  I did not have to do anything else.  Do you have any other security plugins installed?  Maybe one of them is breaking BPS?

    #5069
    WPS P&C Admin
    Participant

    I don’t have any other security plugins installed, but I do have a permissions plugin (Press Permit), which I used to create roles and content-specific permissions for back-end users to edit only their pages on the site. Other than that my site is a pretty basic, vanilla WordPress site, with no complex customisation. Could it be something specific to my theme (Pinboard)?

    I manage another WordPress website which has similar settings and plugins (although a different theme) so I will install WP eStore and BPS on that, and see if I can get it to work there. I will also run it past the provider of the Press Permit plugin, to see if he has any ideas.

    #5082
    WPS P&C Admin
    Participant

    Ok, I’ve installed WP eStore and BPS on my other site, and they appear to be co-operating perfectly. I’m going to contact the suppliers of the WP eStore plugin and ask them if they can figure it out. I’m not ready to give up just yet……

    #5083
    AITpro Admin
    Keymaster

    I do not think the issue is with WP eStore unless there is some setting that is different or maybe incorrect.  My gut is telling me that there is another factor involved such as a Host control panel setting, a plugin or theme conflict with BPS and/or timthumb or maybe some database corruption or damage.  I guess you could try installing the same plugins on the site that is working and see if the problem reoccurs.

    #5085
    WPS P&C Admin
    Participant

    Ok, fantastic news…. I rang my hosting provider, and asked them to help me with this issue, since the WP eStore forum suggested that the problem could be caused by a PHP session error, or incorrect PHP server settings.

    The person I spoke to read this entire post from top to bottom, and saw your suggestion on 22nd April at 4:37pm about commenting out all the security filters from… to…. and he experimented with commenting out a few lines at a time, until he was able to narrow it down to one specific line (which was actually just below the range that you suggested commenting out). It seems that commenting out the following security filter fixes my original problem (empty shopping cart upon checkout):

    RewriteCond %{REQUEST_FILENAME} !-f

    So, now that part of my root .htaccess file looks like this, and my problem is resolved:

    RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
    RewriteRule ^(.*)$ - [F,L]
    #RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    I have no idea what the effect of commenting out this line is. Can you tell me what this line does?

    So that this customisation doesn’t disappear next time I upgrade this plugin (or Deactivate Root Folder BulletProof Mode and back), is there any custom code fix that I can save, or will I need to reapply this manual change?

    #5086
    AITpro Admin
    Keymaster

    hmm interesting.  That condition is actually supposed to help prevent problems when a file cannot be found, but if everything works with that commented out then great.  It means if a file is not found by the Request that was made to your website then continue to the RewriteRule.  The f stands for file and the d stands for directory.  In any case it is not a critical condition and is just supposed to help against file request issues/problems.

    That .htaccess code is standard WordPress code/standard BPS code so it does not have a Custom Code option.  When you upgrade BPS the automatic .htaccess file does not affect any customizations you have made to the standard code.  Or in other words, it will NOT be changed when updating BPS.  If you use [obsolete-removed] at a later time then yes you would have to comment that out again.

    #5091
    WPS P&C Admin
    Participant

    Ok, well thanks for your help. I’ll make a note that I will need to reapply that change if I ever use the [obsolete-removed] buttons again. I’m glad my persistence paid off, and that I can continue using BPS. I’m impressed with it as a plugin, and was disappointed to think I wasn’t going to be able to use it.

    Thanks again for your help.

    #5094
    WPS P&C Admin
    Participant

    Oops, looks like I spoke way too soon. With that security filter commented out my site is completely broken. Nothing looks right – no header logo, no navigation menu, everything in plain text. The website looks awful. When I tested it this afternoon it looked like it was working ok, and all the pages were displayed fine, but I must have been seeing cached versions of the pages. 3 hours later everything is a mess.

    Fortunately, removing the # to uncomment that line has restored the website, but the original problem is back.

    However, I noticed something else…the product I am adding to my cart is the NSW Swifts tickets, but when I look at the entries in the security log I see the following 2 entries:

    >>>>>>>>>>> 403 GET or Other Request Error Logged - 29/04/2013 - 10:19 pm <<<<<<<<<<<
    REMOTE_ADDR: 60.225.179.31
    Host Name: 60.225.179.31
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http: //www.wpspandc.com.au/webstore/
    REQUEST_URI: /wp-content/plugins/wp-cart-for-digital-products/lib/timthumb.php?src=[thumb]http://www.wpspandc.com.au/community-advertising/[/thumb]&h=125&w=125&zc=1&q=100
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31
    
    >>>>>>>>>>> 403 GET or Other Request Error Logged - 29/04/2013 - 10:20 pm <<<<<<<<<<<
    REMOTE_ADDR: 60.225.179.31
    Host Name: 60.225.179.31
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: http: //www.wpspandc.com.au/webstore/
    REQUEST_URI: /wp-content/plugins/wp-cart-for-digital-products/lib/timthumb.php?src=[thumb]http://www.wpspandc.com.au/community-advertising/[/thumb]&h=125&w=125&zc=1&q=100
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31

    I don’t know why the REQUEST_URI contains a reference to our Community Advertising page. The [thumb] tags around this URL are from another plugin, ShrinkTheWeb, which we use to generate the thumbnail images on our Community Advertising page. However, this page is nothing to do with the Webstore (other than the fact that we sell an item in the webstore, which people can purchase to pay for a listing on our Community Advertising page).

    I’ve experimented a bit by deleting the security log, and keeping an eye on it as I do things. The first log entry was written when the webstore page was loaded, before I added anything to my cart. The second log entry gets written when I add the NSW Swifts tickets to my cart.

    I just checked the settings for the NSW Swifts tickets item, and verified that the Thumbnail Image URL for this item is as follows:

    http: //www.wpspandc.com.au/wp-content/gallery//NSW-Swifts.jpg

    Does this give you any clues as to what’s going on? I’m going to try deactivating the ShrinkTheWeb plugin, to see if that makes any difference.
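As an added example (not code from this thread, from BPS or from ShrinkTheWeb), here is a small Python triage script for the BPS 403 log layout quoted in the post above: it parses the entries, strips the ShrinkTheWeb [thumb]...[/thumb] wrapper from the thumbnail script's src parameter, and separates requests whose src points back at the site's own host (the benign case in this thread) from ones fetching from a third-party host (the remote-file-inclusion pattern the timthumb RFI filters exist to block). Host names, addresses and the sample entries are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse
# Constructed sample in the layout of the BPS 403 entries quoted above (RFC 5737 addresses, example host).
SAMPLE_LOG = """\
>>>>>>>>>>> 403 GET or Other Request Error Logged - 29/04/2013 - 10:19 pm <<<<<<<<<<<
REMOTE_ADDR: 192.0.2.10
HTTP_REFERER: http://www.example.test/webstore/
REQUEST_URI: /wp-content/plugins/wp-cart-for-digital-products/lib/timthumb.php?src=[thumb]http://www.example.test/community-advertising/[/thumb]&h=125&w=125&zc=1&q=100

>>>>>>>>>>> 403 GET or Other Request Error Logged - 29/04/2013 - 10:25 pm <<<<<<<<<<<
REMOTE_ADDR: 198.51.100.7
HTTP_REFERER:
REQUEST_URI: /wp-content/themes/demo/timthumb.php?src=http://picasa.example/x.jpg&w=100

>>>>>>>>>>> 403 GET or Other Request Error Logged - 29/04/2013 - 10:30 pm <<<<<<<<<<<
REMOTE_ADDR: 192.0.2.10
REQUEST_URI: /wp-content/gallery/NSW-Swifts.jpg
"""

# Thumbnail scripts named in the thread's .htaccess rule.
THUMB_SCRIPT = re.compile(r"/(timthumb|phpthumb|thumbs?)\.php$", re.I)

def parse_entries(text):
    """Split the BPS log into entries; each entry becomes a dict of HEADER -> value."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith(">>>"):            # the banner line starts a new record
            current = {}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only, so URLs keep theirs
            current[key.strip()] = value.strip()
    return entries

def remote_thumb_source(request_uri):
    """Return the absolute URL a thumbnail script was asked to fetch, or None (wrapper tags stripped)."""
    path, _, query = request_uri.partition("?")
    if not THUMB_SCRIPT.search(path):
        return None
    src = unquote(parse_qs(query).get("src", [""])[0])
    src = re.sub(r"^\[thumb\]|\[/thumb\]$", "", src)   # ShrinkTheWeb [thumb]...[/thumb] wrapper
    return src if re.match(r"(?i)(https?|ftp)://", src) else None

def triage(text, site_host):
    """Label each entry as own-host-src (benign, as in this thread), remote-src (RFI pattern) or other."""
    results = []
    for e in parse_entries(text):
        src = remote_thumb_source(e.get("REQUEST_URI", ""))
        label = "other" if src is None else ("own-host-src" if urlparse(src).hostname == site_host else "remote-src")
        results.append((e.get("REMOTE_ADDR"), label, src))
    return results
```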

    #5097
    AITpro Admin
    Keymaster

    The RewriteCond %{REQUEST_FILENAME} !-f is standard WordPress .htaccess code that has been incorporated into BPS and is not a security filter.

    This is the same original problem and I have posted the fixes that work 100% of the time on every other website in the world except for yours.  There is another factor occurring on this website so you need to find out what that is.

    As I have already stated.  I have provided the fixes that work in 100% of the cases and I do not know exactly what is wrong on your site.

    I do not think the issue is with WP eStore unless there is some setting that is different or maybe incorrect.  My gut is telling me that there is another factor involved such as a Host control panel setting, a plugin or theme conflict with BPS and/or timthumb or maybe some database corruption or damage.  I guess you could try installing the same plugins on the site that is working and see if the problem reoccurs.


    #5098
    AITpro Admin
    Keymaster

    If it was my site and this problem was occurring only on this one site and not on a test site and I suspected Database damage or corruption I would make a database backup, reinstall a clean site with new database and then import the backup database content tables into the new site’s database.

    These are the standard WordPress content database tables that you would want to restore.  WP eStore and/or other plugins and themes that you have installed may also have their own custom database tables so you would import those as well.  If there is database corruption in one of those custom database tables with a plugin and theme and that is where the problem is then the problem would occur again.  At that point you would have to isolate which database table has the corruption and pull the content out of that database table and manually add that content to your new site.

    wp_comments
    wp_links
    wp_postmeta
    wp_posts
    wp_terms
    wp_term_relationships
    wp_term_taxonomy
    wp_usermeta
    wp_users

    #5115
    WPS P&C Admin
    Participant

    Ok, thanks for this. I will keep looking for an answer elsewhere.

    There is nothing custom, fancy or unusual about my site, and I’m beginning to think that there is some corruption somewhere, and I will have to start again with a clean site.

    #5118
    AITpro Admin
    Keymaster

    You can try and run a database repair with the Adminer plugin, but in general running a database repair is only able to fix surface level problems so if you have some data in one of your tables that is completely fubar then a database repair is not going to be able to fix it.  You might get lucky by doing something like this – uninstall the most likely plugins that you think could be related to the problem.  Any plugin having anything at all to do with timthumb or images.  Before you do this be sure to make a backup of your database first.  It would be a nightmare to delete your content and have to create it again from scratch.  So if you uninstall a plugin and data is missing from your database you can either restore your entire database or just import individual database tables back into your database.

    Also have you tried deactivating and reactivating all of your plugins?  I have seen this fix problems very similar to this one on your site.

    #5177
    WPS P&C Admin
    Participant

    Ok, fantastic news. I’ve figured out what the problem was. The Thumbnail URL for one of my webstore products (Community Advertising) contained [thumb] [/thumb] tags, which are a feature of the ShrinkTheWeb plugin. Once I removed those the original problem went away. BPS is now working normally on my site, and I’m very happy to be using it.

    I’m sorry to have taken up so much of your time with this issue, and thank you for your patience. I have learned a great deal over the last week!

    #5179
    AITpro Admin
    Keymaster

    Great Job! Please notify the ShrinkTheWeb plugin author of this coding mistake.  Using square brackets like that is a very poor coding practice and the additional clunky forward slash has to be a coding mistake.  This is not only bad, it is also very dangerous.
