usercheckout.php & userrenew.php - working bad

hi all, I think this thread could be in Feature Requests, however when I got deeper into the subject I think it is more a bug rather than request

I read a lot about "stop unfinished adds" etc

now I know what the problem is

ok, here is my explanation and I hope Eric will take it seriously, I am not a programmer and this sort of thing is just too much form me

when a user wants to buy an add he goes through the steps, the
buttons to follow are named Continue - this would be fine if nothing happened till end, but it is working in a different way: when a user goes to step 3 and presses continue a listing and an order are created, none user would expect it to buy and have anything before clicking OK, Submit, Agree or whatever, so if someone is just curious, we all end up with unfinished adds; all this would still be acceptable if a user had a possibility to remove his unfinished and probably unwanted add and order - but it is not possible! this should work something like a basket in an online shop or users should have possibility to remove unwanted orders and listings - this generates another problem, the info to the admin is sent at the very last step, so the admin doesn't even know that a new order has been created, admin has a chance to remove unfinished orders - but we have another problem, when user renew or upgrade a listing the listing changing display to "N" (doesn't display any more) and if the admin removes the order that has not been finished, he will also remove the listing itself

imagine then, that you are a user - you buy an add, you finish it, it
should display for 2 weeks, but after a week you change your mind as
none answered to your listing and you want to gave it featured, you
press upgrade, but when you see the total, you say "no, it is too expensive" and close the browser as there is no back button; what you end up is your paid listing that doesn't display any longer (it should display for another week though), you have unfinished order in order history, that you can't remove and the admin doesn't know that this happened as the email is generated at the very last step tht user didn't go to
also, the listing has new settings that user finally doesn't want to
pay for and if user writes to admin why his listing doesn't display you (as admin) have to dig real deep to find out what the previous settings were and the go to listing itself to correct it, also you can't remove any order or you will remove the listing!

all is really bad, Eric, I think you expected people to go through all step smooth, but it is not the right thing, people change their mind and they should know when they change something when they press something

now, no-one knows what is going on and I think it is so bad that it is nearly dangerous, people pay money and they expect some service, if they don't get they get nervous

I think, both: usercheckout.php & userrenew.php should be super clear

user should have a clear "back button", should be able to stop the process at any step and his listing should not stop displaying if it is paid for

well, my final conclusion - this is a must, not a request, something that makes the script poor and dangerous for the admin and may give the admin a headache, a one step usercheckout.php & userrenew.php could ba a solution, but the most important thing is that any change to the listing/order should be at the last step when the user needs to confirm/buy something, also when renew his previous display shouldn't change and the new settings should appear when they are paid for or accepted by the admin

I wonder what others thing about it

according to this thread https://www.68classifieds.com/forum...ercheckout-php-userrenew-php-working-bad.html I had an idea

A user could have possibility to just start a new listing without ordering it (a piece of code from step3 submit), he could for example create 3 listings to play with without ordering a listing. This would divide ordering proces to 2 steps:
1) creating a new listing, so the data would be created with it, user could easily remove it, see a preview, just play with it
2) ordering it - when the user wants to publish the listing he thinks it is ready to be published then he goes to step 4 of checkout

ordering becomes clear and there would be no more "stop unfinished listings)

another story is the renew, I have no idea how to solve it, probably it should create an order with listing in mind and when the order is paid for or accepted by the admin it will write the new settings to the order

Hi,

Good ideas.

Well for this the listing has to be added to the db before the image step and any others. It is required to know the id to relate all the tables together.

Yes when they renew or upgrade the original listing currently reverts to a not active status because their is a possibility they changed something about the ad. Maybe added featured, highlighted, etc.. So to prevent them from getting free upgrades it has to be set to not active. Then once they hit the thanks page its status changes back.

I am sorry you feel that way and if you can come up with a workable solution then I would be more than happy to look at integrating it. When you try to make a system as flexible as possible and work on as many servers as possible it is hard to work through everything in one smooth motion. Not saying it can't be done.

Again I am all ears if you or anyone can propose a nice easy workable solution. I have also thought about creating a whole shopping cart type checkout but the way I see it the user would have to purchase the package first then later add the number of listings they purchased. This route has a side effect though as users have to pay before starting the ad placement which a lot of folks wouldn't like.

Another option may be to have a simple ad placement:
Step 1: select cat, select package
Step 2: Listing Details, extras, coupons
Step 3: Checkout

Then they could go back and add images later. I can see people not liking that either though.

Eric, I spent on it 2 or more days, lots of time trying to understand how you did it and how it works

I did notice that you first create something then just call back to it in next steps (thanks that orders have enough info), I am not a programmer and when I noticed/understood how you did it I gave up, it is too difficult

as I wrote before

1) step1-step3 - creating listing first, then user can buy it and create order
2) move step 7 to thanks but let the order display (that is another story) - order is completed not after finish, but step before - this is bad
3) need to do something with renew - have no idea what - maybe just remove display ="N" and let it end when it should if not paid for or acepted

by the way - well done with administration folder, I couldn't change its name in v4 as I did in v3

Was this some odd attempt at sarcasm?

Yea not sure I follow that either.

1) step1-step3 - creating listing first, then user can buy it and create order

That may be a good idea. I would have to fully think through the rest of the steps though.

2) move step 7 to thanks but let the order display (that is another story) - order is completed not after finish, but step before - this is bad

Not sure I understand this one.

3) need to do something with renew - have no idea what - maybe just remove display ="N" and let it end when it should if not paid for or acepted

Well with the developer edition you can make this change now. Just edit Listings.php addFeatures() method.

I guess he was refering to 4.1

This is exactly what I am trying to say!

I buy in several shops, I change my mind, remove items, ad them and I think my order is not generated till last step, when I finally press "confirm"

I spent hours on checking how it works and what the steps are, I could change a lot, but I am not able to change the way it works

the easiest way I will go for at this moment is to properly name buttons

I will now go throgh the checkout proces and explain what I ment as still some (including Eric) don't get what I ment

Step 1 - Select Category - that is simple - button "Continue"

Step 2 - Select Package - simple again - server needs to know whare to put a new listing

Step 3 - Listing Details - for the selected Package and for the category chosen first (I understand now why step 1 and step 2 were created - the great functionality of 68c needs the previous steps), but now we have misunderstanding, user doesn't expect to do anything else exept - button "Continue" ------ the easiest way is to name the batton "Create Listing" and user will know that he is actually changing/creating something

when you press continue you go to step 4, but really you use step3submit.php file that is creating listing and the order!

lets go on

Step 4 - Add Images - Eric explaned, first listing then phtos - I get it, no problem buttons "skip.." or "Continue"

Step 5 - Verify the information - this is also understandable, it is mainly for the Payment Method, button "Continue"

Step No Number Verify the information - user expects that still nothing happend, but he is wrong, the php file has already changed the info from stem 5 - and this is exactly what I am after, you get another button "Continue" user doesn't expect nothing but to continue but he really has just changed all his details
this button "Continue" could actually be named: "Now click and we will thank you"

and a funny thing, if a user clicks go back in his browser and goes through some steps another mail will be created, probably another order will be created too , when user uses links above (everyone would think he ca as they are active) Category » Package » Details » Images » Confirm os some of them listing disappears for example package; ok I can disable links, but what are they for? so every one needs to disable them?

similar things happen when renew!

playing with my scripts and trying to find the best way for all those steps I sometimes ended up with several listings and order I couldn't remove, I added a button/maybe buttons to remove orders or listing, but then I noticed that if I remove order only the listing returns errors when modified, so I turned off the modify button

well, the entire process need to function on different servers and browsers, I understand this, but we can't tell users that something works on his opera only because he can't go back, if a button is there it is there for user to use, if the proces is stopped, user doesn't expect anything changed

my programing skills are not that good, I can't program anything on my own, but I am fine with changing things, I gave up to do all myself and decided to start this thread, I hope I shout loud enough as I think it is one big bug that can be a pain for the admin

I understand that it is not easy and it needs rewriting and maybe creating a new table in database maybe for checkout or something, I don't know, but I think it is worth at least a new thread, I did a lot to my script, I have full langage change on the page including categories, pages etc, I have a google map using extra fields were user can add a point, I have langaudge change depending on domain and email are sent in severla langages, I have seller store that doesn't accept javascript like alert and description works with tinyMCE, I have lots of new things - but I can't change the checkout/renew myself and it bothers me much

about the administration folder - it was a year or so ago when I wrote a ticket and asked if it were possible to change the administration folder name, finally I did it myself for v3.17, I did ask for this feature and I was surprised it was not there in v.4, now, as Eric annouced v.4.10 is going to have it, there was no sarcasm - I am just happy, any hacker will first try to get into administration folder, for this reason I also added captcha in any place possible (including admin login)

by the way, in v3 there was a nice cleaning class that made my seller store not working, I had to go throu it, clean but let users use it and make it safe, for v.4 - ALL IS UNSAFE, check the link, I used free add 68 Classifieds

the listing in the demo disappeared, the test user I created also disappeared, but when I created all, all were functioning when you clicked description AAAAAAAAAAAAA there was alert

I used simple code:

PHP:

<B onclick="javascript: alert('Hello Admin')">AAAAAAAA</B> 

Just remove all tags from admin -> checkout settings.

Eric, in version, I think, 3.19 you added a very nice cleaning function, it gave me a pain, but I went through it and removed some code that didn't let seller store work nice
why didn't you give it in v4?

to be honest, I got scared when I discovered it, I didn't like cleanhtml.php as it looked for me too complex and I added a function to format.php (I think), it was a part of that class from v3 - it removes all dangerous words/items etc but still leaves the tags, then I use some common tags in 68c admin

I think there should be some sort of protection, otherwise anybody who uses seller store is in danger

I will look into this.

Eric, seller store is actually one of the most important thing for me - it has to work, so I need the tags, 68c cleans tags but leaves other things

from

PHP:

    /**
     * Code Igniter
     *
     * An open source application development framework for PHP 4.3.2 or newer
     *
     * @package        CodeIgniter
     * @author        Rick Ellis
     * @copyright    Copyright (c) 2006, pMachine, Inc.
     * @license        http://www.codeignitor.com/user_guide/license.html
     * @link        http://www.codeigniter.com
     * @since        Version 1.0
     * @filesource
     */
    // ------------------------------------------------------------------------
    /**
     * Input Class

I created this function and I put it into Format.php

PHP:

function xss_clean($value)
        {                
            $value = preg_replace('/\0+/', '', $value);
            $value = preg_replace('/(\\\\0)+/', '', $value);
    

            $value = preg_replace("/%u0([a-z0-9]{3})/i", "&#x\\1;", $value);
            $value = preg_replace("/%([a-z0-9]{2})/i", "&#x\\1;", $value);        

            $bad = array(

                            'document.cookie'    => '[removed]',
                            'document.write'    => '[removed]',
                            'window.location'    => '[removed]',
                            "javascript\s*:"    => '[removed]',
                            "Redirect\s+302"    => '[removed]',
                            '<!--'                => '<!--',
                            '-->'                => '-->'
                        );
        
            foreach ($bad as $key => $val)
            {
                $value = preg_replace("#".$key."#i", $val, $value);   
            }
        

            $value = preg_replace("#\t+#", " ", $value);
        

            $value = str_replace(array('<?php', '<?PHP', '<?', '?>'),  array('<?php', '<?PHP', '<?', '?>'), $value);

            $words = array('javascript', 'vbscript', 'script', 'applet', 'alert', 'document', 'write', 'cookie', 'window');
            foreach ($words as $word)
            {
                $temp = '';
                for ($i = 0; $i < strlen($word); $i++)
                {
                    $temp .= substr($word, $i, 1)."\s*";
                }
                
                $temp = substr($temp, 0, -3);
                $value = preg_replace('#'.$temp.'#s', $word, $value);
                $value = preg_replace('#'.ucfirst($temp).'#s', ucfirst($word), $value);
            }
        

             $value = preg_replace("#<a.+?href=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>.*?</a>#si", "", $value);
             $value = preg_replace("#<img.+?src=.*?(alert\(|alert&\#40;|javascript\:|window\.|document\.|\.cookie|<script|<xss).*?\>#si", "", $value);
             $value = preg_replace("#<(script|xss).*?\>#si", "", $value);
    

 $value = preg_replace('#(.*?)(onblur|onchange|onclick|onfocus|onload|onmouseover|onmouseup|onmousedown|onselect|onsubmit|onunload|onkeypress|onkeydown|onkeyup|onresize)[^>]*>#iU',"\\1>",$value);

            $value = preg_replace('#<(/*\s*)(alert|basefont|base|behavior|bgsound|blink|body|expression|head|html|meta|plaintext|script|textarea|title|xml|xss)([^>]*)>#is', "<\\1\\2\\3>", $value);

            $value = preg_replace('#(alert|cmd|passthru|eval|exec|system|fopen|fsockopen|file|file_get_contents|readfile|unlink)(\s*)\((.*?)\)#si', "\\1\\2(\\3)", $value);

            $bad = array(
                            'document.cookie'    => '[removed]',
                            'document.write'    => '[removed]',
                            'window.location'    => '[removed]',
                            "javascript\s*:"    => '[removed]',
                            "Redirect\s+302"    => '[removed]',
                            '<!--'                => '<!--',
                            '-->'                => '-->'
                        );
        
            foreach ($bad as $key => $val)
            {
                $value = preg_replace("#".$key."#i", $val, $value);
            }
            return $value;
        }

then

PHP:

case "string":

                
                $NoAllowedTags = '';
                $outputData = strip_tags($value, $NoAllowedTags);
                $outputData = $this->xss_clean($outputData);
                $outputData = $this->IgnoreWhitespace($outputData);


                $outputData = $this->filterword($outputData);
            break;
case "stringHTML":
                $sSQL='SELECT allowedtags FROM '.PREFIX.'checkout_settings WHERE checkoutID=1';
                $result=$db->query($sSQL);
                $rs=$result->fetch();
                $result->freeResult();
                $allowedTags = $rs['allowedtags'];
                $outputData = strip_tags($value, $allowedTags);
                
                $outputData = $this->xss_clean($outputData);

the IgnoreWhitespace - is another function I had to add as I use short description for google map and too much white space mede errors

function xss_clean($value) - is safe and it works for seller store, some original code I needed to remove from it didn't let seller store work properly

you may want to remember this as it is checked and make seller store work smooth (people like seller store)

Hi Eric, Darek and all aboard,

This thread seems to be wandering a bit from its point and I'd like to add my experience as a the owner of a 13-year-old newspaper/magazine which moved it's on-line classifieds system to 68 dev 4 three months ago. I, like Darek, am not a programmer but I have had to pick up a bit of php along the way to do small tweaks and to write a routine to extract all our approved ads in their sections, apply some formatting and prepare them for insertion into our monthly paper publication of which we currently churn out 15,000 examples.

Congratulations to Eric and the team on the neat code. It's a pleasure to wander through.

Right, so here's my impressions about the order process after 3 months with 68:

First off, we manually accept payment and approve paid ads, and to be honest I don't trust the system to handle payments smoothly yet.

It took me a while to get my head around the orders, renewals and listings concept and even though I know it makes sense it still seems clunky to me. I have now learned to work with orders instead of listings. But let me give you the example of the clunkiness I mean:

I come in on Monday after a weekend of people placing ads and find myself with 40 new orders, say. I scroll through the first few pages to find the oldest awaiting approval order on page three. I click on the order. I click on listings tab within the order. I click on the listing within the listings tab and then I edit the ad to correct mistakes and save the changes. 68 returns me to...

...the manage listings page 1. You could say that makes perfect sense, but that doesn't help me out. I click on "Orders" again, then "manage orders" again. Scroll through page one and two again till I get to the oldest order and change it's status to "Approved", hit submit and 68 returns me to...

...page one of the orders. I scroll through the pages again (inspired by the fact that I've only 39 orders left to process) and arrive at the last awaiting confirmation order. Hmm. There are four of them from the same user. This time I right click them and open them in new tabs to avoid so much travel. The first one has no listing in it although it is listed as a paid ad. The second, third and fourth are a similar ad with a time difference of 1 minute and 20 seconds respectively between submissions.

I select the most recent one after verifying it is the best, and discard the other two orders with "delete". But the blank one I leave well alone. I have learned the hard way not to delete these, even if they are throwing the money income tally out of sync for the rest of the month, because, just like Darek discovered, they can be connected to a live listing and when you zap them you zap the users ad which is embarrassing and time consuming. So I make it approved too and forget about it. Close all the tabs. Submit changes and back to page one.

I will probably come across at least another 6, but sometimes many more duplicated orders before I get home to page one, and these are all people getting confused with the order placement process, firing browser back buttons, closing explorer, panicking, opting out... whatever. And each time it generates me an order to investigate and probably a couple of emails for the client too.

I think it is well worth a long serious think / brain storm about how it might be possible to fool proof this rather soon, while we admins still have hair.

Finally I hope this is constructive critisism and I don't come off as a moany old turnip getting his gripe in. I really appreciate the product, and I am aware that it tries to serve a wide spectrum of users and that one persons issues may not be those of another.

Darek is so right when he suggested that people like to twiddle, dabble, poke and say awww and then close their browser (and not always in that order). We should let them do it and only pass the whole mess on to us when it is cooked.

Keep up the good work.

Hi Nick,

I personally try to listen and take in any advice customers have to share. That is the biggest reason for us getting to the point we are now.

I think I have posted this before but just to be clear I am very happy to seriously consider an alternate approach to any of the internals. As long as it keeps the same feature set we already have.

Now I am not saying the way the checkout system is the best but from what you describe all shopping carts have this same issue. We constantly get orders that are not completed, they changed there minds, etc. But this is duplicated in your admin because orders and listings are separate. Which I think they should be. This way the order system can be used for other things in the future.

Nick, this is excatly what I noticed!
Eric, all the confiusing comes from breedcrumbs, it is there to use it, but when it is used we get unfinished order and from unclear buttons.
First - step one, then step two then listing is created and user can edit the listing in normal way but the order is NOT created, the user or admin can delete it without getting into problems.
Then when user wants the listing he can press the button "order the listing" and the order for this listing is created.

This way we would only have to deal with payed or unpayed listing without all confusing that come from info unfinished, uncopleted or whatever.

All the issues come from 2 tables listings and orders but they are not created at the same time, if it is too difficult to deal with both lets deal with one only.

Eric,

I haven't delved inside the order stages, but from what Darek is saying it seems that the order is created before the end of the stages. Is that essential? Is that not where the problem comes from? That the order is created and later the user bums out...

Excuse my ignorance

Nick, that is correct,
I think I remember, when you are on step 2 you chooce the package, once you press go on, the empty listing and order are created then the next steps just fill in the tables with data, that is why I insisted on at least renaming buttons as they are unclear and users don't expect to create anything when they actually do that. Also deviding order from listing would let everyone know what is going on. The idea of the entire system is not that bad, but joing it all together is not the best option.