Community Add-Ons
Customer Testimonials v1.0
for osCommerce Online Merchant v2.2
This is an application whereby when satisfied client emails or writes you a compliment/testimonial, you as the site owner can easily show this on your website.
This script creates a side "infobox" which randomly picks a testimonial to show. The person viewing your site can then click the text to show the full Testimonial on a new page.
This version is an updated 2.0 version with the security bug fixed that gave the possibility of SQL INJECTION. All previously installed versions must be updated.
File customers_testimonials.php changed (casting variable testimonials_id + making sure only one testimonial is shown for one id).
Only one file changed from the last version 2.0: customers_testimonials.php. Update!!!
I noticed that when you select edit in the administration section it was not displaying the location.
The problem was on line 159: it had $testimonials_location instead of $tInfo->testimonials_location.
This file is a direct replacement for admin/testimonials_manager.php V2.0
Full Package
Please back up your files and use at your own risk. This is working on my site but I am not a pro and can't guarantee perfect results on yours.
CAREFUL: *** if you are updating from an older version use the testimonial_update_to_v2.sql file to make sure you do not affect the testimonials that are already in your database.
Made a few corrections (from v.1.4):
- catalog/customer_testimonial.php was getting info from the boxes directory instead of the modules directory... you can again get the CLICK HERE TO VIEW ALL TESTIMONIALS
- wording in English files in both admin and catalog has been changed to make it more user friendly for those of us who cater to customers who are not as literate as others.
- randomizing of the full list of testimonials has been included
(From v1.4.1)
Subject now showing on both shop and admin sides.
(from v1.4.2)
changed $HTTP_POST_VARS to tep_db_prepare_input($HTTP_POST_VARS) to make the input fields safer, as recommended by Hayden and Paul.
** Additional Modifications:
- Corrected the 2 buttons on the catalog/customer_testimonials.php (sorry..my bad)
- Added a field to get State and Country from customer and have it show in both shop and admin. (You can change this to City or whatever you choose by simply editing the catalog/includes/languages/english/customer_testimonials.php and catalog/admin/includes/languages/english/testimonial_manager.php files to suit your needs.)
All credit goes to those who created this contribution and added to it in the past.
changed $HTTP_POST_VARS to tep_db_prepare_input($HTTP_POST_VARS) to make the input fields safer, as recommended by Hayden and Paul.
Full Package
Customer Testimonials v1.4.1 -
Subject now showing on both shop and admin sides.
Thanks to Hayden's post in the forum at http://forums.oscommerce.com/index.php?showtopic=230089, there is a security risk to using this mod. Anyone could effectively issue a script command and control your server or site?...
Avoid this until a patch is issued.
Vulnerability found.
I have modded my Testimonials contrib to only use the customer's name and message, no other details are taken, so I'm not sure what other fields are vulnerable.
I've found that the following code, entered as the customer's name, shows a messagebox within the admin page. If entered as the testimonial body, it causes the 'delete', 'edit' and 'add new' buttons not to be shown on the admin page, effectively causing a DoS. I had to log into phpMyAdmin to remove it from the customer_testamonials table.
<script>alert(123);</ScRiPt>
Also, this line entered as the testimonial body causes the same DoS effect, but luckily does not seem to include the specified file:
<!--#include file="/etc/passwd"-->
Therefore I propose that all fields entered by the customer are screened for such exploit attempts.
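As an added example that is not the contribution's own code, the two defensive changes discussed on this page (the v2.0 integer cast on testimonials_id before it reaches SQL, and screening of every customer-entered field as proposed above, done here by encoding on output) written as stand-alone PHP; the function names and the column/table names are assumed for illustration, and osCommerce helpers such as tep_db_query are not used so the file runs on its own.

```php
<?php
// Added example, not the contribution's code. Function and column names are
// hypothetical; the real add-on uses osCommerce's tep_* helpers instead.

// Fix 1 (v2.0 note): cast testimonials_id to int before building the query.
// A crafted id such as "5 OR 1=1" collapses to 5, and LIMIT 1 guarantees
// that exactly one testimonial is returned for one id.
function build_testimonial_query(string $raw_id): string
{
    $id = (int) $raw_id;
    return "SELECT * FROM customer_testimonials WHERE testimonials_id = "
        . $id . " AND status = '1' LIMIT 1";
}

// Fix 2 (Hayden's report): encode every customer-supplied field when it is
// rendered, on both the shop and the admin side. Tags such as <script> or
// an SSI comment are then displayed as text rather than interpreted, so the
// admin page keeps its 'delete', 'edit' and 'add new' buttons.
function encode_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_testimonial(array $row): string
{
    return '<b>' . encode_field($row['testimonials_name']) . '</b><br>'
        . nl2br(encode_field($row['testimonials_text']));
}

// Constructed sample row using the two strings quoted in the report above.
$row = [
    'testimonials_name' => '<script>alert(123);</ScRiPt>',
    'testimonials_text' => '<!--#include file="/etc/passwd"-->',
];

echo build_testimonial_query('5 OR 1=1'), "\n";
echo render_testimonial($row), "\n";
```

Encoding on output complements, and does not replace, the tep_db_prepare_input() call on the submitted fields mentioned in the v1.4.2 notes.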
Full Package
Please back up your files and use at your own risk. This is working on my site but I am not a pro and can't guarantee perfect results on yours.
Made a few corrections:
- catalog/customer_testimonial.php was getting info from the boxes directory instead of the modules directory... you can again get the CLICK HERE TO VIEW ALL TESTIMONIALS
- wording in English files in both admin and catalog has been changed to make it more user friendly for those of us who cater to customers who are not as literate as others.
- randomizing of the full list of testimonials has been included
All credit goes to those who created this contribution and added to it in the past.
For some reason my box displays something RETENTE..
This is just a fixed /catalog/includes/boxes/customer_testimonials.php added into the full package.
Full package, 1 fix included!
Gathered previous fixes, changed box code a bit, made a single install file instead of many, customer testimonial send changed to show the customer's data by default if logged in.
Support forum located at http://forums.oscommerce.com/index.php?showtopic=230089
NO FILE INSIDE.
Guys, you might want to check this one. This feature supports a customer initiated testimonial. The admin has the prerogative to accept or decline it though. It is presumed that you have already installed the customer_testimonials_v1.3 files. No intention was made to create a nice layout as the functionality was the primary concern. You may customize it on your own.
This will ensure your customer doesn't lose their basket contents
On line 31 of
catalog/includes/boxes/customer_testimonial.php should read
'text' => '<a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS, tep_get_all_get_params(array('language', 'currency')) . 'language=' . substr($language, 0, 2), $request_type) .'&testimonial_id=' . $random_testimonial['testimonials_id'] . '"><b><center>' . $testimonial_titulo . '</center></b><br>' . strip_tags($testimonial) . '...<br><b>' . TEXT_READ_MORE . '</b></a><br><br><table align="right" border="0" cellspacing="0" cellpadding="0"><tr align="right"><td align="right" class="infoBoxContents">' . TEXT_REMITENTE . '<b>'.$random_testimonial['testimonials_name'].' </b></td></tr></table>'
Thanks Gary Burton for the great idea
Note: use the downloaded file only if you use a template version of OSC.
Otherwise make the manual change to the query.
To randomize the query, change:
_________________________________________
$full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE status = '1'");
_________________________________________
to:
_________________________________________
$full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE status = '1' order by rand()");
_________________________________________
In this way you get a random list each time the page is called.
Enjoy ;-)
My apologies for the post here on this request. Does anyone know how to randomize the complete list of testimonials so it displays them in a different order each time?
replace in catalog/includes/boxes/customers_testimonials.php on line 31
I believe this is the proper syntax
'text' => '<a href="' . tep_href_link (FILENAME_CUSTOMER_TESTIMONIALS, 'testimonial_id=' . $random_testimonial['testimonials_id']) . '">' . $testimonial . '...<br>Read more...</a><br><b>' . $random_testimonial['testimonials_name'] . '</b>'
On line 31 of
catalog/includes/boxes/customer_testimonial.php should
read
'text' => '<a href="' . tep_href_link (FILENAME_CUSTOMER_TESTIMONIALS) .'?testimonial_id=' . $random_testimonial['testimonials_id'] . '">' . $testimonial . '...<br>Read more...</a><br><b>'.$random_testimonial['testimonials_name'].'</b>'
This will ensure your customer doesn't lose their basket contents
This application allows you to dynamically display customer correspondence in the form of 'Testimonials'. An info box is displayed in the column of your choice which shows a small piece of a random testimonial. When clicked on, the full testimonial is displayed.
Admin Features:
* Add/View/Change/Delete testimonials.
* Active/Inactive setting for each entry.
Catalog Features:
* Shows small snippet of random active entry in an info box.
* Clicking on snippet shows full text in main data area.
* Clicking arrow on info box shows full text of all active entries in main data area.
* Displays URL or mailto: for entries that contain them.
* Displays link to show all active entries when viewing single entry full text.
This version has been modified to work on OSC v2.2 MS2
Updated to v1.1 as there were 4 or 5 silly errors in the code.
I have installed it from scratch and all appears to now be working as it should do.
Working example as at http://www.seen-online.co.uk/customer_testimonials.php
