Earlier versions of Magento were susceptible to a form of session fixation vulnerability, which can have quite serious consequences even without anyone trying to exploit it maliciously. Visitors may unwittingly follow a link to a Magento site, and be logged in as another user without performing any actions. This results in multiple visitors sharing a session and causes confusion as they add and remove things from the same cart, and potentially even allows them to view another customer's details and place orders under their account. Luckily the issue has a simple fix in version 1.4 and later, but in this post we'll also detail a precaution that can be taken to guard against this in earlier versions.
Customise Magento Checkout Success Page Based On Payment Type
by Denis Margetic in Magento
The Magento order process completes with an order success page confirming that the order has been received and displaying the order number. This poses a problem for orders with non-instantaneous payment methods (like Check/Money Order), since the necessary payment details are only shown during the payment step, before the order is placed, so customers need to know to note them down. Ideally you want any necessary payment information to be shown to the customer once they have finished placing the order. This post shows how to customise the order success page based on the selected payment type to show payment details for non-instantaneous payment methods, ensuring that customers properly complete the full order process.
Automatically set Magento customer group
by Jeremy Champion in Magento
A commonly used Magento feature is the ability to place customers into different customer groups. These customer groups can then be used in a number of ways, such as tiered pricing where each customer group may have different pricing applied. By default, Magento does not include a means of automatically sorting customers into different groups when the customer account is created; instead they must be assigned manually. This post follows on from our creating custom customer attributes post and shows how to automate customers being assigned to groups based upon information they have provided when signing up, whether from a custom or default customer attribute.
Extending the Magento web services API
by Peter Spiller in Magento
First of all, you need to find the Magento core file that provides the API method you want to extend. These are generally in model files called Api.php or under directories called Api. For example, I recently needed to look up customer orders by their IDs, as opposed to their increment IDs (aka their order numbers, such as '#100000003'). After some searching, I found the file that contains the relevant code at app/code/core/Mage/Sales/Model/Order/Api.php, in the _initOrder() method:
Direct SQL queries in Magento
by Chris Norton in Magento
$conn = Mage::getSingleton('core/resource')->getConnection('core_read');
This will return a Varien_Db_Adapter_Pdo_Mysql object, a subclass of Zend_Db_Adapter_Abstract, which will allow you to run the Zend adapter methods directly. For example:
// Prints a list of all website names
$results = $conn->fetchAll("SELECT * FROM core_website;");
foreach($results as $row) {
echo $row['name'] . "\n";
}
Note the use of the core_read parameter in the getConnection call: this tells Magento which resource (essentially, which database connection) to use for the query. In most cases this won't be relevant and can be left as core_read, but it becomes vitally important to set this correctly when using multiple databases, which is one deployment scenario outlined in the Magento performance whitepaper.
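As an added example (not code from the original post), the following shows the same adapter used safely: the table name is resolved through the resource model, untrusted input is passed as a bound parameter rather than concatenated into the SQL, and writes go through core_write rather than core_read. The request parameter name and the new website name are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Assumes a Magento 1 bootstrap
// (Mage::app()) is available; the 'code' request parameter and $newName are
// constructed values for illustration.

$resource = Mage::getSingleton('core/resource');

// Read connection, as in the post. Resolving the table name through the
// resource model applies any configured table prefix.
$read  = $resource->getConnection('core_read');
$table = $resource->getTableName('core/website');

// Untrusted input must never be concatenated into the SQL string; pass it
// as a bound parameter so the adapter quotes it and it cannot alter the query.
$code = Mage::app()->getRequest()->getParam('code', 'base'); // hypothetical parameter
$row  = $read->fetchRow(
    "SELECT website_id, name FROM {$table} WHERE code = :code",
    array('code' => $code)
);

if ($row) {
    echo "Website {$row['website_id']} is '{$row['name']}'\n";
}

// Writes go through core_write: on a split read/write deployment the
// core_read connection may point at a read-only replica.
$newName = 'Main Website'; // constructed value
$write   = $resource->getConnection('core_write');
$updated = $write->update(
    $table,
    array('name' => $newName),           // values are quoted by the adapter
    $write->quoteInto('code = ?', $code) // quoteInto builds a safely quoted WHERE clause
);
echo "Rows updated: {$updated}\n";
```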