QWK
QwkPatch
QwkPatch protects you against various bugs, exploits, and validation limitations of the Miva Merchant software by doing additional system checks to help make sure customers aren't doing things they shouldn't be able to do.
QwkPatch has a fully configurable error screen which accepts a token for display of the specific configurable error message returned when a given patch is triggered. For 4.x the error screen even automatically includes the normal page wrap, such as the global header, footer, and navigation for whatever user interface module you have installed.
Miva Merchant Compatibility: 2.22 - 4.24
QwkPatch has been extensively tested on Miva Merchant versions 2.25, 3.02, 4.12, 4.13, and 4.22. QwkPatch should work on all versions above 2.2, barring possible unknown bugs in various versions of Miva Merchant. On 2.x versions below 2.2 some of the patches may still work, but due to API limitations and general instability in Miva Merchant versions below 2.2, we can't support use of the software on those versions. So if you want to try it, you do so at your own risk.
Miva Merchant 1.x can't use the software at all, because the API simply doesn't support it. So if you have a Miva Merchant 1.x store you want protected, you would have to have custom modifications done.
QwkPatch 2.00 Patch List
Patch 1 - Payment Module Installed Check
This patch does a check to make sure the payment method submitted for payment authorization is for a valid module installed in the store. Without this patch it is possible under certain circumstances for shoppers to bypass the need to enter in any payment information such as a credit card number, and skip right to the invoice. Without the patch you must therefore be very careful to manually cross reference all your orders to make sure you don't ship something that wasn't paid for. Also if you do any sort of electronic fulfillment, such as selling software, images, etc. then shoppers using this exploit would get the products before you even noticed there was a problem. This patch is not required if you are using Miva Merchant 4.16 or higher.
Patch 2 - Add To Basket Availability Group Check
This patch stops shoppers from being able to add an item to their basket that is part of an availability group they don't belong to. Without this patch it is possible for a shopper to add such an item to the basket, even if they haven't created a customer account, much less been assigned to the availability group.
Patch 3 - Upsale Item Manual Basket Add Check
This patch stops shoppers from manually adding an upsale item to their basket. If you use upsale you have probably worked hard to make sure that certain free or steeply discounted items are only presented to the shopper during checkout when they have certain items in their basket, and/or have met certain minimum purchase requirements. Without this patch a shopper can modify the URL to manually add an upsale item to their basket. When doing so they can even get an item that was discounted to $0.00 that should have only been available with the purchase of other specific expensive items. If the free upsale item is the only thing they add to their basket they can even bypass the shipping, tax, and payment options and jump straight to the invoice.
Patch 4 - Shipping Module Installed Check
This patch does a check to make sure that the shipping method submitted is for a valid module installed in the store. Without this patch it is possible for shoppers to bypass the shipping calculations and not pay any shipping charges on the order. Without the patch you must therefore be very careful to manually cross reference all your orders to make sure you don't ship something that didn't have the shipping charges paid for. This patch is not required if you are using Miva Merchant 4.16 or higher.
Patch 5 - Shipping Charge Check
This patch makes sure that a shipping charge was actually added to the basket charges table. It is okay if the charge was set at a zero price because you offer free shipping under certain circumstances, but this patch makes sure a shipping module actually made that decision and added a zero charge, rather than there being no charge in the table. Without the patch you must therefore be very careful to manually cross reference all your orders to make sure you don't ship something that didn't have the shipping charges paid for. This patch is not required if you are using Miva Merchant 4.16 or higher.
Patch 6 - Tax Charge Check
This patch makes sure a tax charge was actually added to the basket charges table. It is okay if the charge was set at a zero price because no tax was required based on your tax module configurations, but this patch makes sure your tax module actually made that decision and added a zero charge, rather than there being no charge in the table. Without the patch you must therefore be very careful to manually cross reference all your orders to make sure you don't ship something which you didn't collect the proper taxes on. This patch is not required if you are using Miva Merchant 4.16 or higher.
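The checks described for Patches 1, 4, 5 and 6 share one idea: validate what the checkout request claims against server-side state before issuing an invoice. The sketch below is an added illustration in Python, not QwkPatch or Miva Merchant code; the module codes, the `(type, amount)` row layout and the error names are assumptions made for the example.

```python
from decimal import Decimal

# Hypothetical module codes for a constructed store; not Miva Merchant's own names.
INSTALLED_PAYMENT = {"CREDITCARD", "CHECK"}
INSTALLED_SHIPPING = {"FLATRATE", "UPSONLINE"}

def checkout_errors(charges, pay_module, ship_module):
    """Return the failed checks for an order; an empty list means it may proceed.

    charges models the basket charges table as (type, amount) rows.
    """
    errors = []
    # Patches 1 and 4: the submitted method must belong to an installed module.
    if pay_module not in INSTALLED_PAYMENT:
        errors.append("payment_module_not_installed")
    if ship_module not in INSTALLED_SHIPPING:
        errors.append("shipping_module_not_installed")
    # Patches 5 and 6: a row must exist. An amount of 0.00 is a decision a module
    # made (free shipping, no tax due); an absent row means no module ran at all.
    present = {kind for kind, _amount in charges}
    for kind in ("SHIPPING", "TAX"):
        if kind not in present:
            errors.append(kind.lower() + "_charge_missing")
    return errors

# Constructed sample orders.
FREE_SHIPPING_ORDER = [("SHIPPING", Decimal("0.00")), ("TAX", Decimal("0.00"))]
SKIPPED_STEPS_ORDER = []  # charges table never populated

if __name__ == "__main__":
    print(checkout_errors(FREE_SHIPPING_ORDER, "CREDITCARD", "FLATRATE"))
    print(checkout_errors(SKIPPED_STEPS_ORDER, "", ""))
```

Each returned error name could map to one of the configurable error messages shown on the error screen.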
Patch 7 - Affiliate Status Check
This patch stops affiliates from changing their status, or new affiliates from creating their account with a status of their choice. Without this patch it is possible for affiliates that have not been approved yet to change their status so that they are approved, or for new affiliates to set their initial status as approved. This patch is meaningless if you are using a version of Miva Merchant lower than 4.x.
Patch 8 - Duplicate Order ID Check
This patch helps prevent duplicate order numbers from being added to the orders database. Without this patch there are various circumstances that can cause duplicate order numbers to get entered into the orders database. To be clear, this patch doesn't stop duplicate order ids from being issued, nor does it prevent the automatic recovery of order numbers to the orphans database; what it does is generate a new order id for the order about to be created if that order id already exists in the orders database.
Patch 9 - Partial Product Code Match On Add To Basket
This patch helps prevent products from accidentally getting added to a shopper's basket, which can occur if, for whatever reason, the add to basket request is made with a product code that is not currently valid and yet is a partial match on another valid product code. For example, suppose you had three products with the codes "PROD", "PROD-PRO", and "PROD-LITE", and links existed in various places to add those products to the basket, but the first product had been deleted or deactivated in the store without all the links to add it having been removed. In such a case, if someone clicked on that link, the result would depend on whether they had either of the other products in the basket: either they would get an error message saying the product wasn't found and yet one of the other two products would be silently added to the basket, or they would get no error message but the quantity of one of the items already in the basket would be increased by one. Clearly this would serve only to confuse and annoy shoppers and should be avoided. Using the patch stops the behavior and instead lets you choose an error message to display to the shopper.
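The add-to-basket checks in Patches 2, 3 and 9 can be pictured as one server-side gate. The following Python sketch is an added illustration, not QwkPatch or Miva Merchant code; the catalog, the prefix-match model of the partial match, and every function and field name are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Product:
    code: str
    active: bool = True
    availability_group: Optional[str] = None  # None: open to every shopper
    upsale_only: bool = False                  # offered only by the upsale step

# Constructed catalog using the product codes from the Patch 9 example.
CATALOG = [
    Product("PROD", active=False),             # deactivated, stale links remain
    Product("PROD-PRO"),
    Product("PROD-LITE"),
    Product("WHOLESALE-KIT", availability_group="WHOLESALE"),
    Product("FREE-GIFT", upsale_only=True),
]

def loose_lookup(code):
    """Assumed model of the flaw: the first active code starting with `code` wins."""
    return next((p for p in CATALOG if p.active and p.code.startswith(code)), None)

def strict_lookup(code):
    """Patch 9 behaviour: only an exact match on an active product counts."""
    return next((p for p in CATALOG if p.active and p.code == code), None)

def add_to_basket(code, customer_groups=frozenset(), via_upsale=False):
    """Return (product, error); exactly one of the two is None.

    customer_groups and via_upsale must come from server-side session state,
    never from request parameters the shopper controls.
    """
    product = strict_lookup(code)
    if product is None:
        return None, "product_not_found"
    # Patch 2: the shopper must belong to the product's availability group.
    group = product.availability_group
    if group is not None and group not in customer_groups:
        return None, "not_in_availability_group"
    # Patch 3: upsale items cannot be added by a direct request.
    if product.upsale_only and not via_upsale:
        return None, "upsale_item_manual_add"
    return product, None

if __name__ == "__main__":
    print(loose_lookup("PROD"))   # a different product than the one requested
    print(add_to_basket("PROD"))
```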