Getting More Than You Paid For: Working with osCommerce's Open Source Storefront (Part 2)
By Sean Michael Kerner
Adding products -- and coping with shortcomings
Adding your products can itself be a chore. The default installation of osCommerce does
not have any direct import capabilities from a spreadsheet (or other data form)
for product input, though there are user-contributed modules that'll help in
that regard. In fact, the default version of osCommerce really only offers a
very rudimentary product template that many users will feel the need to
customize.
As do many storefronts, osCommerce offers "What's New" and "Specials" areas
for selected merchandise, with some granular control of the timing and expiry of
the specials. The Shipping module by default is set for flat-rate costs, though
users can easily configure it for a variety of options, including mailing via
USPS.
Reporting and Tools
Basic reporting tools are also included,
showing the products viewed, purchased, and customer orders total. A database
backup manager is also part of the osCommerce tool set, as is a basic newsletter
setup for e-mailing your customers -- so you can begin online marketing without
having to pay for the service.
Shortcomings... and Extensibility
One of the great strengths of open
source is the nature of its development process, which allows others to
contribute code improvements and enhancements. The osCommerce community is no
exception to that rule, with well over 2,100 user contributions currently
available. These run the gamut of features from adding other payment gateways
to 'fixing' some of the most serious holes in the default installation setup of
osCommerce.
That's critical, since two holes in particular could pose headaches for store
owners.
From a security point of view, the default installation of osCommerce
should not be used in a production environment without customization.
That's because there is no specific admin login authentication protection
built into the software. In other words, if you keep everything "as is" from the
default installation, anyone can simply visit http://[your site]/catalog/admin
and have access to your storefront's admin interface.
Fortunately, there are user-contributed modules for that now, and you could
always password-protect the admin directory using .htaccess. (More information
on setting up .htaccess is available here.)
Even with .htaccess, there is no time-based cookie authentication or logout
feature, both of which are common in most proper authentication systems. Once
you have accessed your admin screen, anyone who has access to the URL from your
Web browser (via your history file, or by simply pressing your browser's "Back"
button) could gain control of the site. Be warned.
By default, SSL is not enabled -- an option that should always be turned on
when dealing with secure transactions. Otherwise, it's really a trivial matter
for someone with malicious intent to "sniff" your network/site traffic and get
access to users' financial data.
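As an added example (not from the original article or the osCommerce project), here is an .htaccess file for the catalog/admin directory that combines the two measures discussed above: a password prompt and mandatory SSL. It assumes Apache 2.4 with mod_ssl loaded and AllowOverride AuthConfig; the password-file path, user name and IP address are placeholders.

```apache
# .htaccess for the osCommerce admin directory (catalog/admin).
# Added example; assumes Apache 2.4, mod_ssl, and AllowOverride AuthConfig.

# Refuse any request that did not arrive over SSL/TLS, so the Basic
# credentials below are never sent across the network in cleartext.
SSLRequireSSL

# HTTP Basic authentication against a password file.
AuthType Basic
AuthName "Store administration"

# Placeholder path: keep the file outside the web root so it cannot be
# downloaded. Create it once with:
#   htpasswd -c /home/storeowner/private/.htpasswd storeadmin
AuthUserFile /home/storeowner/private/.htpasswd

# Require BOTH a valid login and a known source address.
# 203.0.113.10 is a documentation-range placeholder for the office IP;
# remove the "Require ip" line if administrators connect from changing
# addresses.
<RequireAll>
    Require valid-user
    Require ip 203.0.113.10
</RequireAll>
```

Basic authentication has no logout: the browser keeps sending the stored credentials until it is closed, which is the limitation described above.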
The Admin Account with Access Level add-on module provides access to the
administration tool with added security. A related tool, "EZ" Secure Order &
Customer Viewing for osCommerce Admin, allows for the secure viewing and
editing of order and customer details.
A second area of concern limits osCommerce's "out-of-the-box" interface
customizability. Namely, the default template and text are not easily editable
-- users must go line-by-line through the code on the appropriate pages to make
changes. And you'll want to make changes -- normally, the default install will
leave you a template that is essentially unusable for serious e-commerce
storefronts.
Again, however, there are user-contributed modules to help in that regard as
well, bringing a default install of osCommerce out from the dark ages of
web development.
Indeed, there are literally hundreds of modules for just about anything and
everything possible available here. The only
caveat is that there is no "official" rating system on the osCommerce site for
the quality of any of the user-contributed modules -- so as the site disclaimer
notes, "use is at your own risk."
In addition to osCommerce's "out-of-the-box" security vulnerabilities and its
weakness in template customization, one other omission could hamper your efforts
to set up a storefront. While there is a documentation project
online, it is unfortunately still incomplete.
Conclusions
However, with the installation of a few necessary
modules, plus a little time and effort, e-commerce store owners can reap some
significant benefits from osCommerce without requiring much in the way of
developer savvy.
The program offers a solid foundation for a very robust and fully functional
storefront that holds its own against virtually any other e-commerce storefront.
Considering the price of the application (that is, free), I'd say it amounts
to a fair deal for most cost-conscious store owners. But if you're like most
entrepreneurs, your time is at a premium, and might be better spent with one of
the already customized pre-built versions of osCommerce, which many Web hosts
offer.
In this case, you'll be paying fees (often monthly) for a technology that's
essentially free, but you'll save yourself a few hours of configuration -- and
if you're not especially tech-savvy, a few hours of moderate hair-pulling.
About the Author
Sean Michael Kerner is a contributor to eCommerce-Guide.com.