Should We Use OpenCart?
As a continuation of my research into choosing an appropriate shopping cart application for an upcoming project I'm working on, I chose to review OpenCart this time. To be honest, I hadn't even heard of OpenCart until a comment on the last post turned me on to it, but after reviewing it I'm glad I did.
OpenCart is another e-commerce platform for setting up an online storefront. It is released under the GNU General Public License version 3 (GPLv3), which means it's freely available for anyone to use, and since OpenCart is written in PHP it's right in my wheelhouse. The main developer of OpenCart is Daniel Kerr who, from what I can gather, is over in Great Britain (and is not the Australian rules footballer, in case there was some confusion from any Aussies).
Anywho, OpenCart has a lot of good features available out of the box, my favorites being the Backup Manager, User Groups, really nice localization (l10n) and internationalization (i18n) options, support for multiple stores and a slick reporting overview. OpenCart also has the one feature I personally love in any e-commerce package: guest checkout. When I'm buying something from an online store that isn't a 500-pound gorilla like Amazon or Best Buy I hate signing up for an account. Guest checkout is the shit.
The code is really well structured and thought out; it uses a nice implementation of the MVC pattern, which made it ridiculously easy to walk through and find out what was going on under the hood. OpenCart appears to use a home-grown MVC framework, which is a little unnecessary in my opinion but not a big deal. Unfortunately, the code appears to be open to Cross-Site Request Forgery (CSRF) attacks: the admin pages accept state-changing requests with nothing but the session cookie to authenticate them and no per-session token, so any page an administrator visits while logged in can submit a request on their behalf. There are other security issues as well. More on this in a minute.
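To make the CSRF point concrete, here is an added example of the pattern the admin pages were missing: a synchronizer token stored in the session and checked on every state-changing request. This is my own illustration, not OpenCart's code and not from the original post; the function names, the `csrf_token` field and session key, and the `route=` value in the form are assumptions, and it needs PHP 7 or later for `random_bytes()`. The vulnerable handler is shown beside the hardened one so the difference is visible.

```php
<?php
// Added example: synchronizer-token CSRF protection for a PHP admin action.
// Not OpenCart code; csrf_token(), csrf_check(), delete_product*() and the
// form route are assumed names. Needs PHP >= 7.0 (random_bytes) and >= 5.6 (hash_equals).

session_start();

// Issue one unguessable token per session and embed it in every
// state-changing form the admin renders.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
// A missing token (the typical cross-site submission) is rejected outright.
function csrf_check(array $post): bool {
    if (empty($_SESSION['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// VULNERABLE: trusts the session cookie alone. Any third-party page the admin
// has open can auto-submit a form to this URL; the browser attaches the admin's
// cookie, and the handler has no way to tell the request came from elsewhere.
function delete_product_vulnerable(int $productId): void {
    // ... delete the product row ...
}

// HARDENED: same action, but refuses anything that is not a POST carrying the
// session's token. A cross-site page cannot read the token because of the
// same-origin policy, so it cannot forge a valid request.
function delete_product(int $productId): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... delete the product row ...
}

// Rendering side: every admin form carries the token as a hidden field.
function product_delete_form(int $productId): string {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="index.php?route=catalog/product/delete">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="hidden" name="product_id" value="' . (int) $productId . '">'
         . '<button type="submit">Delete</button></form>';
}

// Dispatch: only the hardened handler is wired up.
if (isset($_POST['product_id'])) {
    delete_product((int) $_POST['product_id']);
} else {
    echo product_delete_form(42);
}
```

The check has to sit on every handler that changes state, which is exactly why retrofitting it touches every admin page; wiring it into the framework's single request dispatcher rather than each controller keeps that cost to one place.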
The OpenCart administration module is attractive and laid out logically. Everything is ready and available in such a way that most people with experience working with administration panels would feel right at home. It should be noted though that the administration panel will NOT work in Internet Explorer 6.
Naturally, OpenCart also ships with the ability to use custom themes, and the default theme is quite attractive too. After reviewing the procedure for creating themes, though, I have to say that I'm not even a little impressed; theme creation appears, in my opinion, to be overly complicated, a little convoluted, and it deviates from the conventions used by countless other open source projects.
OpenCart has a basic module system, though it isn't what, in my experience, should be considered a module system; in OpenCart a module is more of a sidebar widget. A small distinction to be sure and not really an issue; more an inconvenience of nomenclature than anything else, but something that drives me nuts (can't we all agree on what these terms mean already?).
There's also a lot of manual intervention needed when configuring the system. Want to add a module? Upload the module over FTP (or, preferably, SFTP, since plain FTP sends your login credentials in the clear), go to the module section of the admin, click install, click edit and fill out the form (be sure to enable the module too). Want to turn on search-engine-friendly URLs? Rename the file .htaccess.txt to .htaccess (through FTP or similar), then go to the settings area of the administration panel to enable them. Very anti-user-friendly in my opinion.
There are other issues with OpenCart, like the flow for adding images to a product being pretty convoluted, but those are all small in the grand scheme (pretty much all my gripes can, rightfully, be dismissed as design decisions I don't agree with). Fair enough. What isn't acceptable is the complete lack of respect the developer has for security in OpenCart, or for the developers who try to help out in general. This, I'm afraid, is a deal breaker.
May 2010 was actually a pretty fortuitous time for me to research OpenCart; as soon as I began looking into the program I started seeing some discussion about it, which led me to a thread on the official OpenCart forums. Another developer had some suggestions on how to improve the style and conventions of OpenCart and, well, Daniel really showed his ass.
Then, not a week later, I see that there's another war going on between Daniel and a developer who found some pretty nasty CSRF issues. Again, Daniel showed his ass (along with a good helping of ignorance mixed with arrogance this time), with nothing being resolved.
This was truly the breaking point for me. Why in the world would I ever use software written by someone who, when confronted with the issues, acts like nothing's wrong? Nope. I have people relying on me to make choices that won't, you know, ruin their business, and OpenCart, for all its bells and whistles and nice code and pretty administration panel, is a horrible platform because the developer refuses to do anything about issues when presented with them.
Dear Sir, I am not here to comment on your post. I just need your little help. Is multiple store functionality possible in OpenCart? Please, reply! Your help will be appreciated.
Yup; multiple stores are possible though it’s not so straightforward as I would like to setup.
I think there is something wrong with you to be posting my comments in your blog. Nice review of OpenCart but there is a lot I don’t agree with. You are comparing OpenCart to which applications? When you claim adding images to a product is pretty convoluted, what application does this better?
“Another developer had some suggestions on how to improve the style and conventions of OpenCart and, well, Daniel really showed his ass.”
The developer was not being helpful and was quite misinformed about the right way to do things.
He was spreading misinformation about OpenCart to anyone visiting the forums.
“pretty nasty CSRF issues. Again, Daniel showed his ass (along with a good helping of ignorance mixed with arrogance this time) with nothing being resolved.”
This will be resolved in the next version. I never said I was not going to fix it but I got sick of the guy harassing me about it. The amazing thing is when I told him to stop bothering me he posts in his blog to everyone, look what he said, look what he said to me!
If you’re such a good programmer then please post me the best application you have written! Post me something that has more features than OpenCart or better web design, since I did everything from the artwork, DB, HTML, CSS, JavaScript and PHP myself.
Fucking grow up you idiot!
Hi Daniel,
I admit, I am arrogant and cocky and, sometimes I like to act superior too (just ask my girlfriend). I know this about myself and, you know what? It’s not a big deal because I listen to feedback and criticism with respect and don’t turn into a child at the helpful, yet sometimes redundant, criticism.
I wasn’t comparing OpenCart to anything in particular; the point of the post (which I admit may have been unclear) was to evaluate OpenCart for an upcoming project I have planned. So, it was a broad review focusing on features, code, stability and community. To be honest with you, OpenCart far exceeded my expectations in all aspects except community and stability. You’ve truly put together an amazing project and you should be proud.
That being said, your attitude and response to criticism is, like I said in the post, abysmal. Frankly, obnoxious and immature would be a step up at this point. Do you not recognize that OpenCart and you are, at this point, synonymous? Your behavior reflects upon the project man and right now, you make your amazing and wonderful project look like a ghetto of childish behavior and incompetence. Even having gone through the code and basically falling in love with the parts and components and the very philosophy of the code it’s a no-go because instead of focusing on damage control you’re fanning the flames and allowing the trolls something to discuss. My clients don’t want to lose money man and I have no faith that OpenCart is secure. Deal with it.
Even your comment on this post starts out so nice but quickly ends with you, once again, showing your ass. How mature do you think it looks that you sign off with something so base (and lacking in imagination) as “Fucking grow up you idiot!”?
My comments about the Image Manager stemmed from the lack of an instinctual process. When adding an image it is not at all intuitive to click on the unmarked image next to the thumbnail after clicking “Add Image”. Add to that the fact that if there are any form submission issues all the images are lost. This is a problem. If you don’t agree, well, it’s your project man, do what you want. Bitching about the criticism doesn’t solve a thing though. Ever. Own that someone disagrees with you (like this is the first or last time that’s going to happen) and be honest; anything less makes you and OpenCart look less, ahem… open.
I have no doubt that, to you, in all your intelligence, the user in the forums was wrong. As I said, your code is GOOD. But, what kind of a response was that? What possible outcome were you expecting other than to get completely outed saying such things and calling people names and, basically, just being a jerk?
A far better response would have been to either ignore the post (I tend to ignore the things I don’t agree with rather than fight) or been a professional and just said “Thanks, I’ll take it under advisement.”.
I’m glad to hear that the CSRF issues will be resolved in the next release. From your responses and, what appeared to be, ignorance on the topic (with comments about virus protection making the issue moot) it appeared that this was NOT going to happen without a fork.
As for Ben and his post, it’s the Internet man and those of us with blogs (myself included), well we’re all attention whores. Personally, I see no problem with him making the communication public simply because from the language it DIDN’T look like you were going to take it seriously. That’s a problem that required the drastic step. Were you to be responsive and open Ben would be the dick for his post. As it stands though, I look at Ben’s post as a warning to everyone currently using OpenCart as to the security holes that it looked like you were either ignorant of or ignoring.
As to my chops as a programmer (really?!?! that’s the tack you’re taking?) take a look at my portfolio.
Thank you for taking the time to respond to my points Daniel. I can only imagine the constraints on your time and I do appreciate the opportunity to discuss this post with you.
Eric
I want to defend Opencart. It is truly not a horrible platform to us ‘civilians’ - quite the contrary!
I’ve been blown away by it.
OK, I’m not a developer - but I have spent a lot of time trying other carts. These include the Cube and Prestashop. Prestashop is good, but not quite there for us at this time.
Opencart contains a lot of functionality that users need, by which I mean shop owners AND customers: but it isn’t top heavy with a lot of functions you don’t need.
For example, I don’t want something that tracks inventory and creates invoices, and emails my customers every time I blow my nose
Just kidding, but I already have inventory tracking and an accounting system. I just need a selling framework.
On top of that, this cart offers a gorgeous shopfront out of the box, the same for the admin side; a guest checkout (fab); attractive and easy checkout process (vital), ajax functionality, which means the shopper isn’t bounced out to checkout every time they add to cart, and it’s fast loading too. I also figured out how to customise it a lot faster than the other ones I tried. I haven’t really had a problem with modules either, but maybe I’m not smart/experienced enough to notice issues there.
I gather you’re not impressed with theme generation, though, Eric. I had a much harder time with Prestashop, but that is also probably because I’m a ‘civilian’.
The security flaws have either been fixed or will be shortly. There WAS a lot of hot air about that. I hope people won’t be afraid of raising concerns again, without it turning into a flame war, which solves nothing.
BTW I’m not going to excuse rudeness, not at all. I just think it would be a shame to reject software because of personality problems…..though I guess you are concerned about your clients, which is not an issue for me. Still, if all successful software developers were always nice to everyone, where would (*unnamed billionaire*) or (*unnamed millionaire*) be?
Interesting post, though, and so is the one on Prestashop. Thank you.
OK, many thanks and sorry about the rudeness. I just get pissed at all the stupid stuff a minority of people are saying.
Hi Lexie,
I couldn’t agree with you more! OpenCart is a very nice piece of software in every way imaginable with the exceptions being, as I laid out above, the security flaws and the community. In fact, I was so blown away by it that until I started digging into the community I had already begun convincing the team that this was the one to go with.
None of the issues I saw as far as theme generation, image manager or anything having to do with the actual interface were relevant compared to the gain from the whole. Subjectivity should never be used for this type of decision.
It’s just, as you said, I have to worry about my clients. But that worry, and the cost associated with anything going wrong, can NOT be underestimated and from what I witnessed the OpenCart developer was ignorant of the most basic security concerns and turned downright confrontational when confronted with it. No matter how good a program is, or how much I like a program, I can’t (hell, won’t) put my client’s financial security at risk like that.
That being said though, I am really optimistic about OpenCart and if the security holes are fixed ASAP then I see no reason why it couldn’t overtake the competition and become the standard. I do believe Daniel has the talent, skill and knowledge to do just that (no pressure there…) he just, and this is only my opinion here, has to fail more and get used to the Internet trolls (also, not an easy thing to do but a necessary growing pain that he HAS to go through anyway).
Thanks again Lexie,
Eric
Thank you very much for replying, Eric, I really appreciate it.
I think I understand your point more clearly. You’re not concerned with security flaws per se (which seem common enough), nor even personalities: but there is a question mark in your mind about whether future problems will be properly dealt with? And your risk assessment strategy tells you not to proceed at this time. I think anyone would respect that.
I may feel confident, and whilst I do think Daniel and the team will come through, I’ve only got myself to answer to if I’m wrong. And as I said, quite seriously, I don’t have enough knowledge to make a good judgment on some of the matters you mentioned.
Can I say that I’m impressed by your magnanimity and willingness to keep an open mind. Wish I could afford your services to build my shop…but then I’d make you use OpenCart!
Keep smiling, L
I have narrowed my choice down to Opencart, Zen Cart and PrestaShop.
Out of all of those, the only one who seems to have a face is Opencart.
Considering I am also liking the feature set and GPL license ... I think I will pick Opencart.
I am very concerned about security. If I find something that needs fixing I will fix it. Look at my past releases. If people report a bug it’s normally fixed and a new release is out the next day.
I have found though that a lot of the people that are leading the current charge against OpenCart are ex-members who have been banned for trying to fork the project, or people that have been banned not just by me but by other moderators.
If I had listened to this guy:
http://forum.opencart.com/viewtopic.php?p=72582#p72582
I would have put the project back about 2 years. I have enough experience with PHP and OOP to know which are the right ways and wrong ways of coding applications.
As for the CSRF problem, the risk is very low and it was going to be addressed. The problem is though that to create a token would mean changes to every admin page. To be honest the CSRF should not happen, but because the browsers have changed their behaviour and kept cookies cached even after the browser was closed it causes problems. If you click a link from an email then cookies in another tab should not be transferred to the new tab if the cookie had a lifetime of 0. The lifetime set to 0 means the cookie dies after you close the browser and should not be passed to any other window or tab.
Wow, it’s funny how the exact same comment came from a different IP address and a different email address and was flagged as spam. I’m leaving this here so people will know that this was SPAM!! SPAM!! SPAM!!! SPAM!! SPAM!! SPAM!!! SPAM!! SPAM!! SPAM!!!
Hi Daniel,
I have no doubt that by your standards you’re up on the security fixes. The thing is though that Ben put forth his post in January (4 freaking months ago?!?!?) and you have yet to do anything about the issue but pass the buck and call people names.
Listening to your peers is an important part of being a professional. Believe me, if you think you’re smarter than everyone else in the world you’re sorely mistaken. In my experience, those who think they’re smarter and better than everyone else are usually so blinded by their individual glory and achievements as to have lost all perspective. A dangerous place for anyone but especially programmers because of the potential damage that can be caused.
So, if the suggestions in the forum post (and, to me, they appeared to be suggestions) weren’t agreeable to you why not just explain that like an adult? Why go off the deep end and start calling him names and being a jackass about the whole thing? Was it at all worth it? Do you enjoy having your credibility called into question and responding to random people on the Internet?
Point being though that I don’t think there was any expectation that you accept all his suggestions verbatim and without question. That would be ridiculous. What was expected though was that you would respond like an adult and a professional. Instead, you went the way you did and probably started all of this (that’s the order I started seeing everything anyway).
As to the risk of a CSRF attack, it may be low for you (and I disagree that the risk is low) but not for those of us who are responsible for the choices we make. Think about it man, there’s a bug in your software that has the potential to destroy someone’s business and livelihood. So what if you think it has a low chance of happening? If a high profile site was using OpenCart and someone targeted them they would be hosed. End of story. This is NOT outside the realm of possibility and considering the stakes it’s just atrocious risk management not to fix ASAP much less 4 months later.
And, yes, in a perfect world where the browsers all work the way we each want then CSRF wouldn’t be possible. But you know what? They DON’T. Wish all you want but the browsers work the way they do and there’s NOTHING you can do about it (at least anytime soon). To try and pawn the fact that YOUR code has a security hole onto the browsers is just lame. You need to build for reality instead of an idealized fantasy where browsers don’t have security vulnerabilities. Make your peace with that ASAP. Please, for all our sakes
It’s you project and your code and IT’S YOUR FAULT. Stop looking for scapegoats and just fix it already.
Or don’t. But don’t be surprised when people start talking about OpenCart being insecure and written by a developer who doesn’t care about his project enough to make sure that KNOWN security holes are fixed in a timely fashion.
You have a choice here man, you can either step up and join the big boys in the big boy world or you can expect OpenCart to join the ghetto along with Oscommerce, ZenCart and Dolphin CMS. It really is that simple.
If it sounds like I’m being harsh it’s because I’m very familiar with this situation; I know the logic doesn’t escape you either which makes the whole thing sound like a discussion about ego vs logic. I also know that you’re a really talented programmer who could whip out a solution if you just wanted to. Please do.
Eric
Hi Lexie,
You almost had it; I’m also really concerned about the security holes. I could never recommend or install a program that had known security holes and weren’t fixed. This could be mitigated through confidence that the developer would have the issue fixed shortly but, in this case, it didn’t look like Daniel would even do that much.
Every program has bugs and every program has security holes. We worry about the ones we don’t know about but when we KNOW about one, it should never be a concern because it’s fixed ASAP. This one has been known about in OpenCart for 4 months and nothing has been done about it except talk about how nothing will be done about it.
Eric
Daniel will do the fix in the next version, can’t wait for the new release!! After the next release, I think OpenCart will be the king!
Daniel man, you need to start treating other people that are trying to help you with some respect. You may disagree 100% with them, but swearing at them, what will that solve? It just makes you look childish.
If you keep this up, what do you think is going to happen when people Google your name about web development?
Also, if a store does fall victim to CSRF, what do you think will happen to the reputation of OpenCart?
Opencart is great, & from the way I see it, built in a very similar way to the CodeIgniter MVC framework. It’s a great separation of presentation and logical code.
You should definitely give it a shot.
I can see that Daniel is still learning about public relations and internet etiquette, or maybe he’s decided that this is the way he wants to conduct himself, I don’t know; but it shouldn’t have any bearing on your choice of shopping cart and doesn’t reflect on the rest of the OpenCart community. Daniel hasn’t added or subtracted anything from my personal experience of OpenCart, so I’m sure you will be able to look at the code on its own and find it useful.
I like how the title of this blog is “Should We Use OpenCart”.
The author of the blog seems to think he has some big following and that his opinion actually matters to a lot of people.
Same with Alex, who thinks he’s talking for an entire community of OpenCart users. I already have a very strong community that supports my work and my team’s work. There are a lot more blogs, forum messages etc. that are in favour of using OpenCart.
So far the people I have had a go at were not part of the community and only registered on my forums to give their unwanted opinions. They were unwanted because the person did not have the experience to understand the coding decisions I had made and decided to criticise the project for them.
As for Ben and his CSRF blog, it’s funny that when I told him to get lost he starts his own OpenCart fork. I told him where to go once and had to tell him a second time after he started advertising his fork in the forums.
This is his blog… he can say anything he wants, everything that’s true, and everything that’s not.
That’s why you need to stay away from this stuff Daniel, it’s not good for your reputation & it’s not good for the Opencart community as a whole.
If you see negativity, or criticism that frustrates you, seriously, get out of there - Don’t answer it. It doesn’t require a response from you. PM me or email me and I’ll deal with it or just let someone else step in. You don’t need to turn a simple support request into a personal attack.
Daniel,
We’ve already been over this; you and I already had what I thought was a pleasant discussion. I had thought you were moving on man. I’m disappointed you’re still quick to go on the offensive…
Let it go.
Eric
I’m not saying I wouldn’t give it a go for a future project. I will always consider a project based on the project, not the people who are involved.
For one, I love the Kohana framework, but I have seen the BDFL be a bit harsh on new users (this has seemed to have stopped however).
I wouldn’t use OpenCart until the CSRF stuff is fixed, and the attitude towards security from its developers is taken more seriously. I’d seriously love to consider it one day soon.
BTW, Daniel, you can be commended for creating a popular open source cart. We all know that is no easy task.
Happy coding!