datakick

If you can't remember your pwd, or if it's lost, you can either recover new password - you will need to fix your email issues first. But you should do that anyway create new admin user

The php script do not change your pwd. Use your original password, unless you broke it with manually changing stuff in the db.

A little bit unnecessary, since everything is protected behind admin pwd anyway. One of the reasons to do this is to protect against any potential vulnerabilities in admin PHP files -- attacker can't exploit them if they can't access that portion of website in the first place. But there are not that many php files in /admin directory, so...

that's why the recovery steps explicitly says:

Not really sure what are we talking here about. The fix for this problem was, previously, to change password directly in database. Which would, in fact, be a bit more complicated than it was written in the post above, because plain md5 would not work. The password would have to be salted with _COOKIE_KEY_ for this mechanism to work. You could, however, insert any password generated by php function password_hash. The new solution is to use a php script to log in into your server. To me, those two solutions are similar in complexity. For a lot people the new solution might even be easier, as it's just upload file using FTP. Changing data directly in database may be more scary.

As it should be. SQL injections are really bad, of course, as attacker can extract or change all informations in your store. But gaining access to PHP side is much more severe. Attacker can then do anything they want. Making it impossible for store owners to change email and password manually in database is a small price to pay.

The approach described by @DRMasterChief will not work on newer versions of thirty bees, intentionally. You can check if your tb_employee table contains column signature - if the column exists, you can't change the email/password in the table manually. You also need to change the value of column signature, but for that you need to know a secret that's not available to mysl. This mechanism exists to prevent attackers to elevate sql injections into complete access. If your store contained SQL-injection vulnerability (often caused by older third party modules), attacker could use it to change admin password, and then log in (basically the same mechanism described above). With the requirement to change signature as well, this no longer works. You can use force-login php script to log into your admin, see this post: You will have to: upload force-login.php file into your admin123xyz directory (every installation have different admin folder name) open url https://your.store/admin123xyz/force-login.php this will logs you in as an admin change password delete force-login.php script

Fixed in commit https://github.com/thirtybees/thirtybees/commit/7e9f2db06acd8323d4cefef0bb44654b87e6f0ca

This Attempt to update unsaved object warning message exists to alert developers to a code that do something they probably do not expect. In this case, FrontController is trying to update Cart object and set language/currency. But because the cart does not exists, that update is silently ignored - nothing is actually saved/updated into database. This is obviously strange situation that needs to be investigated and fixed. In this case, we should can simply add a check that cart exists before we try to do any of this stuff. In a lot of other cases, the fix may be much more complicated.

You need to update your theme and remove dependency on polyfill.io This is how we did it in niara theme: https://github.com/thirtybees/niara/commit/3ab40e7ae52e0c495a2b67f09131996fb6ed65ea For your theme, it will be mostly the same - edit file header.tpl, find line with polyfill.io, and delete it.

I'm not sure what is the question. There is no trigger_error(...) in TriggerController.

This is related to MAX_JOIN_SIZE configuration variable in mysql server. From documentations: If the max_join_size variable (also called sql_max_join_size) is set, then it will limit any SELECT statements that probably need to examine more than MAX_JOIN_SIZE rows. This means that database server (during preparation stage) will estimate how many rows it will need to process (based on table statistics). If the estimate is above threshold, it will refuse to execute the query. This is set on some shared hostings to achieve some kind of fair usage between all users. Sometimes we can indeed optimize the query, or create a new db indexes so the join space is not so huge. But sometimes its just not possible. I still maintain that this is stupid and dangerous practice by hosting providers. This can kill any sql query, and therefore cause a lot of 500 error pages. Ecommerce store should not run on such hosting.

There is a potential workaround here. You can set SQL_BIG_SELECTS variable for a database session. That should allow you to bypass the error (may or may not work, depending on your hosting configuration) Create a new override override/classes/db/Db.php with this content: <?php class Db extends DbCore { /** * This override allows complex queries to run on shared hosting */ public function connect() { $link = parent::connect(); $link->exec('SET SQL_BIG_SELECTS = 1'); return $link; } } Then clear cache in Advanced Parameters > Performance to reload the overrides

Well sure, you can remove old data, it will reduce the number of rows db have to examine. But still, the root cause of the issue is that your hosting is throttling your database. We send them valid sql request, and they may or may not return results. This is just stupid. Who knows what other sql queries they will kill randomly. This "fair usage mechanism" can cost you sales. But that's sharing hosting. You can always move to a dedicated hosting without such restrictions

This is your hosting restrictions. You are probably on a shared hosting, and they have enabled this restriction to ensure fair usage for all customers. Ask them if they can disable this.