I have a PHP developer who installs osCommerce packages for me. It's a great system and the sites have all turned out well. I don't do much PHP myself, and while we have not had any problems, I am not sure how safe the sites are.
Can anyone offer advice on how secure osCommerce really is? Is there a continuing update process that we should be using, and if so, do you charge your clients for this?
There was a new security rollup released recently for osCommerce 2.2 Milestone 2 (the standard release for the last few years).
You should look at applying this rollup. The code changes aren't too bad, and there are diff/patch files available if you're familiar with automated patching tools - this makes the process pretty painless.
I'm about to patch up a bunch of my shops - but need to sort out charging the clients that don't have maintenance or don't put much business our way.