The model is referenced but it is never retrieved in the header, nor is it contemplated in the table.
Commenting out for now.

only used by includes\modules\pages\back_in_stock_notification_subscribe\header_php.php

When this is stable:
zencart/zencart#5499

So are shown in received email as unreplaced.
$URL_INTRO

$URL_VALUE

Two instances used of concatentation, but $pagination_columns has not been initialised.

When logged in, and viewing BISN list.

done on my site

It seems that spammers are using the module to send SPAM LINKS which contain malicious links in the NAME field.

The module only asks for three fields: Name, Email Address, and Confirm Email Address. What is happening is that they put a legitimate email address in the two fields (the person they want to spam), but they put their malicious link in the NAME field. Since the form is submitted and authenticated by our own SMTP domain, it isn't seen as SPAM (since our domain is originating the email) and it gets sent to the customer.

Here is a screenshot of what the SPAM looks like: https://i.postimg.cc/c15tMdZj/screenshot-132.png

Notice that in this example, the NAME FIELD that the spammer used was: "🍒 Amber want to play with you! Start Game: https://letsg0dancing.page.link/go?exx 🍒"

So when the recipient (whose address is entered in the email field) opens the Back In Stock email, the very first line (which is the NAME field) contains the malicious link.

SOME THOUGHTS ON ADDRESSING THE ISSUE:

1. Some sort of CAPTCHA might be applied to help reduce automated spammers from abusing the form. However, this won't stop spammers from manually entering in the information.

2. At the very least, perhaps run a string-check on the NAME and reject anything that is 1) over a certain amount of characters, and 2) reject anything that has an "HTTP" or ".com" in it, and 3) reject any name with "more than two blank spaces" in it.

That alone should weed out most fake names, since most names won't be over about 10 characters, and most won't have a www/http string, and most won't have more than two blank spaces (John Smith Jr, etc).

3. As a complete fail-safe, perhaps having an option to DISABLE the NAME field would work. In other words, only allow an email address to be entered. This would still "spam" though, but it won't contain any malicious links because there would be no name field.

and so can remove bis_functions.php

Evidently this is only applicable for sites that have filled the hole that is control-of-attributes-stock with Stock By Attributes (SBA) or Products Options Stock Manager (POSM).

I've done a hack for POSM but it's not for public consumption, so it's a work in progress/up for consultation.

php 8.1.9
When entering admin BISN page.

--> PHP Fatal error: 1055:'DBNAME.pd.products_name' isn't in GROUP BY ::
SELECT bisns.product_id, pd.products_name, p.products_model, COUNT(*) AS num_subscribers, p.products_type, p.products_quantity AS current_stock, cd.categories_name, cd.categories_id , bisns.product_name_extra FROM back_in_stock_notification_subscriptions bisns LEFT JOIN products_description pd ON (pd.products_id = bisns.product_id AND pd.language_id = '1') LEFT JOIN products p ON p.products_id = pd.products_id LEFT JOIN categories_description cd ON (p.master_categories_id = cd.categories_id AND cd.language_id = '1') WHERE 1 = 1 GROUP BY bisns.product_id ORDER BY p.products_model
==> ADMIN\back_in_stock_notifications.php on line 165.

done on my site

related article
https://www.drip.com/blog/back-in-stock-email-examples

In \includes\modules\pages\back_in_stock_notification_subscribeLine\header_php.php
line 193 has the date format as
'date_subscribed' => date('Y-m-d H:m:i')
I believe that it should be 'date_subscribed' => date('Y-m-d H:m:i')

crashes BISN admin pages if a product with subscriptions has been deleted

[15-Feb-2022 20:23:03 America/Vancouver] PHP Fatal error: Uncaught Error: Undefined constant "BACK_IN_STOCK_REQUIRES_LOGIN" in /usr/home/sites/zen15/www/includes/languages/english/extra_definitions/back_in_stock_notifications.php:23
Stack trace:
#0 /usr/home/sites/zen15/www/includes/modules/extra_definitions.php(45): include()
#1 /usr/home/sites/zen15/www/includes/init_includes/init_templates.php(85): include('/usr/home/sites...')
#2 /usr/home/sites/zen15/www/includes/autoload_func.php(37): require_once('/usr/home/sites...')
#3 /usr/home/sites/zen15/www/includes/application_top.php(222): require('/usr/home/sites...')
#4 /usr/home/sites/zen15/www/index.php(25): require('/usr/home/sites...')
#5 {main}
thrown in /usr/home/sites/zen15/www/includes/languages/english/extra_definitions/back_in_stock_notifications.php on

--- /usr/home/sites/zen15/www/includes/languages/english/extra_definitions/back_in_stock_notifications.php.old  2022-02-15 20:27:17.771032000 -0800
+++ /usr/home/sites/zen15/www/includes/languages/english/extra_definitions/back_in_stock_notifications.php      2022-02-15 20:30:26.138009000 -0800
@@ -20,7 +20,7 @@
  * Note that the link is added in place of %s, %s must be present for the link to work!
  */
 define('BACK_IN_STOCK_NOTIFICATION_TEXT_PRODUCT_LISTING_ALREADY_SUBSCRIBED', '<br />You have requested to be notified when this product is back in stock.');
-if (BACK_IN_STOCK_REQUIRES_LOGIN == '1') {
+if (defined('BACK_IN_STOCK_REQUIRES_LOGIN') && BACK_IN_STOCK_REQUIRES_LOGIN == '1') {
   define('BACK_IN_STOCK_NOTIFICATION_TEXT_PRODUCT_LISTING_FORM_LINK', '<br />To be notified when this product is back in stock please <a href="%s">click here</a>. (Requires account)');
 } else {
   define('BACK_IN_STOCK_NOTIFICATION_TEXT_PRODUCT_LISTING_FORM_LINK', '<br />To be notified when this product is back in stock please <a href="%s">click here</a>.');
@@ -30,7 +30,7 @@
  * Text/HTML for other pages.
  */
 define('BACK_IN_STOCK_NOTIFICATION_TEXT_ALREADY_SUBSCRIBED', 'You have requested to be notified when this product is back in stock.');
-if (BACK_IN_STOCK_REQUIRES_LOGIN == '1') {
+if (defined('BACK_IN_STOCK_REQUIRES_LOGIN') && BACK_IN_STOCK_REQUIRES_LOGIN == '1') {
   define('BACK_IN_STOCK_NOTIFICATION_TEXT_FORM_LINK', 'To be notified when this product is back in stock please <a href="%s">click here</a>. (Requires account)');
 } else {
   define('BACK_IN_STOCK_NOTIFICATION_TEXT_FORM_LINK', 'To be notified when this product is back in stock please <a href="%s">click here</a>.');

This has been missing forever!

to allow quick reply if necessary

to not send all at once

PHP Fatal error: 1055:'DBNAME.bisns.name' isn't in GROUP BY ::
SELECT
bisns.email_address, bisns.name, bisns.languages_id, c.customers_email_address, c.customers_firstname,
c.customers_lastname
FROM
back_in_stock_notification_subscriptions bisns
LEFT JOIN
products p
ON
p.products_id = bisns.product_id
LEFT JOIN
customers c
ON
c.customers_id = bisns.customer_id
WHERE
p.products_quantity > 0
AND
bisns.languages_id = 1
GROUP BY
email_address, customers_email_address
ORDER BY
email_address, customers_email_address ==> (as called by) ADMIN\includes\functions\back_in_stock_notifications_functions.php on line 82 <== in includes/classes/db/mysql/query_factory.php on line 665.