Welcome to Zen Cart™ ...


The Zen Cart™ software is made available to you for use, additions, changes, modifications, etc. without charge, under the GNU General Public License.

While we do not charge for this software, donations are greatly appreciated each time you download a new version, to help cover the expenses of maintenance, upgrades, updates, the free support forum and the continued development of this software for your online e-commerce store.

Donations can be made at: The Zen Cart™ Team Page

We appreciate your support.
The Zen Cart™ Team

Zen Cart™ is derived from: Copyright 2003 osCommerce
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
and is redistributable under the GNU General Public License



This software is OSI Certified Open Source Software.
OSI Certified is a certification mark of the Open Source Initiative.

CHANGELOG - List of Changed Files

For a list of files that have been changed since v1.3.8, see the changelog-v1-3-9a.html

*** SECURITY REQUIREMENT ***

For added security, Zen Cart™ comes with several .htaccess files already included in various folders to help provide protection against unwanted visitors and even against mis-use of your site in the unfortunate situation of your site being hacked. These protections prevent hackers from using your site as phishing sources.

However, for these built-in protections to work, your web hosting server administrator MUST set the AllowOverride directive in the server's apache configuration (the server's master httpd.conf file) to "All" or at least ensure it includes these parameters: 'Limit Options Indexes'.

ie:    AllowOverride All
or:    AllowOverride Limit Options Indexes

Without these settings, you will likely encounter "500 Internal Server Error" messages when attempting to access various parts of your site, including perhaps the zc_install installer script.

If your hosting company won't let you use OPTIONS directives in your .htaccess files, you can comment those with a #, or you can upgrade to v1.3.9b which has already done that for you.

Storeowners hosting on Windows Servers using IIS instead of Apache may need to remove the .htaccess files and rework them into suitable equivalents within your IIS configuration. See Microsoft's IIS website for specific assistance.

ADDITIONAL NOTE ABOUT .htaccess FILES

Inside some folders is an .htaccess file that lists certain *permitted* filetypes which may be accessed. (Anything else is blocked to prevent abuse on your site).

The side-effect of this is that if you choose to use media types that are not already listed in the *permitted* list, then your visitors will not be able to see those resources.

Thus, if you are using product images that are not in the list of permitted types in your /images/.htaccess, you will need to add those types to the list.

Similarly, if you are using certain media types in music product previews, you will need to make sure those are in your /media/.htaccess

And, if you are using filetypes for downloadable products that are not already listed in your /pub/.htaccess and /download/.htaccess you will need to add those as well.

Zen Cart™ Minimum Requirements

PHP 4.3.2 or higher, Apache 1.3.30 and MySQL 3.23.x or higher.

Upgrade Instructions from v1.3.8 to 1.3.9

If you are upgrading from Zen Cart v1.3.8, the process is simple:
- compare all the changed files with the files on your own site... and re-apply your customizations to the new files
- upload the new files (with your customizations added) to your site
- upload the zc_install folder to your server, and run zc_install/index.php
... select Database Upgrade from the System Inspection screen. Apply the required updates.

If you are upgrading from a version prior to v1.3.8, please follow the instructions in the "how to upgrade" documentation in the /docs folder.

IMPORTANT NOTES

  • SECURITY: Please be sure to review and apply the Site Security Recommendations to your site prior to taking your shop "live". If you are uncertain about how site security applies to you, talk to your web host to ensure that you have proper measures in place.

  • PAYMENT MODULES: Many changes have been made to the Authorize.net (SIM/AIM/eCheck), PayPal (IPN/Standard/Pro/Express), Linkpoint/FirstData payment modules. If you are using any of these modules, you will need to Remove and re-Install the modules via Admin->Modules->Payment in order for them to work properly. (Write down your settings first, for easier re-configuration!)
    If you don't remove+reinstall them, you will have some blank spaces in your configuration settings when you attempt to edit them next.

    ALSO: NOCHEX and Offline CC Module have been removed from core for PCI/PA-DSS reasons.

  • SHIPPING MODULES All the built-in shipping modules have been updated.
    For EACH one that you're using, you will need to Remove and re-Install the module in Admin->Modules->Shipping in order to make them work properly. (Write down your settings first, for easier re-configuration!)

  • ORDER TOTAL modules ...All the OT modules have been updated with fixes.
    You will need to Remove and re-Install each module in Admin->Modules->Order Total in order to make them work properly.
    (Write down your settings first, for easier re-configuration!)

UPGRADING YOUR TEMPLATES

Since version 1.2, Zen Cart™ has had a major overhaul of the templating system for v1.3. As such, you have two options:
  • upgrade your existing template by applying the new stylesheet and moving a few lines of code around; or
  • the best way to have almost-tableless and much tidier template code, is to make a new template (based on template_default or the new "green" classic introduced in v1.3.5) and carefully re-apply your own customizations to the new template system.

For further information on template upgrading, see the support-forum discussion on this topic.


1.3.9 Template changes (since 1.3.8) have been minimal. Simply merge the changes with any of your override versions.

Whats New ...

The following improvements and bugfixes are included in v1.3.9a since v1.3.8:

  • PHP 5.3.x compatibility
  • PCI scan improvements to prevent commonly-reported false-positives
  • SSL-detection improvements
  • Session Handling improvements for shared-SSL configurations to deal with IE-specific quirks
  • Session-Handler improvements: closing when done, removed redundant start, etc
  • Search improvements
  • Hack-attempt detection improvements
  • Add .htaccess for /images/ folder, and security updates to many others as well
  • Canonical URL support added for product pages and product listings. See /includes/init_includes/init_canonical.php
  • Developer Toolkit Improvements (smarter searches, case-sensitive options, etc)
  • USPS module updated to RateV3 API and includes all updates posted to March 2010
  • PayPal UK - 3D-Secure support added
  • PayPal micropayments support added
  • Added CURL processing for PayPal IPN handling in case fsockopen() is disabled or failing
  • Various updates to PayPal, Linkpoint (now renamed to FirstData) and Authnet Payment modules
  • Split tax line support integrated
  • Added per-EZ-page stylesheet support
  • Fix ISO country/currency errors in default SQL file (old countries removed, etc)
  • Fixes/updates/additions of various notifier calls
  • MySQL 6-alpha preliminary compatibility
  • Updates to spiders.txt file for stronger efficiency and more up-to-date data
  • Improvements to configure.php file read-only detection (automatically sets to read-only if found writable, and permissions allow it)
  • Various performance improvements, including freeing up wasted memory to make things run more lean
  • PHP error logging automatically enabled by default, since errors are not displayed to the browser (for security reasons)
  • Turn off autocomplete on cc-number fields so browsers don't store/retrieve that information
  • Spam slamming via tell-a-friend is now throttled
  • Admin-login-slamming protection - added delays to prevent brute-force password attacks
  • Add safety to payment modules to prevent attempt to re-install once already installed, since that has always thrown ugly (although harmless) SQL errors on the screen
  • Authorize.net system change required alteration of transaction_id field size (details posted on forum months ago)
  • Include PayPal rename from verisign.com to paypal.com for all services using the old service which was obsoleted in Sept 2009. (Details for fix also posted on forum)


Bugfixes

  • Posted bugfixes for v1.3.8 (see forum: http://www.zen-cart.com/forum/showthread.php?t=82619 and http://www.zen-cart.com/forum/forumdisplay.php?f=140 )
  • Posted (on forum) security fixes
  • BUGSFORUM-168 Added stronger detection of suhosin usage: now disables certain features which are incompatible with suhosin, instead of throwing errors in places like whos_online
  • "Catchable fatal error" fixes
  • Tax calculation fixes in various places
  • Fix division-by-zero errors in ot_coupon.php and ot_group_pricing.php
  • Various fixes to Gift Certificate, Coupon, Group Discount, etc order-total modules
  • Customer DOB was getting erased if admin edited customer data and min DOB length was set to 0
  • Error when deleting ALL attributes
  • Tell-A-Friend was sending wrong URL if product used alternate product-type
  • Category metatags could not be removed once added
  • Unknown column "o.orders_id in 'on clause' when using admin order search
  • Back button navigation tweaks
  • TEXTAREA attributes with character limit could delete typed text when limit reached
  • queryFactoryResult errors addressed
  • Can no longer delete categoryID=0 ... which could happen in limited cases, thus deleting all products and categories unexpectedly.
  • Spiders could occasionally trigger PHP server errors if they attempted to add-to-cart
  • Spiders list updated and pruned
  • Session handling improvements including wiser parsing of tld
  • Fixes to email handling
  • IE8 fix to admin UI
  • Fix for credit-covers issues when using loworder-fee type modules
  • Fix some secure/nonsecure warning triggers
  • Fix Discount Coupons to allow for:
    - Add All Products in 1 Cat
    - Remove All Products in 1 Cat
    - NOTE: you specify DENY or ALLOW and that is how you ADD or REMOVE
    - Allow Links to Products or Categories in ordered list plus popup help
  • Various multiple-language bugs
  • Added ability to define DB_CHARSET to automatically trigger a mysql SET NAMES statement if needed for things like UTF8 support, preventing the need to edit the db class
  • various banner-manager date fixes
  • various fixes to media-collection components such as media-manager, sort-orders of clips, etc
  • Fix GV balance display on side panel when customer has a balance but no order and was displaying as $0.00
  • bug in admin reviews pagination
  • Prevent display of HOME_PAGE_META_KEYWORDS etc if people mistakenly skip that part of their upgrade. Defaults to normal content as if define was set to blank.
  • Various admin page fixes to javascript validation code
  • fix bug which prevented admin from getting copies of "all" coupon emails sent out (was only getting a copy of the last email sent)
  • eliminate secure warnings when Customer is not logged in and adds to cart then hits checkout and merge carts happen and return to shopping_cart and hit submits to update cart etc.
  • Shipping Estimator is displayed open on shopping_cart vs being a button
  • fix incorrect display of tax rate when deleting tax rates
  • Fix category look up to use master_categories_id
  • Fixes SaleMaker Priced by Attribute
  • Fixes Admin Display of Product Category from displaying "something" on Linked Products
  • Fix categories name lookup based on product master_categories_id vs random categories_id from products_to_categories
  • Fix navigation on add/cancel featured/specials from products_price_manager and back
  • Fix breadcrumbs not to include products_name when on listing and Display Cart is off and does not break Reviews
  • Fix salemaker bug on Entire Catalog not being selected on edit when set
  • fix broken reviews where reviews are stuck on same product and work like specials and new products
  • fix for dropped connections on timeouts due to slow external methods
  • Fix function free_shipping_weights value on Product weight and Attribute weight in shopping cart
  • Added noindex,nofollow to admin pages to aid in reducing admin indexing if logins are bypassed somehow
  • force use of SSLv3 in authorize.net modules (system requirement by authnet)
  • fix to prevent countries from being deleted if currently assigned to address_book records
  • zones shipping module: Auto build additional Zones when $this->num_zones is changed and already installed
  • Add SSL-detection support for Zeus SSL Accelerator/Load-balancer by detecting HTTP_SSLSESSIONID
  • fix small logic bug in sqlpatch tool
  • Admin specials: Prevent GIFT from being put on Special in Manual entry just like in regular entry
  • fix: Storage of email_html in email_archive table problematic
  • incorporate forum-suggested change to accommodate upper-case characters in phpbb usernames
  • Fix bug on duplicate Discount Coupon success message
  • regex fixes on cc validation class for better detection of card types
  • fix order-status pulldown on admin orders page for consistency
  • switch the whois lookup in whos_online to domaintools site instead of dnsstuff
  • PayPal Express Checkout now uses default email-format when creating an account
  • add additional port support for gmail
  • search page was showing slashes in some cases if search result came up with no records found
  • added warning to admin to indicate if /admin/ folder hasn't been renamed
  • fix address-format inconsistency bug (if multiple address-book entries are shown and include different formats, page was only observing the format of the *last* item in the list, not honoring each individual address's proper format code)
  • BUGSFORUM-798 - fix store-manager bug which croaks when using Optimize DB if database name has hyphens in it
  • fix credit covers problems in coupon
  • fix rounding error and ensure $cost is a number not a string
  • fix zone restriction problems in some shipping modules
  • BUGSFORUM-801 - fix newsletter signup box bug where checkbox is auto-selected and user deselects it
  • BUGSFORUM-809 - language typo
  • BUGSFORUM-442 - quick fix for strict data-typing in 1.3.9 for product update pages in admin. (v2.0 uses proper bindvars approach)
  • add robots_example.txt to help minimize some confusion on the matter
  • Set up 301-Redirect if a spider attempts to visit a URL that contains a ZENID, in effect removing the zenid from the spider's database
  • BUGSFORUM-546: 111219: Paypal IPN orders not recorded if order-total addons are missing language files
  • BUGSFORUM-632: 117422: PayPal Shipping Labels Not Sync'ing
  • Workaround to accommodate BUGSFORUM-281: 90799: function replace_accents(), Japanese, PayPal
  • Partial fix to various PayPal bugs where IPNs weren't allowing proper creation of orders due to MySQL Strict Data typing issues.
  • add stock check before Express Checkout commences, preventing checkouts if stock-checks would normally prohibit
  • PayPal updates - safer handling for PaymentReview transactions
  • PayPal - can now enable address-override switch if store model requires it
  • PayPal website payments pro now asks merchant to choose which country their PayPal account is located in, since this more accurately drives how the module should be communicating
  • PayPal - fix bug causing wrong order-status to be set on refunds, resulting in them disappearing from orders list
  • Add paypal language defines for auto-added descriptions in line-item calcs
  • Rudimentary PayPal FMF support to prevent throwing of errors
  • authorize.net modules: fix missing $messageStack references
  • Skip sending first 4 digits of CC number in order-confirmation email (security requirement)
  • Fix missing Refund option for Express Checkout
  • Add notifier to shipping/payment classes, to allow contribs to hook in and disable
  • Add additional notifiers to order class
  • Fix broken notifier functionality in PayPal IPN
  • change ereg* functions to equivalent preg functions for PHP 5.3 and PHP 6 compatibility
  • Fix wrong order of info on order-status-update emails
  • Fix text to use correct text for each review when set to greater than 1
  • Fix image or missing image on reviews edits and previews
  • Fix bug to Prevent Password Forgotten from being sent as blank when set to 0 length
  • Fix mismatched functions on building path to wrong category when Linked Products exist
  • Disable the storing of auth_code details as part of customer comments and customer order-confirmation emails, for fraud-prevention reasons
  • Options Values Manager - Bring sort order input field into vertical alignment with header and other column contents
  • referrals report - Fix broken dates and times months don't have 32 days and days are 24 hours
  • BUGSFORUM-820 - error in tax_basis determination for ot_shipping
  • UPS/USPS - Fix minimum weights when 0 to be 1 ounce (.0625 pounds)
  • USPS - Add missing Priority Mail International Regular/Medium Flat-Rate Boxes/Priority Mail International Small Flat-Rate Box
  • USPS - Fixing codes to make USPS happy with changes to ISO and expected country names
  • USPS/UPS - quick cheap hack to pass expected codes back and forth between _getQuote() and quote().
  • Fix missing backslashes in usps which was breaking intl quotes
  • Fix bug where Discount Quanties get copied on Copy Product to Duplicate when marked not to be copied
  • Order class - pass on the ID values from cart to order for easier parsing during order processing
  • ot_coupon - fix restrictions - Base zone restrictions on Delivery for Free Shipping or Billing for Amount or Percentage
  • Bugfix - prevent duplicate messageStack entries
  • Some template updates, added bindvars to guard against sql injection
  • Fix for cart class breaking on update where there is an upload and a checkbox involved
  • Backport support for embedded image attachments in emails which was supposed to be in 1.3.8 and got missed somehow
  • Email html checkout template was inserting store name in duplicate
  • Fix race condition when updating counter history
  • Add ability to set certain countries to show at top of pulldown list, defaulting to store's default country
  • Fix Discount Quantities to recognize the Discount Type: NONE to properly disable Discount Quantities and not break calculations
  • Trap errors that occur when users fail to properly upload lang file with modules
  • Fix Per Unit to not require change to Maximum 5000
  • Fix wording on % amount of Order Total on Zones and Table Rate - can mix/match dollar/percentage
  • Fix Handling Fee per Box/Order mismatch and add a choice for Weight oriented shipping methods
  • Packing slip and invoices - Fix format_id for billing address
  • IPN updates to identify EC transactions more easily, as long as core code doesn't get changed by end-users
  • Fix for lack of proper static properties in php4, also fixes problems with notifiers in ad hoc instantiated classes, ie order class
  • Fix missing restrictions limit on coupons
  • Show tax desc in tax-rates window to more easily spot empty descriptions which can be confusing
  • Prevent admin-side edits from mangling & into & when editing ez-pages
  • Fix missing manufacturers filter for displaying Manufacturers with Products to match sidebox setting from Maximum Values
  • Fix image to load on all attributes on multiple select of Option Values
  • option values manager - Fix for multiple languages showing multiple records for same value when multiple languages
  • Remove redundant code in index_filters, improving performance
  • Fix ceil error where amounts are less than 0, such as ceil(.6/.2)
  • ot_coupon Fix for Minimum Amount to be based on Product totals based on the Restrictions not the full Total Order
  • BUGSFORUM-980 - If customer changes spelling of CITY on PayPal end, the change wasn't reflected in the customer's/order's address details.
  • zc_install no longer checks CURL over proxy if regular CURL test fails
  • BUGSFORUM-982 - Fix minor bug where messageStack alert not being shown, due to syntax error, with payment/shipping modules missing language files.
  • Fix bold cheapest bug in shipping estimator to match checkout_shipping
  • Fix problems caused by using double-quotes in attribute option names/values
  • Add additional notifiers for tare/shipping/quote/cheapest to shipping control class
  • Fix bug with virtual-content-cart sending customers back thru checkout-payment and confirmation screens a second time after returning from paypal express checkout
  • BUGSFORUM-1008 - fix issue with newsletters not sending properly due to queryFactoryObject error caused by typo
  • BUGSFORUM-1005 - fix typo in shipping estimator parameter, which was causing duplicate "name" attributes on input field, thus causing validation error
  • BUGSFORUM-1014 - fix bad ID problem in shipping methods selector in checkout_shipping template
  • Add note to USPS debug emails to tell the recipient how to turn them off, since so many are confused by it.
  • Updates to linkpoint-api (firstdata) payment module
  • Fixed order-of-operations problem with cached data
  • BUGSFORUM-1022 - fix problem with PCI false-positive when invalid $_GET['sort'] parameter is injected on URL (PCI patch posted in Nov)
  • BUGSFORUM-1034 - Remove security vulnerability from the CURLTEST.PHP script, and removed other dev-use-only files
  • CURLTEST.PHP renamed
  • BUGSFORUM-514 - Storage of email_html in email_archive table problematic
  • Reduce a loop of lookup queries on top-level cat display in admin
  • Fix potential XSS vulnerabilities in various admin files
  • BUGSFORUM-1041 - fix broken forms which prevented search from working properly in products-purchased admin report
  • BUGSFORUM-1036 - prevent ability for 'free_free' to be set by POST contamination on the shipping page
  • BUGSFORUM-1027 - state selection incorrect in address book edits when pulldown enabled
  • Stop storing CC EXPDATE in orders table for gateway modules, for PA-DSS reasons
  • BUGSFORUM-1044 - JPY currency adjustments in EC module
  • BUGSFORUM-610 - Incorrect decimal value 'f' when free-shipping selected
  • Fix ot_coupon bug on minimum values where comparison is a string and not a value
  • Fix broken search in admin product screens where Search is broken as soon as editing is done and search is lost
  • Fix admin Add New Product when Search is set, cannot add a new product as no known category is set to assign to new product
  • Fix installer to properly ignore commented lines in configure.php files when reading prior settings as part of an upgrade
  • Fix admin categories navigation glitches
  • Installer update: no longer raises warning-flag if "cgi" version of PHP is in use.
  • Admin comments in order status history which are set to -1 will not be shown to customers
  • Fix group pricing/discount coupon bug
  • BUGSFORUM-1082 - linkpoint_api payment module fixed array vs string error
  • Fix bad SQL joins in music_genre filter and record_company filter code
  • Fix alpha sort functionality with music_genre and record_company filters
  • BUGSFORUM-191 Fix bug preventing address-book-process from properly updating the State field when no zones exist for selected country, caused by not properly validating the $_POST input which is blank when page is first drawn.
  • Fix problem of order-confirmation submit button allowing multiple submits/clicks, resulting in duplicate orders
  • Fix broken rounding problem when calculating number of boxes for shipping quotes
  • Fix banners not activating based on date NULL needed to be 'NULL'
  • Fix banners dates for midnight or they do not expire or start on right day
  • Fix admin customers report: Report was combining people with same name, changed to customers_id
  • Music products - Fix wrong categories_id for copy and fix methods update fields to match formats in product_general
  • BUGSFORUM-288 - trim spaces from contact-us email address to prevent being rejected
  • BUGSFORUM-904 - Admin product preview screen - Added check to make sure key POST fields actually contain data. If not, do error trapping, instead of saving blanks.
  • BUGSFORUM-1156 - fix priced-by-attrib problem with negative values
  • "last login" date for customers logging in with new accounts is now set correctly
  • Changed default permissions set on uploaded files to 644 from 777
  • Fix wrong header response on some pages during down-for-maintenance
  • Fix double mention of GV amount in emails
  • BUGSFORUM-603 - Salemaker expiry performance problems for sales starting and ending on same day
  • admin metatags picks up defines from custom template if set


Zen Cart™ Copyright 2003-2010