Zencart 1.3.8a with all patches applied

Alright, so we have been asked about it many times, and we also have to use it on our projects for customers that set up new stores (or upgrade to 1.3.8a).

So here is Zen1.3.8a with all patches applied. The package will be updated whenever a new patch comes out so your best bet is to return here whenever you need a new package of Zen 1.3.8a.

Hope this will help you out.

Link to download: (this is now being updated by Philip Clarke)

https://sourceforge.net/projects/shopupgraded/files/

If you think this is useful, please help others by spreading the news about this package (and help them avoid wasting time applying all these patches).


65 Comments

  1. Zen Cart says:

    You have called this blog post “Zencart 1.3.9 (Zencart 1.3.8a with all patches applied)”.

    What you have posted is NOT Zen Cart v1.3.9. AND Zen Cart v1.3.9 is NOT merely v1.3.8 with several patches applied to it.

    You are not only communicating false information, but you are also bringing confusion to the entire Zen Cart community.

    Please remove it immediately.

    Reply
    • admin says:

      I apologize for the mis-naming! Changed the name of the post, it’s that simple. No need to get upset here DrByte. It might be you who need some sleep
      And it’s not “some patches”, it includes all patches so far. People have been asking for this for almost over a year now, and the Zencart team always seems so busy to provide a package that could make life easier for new users.

      Reply
      • Ruth says:

        I just wanted to take a moment and thank you. I was directed here by a friend after pulling my hair out for a week, trying to get a large existing store prepared for recompiling the server to Php 5.3.2 – The patch listed on the Zen-Cart forums for 5.3x compatibility did not even go far enough to make this work (maybe it did for 5.3.0 but I don’t know that). By the way… this was to meet the requirements forced on us by a PCI Scan which insisted on Php 5.3.2 (I have all my servers at 5.2.12 right now) – more folks will need this upgraded version.

        Just thought I would let you know that on the front end (just starting to migrate code on the admin) I found one you missed. Didn’t seem to mess with the cart functionality, but I’m looking for zero errors here..LOL – check out classes/shopping_cart.php and there are a couple eregs you missed. No big deal, but to keep everything clean thought you might want to jump in and fix those and the update you d/l.

        Thanks so much for what you’ve done here.

        Reply
        • Philip Clarke says:

          Errm, I can’t find any. The only ereg’s I have found are commented out and none in shopping_cart. Are you sure you haven’t installed something else on top of the one I packaged?

          Philip.

          Reply
  2. CountryCharm says:

    Yes Zen Cart has been needing this a long time for newcomers. Thanks for your contribution on this. As always keep up the good work.

    Reply
  3. Kiddo says:

    Thank you!

    This is the spirit of Open Source.

    Reply
  4. DivaWebDzgn says:

    This is AWESOME!!! Much appreciated..

    Reply
  5. Dayo says:

    Thanks for the contribution.

    The way the ZC Team stubbornly persists with offering a buggy and insecure fileset as the official download when these issues are officially documented is irresponsible.

    I maintain the Gallery2Zencart Bridge and will now change the link for the Zencart download to save the users the grief of having to deal with the issues as G2 users are photographers used to a properly maintained project that takes security issues seriously and not the subject of a casual post on a forum they might never visit.

    Thanks again!

    Reply
  6. matt w says:

    Hi,

    I just installed this on my local test box, standard installation and I get this error on the catalog side index page:

    1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘)’ at line 7
    in:
    [select distinct p.products_id, p.products_image, p.products_tax_class_id, pd.products_name, p.products_date_added, p.products_price, p.products_type, p.master_categories_id from zen_products p, zen_products_description pd where p.products_id = pd.products_id and pd.language_id = '1' and p.products_status = 1 and p.products_id in ()]

    And the right sidebox doesn’t display. This only happens on the homepage. If I go to another page then everything displays correctly. Does anyone else experience this?

    Reply
    • admin says:

      Matt,

      Either you accidentally get an old version or I have not properly uploaded the fixed version (I uploaded it last week). Can you download from the main link and see if the problem is still there? This is an easy fix though, so we can fix it very easily.

      Reply
  7. matt w says:

    Just to clarify for others, the latest version on this page works fine and without any errors.

    Thanks again to Raine for putting this here! I have no idea why the zen cart devs wouldn’t just do this for the sourceforge files. Very very sloppy on their part, I don’t know why they haven’t updated the 1.3.8a files but it is totally irresponsible to their users, most of whom don’t know about checking the Announcements forum on the zen cart forum site to find out about patches. The version that you can download from sourceforge has serious security vulnerabilities!!!

    Reply
  8. khopek says:

    Absolutely fantastic! Saved me sooooo much time on my new install of my site.

    Reply
  9. Tony says:

    Hell yes thank you SIR! Make thing easy for idiots like me

    Reply
  10. Dayo says:

    Hi

    There has been a new patch released by the ZC Team to make it PHP 5.3 compatible http://www.zen-cart.com/forum/showthread.php?p=804484#post804484

    Are you planning to incorporate this into your file set as I am concerned that using the official files may reintroduce bugs and security holes (shows the state of the ZC project that one should be fearful of using official releases in case they add bugs and security holes).

    Thanks

    Reply
  11. admin says:

    Patches have been applied, enjoy

    Reply
  12. Dayo says:

    Hi

    Since you have the most complete Zencart 1.3.8a file set, I thought I’ll let you know of a new PCI Compliance Patch issued by the ZC Team: http://www.zen-cart.com/forum/showthread.php?p=809045#post809045

    Cheers

    Reply
  13. DerManoMann says:

    @Dayo: Good stuff, thanks.

    I’d like to make public that I maintain a public repository based on this version at http://github.com/DerManoMann/zc-base.

    This repository is public, so everyone can see the changes being made. The reason is that I need/want a proper zen cart base to build full releases of ZenMagick (http://www.zenmagick.org/).

    I guess it would make sense to join forces here with rubikintegration who have done a great job with creating this version. I’d be happy to share the repo or use a different one. It would just be nice to have some sort of history instead of just files to download (at least for my purposes).

    mano

    Reply
  14. admin says:

    Thanks Dayo, patch updated

    Reply
  15. dbltoe says:

    New patch at http://www.zen-cart.com/forum/showthread.php?goto=newpost&t=142927

    Reply
  16. Dayo says:

    Hi

    I have added Posts #36 to #39 at http://www.zen-cart.com/forum/showthread.php?t=82619 to the file set from 05 Dec.

    Just three files affected. Send an email to me and I will reply with the files so you can check and update the package.

    Reply
  17. Philip Clarke says:

    It is necessary to have a default timezone set for php 5.3 otherwise the error appears in the log

    PHP Warning: date(): It is not safe to rely on the system’s timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function.

    /srv/www/htdocs/test/admin/includes/auto_loaders/config.timezone.php

    date_default_timezone_set('UTC');

    does the job or could be in extra_functions and needs to be put over to the catalog side too. Also there are going to be more issues with the use of split(), which is deprecated.

    Reply
  18. DerManoMann says:

    @Philip Have you tried the zc-base package from github [http://github.com/DerManoMann/zc-base]? Download tar all from http://github.com/DerManoMann/zc-base/archives/master

    I would expect that PHP installations of ISPs have a timezone configured (at least of the ones that care about PHP). Perhaps some conditional code might be asked for otherwise.

    mano

    Reply
  19. Philip Clarke says:

    I’ve checked, the zen cart 5.3 patch is not 5.3 compatible, (and sent you the correct files), the zen cart patch still contains ereg and ereg_replace in lots of locations. The comment I made above about the default_date does need to be set, I didn’t set DerManoMann’s post though, my version of SuSE doesn’t ship with it set hence me finding the error every time time() is called (a lot). I have to put this all back on a 5.2.11 server as I’m sure I mentioned it on Mano’s website, but E_DEPRECATED in the 5.3 zen cart patch throws an error which I’m sure is why in their release notes they state that the patch is not for versions prior, it’s only a one liner to correct and make everything run smoothly.

    Reply
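
Added example (not part of the original post or of any commenter's package): the disagreement above over whether `classes/shopping_cart.php` has live `ereg` calls or only commented-out ones, and the later claim that the official PHP 5.3 patch still contains `ereg` and `ereg_replace`, can be checked with PHP's tokenizer, which separates real calls from comments and strings. The function names and the sample source are constructed for illustration.

```php
<?php
// Added example: report real calls to the regex functions deprecated in
// PHP 5.3 (ereg family, split), ignoring comments, strings and methods.
// skip_trivia(), find_deprecated_calls() and $sample are constructed here.

$deprecated = array('ereg', 'eregi', 'ereg_replace', 'eregi_replace',
                    'split', 'spliti', 'sql_regcase');

// Move from index $i in direction $step past whitespace and comment tokens.
function skip_trivia(array $tokens, $i, $step)
{
    $trivia = array(T_WHITESPACE, T_COMMENT, T_DOC_COMMENT);
    $i += $step;
    while (isset($tokens[$i]) && is_array($tokens[$i])
           && in_array($tokens[$i][0], $trivia, true)) {
        $i += $step;
    }
    return $i;
}

function find_deprecated_calls($source, array $names)
{
    $hits = array();
    $tokens = token_get_all($source);
    foreach ($tokens as $i => $tok) {
        // Function names are T_STRING tokens; comments and quoted text are not.
        if (!is_array($tok) || $tok[0] !== T_STRING) {
            continue;
        }
        $name = strtolower($tok[1]);
        if (!in_array($name, $names, true)) {
            continue;
        }
        // Skip $obj->split(), Foo::split(), "function split(" and "new split(".
        $prev = skip_trivia($tokens, $i, -1);
        $not_a_call = array(T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW);
        if (isset($tokens[$prev]) && is_array($tokens[$prev])
            && in_array($tokens[$prev][0], $not_a_call, true)) {
            continue;
        }
        // A call is the name followed by an opening parenthesis.
        $next = skip_trivia($tokens, $i, 1);
        if (isset($tokens[$next]) && $tokens[$next] === '(') {
            $hits[] = array('line' => $tok[2], 'function' => $name);
        }
    }
    return $hits;
}

// Constructed sample: lines 2 and 7 mention the functions only in comments,
// line 6 only inside a string, line 5 is a method; lines 3 and 4 are calls.
$sample = <<<'PHP'
<?php
// if (ereg('^[0-9]+$', $qty)) { ... }
$parts = split(',', $list);
$ok = eregi('^zen', $name);
$rows = $parser->split($line);
$msg = "replace ereg() with preg_match()";
/* $c = ereg_replace('a', 'b', $c); */
PHP;

// With a directory argument, scan every .php file under it;
// without one, scan the constructed sample.
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($argv[1], FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $source = file_get_contents($file->getPathname());
        foreach (find_deprecated_calls($source, $deprecated) as $hit) {
            printf("%s:%d %s()\n", $file->getPathname(), $hit['line'], $hit['function']);
        }
    }
} else {
    foreach (find_deprecated_calls($sample, $deprecated) as $hit) {
        printf("sample:%d %s()\n", $hit['line'], $hit['function']);
    }
}
```

Run against an unpacked file set, this gives a per-file list that can be compared between two packages instead of relying on a text search that also matches commented-out code.
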
  20. DerManoMann says:

    Yes, that is correct. The fix for E_DEPRECATED has been added some time ago following your suggestion. I also added code to zc-base to set date.timezone if it isn’t set at all.

    Reply
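
Added example, not the code from zc-base or from either package: one way to write the conditional timezone fallback and the `E_DEPRECATED` guard discussed in comments 17 to 20 so that the same file loads on PHP 5.2 and 5.3. The function names and the `UTC` fallback are assumptions.

```php
<?php
// Added example (function names are hypothetical, not Zen Cart or zc-base code).

// Keep the host's configured zone when there is one; otherwise set a
// fallback so date-related calls stop logging the PHP 5.3 warning.
function compat_ensure_timezone($fallback = 'UTC')
{
    $configured = ini_get('date.timezone');
    if ($configured !== false && $configured !== '') {
        return $configured;                // php.ini or the vhost already set it
    }
    // date_default_timezone_set() returns false for an unknown identifier;
    // '@' silences its diagnostic so the fallback below can take over.
    if (!@date_default_timezone_set($fallback)) {
        date_default_timezone_set('UTC');  // 'UTC' is always a valid identifier
        return 'UTC';
    }
    return $fallback;
}

// E_DEPRECATED is defined only from PHP 5.3 on. A reporting mask that names
// it unguarded fails on 5.2, so test for the constant before using it.
function compat_error_level()
{
    $level = E_ALL & ~E_NOTICE;
    if (defined('E_DEPRECATED')) {
        $level &= ~E_DEPRECATED;
    }
    return $level;
}

$zone = compat_ensure_timezone('UTC');
error_reporting(compat_error_level());
```
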
  21. Philip Clarke says:

    Okay I’ve got to admit a bit of confusion now as to which version is the “current” patched release. I submit a list of 5.3 changes to yellow1912 which are similar to your version on github that appears more up to date than the “current” one listed above. There are minor differences in that I’ve used the //s flag in some preg_split functions in case the data being processed has newlines, but pretty much I appear to have redone your work!

    Reply
  22. DerManoMann says:

    The version available here at rubikintegration was the base for the zc-base version I maintain.

    I’ve already offered to join forces and merge both into a single repository. Perhaps that would help minimize confusion. Alternatively, I might have to refrain from posting here about my zc-base repo on github.

    Based on that version I’ve applied your changes – together with the zencart PHP5.3 patch and some of my own code (in particular the installer seemed to break without my patches).

    I’ll see if I can find your files again and check for the //s flag – perhaps I missed that – or could you email me a diff of the places where you think it is missing?

    Reply
  23. Philip Clarke says:

    Yellow1912 ? Did you apply the zc_5.3 patch because there’s an error in it, I can build a patch, but the deleting of downloads is incorrect in the DrByte 2009 issued patch.

    Reply
  24. Philip Clarke says:

    The ZC 5.3 patch is wrong, here’s the patch to recorrect it

    — a/admin/includes/functions/general.php

    +++ b/admin/includes/functions/general.php

    @@ -2088,7 +2088,7 @@ function zen_copy_products_attributes($products_id_from, $products_id_to) {

    // delete associated downloads

    $products_delete_from= $db->Execute(“select pa.products_id, pad.products_attributes_id from ” . TABLE_PRODUCTS_ATTRIBUTES . ” pa, ” . TABLE_PRODUCTS_ATTRIBUTES_DOWNLOAD . ” pad where pa.products_id=’” . $delete_product_id . “‘ and pad.products_attributes_id= pa.products_attributes_id”);

    while (!$products_delete_from->EOF) {

    - $db->Execute(“delete from ” . TABLE_PRODUCTS_ATTRIBUTES_DOWNLOAD . ” where products_attributes_id = ‘” . $products_delete_from['products_attributes_id'] . “‘”);

    + $db->Execute(“delete from ” . TABLE_PRODUCTS_ATTRIBUTES_DOWNLOAD . ” where products_attributes_id = ‘” . $products_delete_from->fields['products_attributes_id'] . “‘”);

    $products_delete_from->MoveNext();

    }
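
    Review bot: on the `+` line, `$products_delete_from->fields['products_attributes_id']` is still concatenated straight into the DELETE statement, and the SELECT in the context lines does the same with `$delete_product_id`; casting both with `(int)` would keep these queries numeric-only whatever the ids contain. Separately, as posted here the patch has typographic quotes and its `---` file header has collapsed into a dash, so it will not apply with `patch`; make the `->fields` change by hand or attach the diff as a file.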

    if the code is not changed back to the original zen cart (basically someone deleted the word ->fields) then it fails like this

    PHP Fatal error: Cannot use object of type queryFactoryResult as array in …..

    This is only apparent if you try and delete the attributes of an item with downloads.

    Reply
  25. Philip Clarke says:

    Another error in Zen Cart’s 5.3 patch

    zc138a-php53patch/admin/includes/functions/general.php

    is missing the function zen_user_has_gv_balance from the bottom. Unfortunately this has filtered into the patched version above.

    Reply
  26. Philip Clarke says:

    http://bouncing.org/zen-cart-v1.3.8a-5.3.zip

    has all the corrections/ bugfixes from Rubik’s and all the php 5.3 compatibility I could find and then has been recorrected to amend the errors introduced by DrByte’s 5.3 patch. One thing that might need to be removed is that I have a file 0.timezone.default.php in there and a modification in application_top to load the extra_configures in alphabetical order. This is needed for the time being as not setting a default time zone can crash out 5.3 and also not loading in sequence can cause crashes using the error_logging add-on as it references time().

    Reply
  27. Dayo says:

    Philip

    The “->fields” bug you noted in Post 25 is a great example of what I can only describe as the irresponsibility of the Zencart Team. A fix to that bug had been posted in Feb 2008 but with the PHP5.3 patch, the bug was reintroduced. (See http://www.zen-cart.com/forum/showthread.php?t=88609).

    For reasons that remain a mystery to everyone but their holinesses, they prefer to deal with bugs piece meal in forum posts with new bug fixes and patches reintroducing old bugs which users then have to go searching the forums for answers to.

    If a patched version of ZC had been made available, the PHP 5.3 patch would have been done on top of that but in what seems like sheer stubbornness, they prefer to let their user base suffer.

    Personally, I think it is a matter of “face”. They will not update that fileset no matter the inconvenience users may face as they consider it a loss of face and will plug on with a new version which they believe they must release given that v2.0 (as v1.4) was announced in May 2006.

    I think they consider releasing a fixed 1.3.8a an admission of failure and will rather let the user base suffer than face the “shame”. This is clearly ridiculous but it is the only remotely logical reason I can think of for their bizarre position on this issue.

    Seems like the motto is “New Version or Nothing” and if it takes 3 more years then tough. They will not fix the current code base. Users have to deal with the bugs and maybe even get hacked now and then. This seems to be just a small price to pay in their view compared to losing “face”.

    Reply
  28. DerManoMann says:

    Perhaps they will have to change their mind – with three alternative (and slightly different) versions out there to choose from there is real danger for people drifting off somewhere else.

    There is a rumour (http://seo9oneone.com/zen-cart-1-3-9-is-coming-very-soon/) that things are moving. Quote: ‘…will have all of the latest patches for zencart obviously’.

    Of course, this is all speculation until we all see it…

    With Philips version also different to zc-base and the version you guys provide here I seriously consider dropping zc-base or, at least, update from Philips version. I really do not have the time to follow forum posts to figure out what to patch next. Even more since it affects code I do not want to maintain anyway.

    Reply
  29. Dayo says:

    The alternative versions is an issue. Can you guys collaborate and put a common set together?

    Since you already have the files on github, it would be nice if you could give Philip and Yellow commit rights or similar and make that the “official” unofficial source. Yellow & Philip could then point their links to the git tar file. If you guys could do this, it will be awesome.

    Reply
  30. DerManoMann says:

    Fine with me.
    @Philip: Are you ok with that? If so I’ll push your posted version.
    If yellow and Philip would email me their github names I’ll add them to the project.

    I have to add that I might add a couple small things to improve the way the installer is used in ZenMagick. If so, this would always be in a way that doesn’t affect stock zencart users (rather improve things I’d say).

    Reply
  31. Dayo says:

    Not sure how this fits into your plans for ZM but I think it may be nicer if ZM related stuff is kept separate from this so that the fileset is equivalent to the one linked above which is simply ZC with the issues the ZC devs refuse to deal with sorted out.

    Reply
  32. DerManoMann says:

    I think the only issue I had (but that’s not urgent anyway) was to be able to run custom SQL scripts during install if the user opts to install the demo store data.
    Other than that, zc-base is pretty much the same as your or Philip’s version.
    I haven’t heard back from Philip or yellow, so I’ll try get in contact with them for further discussion…

    Reply
  33. Philip Clarke says:

    I’ve got no problems with my conversion being used, but I’m wondering whether I’ve stalled. There are quite a few issues with Zen Cart including quite a large character set one that I discovered today. Plus there’s a distinct disadvantage in using my code, in that I use Linux and everyone else uses Windows. For the end user at the moment it doesn’t matter as my system seems to save Windows line endings correctly if they were present in the old file. But every time I open a define file then my system throws a “wobbly” as there’s a default character that works on Windows but not in UTF-8. This is present in every define file in the default installation just after the words “sample text”. What I’m concerned about is that if I carry on, I may pollute the project and cause a fork.

    Philip.

    Reply
  34. Philip Clarke says:

    @dayo I haven’t been paying much attention to this recently but what I found recently on the net was this:

    http://www.ecommerce-guide.com/essentials/shopping_carts/article.php/3855641

    where Zen Cart is still second to osCommerce but has lost 2 million page impressions in 6 months and they’ve placed ZC in the biggest losers category describing version 2.0 as vaporware [sic]. I’m willing to listen to anyone that’s not prepared to “fork” the project, but to bring it up to date. I also found this:

    http://securemyzen.co.uk/content/zen-cart-credit-card-validation-invalid

    where someone I sort of knew last year, invented a credit card number and passed it straight through the validation methods and object which the payment modules are built on. He reported the issue and it shows a new attitude over at ZC development to updating their code.

    Reply
  35. DerManoMann says:

    @Philip: Sounds serious enough to me. But then, it’s moot to discuss the attitude of developers.
    As far as the repository is concerned – I do not intend to fork. For that I do have ZenMagick
    zc-base is intended to be a latest Zen Cart release (1.3.x) to be used as base for a full ZenMagick release.
    The plan is to always be able to use it as standalone zencart. Does that sound compatible to you?

    Reply
  36. Philip Clarke says:

    Sounds compatible enough to me. The issue I discovered yesterday but only confirmed today is that ZC is not truly compatible with MySQL above version 4.0 there are 152 instances where ZC queries the database to find the maximum length of a field, but since version 4.1 when MySQL introduced character set collation, MySQL has reported the length of any column/ field in bytes not “characters” in the case of even latin1 tables this reports a value 3 times the “real” size of the column. Basically we have a “broken” 1.3.8a with PHP 5.3, MySQL > 4.0 and yellow1912 has applied 41 bug fixes plus modifications to the default shipping modules. From wikipedia

    http://en.wikipedia.org/wiki/Fork_%28software_development%29

    the definition of fork is starting independent development of a piece of software, which is not what I am suggesting, I’m suggesting applying all the fixes (which admittedly we’ve already done), plus some more and having a “Zen 1.3.8a Fixed” repository available. I think you should host it as long as you promise not to fork. Both you and myself no longer have any interests vested in Zen Cart and I think it unfair to let yellow1912 be penalised for hosting a fixed version because I’m pretty sure from both your and my experiences (and the post above), that that is what would happen.

    Reply
  37. DerManoMann says:

    Cool – so if you could give me an updated zip of your version plus your github name I’ll get that done. Or, just the name and you can update the rep yourself.
    All I need is a working zencart 1.3.x and the better that is the better will be the ZenMagick version I build on top

    Reply
  38. stravas says:

    You lose this code in ‘admin/includes/functions/general.php’, I find the function in ‘zen-cart-v1.3.8a-5.3.zip’. Hope you can add it to last version, and thanks for your work.

    function zen_user_has_gv_balance($c_id) {
      global $db;
      // the customer id is cast to int before it is placed in the query
      $gv_result = $db->Execute("select amount from " . TABLE_COUPON_GV_CUSTOMER . " where customer_id = '" . (int)$c_id . "'");
      if ($gv_result->RecordCount() > 0) {
        if ($gv_result->fields['amount'] > 0) {
          return $gv_result->fields['amount'];
        }
      }
      // no gift-voucher row, or a zero balance
      return 0;
    }

    Reply
  39. Philip Clarke says:

    Sorry not been paying attention and then had to strip out my timezone things and modifications. Below is 1.3.8a vanilla patched for PHP 5.3

    http://bouncing.org/zen-cart-v1.3.8a-5.3-patched.zip

    I don’t have a github account, I run my copies locally across a couple of machines.

    Reply
  40. Philip Clarke says:

    Just updated

    http://bouncing.org/zen-cart-v1.3.8a-5.3-patched.zip

    to deal with bug fix number 41, where option names are truncated if they contain quotes. Also I can confirm that this does install a standard zen cart on PHP 5.2.9 as well as 5.3 so is backwards compatible.

    Reply
  41. Dayo says:

    To be honest, this is turning into a bit of a nightmare.

    While I appreciate the effort and have full respect for the developers, the multiplicity is definitely a bad thing.

    I for one personally think Yellow will be doing users a favour if he deletes the posts with the file links and let us just have one clear link at the top that points to the current file set.

    Reply
  42. Philip Clarke says:

    The problem is that zen cart does release bug fixes. I have just placed the latest version on source forge and am redirecting my links to the files section.

    https://sourceforge.net/projects/shopupgraded/files/

    Reply
  43. Philip Clarke says:

    I’ll just clarify what’s happening at the moment. I had yellow’s original file from above and have patched with the zen cart bug fixes so it is entirely up to date with security and I have corrected the mistakes that the zen cart development team added to the bug fixes!

    I’ve clearly stated that it is not zen cart supported and is not “zen cart” and that the name is only used by association since it’s their work and describing their patches. DerManoMann was basing his zenmagick product on my bug fixed version. My version has been tested as backwards compatible to PHP 5.2.9 and so unlike the Zen cart’s bug fixes it is not solely a 5.3 release. It should also function in PHP 6.0 (untested) so should be more future proof.

    All current zen cart modules are compatible with it, unless Zen cart have introduced some incompatibilities, but zen cart modules may not be 5.3 compatible so I was going to start working through them.

    Reply
  44. Tom Reitz says:

    ZenCart 1.3.9 alpha IS currently being tested for at least the last 4 weeks now! This is not a rumor any more. A few bugs were found and are being worked on currently. In fact, a second version with bug fixes were released earlier this week.

    Reply
  45. DerManoMann says:

    @Philip,

    I know I’ve left this sitting for too long, but I, too, am just human
    If you have restricted yourself to just that, why not share a repository after all the discussion?

    It looks like you will be dedicating more time doing housecleaning – something that is out of my scope and I do not really fancy (neither do you, I guess). If you, like yellow, release just a zip file it means that again there is no visible record of what you have changed as it looks like you are using sf just to distribute the files.

    So, I’ll just devote myself to periodically check for updates and upgrade my repository with

    Reply
  46. Philip Clarke says:

    I don’t know about how git hub releases its files, and “people” like one zip file which they can find. Converting the whole lot to be PHP 5.3 compatible and correcting their mistakes was already house cleaning, but someone had to do it. Take this git for example:

    http://github.com/elan/plex/downloads

    for the average user, the downloads are unusable and confusing, a file with a hexadecimal number after it. If I click on the “commit” links then the changes are diff files, I picked that project off the front page at random.

    In some cases when building that zen cart zip I changed ~150 files (one commit has 52 files changes alone), I know that due to a MySQL issue there is either a change in one of the html outputting functions or changes that need to be made in 152 different areas. I can upload it to github too as a starting point if you like, since the bulk of the work is done. Another example chosen at random would be this project

    http://github.com/ajaxorg/o3/downloads

    where there is only one download file, yet they have multiple commits in one section, (both of which is good) but I’d need a beginner’s guide to git to work out how to have done that. The version of git I am running is just as obscure, to get the file out, it comes with a 32 character hexadecimal (possibly more) number which I have to unzip and then rename and rezip.

    I could use github probably to record changes and then put it up onto sourceforge to download just seems that it is of interest only really to you (which I don’t have a problem with). Generally the patches come from

    http://www.zen-cart.com/forum/showthread.php?t=82619

    and the security section, and then there are some like USPS patches that caused a divergence of “our” zip’s at http://www.zen-cart.com/forum/forumdisplay.php?f=2 which I have book marked. Trouble is I got kicked out of the forums 2 days ago, ho hum so I guess the fixed patched 5.3 version is unsupported with extreme prejudice !

    Reply
  47. DivaVocals says:

    Question to the honorable Mr Clarke. With regards to the patch files you made available on SF, you state that they are backwards compatible to PHP Version 5.2.9. Do you have any thoughts about compatibility with older versions (specifically version PHP Version 5.2.5 – PHP Version 5.2.8)

    Reply
  48. DerManoMann says:

    Well, git and github is probably not for the average zencart user. github automatically offers to download a zip/tar ball of all sources.
    In the case of zencart that would be sufficient, I think. However, that is obviously always the HEAD version.

    For managed releases there is the download section, but I haven’t tried that either.

    For ZenMagick I do want to use github just as repository, not to distribute releases. Since I do have build scripts that wouldn’t be possible anyway.

    But, in a way, I would face the same issues – which version to use – or just use HEAD? But then, I think the way to go with git is to fork and follow your changes in a controlled manner. That way I can establish a stable version to build ZenMagick from.

    I guess this discussion is getting a bit out of scope of this post/thread, so perhaps we could continue that via email, on your github wiki or elsewhere unless there are more people interested in following this.
    If a place for a public discussion is required we could always start a thread over on http://forum.zenmagick.org/.

    @yellow: It might be good to get a word from you about whether you are happy to keep the discussion here or rather someplace else.

    Reply
    • admin says:

      I will change the link in my post to whatever Final destination you guys agree to use.
      Also, feel free to post here, keep the discussion going on ^_^

      Reply
      • Philip Clarke says:

        Mano and I discussed this off board and I was persuaded to put the version up on github for anyone that wants to use it in their own projects

        http://github.com/PhilipClarke/Zen-Cart-5.3-Patched

        as well as the normal download available from sourceforge.

        https://sourceforge.net/projects/shopupgraded/files/

        So it’s all nice and transparently open.

        Reply
  49. Arocho says:

    ZenCart 1.3.9 alpha IS currently being tested for at least the last 4 weeks now! This is not a rumor any more. A few bugs were found and are being worked on currently. In fact, a second version with bug fixes were released earlier this week.

    Reply
    • Philip Clarke says:

      And this project has been working as opposed to being a beta or alpha since Yellow posted last year, so that would be door stable, horse bolted, shutting or some such similar metaphor.

      Philip.

      Reply
  50. Dayo says:

    Nice to see it come together to one common source guys. Well done.

    In the interest of transparency, it would be great if the intro on the SF page had a link to Github so that those so inclined can look at the changes made.

    On that aspect, the Github would have been better set up with the original ZC files as the initial commit with the changed version then added and continued from there.

    Anyway, just minor stuff and hopefully, similar can be done when v1.3.9 finally comes out (if it ever does) since the ZC devs will probably still have the same laissez faire attitude to security and refuse to be bothered to update the core fileset maintaining that once they post a patch on their site, they can continue to offer an insecure script for download and let the users be damned. Shocking really.

    The sad thing is that the average user couldn’t give two figs about “MVC”, “OOP” or whatever and would be perfectly happy with v1.3.8a as long as they wouldn’t get hacked within five minutes of installing the app.

    As I noted earlier, I believe the refusal to update 1.3.8 is a “face” issue as absurd as that may seem to any rational person. I believe they feel that their next offering has to be a new version of some sort no matter what the cost is to current users in terms of getting hacked etc.

    A worrying mindset but there we go. Thank God for opensource allowing sane minds to intervene.

    Why they

    Talk about misplaced priorities.

    Reply
    • Philip Clarke says:

      I agree that the initial github commit would have been better if it had all the changes and I did it !

      What happened was that while Mano and I were discussing the various 5.3 issues we were both working our way through Yellow’s original patched version, then we found an inconsistency (in USPS I believe), Mano’s version was 2 weeks older than mine and when I tried to merge the two (and not knowing git at all) it killed the original with a “no fast forward updates permitted” message.

      The only solution was to get an original ZC and then merge in one and then the other and delete the branches to leave one “correct version” otherwise we were diverging down two differing paths. Which left only one correctly referenced file set on the “master” branch.

      I blame my git incompetence entirely.

      What I have done is replace ereg (and related) functions and split throughout every page. I stripped out zen cart’s affiliate links too as quite frankly I didn’t see why they should profit from a download that they disparaged and ignored the community’s request.

      The only changes I’ll be putting into GitHub are any bug fixes or more incompatibilities found, very likely to have some improvement to the installation SQL to correctly set up the column types (I’ve found some character set issues). I feel that a default timezone should be set and may include an extra configure file to do so, as there’s an error generated for every call to time() if the zone is not set up server side. Mano believes that server side it would be set up, but my tests indicate that several hosts have not done this. The patched version is just that, a version that works; I have my own development that goes on top of it for adding new features, so I’ve promised to keep the distinction so that a common code base is available.

      There is a big invoicing issue outside the USA. Currently I am not sure what to do with it. There’s always been a rounding problem with sales tax being calculated on each item and not the total, which can be out by a few pence. But I had it confirmed on Friday that the invoices are unlawful in the UK and Canada.

      The issue comes from courier delivery services. The courier service has a VAT/GST component which is not being added onto the VAT. So the shop owner is doing his returns, claiming back the tax on his courier invoices, and then adding what Zen tells him he’s charged in sales tax. This means that he’s accumulating a large deficit as time goes by as he’s not paying over the VAT included in the courier to the tax man (quite unwittingly but still unlawful). I’m not sure of the exact terminology but the invoices are illegal, the non-payment is unlawful.

      There are also three other points that are unlawful in UK law for a Zen Cart generated invoice. The question is how I deal with it. Historically it is illegal to alter an invoice once issued, so I can fix it and then every invoice from re-installation would be correct; that still leaves a deficit though, which will show up on audit. The UK is also “odd” in that if the shop owner used the Royal Mail, then tax is not applicable, so there’s got to be hooks in there for the different country rules and the applicable rates in the shipping modules. I’ve asked for a volunteer to create a “deficit” module, but no takers so far and I’m jammed up trying to fix the actual issue.

      Philip.

      Reply
      • Dayo says:

        I suppose you can deal with the invoicing issue in your Shopgraded fork. I am sure that there is a myriad of things to be fixed in ZC but that means creating a fork like you have done and ZM has done. I think though that many users will like to stay with ZC for now and will prefer not to have radically different code from what the official team has in place, which leads to “Zencart 1.3.8a with all patches announced/issued by the ZC Team itself applied”.

        Reply
  51. Philip Clarke says:

    Tonight the latest version of Patched will be launched. In honour of Ajeh and her big bug list at number 42, it will be named 1.42.

    Fixes I have carried out to the lookups and pricing functions have given a minimum of 20%, an average of 40% speed boost for database queries on the default shop. The increase in performance gets better with more categories/products per shop and I’ll be blogging the whole series of changes, but I knocked up a demo so you could see what a bug fix can do.

    http://zen.shopupgraded.com is the default unpatched shop (obviously admin has been removed entirely).

    http://patched.shopupgraded.com is the improved performance bug fixed version.

    The number of database queries is listed in the top right of the screen. The carts are running from the same database, just in different folders; Patched 1.42 loads a couple of extra files because of the security bug fixes. This will go into GitHub and SourceForge late tonight and is a backwards port of some elements of Shop Upgraded and uses an entirely new object; we expect this to be copied into Zen Cart 1.3.9.

    Reply
  52. nightowl says:

    Would we still need to rename the admin folder?

    Reply
  53. raimond says:

    Hi,

    I like this download, but at this moment we are at release Zen Cart v1.3.9g.

    Are all security updates and other updates in this download?

    Reply