X-Cart v4.1.11 released

JWait · #31 11-05-2008, 07:43 AM

We are using both, a site that was upgraded from 4.0.x to 4.1.10 and a new site using 4.1.11. No problems with 4.1.11 (but there are some limitations that I will address in a minute), but we did choose not to upgrade the 4.1.10 store to 4.1.11 because of some of the "security improvements" in the process.

Now the limitations. The 4.1.11 version, and the security patches for earlier versions create a scenario where only lowercase letters and numbers 0 through 9 may be used as usernames. This means that a customer can not use their email address, their name (usually capitalized), anything with hypens, dashes, dollar signs, etc, as part of their username. To compound this problem, there is no warning given to the customer other than the "Please make sure you properly filled in all the required fields!" type generic message.

More on this here http://forum.x-cart.com/showthread.php?t=41583

That said, you should probably use 4.1.11 and do the following.
1. Make the modification suggested at http://forum.x-cart.com/showthread.php?t=41583&page=4 ... Post #38.

Make a change in register.php to allow capital letters

Code:

if ((strcmp($uname_tmp, $uname) != 0) || (!preg_match("/^[a-z0-9_-]+$/s", $uname) && $uname != ""))

to

Code:

if ((strcmp($uname_tmp, $uname) != 0) || (!preg_match("/^[a-zA-Z0-9_-]+$/s", $uname) && $uname != ""))

2. Add a notation to skin1/main/register_account.tpl telling the customer to use letters and numbers only (we changed register.php to allow Caps).
In skin1/main/register_account.tpl, find

Code:

<td nowrap="nowrap">
{if $userinfo.login ne "" || ($login eq $userinfo.uname && $login ne '')}
<b>{$userinfo.login|default:$userinfo.uname}</b>
<input type="hidden" name="uname" value="{$userinfo.login|default:$userinfo.uname}" />
{else}
<input type="text" id="uname" name="uname" size="32" maxlength="32" value="{if $userinfo.uname}{$userinfo.uname}{else}{$userinfo.login}{/if}" />
{if ($reg_error ne "" and $userinfo.uname eq "" and $userinfo.login eq "") or $reg_error eq "U"}<font class="Star">&lt;&lt;</font>{/if}
{/if}
</td>

It is after where it says {* NOT anonymous account *}

and change it to

Code:

<td nowrap="nowrap">
{if $userinfo.login ne "" || ($login eq $userinfo.uname && $login ne '')}
<b>{$userinfo.login|default:$userinfo.uname}</b>
<input type="hidden" name="uname" value="{$userinfo.login|default:$userinfo.uname}" />
{else}
<input type="text" id="uname" name="uname" size="32" maxlength="32" value="{if $userinfo.uname}{$userinfo.uname}{else}{$userinfo.login}{/if}" />
{if ($reg_error ne "" and $userinfo.uname eq "" and $userinfo.login eq "") or $reg_error eq "U"}<font class="Star">&lt;&lt;</font>{/if}
{/if}
{$lng.txt_numbers_letters_only}</td>

Added {$lng.txt_numbers_letters_only} before the closing </td>

Then go to admin and in the languages section add the txt_numbers_letters_only variable. We used "(Letters and Numbers only)". This will place this text just to the right of where the customer enters their username when registering, and it seems to work fine.

marcelox7 · #32 11-06-2008, 06:48 AM

I try to delete a product and I got this message on the top of my page.

INVALID SQL: 1054 : Unknown column 'xcart_categories.categoryid' in 'on clause'
SQL QUERY FAILURE:SELECT IF(xcart_categories_lng.category != '', xcart_categories_lng.category, xcart_categories.category) as category FROM xcart_categories, xcart_products_categories LEFT JOIN xcart_categories_lng ON xcart_categories.categoryid = xcart_categories_lng.categoryid AND xcart_categories_lng.code = 'US' WHERE xcart_products_categories.productid = '1' AND xcart_products_categories.categoryid = xcart_categories.categoryid AND xcart_products_categories.main = 'Y'

Could you please hepl me out and let me know who to fix it. I just have a fresh install and 10 products.

Thanks!

Ene · #33 11-06-2008, 06:52 AM

Quote:

Originally Posted by marcelox7

I try to delete a product and I got this message on the top of my page.

INVALID SQL: 1054 : Unknown column 'xcart_categories.categoryid' in 'on clause'
SQL QUERY FAILURE:SELECT IF(xcart_categories_lng.category != '', xcart_categories_lng.category, xcart_categories.category) as category FROM xcart_categories, xcart_products_categories LEFT JOIN xcart_categories_lng ON xcart_categories.categoryid = xcart_categories_lng.categoryid AND xcart_categories_lng.code = 'US' WHERE xcart_products_categories.productid = '1' AND xcart_products_categories.categoryid = xcart_categories.categoryid AND xcart_products_categories.main = 'Y'

Could you please hepl me out and let me know who to fix it. I just I a fresh install and 10 products.

Thanks!

http://forum.x-cart.com/showthread.php?t=42499&page=2

marcelox7 · #34 11-06-2008, 07:04 AM

God bless you!

Thank you!

marcelox7 · #35 11-06-2008, 07:22 AM

Thanks Ene!

I got this error on my database: I delete a product before your patch. Could you please help me to fix this error?

Error: The table xcart_ge_products contains some records for which related data in the table xcart_products has not been found:
productid: 3

Thank you so much!

Ene · #36 11-06-2008, 09:08 AM

Quote:

Originally Posted by marcelox7

Thanks Ene!

I got this error on my database: I delete a product before your patch. Could you please help me to fix this error?

Error: The table xcart_ge_products contains some records for which related data in the table xcart_products has not been found:
productid: 3

Thank you so much!

Just delete all rows from the xcart_ge_products table.

marcelox7 · #37 11-06-2008, 10:02 AM

Thank you!

I have a last question... When I in admin and I create a new product...
I have: Product details/Thumbnail and Product image.
When I upload a photo to Thumbnail after I save it I have a option to delete it (perfect) but when I upload a photo to Product image after I save it I don't have a option to delete it just a option to change image...

How can I have a option as Thumbnail to delete image?

Thank you so much for all your help!

Light Speed · #38 11-07-2008, 08:27 PM

Quote:

Originally Posted by JWait

Now the limitations. The 4.1.11 version, and the security patches for earlier versions create a scenario where only lowercase letters and numbers 0 through 9 may be used as usernames. This means that a customer can not use their email address, their name (usually capitalized), anything with hypens, dashes, dollar signs, etc, as part of their username. To compound this problem, there is no warning given to the customer other than the "Please make sure you properly filled in all the required fields!" type generic message.

This will stop me from updating to 4.1.11

What would happen to customers that already had uppercase letters in usernames?

Uppercase AND lowercase AND symbols ARE A PART OF STRONG SECURITY!!!!!!
Why not just have all users log in as user and all admins log in as admin

Paul H · #39 11-07-2008, 10:13 PM

I imported all customers from my really old version and the there aren't many log in failures
I applied the JWait mod to allow capitals (thanks) All old customers can log in using their old details including capitals,spaces,underscore etc -why would x-cart make such a backward step??

JWait · #40 11-08-2008, 05:12 AM

Light Speed, Check the thread mentioned earlier
( http://forum.x-cart.com/showthread.php?t=41583 ) as it has a fix for this.
Also check page 4 of the same thread.

Please note that you need to pay attention to the variables "eregi" and "!preg_match" depending on what version you have (it really should be in your signature). You can choose to allow uppercase letters and symbols if you want to but since it is part of a security update I chose uppercase letters only as the thing added. It has no effect on existing customers or passwords, just new user names only.