Welcome to Zen Cart™ ...

The Zen Cart™ software is made available to you for use, additions, changes, modifications, etc. without charge, under the GNU General Public License.

While we do not charge for this software, donations are greatly appreciated each time you download a new version, to help cover the expenses of maintenance, upgrades, updates, the free support forum and the continued development of this software for your online e-commerce store.

Donations can be made at: The Zen Cart™ Team Page

We appreciate your support.
The Zen Cart™ Team

Zen Cart™ is derived from: Copyright 2003 osCommerce
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
and is redistributable under the GNU General Public License

This software is OSI Certified Open Source Software.
OSI Certified is a certification mark of the Open Source Initiative.

Upgrade Instructions from v1.3.7 to 1.3.8

If you are upgrading from Zen Cart v1.3.7, the process is simple:
- compare all the changed files with the files on your own site... and re-apply your customizations to the new files
- upload the new files (with your customizations added) to your site
- upload the zc_install folder to your server, and run zc_install/index.php
- select Database Upgrade from the System Inspection screen, and apply the required updates

If you are upgrading from a version prior to v1.3.7, please follow the instructions in the "how to upgrade" documentation in the /docs folder.


  • SECURITY: Please be sure to review and apply the Site Security Recommendations to your site prior to taking your shop "live". If you are uncertain about how site security applies to you, talk to your web host to ensure that you have proper measures in place.

  • Low-risk XSS Vulnerability found and fixed.

  • NEW: Combine Shopping Cart Contents .... If customer logs in and had items in their saved shopping cart, they are now taken to their cart and shown a message alerting them to the fact that those items have been merged with their new cart. This warning can be disabled via switch in admin: Admin->Configuration->Stock->Show Notice of Combining Shopping Cart on Login

  • Sideboxes for New/Featured/Special can now contain more than 1 product. Also, the randomizing of the selected products has been improved. The number of items to be shown can be set in Admin->Configuration->Maximum Values

  • PayPal Website Payments Pro added, for US and UK merchants.

  • PayPal IPN Users: If you are using the PayPal IPN payment module, you will need to Remove and re-Install the PayPal module in Admin->Modules->Payment->PayPal in order to take advantage of the bugfixes in the module. (Write down your settings first, for easier re-configuration!)
    WHEN YOU RECONFIGURE, be sure to also set up PDT token information if you'd like faster completion of transactions.

  • PayPal Express Checkout Users: A change was made to this module to allow friendlier logging of problems to the Administrator. If you are using the PayPal Express Checkout payment module, you will need to Remove and re-Install the module in Admin->Modules->Payment in order to make this work properly. (Write down your settings first, for easier re-configuration!)
    If you don't remove+reinstall it, you will have some blank spaces in your configuration settings when you attempt to edit it next.

  • Authorize.net SIM module users: you'll need to record your settings, remove the module, re-install it, and then re-enter your configuration settings. MD5 support was added, meaning that you can set an MD5 validation key in your Authorize.net account and in the module, so that the communications are double-validated before payment is accepted. This prevents spoofing.

  • Authorize.net eCheck module added ... If you have an account with Authorize.net and wish to offer eCheck payment options, the built-in module will handle this for you.

  • USPS module updated ... USPS has made some changes in the last 6 months, some announced, some not. The module has been updated to accommodate these changes.
    You will need to Remove and re-Install the module in Admin->Modules->Shipping in order to make this work properly. (Write down your settings first, for easier re-configuration!)

  • Stylesheet changes:
    - media manager ... converted IDs to Classes: .mediaTitle, .mediaTypeLink
    - textarea ... removed float:left
    ADDED NEW STYLE SELECTORS for Shipping Estimator output:
    - #shoppingcartBody #shippingEstimatorContent
    - .seDisplayedAddressLabel
    - .seDisplayedAddressInfo
    - .seShipTo
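
The MD5 double-validation mentioned above for the Authorize.net SIM module works like this on the receiving side. This is an added example, not Zen Cart's own module code: the field names (x_MD5_Hash, x_trans_id, x_amount) and the order of the hash inputs follow Authorize.net's SIM documentation rather than this page, and the key, login ID and transaction values are constructed samples.

```php
<?php
// Added example (not Zen Cart module code). Assumes PHP 7+ for hash_equals()
// and scalar type hints.

/** Recompute the fingerprint: MD5(merchant key . login ID . transaction ID . amount). */
function expected_md5_hash(string $md5Key, string $loginId, string $transId, string $amount): string
{
    return strtoupper(md5($md5Key . $loginId . $transId . $amount));
}

/**
 * Accept a posted gateway response only if its hash matches the one computed
 * with the merchant's key AND the amount matches the order being paid.
 */
function response_is_authentic(array $post, string $md5Key, string $loginId, float $orderTotal): bool
{
    // An empty key gives no protection: the login ID alone is not a secret.
    if ($md5Key === '') {
        return false;
    }
    foreach (['x_MD5_Hash', 'x_trans_id', 'x_amount'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false; // missing or array-valued field
        }
    }
    $expected = expected_md5_hash($md5Key, $loginId, $post['x_trans_id'], $post['x_amount']);

    // Constant-time comparison so the check does not leak how many
    // leading characters of a guessed hash were correct.
    if (!hash_equals($expected, strtoupper($post['x_MD5_Hash']))) {
        return false;
    }
    // A valid hash proves who sent the message, not that it pays for this
    // order: compare the confirmed amount with the stored order total.
    $confirmed = number_format((float) $post['x_amount'], 2, '.', '');
    return $confirmed === number_format($orderTotal, 2, '.', '');
}

// Constructed sample data (not real credentials or a real transaction).
$key   = 'ExampleKey123';   // merchant's MD5 validation key
$login = 'EXAMPLELOGIN';
$post  = [
    'x_response_code' => '1',
    'x_trans_id'      => '1234567890',
    'x_amount'        => '19.99',
    'x_MD5_Hash'      => expected_md5_hash($key, $login, '1234567890', '19.99'),
];

// Case 1: untouched response for a 19.99 order.
var_dump(response_is_authentic($post, $key, $login, 19.99));

// Case 2: amount altered after the gateway computed the hash.
$tampered = $post;
$tampered['x_amount'] = '0.01';
var_dump(response_is_authentic($tampered, $key, $login, 19.99));

// Case 3: well-formed response replayed against a different, larger order.
var_dump(response_is_authentic($post, $key, $login, 199.99));
```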


Since version 1.2, the Zen Cart™ templating system has had a major overhaul for v1.3. As such, you have two options:
  • upgrade your existing template by applying the new stylesheet and moving a few lines of code around; or
  • make a new template (based on template_default or the new "green" classic introduced in v1.3.5) and carefully re-apply your own customizations to the new template system. This is the best way to have almost-tableless and much tidier template code.

For further information on template upgrading, see the support-forum discussion on this topic.

CHANGELOG - List of Changed Files

For a list of files that have been changed since v1.3.7, see the changelog-v1-3-8.html

What's New ...

The following improvements and bugfixes are included in v1.3.8 since v1.3.7:

  • Added: login pages now have a built-in security token, which prevents XSRF and other hacks
  • Added: Ability to ban user accounts via admin (edit customer)
  • Added: Home & Per-page metatags can now be defined in the meta_tags.php language file
  • Added: EZ-Page metatags can now be defined in the meta_tags.php language file
  • Added: additional pages added to robots-exclusion list prevent indexing of non-product pages
  • Added: Admin server-info page now reports database-size info and various PHP settings
  • Added: If customer logs in and had items in their saved shopping cart, they are now taken to their cart and shown a message alerting them to the fact that those items have been merged with their new cart.
  • Added: Quick Customer address listing of whole address book
  • Added: manufacturer pulldown can skip manufacturers with no associated products
  • Added: warning in admin if Welcome Coupon is approaching expiry.
  • Added: Admin orders are now searchable on product name or model, or order number
  • Added: Month numbers added to CC expiry dates in pulldowns of core payment modules
  • Added: Customer comments can be included on packing slip and invoice
  • Added: Authorize.net E-Check module added
  • Added: nochex_apc payment module added and integrated with core
  • Enhanced: Authorize.net SIM module overhaul, including MD5 hash support, CVV, debug
  • Enhanced: Authorize.net AIM module improvements, including MD5 hash support, capt/void
  • Enhanced: Customers page in admin now shows open GV balances, and is sortable on same
  • Enhanced: Textarea counter for text-input-attribute fields improved to ignore spaces and CR
  • Enhanced: Improvements to the affiliate-feedback info during checkout-process
  • Enhanced: PayPal IPN now supports PDT to allow real-time-handling of PayPal Standard transactions without having to wait for IPN in all cases. Requires that merchant has enabled PDT and enters their encryption key/token.
  • Enhanced: Session security improved with additional sanitization

  • Change: CSS -- Some template ID tags changed to classes because rendered from inside a loop
  • Change: Updated some payment modules to display "not configured" alerts if appropriate
  • Change: table CAPTIONs moved into lang file for upcoming-products code
  • Change: USPS - updates to handle various 2007 changes made by USPS
  • Change: Installer now also sets shipping country to match store country during initial setup
  • Change: Installer now detects CURL support more effectively
  • Change: added CURL testing script and IPN communication check tool to extras folder
  • Change: magic_quotes_sybase is now disabled at runtime if server has it enabled
  • Change: PayPal IPN postbacks no longer use SSL due to so many hosts not having SSL support in their fopen wrapper configurations.
  • Change: added worio.com and panscient spiders to spider detection list
  • Change: "NF" changed to "NL" for province of Newfoundland Canada
  • Change: PayPal IPN now uses init_system instead of ipn_application_top, to minimize likelihood of addons causing IPN transactions to fail.
  • Change: ezpages now uses mediumtext field type instead of the smaller text type
  • Change: payment modules are no longer able to store entire CC/CVV numbers, per PCI rules.
  • Change: admin activity log now tracks login attempts, thus allowing identification of brute-force login tries; also stores longer referrer data
  • Change: db structure change to db_cache and session tables, allowing larger datatypes
  • Change: hard-coded delimiters on attribute prices and weights moved to _info language files
  • Change: renamed "Credit Card" module in admin to "Credit Card - Offline Processing" for clarity
  • Change: admin payment modules are now more friendly when discovering mismatched language files vs payment modules, ie: for cases where newbies upload files to wrong place
  • Change: default minimum city length set to 2 instead of 3, per code suggestion
  • Change: whos_online referrer data truncated to suit database data type restrictions
  • Change: orders_products_attributes field changed from BLOB to TEXT since not binary
  • Change: admin can send newsletters to self for testing purposes
  • Change: customer_firstname added to $_SESSION
  • Change: ezpages links no longer include &chapter=0
  • Change: added field-definition checker to sniffer class
  • Change: split_page_results now handles 'distinct' queries
  • Change: payment modules accepting credit cards now give the number and name of months
  • Change: SMTP email password now shows as **** in admin instead of plain text
  • Change: ot_total order-total module can no longer be 'removed' via admin, for safety
  • Change: zen_order_id fields in paypal and linkpoint_api tables changed to order_id to prevent confusion encountered by folks fiddling in raw database export files
  • Change: email system improvements to minimize dumping due to content challenges
  • Change: basic support added for Gmail mail support as long as webhost supports SSL/TLS
  • Change: partial CC digits now included in order-confirmation email
  • Change: if problems found with configure.php, instead of going directly to zc_install, we now present a more friendly page with some instructions and FAQ links
  • Change: Added audience entry for "non-purchasing" customers for sending newsletters to
  • Fix: Optimized the way cpath is calculated ... runs faster now, and is more relevant in subcats
  • Fix: Centerboxes now generate URLs containing relevant cPath
  • Fix: CURL proxy recommendation for GoDaddy updated to named FQDN instead of IP
  • Fix: Admin session-fixation problem fixed
  • Fix: Downloads occasionally would croak if buffering was enabled
  • Fix: login and create-account code synchronized
  • Fix: improvements to featured/special modules for faster db queries
  • Fix: XHTML validation fixes to several sideboxes
  • Fix: Added missing CC types
  • Fix: numerous MySQL5 fixes
  • Fix: version-history display in admin was always skipping the current version date info. Fixed.
  • Fix: some noindex pages were missing from the robots-skip list
  • Fix: invalid cPath pages were being spidered improperly
  • Fix: minor performance improvements on options_values_manager for attribute-heavy sites
  • Fix: remove three cases where php short tags were used, standardizing on long tags.
  • Fix: PayPal IPN module now supports the locale code for all countries, in accordance with their updated API spec
  • BugFix: Always Show Category wasn't always showing proper category for feature/new/special
  • BugFix: tax-rate calc fixed in admin product-edit page
  • BugFix: Prices were not displaying on quantity discounts if store-status mode was set to 1
  • BugFix: upcoming products were not selected properly due to a time miscalc
  • BugFix: Coupon/GV Tax calculations improved
  • BugFix: 100% coupon calculation improvements
  • BugFix: Group Pricing module updated to use new tax recalculation logic, added consistency
  • BugFix: tax calc functions improved
  • BugFix: Minimum Order feature bug repaired
  • BugFix: fix popen() vulnerability in the 3rd-party phpMailer system
  • BugFix: disabled CURL warnings in payment modules when module inactive
  • BugFix: products_price_manager was not properly handling non-entered values in MySQL5
  • BugFix: products_price_manager fixed default product selection for empty categories
  • BugFix: products_price_manager fix calculation on discounts to work with from Price and Special
  • BugFix: linkpoint_api payment module fix for empty fields
  • BugFix: developer toolkit improvements to handle quotes better
  • BugFix: order_total module would occasionally not properly detect template override
  • BugFix: metatag bug was causing call-for-price products to show a 0.00 price in title bar
  • BugFix: timeout template was missing /div if customer was logged in
  • BugFix: GV/Coupon resets were not always happening after completion of purchase
  • BugFix: closed several unclosed dir->open() calls which were consuming extra resource handles
  • BugFix: some search checkboxes not being remembered when returning to search page
  • BugFix: download filesize info was not showing if the download had expired
  • BugFix: download button was showing even if downloads had expired, in certain cases
  • BugFix: download expiry details occasionally incorrect in admin
  • BugFix: coupon-admin would sometimes not display restricted products properly
  • BugFix: additional sanitization of email addresses before sending emails
  • BugFix: table/zone rate modules missing percentage charges on last setting if based on price
  • BugFix: navigation issues in admin product price manager tools
  • BugFix: email format-selection fields were not stored properly if not shown to customer
  • BugFix: payment modules didn't always submit the proper referrer IP address if proxied
  • BugFix: default currency selector anomalies fixed
  • BugFix: rich-text editor bug in metatag section (shouldn't be activated), same on newsletters
  • BugFix: page-not-found header bug resolved
  • BugFix: admin version-display had extraneous code
  • BugFix: data-type enforcement changes in multiple places
  • BugFix: categories-icon link and image didn't always properly match listing
  • BugFix: fix missing flag for customer comments on listing
  • BugFix: fix ability to use extra-boxes folder with gv menu
  • BugFix: removed hard-coded language content from contact-us page
  • BugFix: email system traps for extraneous @ and spaces, and provide friendlier error messages
  • BugFix: additional-images module problem in PHP5 fixed
  • BugFix: when customer-forced-to-login mode is active, privacy page was being blocked
  • BugFix: duplicate-key bug on db_cache method
  • BugFix: Free Charger payment module had order-status conflict with $0 orders caused by GV
  • BugFix: added 5-min timer to Store Manager update actions
  • BugFix: Fix dropdown errors when Alpha sorter is disabled and stopping normal Cats and Manufacturer dropdown from displaying
  • BugFix: some category name html was showing in metatags
  • BugFix: when add-to-cart doesn't redirect to shopping cart, sometimes product_id was lost
  • BugFix: text-only emails were missing the email-disclaimer text
  • BugFix: 'SHOW_PRODUCT_INFO_COLUMNS_ALSO_PURCHASED_PRODUCTS' key was updated incorrectly from v127 to v130. Is now fixed by upgrading database.
  • BugFix: media manager template was using duplicate CSS IDs. Changed to classes in stylesheet
  • BugFix: tell-a-friend "back" button invalid ALT text
  • BugFix: zen_clean_html function wasn't stripping all required tags
  • BugFix: fixed missing body tag on salemaker editor
  • BugFix: trim trailing spaces from image data, which were causing empty image placeholders
  • BugFix: empty html content in emails now handled properly
  • BugFix: shipping estimator pages not rendering consistently, also fixed address display
  • BugFix: shipping estimator was not showing quotes if module limited to certain zone
  • BugFix: UPS - updated Worldwide Saver option
  • BugFix: Fix bug on shopping-cart with shipping by price where attributes prices were not being included/excluded for Virtual or Always Free Shipping products
  • BugFix: Fix Order Totals to not include javascript code for coupon names
  • BugFix: Discount Coupons were missing start and end dates on HTML/TEXT emails
  • BugFix: admin no longer asks for customer fax number if disabled
  • BugFix: no longer shows "send a GV" after GV balance is fully used
  • BugFix: coupon-restriction page had conflicts in naming of some html objects, breaking inputs
  • BugFix: if you deleted the active language but didn't switch to another one before adding another, then you'd end up with blank product/category names/descriptions for the new lang
  • BugFix: specials-expiry wasn't honoring midnight properly
  • BugFix: admin order-search no longer mistakenly loses search criteria if empty info entered
  • BugFix: fix ez-pages behaviour -- incorrect use of target=_blank
  • BugFix: fix missing fax/phone information on create-account "extra" emails
  • BugFix: use native session_write_close to ensure session stuff is always written out, regardless
  • BugFix: HTML emails were not always sharing full footer details with text emails
  • BugFix: HTML emails were not always showing proper line-breaks between product details
  • BugFix: HTML emails from payment modules weren't sending content properly
  • BugFix: restored sort order to the list of products on a purchase
  • BugFix: company name missing on edit of additional addresses
  • BugFix: record-company filter wasn't properly filtered for records, and was focused on music
  • BugFix: fixed notifier typo in order class
  • BugFix: some payment modules were not using "default" order-status properly, thus orders could disappear from list unless searched for specifically
  • BugFix: split-login-page mistaken error messages removed
  • BugFix: PDF downloads were sometimes encountering symlink errors, or streaming bad data. Now captures those errors. Also handles filenames containing symbols
  • BugFix: changed download timeout to 20 minutes if server allows it, to aid in larger downloads not ending prematurely
  • BugFix: restrictions were not being passed to newly created sub-categories
  • BugFix: item shipping was mistakenly resetting order count
  • BugFix: tpl_main_page had wrong ID-- is now indexHome on home page
  • BugFix: Fixed Salemaker error on popup for More Info missing Categories Name
  • BugFix: group pricing division-by-zero error when tax amount was 0
  • BugFix: customer_authorization problem fixed, including left/right/header/footer issues
  • BugFix: when deleting categories, meta-tag data wasn't being removed properly
  • BugFix: prevent drawing of extra fieldsets on checkout-shipping page if modules disabled
  • BugFix: document-general price was showing sale pricing ... but shouldn't
  • BugFix: shipping estimator page was showing weights differently from shopping cart
  • BugFix: media manager interface in admin wasn't handling pagination properly
  • BugFix: text-only emails from coupon-admin weren't including description
  • BugFix: text emails weren't including disclaimers properly, thus getting rejected in some cases
  • BugFix: PayPal Express checkout wasn't passing coupon discounts or shipping taxes properly
  • BugFix: fmod_round problems resolved -- was causing problems with min/max calcs
  • BugFix: text-only email "previews" in admin weren't handling line-breaks correctly
  • BugFix: coupon code wasn't releasing properly post-order or on invalid product
  • BugFix: admin tax-class page was allowing deletion of actively-assigned tax classes
  • BugFix: PayPal Express Checkout button was enabled even if module was restricted or if order was over the 10,000 USD threshold
  • BugFix: use onKeyUp instead of onChange in coupon-redemption field (onchange is for pulldowns)
  • BugFix: search engine spiders could trigger PHP errors in shopping_cart sidebox
  • BugFix: techsupp.php was using php "short" tags in a few places. Changed to normal tags.

Dec 10 Update

A few bugs were fixed between the original Nov 30 2007 release and Dec 10.
As such, the following fixes affected the indicated filenames:

  • SMTP email protocol typo was blocking SMTP-based emails from being delivered
  • Database Upgrade page could sometimes give a blank screen if there was an error
  • Authorize.net payment modules - there was confusion about MD5 issues. A notation about "max length: 20" was added to help clarify
  • PayPal Website Payments Pro - UK options weren't showing clearly
  • Installer had some problems with some IIS servers not detecting paths properly

Affected files:

  • /includes/classes/class.smtp.php
  • /includes/modules/payment/authorizenet.php
  • /includes/modules/payment/authorizenet_aim.php
  • /includes/modules/payment/authorizenet_echeck.php
  • /includes/modules/payment/paypaldp.php
  • /includes/modules/payment/paypalwpp.php
  • /zc_install/includes/classes/installer.php
  • /zc_install/includes/modules/pages/system_setup/header_php.php

Zen Cart™ Copyright 2007