Welcome to Zen Cart®

Dear Zen Cart® User,

Zen Cart® is made available to you for your use, addition, changes, modification, etc. without charge, under Version 2 of the GNU General Public License.

While we do not charge for this software, donations are greatly appreciated, each time you install a new version, to help cover the expenses of maintenance, upgrades, updates, the free support forum and the continued development of this software for your online E-Commerce store.

Donations can be made on the Zen Cart® Team Page

We appreciate your support.
The Zen Cart® Team

About PHP versions

Zen Cart® v1.5.2 is compatible with PHP 5.2.10 through PHP 5.6

(Note: security features are stronger when using PHP 5.3.7 or newer.)

Upgrade Instructions

From v1.5.1 to v1.5.2

Simple: if you are using v1.5.1 already and have not customized any of the files listed in the changed_files-v1-5-2.html document, then simply replace those files with the new versions contained therein.

If you HAVE customized or altered certain files, simply re-do your customizations in the new version of those particular files by making the same changes needed.

If you are using Addons/Plugins that have made alterations to those files, it is best to compare those changed files against the original v1.5.1 files, and see what changes were there ... and then re-build those changes in the v1.5.2 file.

To v1.5.2 from v1.3.9h or older

If you are upgrading from a version OLDER than v1.5.1, then please do a standard complete site upgrade.

CHANGELOG - List of Changed Files

For a list of files that have been changed since v1.5.1, see changed_files-v1-5-2.html

Whats New ... Changes from v1.5.1 to v1.5.2

Improvements and Bugfixes Included Since v1.5.1


  • CHANGE-511 - Change DB functions from mysql to mysqli
  • CHANGE-491 - Timezone patch for PHP 5.3/5.4/5.5 (this makes the "timezone offset" plugin obsolete)
  • CHANGE-566 - Add Admin switch to relax PA-DSS "strong" password requirements when in Demo mode
  • CHANGE-432 - Numerous fixes for stricter PHP 5.4 compatibility
  • CHANGE-543 - Updates for PHP 5.5 Compatibility
  • CHANGE-350 - Improvements to queryFactory to better support sql caching
  • CHANGE-359 - Add advanced developer tool for Notifier Trace and a global eventID
  • CHANGE-412 - Increase length of session key field due to changes in PHP defaults
  • CHANGE-421 - Update Authorize.net modules to support CAD and UK currencies
  • CHANGE-427 - Fix Memory Leak with PHP 5.3/5.4
  • CHANGE-434 - Add additional SSL detection checks to accommodate more poorly configured hosting companies
  • CHANGE-450 - Switch to SSL for contact-us form (when SSL is enabled)
  • CHANGE-452 - Add multiple-language and multiple-location support to the Store Pickup shipping module
  • CHANGE-454 - Made low-stock emails interceptable by notifier/observer
  • CHANGE-524 - Fix SaleMaker issues on Discount Quantity
  • ISSUE-54 - Session handling improvements
^^ Back to Top ^^


  • CHANGE-196 - Fix issue with Store-pickup module vs taxes
  • CHANGE-225 - Handle use of comma as decimal point for Gift Voucher
  • CHANGE-235 - Fix for create_account_success doesn't honor session timeout
  • CHANGE-274 - Installer improvement - alert if new version available at install time
  • CHANGE-309 - Changes to avoid spam flags on Admin Emails about payment/shipping modules, and prevent autoresponder replies to newsletters and contact-us emails
  • CHANGE-323 - Fix rounding error with attributes and salemaker
  • CHANGE-315 - Performance tuning with .htaccess tweaks
  • CHANGE-332 - Update PayPal WPS to prevent mistakenly entering localized country domain for accessing PayPal services (per PayPal change Q3-2012)
  • CHANGE-341 - Updates to observer/notifier code to better support legacy procedural code
  • CHANGE-343 - Fix various language wording and dist-configure examples vis a vis the logs foldername
  • CHANGE-345 - Fix typo in whos_online legend
  • CHANGE-346 - Fix outdated language in configuration menu help texts, mainly around the name of the logs folder
  • CHANGE-347 - Fix TRY currency in PayPal modules
  • CHANGE-348 - Fix Secunia advisory SA50574 - XSS in admin login.php
  • CHANGE-351 - Fix EZ-Pages Table of Contents links not displaying (if queryCache enabled, such as was added in v1.5.1)
  • CHANGE-352 - Fix attributes controller fatal error after upgrade
  • CHANGE-353 - Fix for password_forgotten generates log file
  • CHANGE-354 - Installer now bypasses APC and other caching mechanisms during zc_install, to prevent confusion caused by caching of files which require alteration.
  • CHANGE-355 - Fix redirect error when product is not General
  • CHANGE-361 - Fix blank page problem caused by clash with output_handler in hosting configuration
  • CHANGE-362 - Fix for template_filename not selecting for admin-initiated emails
  • CHANGE-363 - Trap for constant-not-found errors with badly-configured admin plugins
  • CHANGE-364 - Fix installer error: Failed to initialize storage module: memcache
  • CHANGE-365 - Fix missing noindex,nofollow missing on "forgotten" screen in admin
  • CHANGE-368 - Installer was allowing browser to remember old form data
  • CHANGE-371 - Fix for checkout_shipping creating debug logs when shipping method fails to generate methods
  • CHANGE-378 - Fix for Downloads of virtual products fail when site is Down For Maintenance
  • CHANGE-386 - Fix CURL/SSL Vulnerabilities
  • CHANGE-389 - Fix confusion about password reset message
  • CHANGE-392 - Fix coupon_admin.php contains double <p><p> tag
  • CHANGE-396 - Removed nde-basic.css because it is obsolete since v1.5.0
  • CHANGE-397 - Fix Developers Tool Kit where Line number values in results were off by one
  • CHANGE-398 - Store Manager log purge improvements
  • CHANGE-403 - Fix PayPal EC to prevent use of ImmediatePayment when AuthOnly is selected
  • CHANGE-411 - Increase size of fields in tables for admin profiles
  • CHANGE-413 - Change date/time display format in admin header to be consistent with configured preference
  • CHANGE-416 - Prevent unauthorized information disclosure with editor
  • CHANGE-417 - Fix for issue where email confirmation gets truncated on the < symbol in product names
  • CHANGE-422 - Fix overzealous regex for handling IPv6
  • CHANGE-424 - Fix PayPal Micropayments bug which was preventing non-micro payments from working if micropayments credentials were present
  • CHANGE-425 - Fix for: Deleted ez-pages didn't trigger a 404 not found. Disabled pages were still reachable. Now sends to home page and shows message.
  • CHANGE-429 - Suppress HTML-formatting in PHP error messages, to aid in eliminating accidental posting of private links when requesting help
  • CHANGE-432 - Fix several issues causing warnings in debug logs due to PHP 5.4 compatibility
  • CHANGE-435 - Set reply-to header in admin copy of order-confirmation email - to make for easier replying to customers
  • CHANGE-437 - Set proper exclusion metatags to prevent gv_faq pages from being spidered/indexed
  • CHANGE-442 - Fix HTML id=reviewsContent already defined error in reviews sidebox
  • CHANGE-444 - Fix missing 'echo' and centerboxes in tpl_product_info_noproduct.php
  • CHANGE-451 - Fix canonical link handling for cases where the site operates entirely in SSL
  • CHANGE-455 - Improve zen_get_all_get_params to accommodate plugin issues throwing PHP Warning: strlen() expects parameter 1 to be string
  • CHANGE-459 - Fix inconsistencies in some zc_install help text
  • CHANGE-463 - Add insulation to protect against inaccessible products caused by errors in custom-written product types (where mistakenly type=0)
  • CHANGE-464 - Fix PHP warning: Use of undefined constant SUPERUSER_PROFILE ...
  • CHANGE-470 - Fix missing closing table row in /admin/orders.php
  • CHANGE-471 - Fix a couple small logic bugs in table_block.php
  • CHANGE-472 - Improve caching for product-type settings
  • CHANGE-474 - Fix boolean typo on comparison in ot_cod_fee module
  • CHANGE-476 - Fix for zen_mail doesn't always use default template for non-english use
  • CHANGE-478 - Fix Incorrect base_href in admin-sent HTML emails in some configurations
  • CHANGE-484 - Quantities added to cart should adjust to stock rather than just a message
  • CHANGE-487 - a Simplify filesmatch rules in htaccess by adding case-insensitivity flag
  • CHANGE-487 - b Add webm permission to htaccess rules for media-playback and downloadable-files
  • CHANGE-489 - Added additional notifiers to order.php class
  • CHANGE-491 - Improvements to automated timezone detection
  • CHANGE-497 - Improvements to date/time display in admin header
  • CHANGE-498 - Fix proxy-detection support for EXCLUDE_ADMIN_IP_FOR_MAINTENANCE and zen_get_ip_address() vs $_SERVER['REMOTE_ADDR']
  • CHANGE-506 - Fix robots tag in admin pages
  • CHANGE-509 - Fix minor incorrect variable declaration in option_values_manager.php
  • CHANGE-514 - Improve Developers Tool Kit to allow the search of single and double quotes
  • CHANGE-519 - Add more error checking in check_page()
  • CHANGE-520 - Remove inline javascript and tags which may not be stripped correctly in product listings etc
  • CHANGE-521 - Fix error on Incorrect integer value: products_priced_by_attribute
  • CHANGE-526 - Additional notifier to allow additional validation in account_edit page
  • CHANGE-527 - Add configuration-settings-search to Developers Toolkit, credit B.Bellamy,torvista (makes the search_configuration_keys plugin obsolete)
  • CHANGE-528 - Updates to valid cart issues with attributes and changes prior to checkout
  • CHANGE-529 - Fix variable initialization in Shipping Estimator
  • CHANGE-532 - Init system - move navigation history to after init_sanitize
  • CHANGE-544 - phpMailer upgrade
  • CHANGE-545 - Allow countries to be flagged as available/unavailable for shipping (built from a combination of code backported from v2 and a contribution by lat9)
  • CHANGE-546 - Init system - Relocate version constants to the beginning of the autoloader process.
  • CHANGE-547 - Utilities updates - CURLtester update
  • CHANGE-548 - Fix PHP Notice: Only variable references should be returned by reference
  • CHANGE-549 - Fix for PHP Notice: Object of class queryFactoryResult could not be converted to int
  • CHANGE-550 - Fix PHP Notice: Constant ATTRIBUTES_PRICE_FACTOR_FROM_SPECIAL already defined
  • CHANGE-551 - PHP Notice: Undefined index: freeshipper
  • CHANGE-559 - Fix for Shipping Estimator which was causing shipping modules to request quotes twice
  • CHANGE-562 - ironlady github pull request - Add webfont files support to .htaccess whitelist
  • CHANGE-563 - Fix zone misspelling in latin1 encoding. Add translations in utf8 version.
  • CHANGE-565 - Incorporate the Fix_Cache_key utility code into ZC Admin core (thus the plugin by the same name is now obsolete)
  • CHANGE-568 - Add storeowner-definable session timeout limit
  • CHANGE-570 - Add notifier hook to provide ability for Admin Activity Logs be exportable to CLFS or other standard format (PA-DSS feature)
  • CHANGE-573 - Rename Email HTML switch setting text and description to be clearer
  • CHANGE-574 - Add strict check to some admin pages to protect against invalid variables created by plugins that don't clean up after themselves, like MagneticOne stuff
  • CHANGE-575 - update spiders.txt
  • CHANGE-580 - torvista pull request 11 - locale addition for Windows servers
  • CHANGE-593 - PayPal - Change to Pending Reason responses, required one table schema change
  • CHANGE-594 - PayPal API changes - July 2013 (A: deprecated some rarely-used parameters)
  • CHANGE-594 - PayPal API changes - July 2013 (B: Updated treatment of currencies which don't support decimal places)
  • CHANGE-595 - Expand locale support for PayPal to perform better matching and to include PayPal's latest updates
  • CHANGE-601 - Relax PA-DSS "strong" password requirements - sql upgrade changes
  • CHANGE-605 - Fix error in PayPal Standard - PHP Fatal error: Using $this when not in object context
  • CHANGE-591 - Fix Australia address format to remove comma
  • CHANGE-609 - PR12 - Address formats for Belgium, Netherlands
  • CHANGE-610,614,617 - lat9 $param1 array output reduction in notifier trace
  • CHANGE-611 - Sanitize all known get parameters.
  • CHANGE-612 - Sanitize all known get parameters.
  • CHANGE-616 - For consistency and PHP 5.4 compatibility $_SESSION['shipping'] should always be treated as an array
  • CHANGE-619 - Improve speed of stores with over 10,000 products
  • CHANGE-621 - Set defaults on Developers Toolkit pulldowns to improve ease of use
  • CHANGE-622 - Fix issues with ot-coupon for ship/free combo
  • CHANGE-626 - Fix fresh install error if cache table is damaged or database has no tables
  • CHANGE-632 - Change PayPal modules to use /logs/ directory for logging
  • CHANGE-638 - Fix review-text stripping html characters into wrong symbols
  • CHANGE-639 - Fix XSS display problem in back-end preview screen
  • CHANGE-666 - minor typo in option_name.php language file
  • CHANGE-667 - Constant OFFICE_IP_TO_HOST_ADDRESS already set
  • CHANGE-671 - Change default address-format layout for Sweden
  • ISSUE-52 - Change admin rules to allow pass"phrases" by permitting the use of spaces
^^ Back to Top ^^

Help and Support

For additional help and support, visit the Zen Cart® FAQ and the Zen Cart® Support Forum.

Zen Cart® is derived from: Copyright 2003 osCommerce

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
and is redistributable under Version 2 of the GNU General Public License.

O S I Certified
This software is OSI Certified Open Source Software.
OSI Certified is a certification mark of the Open Source Initiative.

Copyright 2003 - 2013 Zen Ventures, LLC

Zen Cart®