Welcome to Zen Cart®

Dear Zen Cart® User,

Zen Cart® is made available to you for your use, addition, changes, modification, etc. without charge, under Version 2 of the GNU General Public License.

While we do not charge for this software, donations are greatly appreciated, each time you install a new version, to help cover the expenses of maintenance, upgrades, updates, the free support forum and the continued development of this software for your online E-Commerce store.

Donations can be made on the Zen Cart® Team Page

We appreciate your support.
The Zen Cart® Team

About PHP versions

Zen Cart® v1.5.3 is compatible with PHP 5.2.10 through PHP 5.6, and MySQL 5.1 thru 5.6

(Note: security features are stronger when using PHP 5.3.7 or newer.)

Upgrade Instructions

Note: we mention both 1.5.2 and 1.5.3 here, because 1.5.2 was only released as a beta.
The incorporation of bcrypt for password security necessitated a version-number increase, hence the jump to 1.5.3.
This document only mentions the actual changes specific to 1.5.3. If you want to see the long list of 1.5.2-specific improvements, see the whatsnew_1.5.2.html file.

From v1.5.1 to v1.5.2 or v1.5.3

Simple: if you are using v1.5.1 already and have not customized any of the files listed in the changed_files-v1-5-2.html and changed_files-v1-5-3.html documents, then simply replace those files with the new versions contained as listed in those documents.

If you HAVE customized or altered certain files, simply re-do your customizations in the new version of those particular files by making the same changes needed.

If you are using Addons/Plugins that have made alterations to those files, it is best to compare those changed files against the original v1.5.1 files, and see what changes were there ... and then re-build those changes in the v1.5.3 file.

To v1.5.3 from v1.3.9h or older

If you are upgrading from a version OLDER than v1.5.1, then please do a standard complete site upgrade.

CHANGELOG - List of Changed Files

For a list of files that have been changed since v1.5.1, see the changed_files-v1-5-2.html and changed_files-v1-5-3.html documents

Whats New ... Changes from v1.5.2 to v1.5.3

Improvements and Bugfixes Since v1.5.2-beta2


  • CHANGE-432 - Numerous fixes for stricter PHP 5.4 compatibility
  • CHANGE-543 - Updates for PHP 5.5 Compatibility; Verified PHP 5.6-beta compatibility
  • CHANGE-89 - Convert to bcrypt for password security hashing (requires PHP 5.3.7 or newer)
  • CHANGE-359 - Add advanced developer tool for Notifier Trace and a global eventID
  • ISSUE-54 - Session handling improvements
  • ISSUE-82 - Fix odd PHP 5.4 quirk which triggers fatal error "Allowed memory size of --- bytes exhausted" when accessing SID constant
^^ Back to Top ^^


  • CHANGE-206 fix admin profiles code to also manage product types
  • CHANGE-311 - Data sanity check in customer login and admin customer mgmt to handle missing records resulting from bad imports or damaged data
  • CHANGE-446 - Cleanup: Remove duplicate code in update_product.php
  • CHANGE-564 - docs
  • CHANGE-591 - Fix Australia address format to remove comma
  • CHANGE-673 - Remove obsolete ssl-unclean-shutdown hack from admin
  • CHANGE-675 - Update country names to reflect changes in the ISO standards thru end of 2013
  • CHANGE-677 - Adjust admin categories code to stop triggering false-positive on security scan
  • CHANGE-678 - Adjust admin banner code to stop triggering a false-positive alert on security scan
  • CHANGE-679 - Adjust admin categories code to stop triggering false-positive on security scan
  • CHANGE-681 - Fix admin scenario of mixed content embedded on a page
  • CHANGE-682 - Adjust admin product-music code to stop triggering false-positive on security scan
  • CHANGE-683 - Backport compatibility fix
  • CHANGE-685 - Fix stock reduction problem with checkbox/attribute combinations in cart
  • CHANGE-686 - Changes to ensure output is correctly sanitized even in places protected by authentication requirements
  • CHANGE-689 - zc_install updates
  • CHANGE-690 - Add function to do lookup of latest version of plugins
  • CHANGE-691 - Retire obsolete compatibility functions
  • CHANGE-692 - CURL-force SSL3 on Cardinal connections
  • CHANGE-694 - Stopped admin send-mail page from drawing a huge dropdown list even when a single customer is pre-selected from customers screen
  • CHANGE-696 - Display of Product Categories is unclear and needs better layout
  • CHANGE-697 - Change core config entries to not use config-group-id 0 since many sloppy plugin authors delete those core settings
  • CHANGE-698 - Fix bugs in calls to zenCssButton()
  • CHANGE-706 - Clean up display of "php disabled functions" list in zc_install inspect screen
  • CHANGE-707 - Fix admin url autodetection to accommodate :port suffix in admin urls for local dev setups, and better handle shared-ssl configurations
  • CHANGE-708 - EZ Page Title Tag incorrect (introduced by CHANGE-425)
  • CHANGE-713 - zc_install problem with correctly detecting working dir on shared-SSL servers
  • CHANGE-715 - Fix Attributes Controller not accounting for Tax classes
  • CHANGE-716 - General file formatting and syntax cleanups
  • ISSUE-9 - Fix minor issue with model number display on product_reviews page
  • ISSUE-19 - Fix coupon-admin date check since mktime() doesn't support is_dst param anymore
  • ISSUE-23 - Clean up add to cart when non-numeric value is used and display message
  • ISSUE-51 - Add ability to autoload observer classes without needing to also create auto_loaders scripts
  • ISSUE-81 - class.base.php: Initialize static observer
  • ISSUE-82 - Fix odd PHP 5.4 quirk which triggers fatal error "Allowed memory size of --- bytes exhausted" when accessing SID constant
  • ISSUE-83 - lat9 requested more notifiers for order-class
  • ISSUE-87 - Fix payment module problem admin-side preventing use of Refund option
  • ISSUE-88 - Fix var assignment operator in ot_gv.php for Calculate Tax
  • ISSUE-89 - Update zenCssButton function and stylesheet to use CSS3 (courtesy of lat9 contribution)
  • ISSUE-90 - Add gTLD support for email addresses (like .marketing or .international)
  • ISSUE-116 - Make admin configure.php "cognizant" of /local subdirectory
  • ISSUE-131 - Change password fields to specify autocomplete=off
  • ISSUE-132 - Clean up some debug logging activity with payment modules
  • ISSUE-133 - Change error messages on password-forgotten screen
  • ISSUE-134 - Fix outputs for locate_configuration in DTK added by recent incorporation of lookup plugin
  • ISSUE-135 - Fix a potential XSS issue on the countries screen
  • ISSUE-136 - Fix frequently-reported scenario where redirect links could be abused to redirect to unverified destinations
  • ISSUE-137 - Add PCI DSS warning to the DB query-logging switch
  • ISSUE-138 - Riddler spider causing performance issues; update spiders.txt list
  • ISSUE-142 - Record Company/Record Artist cannot update language dependant fields
  • ISSUE-143 - Remove (previously commented-out) SecFilter rules from zc_install/.htaccess so aggressive hosting company security systems don't quarantine
^^ Back to Top ^^

Help and Support

For additional help and support, visit the Zen Cart® FAQ and the Zen Cart® Support Forum.

Zen Cart® is derived from: Copyright 2003 osCommerce

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE
and is redistributable under Version 2 of the GNU General Public License.

O S I Certified
This software is OSI Certified Open Source Software.
OSI Certified is a certification mark of the Open Source Initiative.

Copyright 2003 - 2014 Zen Ventures, LLC

Zen Cart®