Page 1 of 4 123 ... LastLast
Results 1 to 10 of 55

  1. #1 (Join Date: Dec 2004; Posts: 6; Plugin Contributions: 0)

    v1.2.6 -> v1.3.5: What a B!TCH!

    I have just spent 2 days straight upgrading a site from v1.2.6 -> v1.3.5, so humor me as I vent a bit. I wouldn't have bothered with the update except for multiple notifications I have seen/received regarding security risks, specifically SQL injection attacks. Vulnerability to SQL injection attacks in an e-commerce package isn't good. The mistake that I made here was failing to archive the database so that I could revert it to its 1.2.6 state. After taking the database through its numerous updates to reach v1.3.5 I installed the latest copy of ZenCart. Then I moved my client's template into the new directory and all hell broke loose! Things just didn't work. After reinstalling the v1.2.6 backup, the site worked until you tried to log in/checkout. I was in a Catch-22: I could spend a considerable amount of time trying to revert the database to its 1.2.6 state (but then the site would still be vulnerable) or I could just figure out why the template wasn't working with the new code.

    This was a nightmare. 95% of the changes I had made to the 1.2.6 ZenCart were stored in the custom templates directory. The other 5% were made to the core code itself. Re-applying the changes to the core wasn't too difficult (not much to do), but the template files were EXTREMELY difficult. First, filenames have changed, or what was once a single file is now comprised of 2 or 3 new files. Talk about a wild goose chase trying to track down where the code now resides within the template directory. Moving code was a real headache, but even layout/style elements have changed DRASTICALLY! In comparison to the small iterative changes I have seen in the past, v1.3.5 should have been numbered v2.0 or something to indicate that it is absolutely incompatible with the previous 1.2.x version. I don't expect major compatibility issues in point upgrades.

    Once all the functionality was in place and layout was largely fixed, the next problem was CSS. Many of the CSS identifiers have gotten a name change FOR NO GOOD REASON! I was trying to figure out which old identifier translated to which new identifier. Although the identifier names have changed, their purpose remains largely unchanged. Why were CSS identifier names changed? That effectively breaks 100% of the v1.2.x templates out there. My current solution isn't elegant (tacked old CSS onto the end of the new CSS and removed some of the easier to spot redundancies... for a whopping 32K CSS file).

    I think the reality is this: if you're attempting to upgrade your site from 1.2.x -> 1.3.5, you're going to have to redesign your web site (unless you're using the default ZenCart template). This is the same problem I have seen with Linux distributions... you decide to upgrade to the latest version of Linux for security reasons and your apps break or your system won't start. The way the Linux world solves the problem is committing to supporting a particular distribution for x years. That is to say, there should have been a 1.2.6a -> 1.2.6b security upgrade which affects only the code that is insecure.

    Yes, ZenCart is free. Yes, ZenCart has done lots of good things for code that was derived from the stagnant osCommerce core. Until now I would not have hesitated to recommend it to others. But what I am observing is this: what started out as complex code is becoming increasingly complex as parts are split, then split again; code is deeply intertwined in design elements; it seems that a lot of effort went into upgrading the default template from its original ugly orange design to a new CSS-based green design that is nearly as ugly (a waste of time); many plug-ins seem to no longer be compatible; and many of those plug-ins can no longer be found after the ZenCart site update.

    I would prefer to see a focus shift from changing the way things work to IMPROVING the way things work. Focus on security. Focus on improved usability (the admin interface is a jumbled mess). By changing the whole template system, you throw away the valuable efforts others have put into building custom templates (some for free). By drastically changing the way the code works, you throw away the valuable effort developers have put into coding plug-ins.

    It is not my intention to anger anyone. This is simply my perspective from "in the trenches." I hope it is taken as constructive criticism and a helpful warning to anyone else attempting a similar upgrade. Thanks for all the hard work ZenCart.

  2. #2 (Join Date: Jan 2004; Posts: 66,373; Blog Entries: 7; Plugin Contributions: 274)

    Re: v1.2.6 -> v1.3.5

    Thanks for the feedback ... You'll see that many of your suggestions are being addressed in future releases, as outlined on the Roadmap: http://www.zen-cart.com/forum/showthread.php?t=36912

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3 (Join Date: Jun 2003; Posts: 33,715; Plugin Contributions: 0)

    Re: v1.2.6 -> v1.3.5: What a B!TCH!

    I'm sorry you never have taken the time or effort to keep your site up to date or to bother to read any of the announcements. The major change to the templates was made in v1.3.0 when we switched to a valid XHTML transitional template base.

    Yes, the changes broke old 1.2 series templates and we warned folks ahead of time that the changes were coming... where were you?

  4. #4 (Join Date: Nov 2003; Location: Haarlem | Netherlands; Posts: 1,987; Plugin Contributions: 15)

    Re: v1.2.6 -> v1.3.5: What a B!TCH!

    I think the main lesson here is that you *always* have to make backups. If you do not have a full backup there is always a chance of losing everything, and on a heavily modified shop that means losing a lot of time/money.

    Personally I would first make at least one full backup (files and database) and then work on a copy of this backup (while the old shop remains live). Then, after the upgrade is done, test the upgraded shop. And then, if you are confident that all major functions work as they should, switch from the old shop to the upgraded shop (probably after importing the database again, since customer/order data has changed).

    And even if everything seems to work fine on the upgraded live shop, still keep a copy of the old one at hand for a while.

    Recently a backup drive of mine crashed just before I went on holiday, and while I was on holiday the server was hacked, and even the backup system of the server failed. Luckily I had a secondary backup (older, so it still took quite some time to bring it up to date again), but it confirms the importance of (multiple) backups.

    There is at least one point I agree with though:
    Quote Originally Posted by webspacecreations
    there should have been a 1.2.6a -> 1.2.6b security upgrade which affects only the code that is insecure.
    I think security is *very* important, and it would be great if we could have stable releases that stay supported for a while. Patches for these stable releases should only concern (major) bugs and security fixes.
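The backup-then-stage workflow this post describes, written out as an added shell example (not code from the thread or from the Zen Cart project): dump the database, archive the docroot alongside it, record a SHA-256 checksum, verify the archive, and unpack it into a staging directory where the upgrade is rehearsed while the live shop stays untouched. The paths, the database name and the assumption that mysqldump reads its credentials from `~/.my.cnf` are placeholders supplied by whoever runs it.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Zen Cart project.
# Snapshot a shop (database dump + docroot) before an upgrade, record a
# SHA-256 checksum, verify the archive, and unpack it into a staging directory
# so the upgrade is rehearsed on a copy while the live shop stays untouched.
# Paths and the database name are placeholders chosen by the caller.
set -eu

# file_sha256 FILE -> hex digest; coreutils sha256sum, or shasum on macOS
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f1
    else
        shasum -a 256 "$1" | cut -d ' ' -f1
    fi
}

# dump_database DB_NAME OUT_FILE: consistent InnoDB snapshot via mysqldump.
# Credentials are read from ~/.my.cnf rather than passed on the command line,
# so they never appear in `ps` output or shell history. A test harness can
# redefine this function to write a constructed dump instead.
dump_database() {
    mysqldump --single-transaction --routines --triggers "$1" > "$2"
}

# backup_shop SHOP_DIR DB_NAME OUT_DIR -> prints the archive path
backup_shop() {
    shop_abs=$(cd "$1" && pwd); db_name=$2
    mkdir -p "$3"; out_dir=$(cd "$3" && pwd)
    parent=$(dirname "$shop_abs"); base=$(basename "$shop_abs")
    work=$(mktemp -d)
    dump_database "$db_name" "$work/$db_name.sql"
    archive="$out_dir/shop-$(date +%Y%m%d-%H%M%S).tar"
    # two -C switches: the dump from the work dir, then the whole docroot
    # (custom template, configure.php files and all) from its parent, so the
    # archive holds "<db>.sql" and "<docroot>/..." side by side
    tar -cf "$archive" -C "$work" "$db_name.sql" -C "$parent" "$base"
    file_sha256 "$archive" > "$archive.sha256"
    rm -rf "$work"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE DB_NAME: checksum must match and the dump must be present
verify_backup() {
    [ "$(file_sha256 "$1")" = "$(cat "$1.sha256")" ] || return 1
    tar -tf "$1" | grep -qx "$2.sql" || return 1
}

# restore_staging ARCHIVE STAGING_DIR -> prints the unpacked docroot path.
# The dump lands beside it, to be loaded into a *separate* staging database
# (mysql staging_db < STAGING_DIR/<db>.sql), never into the live one.
restore_staging() {
    mkdir -p "$2"
    tar -xf "$1" -C "$2"
    find "$2" -mindepth 1 -maxdepth 1 -type d
}

if [ $# -eq 3 ]; then   # usage: sh backup.sh /var/www/shop shop_db /backups
    archive=$(backup_shop "$1" "$2" "$3")
    if verify_backup "$archive" "$2"; then
        echo "verified: $archive"
    else
        echo "backup verification FAILED: $archive" >&2; exit 1
    fi
fi
```

Keep the archive and its `.sha256` file together and re-run `verify_backup` before you depend on either copy: a checksum mismatch at restore time is how a failing backup drive is caught before it costs the shop, which is exactly the failure this post ran into.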

  5. #5 (Join Date: May 2004; Location: Hong Kong; Posts: 1,291; Plugin Contributions: 1)

    Re: v1.2.6 -> v1.3.5: What a B!TCH!

    The time since the change from v1.2.7 to v1.3.x is now seven months. And anyone who uses the program and supports customers should keep an eye out and notice any changes and differences. Otherwise, who will care about the other's profession?

    For the security issues, one announcement was the below:
    For people concerned about v1.2.x, you can tighten security here:

    Don't want to be rude or add salt, but from your post it seems you are still not prepared enough to stand alone.

    A New Starter again

  6. #6 (Join Date: Feb 2006; Location: Tampa Bay, Florida; Posts: 9,671; Plugin Contributions: 123)

    Re: v1.2.6 -> v1.3.5: What a B!TCH!

    Quote Originally Posted by webspacecreations
    I have just spent 2 days straight upgrading a site from v1.2.6 -> v1.3.5, so humor me as I vent a bit. I wouldn't have bothered with the update except for ...
    Your invoices should come with a warning label that you don't bother staying up to date.

    How would you feel if your doctor or dentist had this attitude? "Oh, the newest findings? I don't bother with all of that!"

    AND THEN you fecklessly didn't make a backup, contrary to recommendations,
    http://www.zen-cart.com/forum/faq.ph...how_to_upgrade
    you applied the changes to a live shop, contrary to recommendations,
    http://www.zen-cart.com/forum/faq.ph...how_to_upgrade
    and you have the temerity to complain??? And the shamelessness to blame others for your problems??? And the nerve to tell the Zen Cart team how to run their business???

    sheesh.
    That Software Guy. My Store: Zen Cart Modifications
    Available for hire - See my ad in Services
    Plugin Moderator, Documentation Curator, Chief Cook and Bottle-Washer.
    Do you benefit from Zen Cart? Then please support the project.

  7. #7 (Join Date: Jan 2006; Posts: 224; Plugin Contributions: 0)

    Re: v1.2.6 -> v1.3.5: What a B!TCH!

    I am still on v1.2.6 and have no plans to upgrade because it is not a one-step thing, all from 1.2.7 to 1.3.0 till now. It did not look like an easy thing. So I am happy with the old and sticking with it.

  8. #8 (Join Date: Feb 2006; Location: Tampa Bay, Florida; Posts: 9,671; Plugin Contributions: 123)

    Re: v1.2.6 -> v1.3.5: What a B!TCH!

    1.2.6 has known vulnerabilities which were fixed in 1.2.7.
    Here are two reports. Others might exist - Google can find them.

    http://www.frsirt.com/english/advisories/2006/0546
    http://www.frsirt.com/english/advisories/2005/2728

    I wish it weren't so, but unfortunately, there are jerks out there who get their jollies by messing with your cart. Short of becoming a security expert, keeping your software up to date is your best defense.

    Good luck,
    Scott

  9. #9 (Join Date: Mar 2006; Location: Durham, UK; Posts: 84; Plugin Contributions: 0)

    Re: v1.2.6 -> v1.3.5: What a B!TCH!

    Some good points. I have to agree with quite a few made on both sides, EXCEPT:
    Quote Originally Posted by webspacecreations
    it seems that a lot of effort went into upgrading the default template from its original ugly orange design
    Err...Well...Actually, I thought the whole original woody Zen temple thing was elegant and quite cool. In fact it was the thing that first convinced me that Zen was standing out from the crowd and doing exactly what it said on the tin by heading in a more design-aware and shop owner friendly direction. OK, so it might be getting a little old-hat now and in need of a bit of a remake. But it never occurred to me to call it orange. And by no stretch of the imagination could you ever call it ugly. But I guess that puts me in the old-fogey class, probably in a minority of 1.
    Quote Originally Posted by webspacecreations
    to a new CSS-based green design that is nearly as ugly (a waste of time);
    I've seen a lot of ugly sites around and might even own up to having designed some of them myself, but to me the new green is a refreshing twist on an old favourite. A small step which is comfortable to make, pays due respect to its ancestors, doesn't throw the baby out with the bathwater or frighten the horses, but does offer a hint of fresh new pastures to come. It doesn't sit so well with the old install pages and masthead. If that's an indication that the focus of the core team is switching away from elegant design then it would be a pity. But with so much sparkling new code to crack through, it would be entirely understandable and hardly any cause for complaint. No way is the shift from tables to CSS a waste of time. For those of us under pressure to conform to things like the Disability Discrimination Act, this is actually a lifesaver!
    Quote Originally Posted by swguy
    Your invoices should come with a warning label that you don't bother staying up to date. How would you feel if your doctor or dentist had this attitude? "Oh, the newest findings?
    I don't bother with all of that!"
    Very true. But then again, how would you feel if you'd just paid for a course of root canal treatment and the next week your dentist told you he'd have to dig it all out and start over again - at your expense. Because, for those of us who had clients who needed installations in the weeks and months before the release of 1.3 and had no choice but to go with 1.2.7, that's the kind of position we're in. I still haven't figured out how to explain that what I've installed for them is now insecure, but to upgrade I have to tear down the old template - which is where most of the work goes in - and bill them almost as much to rebuild it again. Point here being that I understand that even Microsoft don't have the resources to maintain all old versions for ever. But given that the template changes in 1.3 are such a massive leap forward, I for one would be grateful if the core team could give some thought to the advantages in maintaining user confidence in the whole project by putting out security releases for 1.2.7 for more than just a few months at least.

  10. #10 (Join Date: Jun 2006; Location: Austin, TX; Posts: 84; Plugin Contributions: 2)

    Re: v1.2.6 -> v1.3.5: What a B!TCH!

    Quote Originally Posted by webspacecreations
    Many of the CSS identifiers have gotten a name change FOR NO GOOD REASON! I was trying to figure out which old identifier translated to which new identifier. Although the identifier names have changed, their purpose remains largely unchanged. Why were CSS identifier names changed? That effectively breaks 100% of the v1.2.x templates out there.
    CSS is bound to change whenever you convert your template schema to a tableless design. It's interesting to see these discussions, because with many open-source projects like Wordpress or Joomla, this type of transition started many many versions ago. I've been working with Wordpress since 2003 and it has used CSS and tableless design all this time. Zen Cart, in my opinion, is still a young project. I know that store owners are not necessarily the most fantastic web designers, nor do they wish to be, but in the words of the immortal Dylan, "times...they are a-changin'." To answer you, CSS identifiers will change as time goes on. Eventually, things like semantic CSS will be incorporated, dynamic identifiers...(Disclaimer: I have no real knowledge of this, I'm only guessing). I'm sure that the changes you see are slow steady steps to ready you (and your stores) so such a shock won't be riveting.

    Quote Originally Posted by webspacecreations
    I think the reality is this: if you're attempting to upgrade your site from 1.2.x -> 1.3.5, you're going to have to redesign your web site (unless you're using the default ZenCart template).
    In my opinion, this should have happened a long time ago. Yes, you're going to have to redesign your site, or pay to have someone do it for you. There is also the option of learning things for yourself. To be honest, most of the Zen Cart stores need better designs. To be even more honest, guys like me should start creating semantic, beautiful templates for Zen Cart users everywhere that are easy to use and well-documented. I have the knowledge. Knowing what's available in the templates download section, anything I put out would be an instantaneous hit. So maybe I should get off my ###### and contribute. I'll see what I can do.

    Quote Originally Posted by webspacecreations
    Yes, ZenCart is free. Yes, ZenCart has done lots of good things for code that was derived from the stagnant osCommerce core. Until now I would not have hesitated to recommend it to others. But what I am observing is this: what started out as complex code is becoming increasingly complex as parts are split, then split again; code is deeply intertwined in design elements; it seems that a lot of effort went into upgrading the default template from its original ugly orange design to a new CSS-based green design that is nearly as ugly (a waste of time); many plug-ins seem to no longer be compatible; and many of those plug-ins can no longer be found after the ZenCart site update.
    Zen Cart is free. That's what is so good about it. Do you know how much VCommerce runs? When's the last time osCommerce has seen an update? Shopping carts are, by their inherent nature, complicated. Whether you believe it or not, the Zen Cart team is doing a good job in taking consistent steps to making Zen Cart a more clean, cohesive, beautiful piece of code. I mentioned earlier that this project was still young, and it is. You have to remember that. Things will improve over time. But you have to take steps with them. Do the upgrades. Learn the new things. Get with the program. No one realizes that a big part of making Zen Cart work is YOU, the store owner. You are the biggest factor in improving Zen Cart. But with improvements come steps that must be taken. And it's easier to learn with everyone else than playing catch-up.

    To help you in your endeavors, you should create what I call a "sandbox." This is a duplicate of your live site somewhere that will allow you to make a redesign, or upgrade and test without screwing up your live site. From what I've read, this is highly recommended. I just upgraded my zen-cart from 1.3.02 --> 1.3.5. I have tons of mods and so I used WinMerge to compare all the files. I made all my changes, upgraded the sandbox and did some testing. Satisfied that all my mods worked, I upgraded my live site. It was relatively smooth. Could the upgrade process be smoother? Yes. But this will occur as time goes on. In another year or two (I'm thinking 2.0 - 3.0 release versions), I think Zen Cart will finally be at a place where the upgrade process won't be a huge pain in the neck.

    Anyway. I've said enough.
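The file comparison this post did with WinMerge, and the "which of my core edits still apply, and where did that file go" problem from post #1, as an added shell example (not code from the thread or from the Zen Cart project). It takes a pristine unpack of the old release, the modified live tree and a pristine unpack of the new release, and classifies every file in the live tree by a three-way comparison so you know which files the new release can simply replace, which local edits carry over untouched, which must be merged, and which moved. The directory layout and the sample trees built by `build_demo_trees` are constructed for illustration and are not real Zen Cart files.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Zen Cart project.
# Three-way classification of a modified shop before an upgrade:
#   STOCK  pristine unpack of the release the shop was built on (e.g. v1.2.6)
#   LIVE   the customised install (core edits + custom template)
#   NEW    pristine unpack of the release being upgraded to (e.g. v1.3.5)
# For every file under LIVE, classify_tree prints "<status><TAB><relative path>".
set -eu

# classify_tree STOCK LIVE NEW
classify_tree() {
    stock=$1; live=$2; new=$3
    (cd "$live" && find . -type f | sort) | while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$stock/$rel" ]; then
            # not shipped in the old release: custom template or plug-in file
            if [ -f "$new/$rel" ]; then
                status=added-conflict    # NEW now ships this path too: merge by hand
            else
                status=added             # just copy it across
            fi
        elif cmp -s "$stock/$rel" "$live/$rel"; then
            status=unchanged             # never edited locally: let NEW's copy replace it
        elif [ ! -f "$new/$rel" ]; then
            status=modified-gone         # local edits, but the path moved or was split up in NEW
        elif cmp -s "$stock/$rel" "$new/$rel"; then
            status=modified-keep         # upstream did not touch it: carry your copy over as-is
        else
            status=modified-merge        # both sides changed: diff STOCK vs LIVE, re-apply onto NEW
        fi
        printf '%s\t%s\n' "$status" "$rel"
    done
}

# count_status STATUS STOCK LIVE NEW -> how many files got that status
count_status() {
    classify_tree "$2" "$3" "$4" | awk -F '\t' -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# build_demo_trees DIR: constructed sample trees (not real Zen Cart files) so the
# script can be exercised offline; creates DIR/stock, DIR/live and DIR/new
build_demo_trees() {
    for t in stock live new; do mkdir -p "$1/$t/includes"; done
    mkdir -p "$1/live/includes/templates/custom"
    printf 'a\n'     > "$1/stock/includes/a.php"   # untouched locally, changed upstream
    printf 'a\n'     > "$1/live/includes/a.php"
    printf 'a2\n'    > "$1/new/includes/a.php"
    printf 'b\n'     > "$1/stock/includes/b.php"   # edited locally, untouched upstream
    printf 'b-mod\n' > "$1/live/includes/b.php"
    printf 'b\n'     > "$1/new/includes/b.php"
    printf 'c\n'     > "$1/stock/includes/c.php"   # edited locally, path gone in the new release
    printf 'c-mod\n' > "$1/live/includes/c.php"
    printf 'd\n'     > "$1/stock/includes/d.php"   # edited locally and changed upstream
    printf 'd-mod\n' > "$1/live/includes/d.php"
    printf 'd2\n'    > "$1/new/includes/d.php"
    printf 'e\n'     > "$1/live/includes/e.php"    # local addition that now collides with a new core file
    printf 'e2\n'    > "$1/new/includes/e.php"
    printf 'body {}\n' > "$1/live/includes/templates/custom/stylesheet.css"  # custom template, no collision
}

if [ $# -eq 3 ]; then   # usage: sh classify.sh /tmp/stock-1.2.6 /var/www/shop /tmp/new-1.3.5
    classify_tree "$1" "$2" "$3"
fi
```

The `modified-merge` and `modified-gone` lines are the short list worth opening in WinMerge or `diff`; everything marked `unchanged` is where a stale copy would silently keep old, unpatched code, so let the new release overwrite those without a second look.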

 

 