[ic] Really need some help

davideth at whojamadoogle.com davideth at whojamadoogle.com
Fri Apr 3 19:47:00 UTC 2026


I believe that this is a major flaw that could affect all interchange users. It even is present in the demo!

_____________

I have an urgent problem using Interchange 5.10.0 © 2002-2009 under
CentOS v7.9.2009 STANDARD kvm.


Apparently, there is a glitch in interchange (I also found it in the current demo online as well)
that allows unacceptable characters in the userdb file and possibly others as well.

An order was placed, processed, and the credit card was filed; however, the
userdb file is almost empty. It has the user name, item, date, but an
incorrect order total as there was a shipping charge. The order was
properly logged to tracking.asc and all details are there. Email was
sent correctly to the customer and to our orders@.



From the log: "Saved user information to user database: SUCCESS"

From error.log:

72.xx.xxx.xxx xxxxxxxxx:72.xx.xxx.xxx - [13/February/2026:14:24:52
-0600] huldapag /cgi-bin/cart.cgi/ord/finalize Report posted HCPZ56522
... -- http_user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
Edg/144.0.0.0 remote_addr=72.xx.xxx.xxx
72.xx.xxx.xxx xxxxxxxxx:72.xx.xxx.xxx - [13/February/2026:14:24:52
-0600] huldapag /cgi-bin/cart.cgi/ord/finalize display special page

However, this is what was saved in userdb:

User Name:   u06940     Account Status:   INACTIVE     Total Sales:   $40.00     Last login:   Dec 31, 1969 6:33 pm
Customer Details
Customer:
Company:
Home phone:
Work phone:
Email:

Billing Details
Same as shipping address

Shipping Details
Name:
Address:
City:
Country:
Status     Order Number     Order Date     Shipped to     Number of
items     Subtotal     Total
Pending     HCPZ56522     Feb 13, 2026 14:24     ,     1  $40.00  $40.00

Any idea why this happened?

Any suggestions as to how the database can be fixed/corrected?

I do have previous orders from the customers, is there a way to copy
from one customer id to another?

I would actually like to change the userid in the transactions, orders,
etc. if that is possible.


Ah, found the error message!

72.xx.xxx.xxx xxxxxxxxx:72.xx.xxx.xxx - [13/February/2026:14:24:52
-0600] huldacpz /cgi-bin/cart.cgi/ord/finalize set_slice error as called
by Vend::UserDB: DBD::Pg::st execute failed:

  >>>>>ERROR:  value too long for type character varying(64) at
/usr/local/interchange/lib/Vend/Table/DBI.pm line 1420.

  query was:update "userdb" SET
"address1"=?,"address2"=?,"b_country"=?,"city"=?,"company"=?,"country"=?,"email"=?,"fname"=?,"lname"=?,"mv_shipmode"=?,"phone_day"=?,"state"=?,"zip"=?,"updated"=?,"preferences"=?
WHERE "username" = 'u06940'
  values were xxx
72.xx.xxx.xxx xxxxxxxx:72.xx.xxx.xxx - [13/February/2026:14:24:52 -0600]
huldacpz /cgi-bin/cart.cgi/ord/finalize Report posted HCPZ56522  ... --
http_user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
Edg/144.0.0.0 remote_addr=72.xx.xxx.xxx
72.xx.xxx.xxx xxxxxxxx:72.xx.xxx.xxx - [13/February/2026:14:24:52 -0600]
huldacpz /cgi-bin/cart.cgi/ord/finalize display special page

When so critical, why is there not a trap for excess characters or
character length?

I cannot find any checking or limiting on this problem for many
fields including fname, lname, address, company, city, telephone, etc.

Same for shipping or billing.


Am I missing a script or config file to check or limit string length?


I would think that something this critical would have default error
checking. I know that it was in 4.9.2.

_____________


The only thing xxx-ed out were specific IP information. Everything else was empty fields.

The excess data was in the field company name, however, I tried every
field including fname, lname, address, phone, billing name, billing
address, etc. There is NO field length checking for any fields. Why????

This message appears if any field is too long, but the order is generated
with blank data stored, the customer is sent an order
acknowledgement, and the payment is charged.

So, the customer has an order acknowledgement but the company has a
blank record. The record has a userid but no data in the userdb except
the userid, no data in transactions, no data in orderln, etc.

As I said, a massive failure.

Not griping, just concerned.


David

_____________________


I went to the Interchange demo and created the errors there. Have 4
screen grabs:
- Placed an order
- Received an order acknowledgement
- I then tried to login
- Checking the userdb: note the fields were blank

Try it, the demo is flawed as well.
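The "trap for excess characters" asked about above, as an added example that is neither Interchange's code nor David's: a length check against the userdb column limits that runs before anything is written or charged, so an over-long field rejects the order instead of producing a blank record alongside a charged card. The column names come from the UPDATE in the error log and the 64-character limit from the "character varying(64)" error; the USERDB_LIMITS table, the sample order, and the charge/save callables are constructed assumptions, not Interchange's real schema or API.

```python
"""Fail-closed field length validation for a checkout (added example).

Postgres varchar(n) counts characters, not bytes, so len() on a str is the
right measure here; a byte-limited column (e.g. MySQL with utf8mb4) would
need len(value.encode("utf-8")) instead.
"""
from dataclasses import dataclass, field

# Assumed column limits for the userdb table. The names are the columns from
# the failing UPDATE in the error log; the 64 matches "character varying(64)".
# This dict is a constructed stand-in for reading the limits from the schema.
USERDB_LIMITS = {
    "fname": 64, "lname": 64, "company": 64, "address1": 64, "address2": 64,
    "city": 64, "state": 64, "zip": 64, "country": 64, "b_country": 64,
    "email": 64, "phone_day": 64, "mv_shipmode": 64,
}


@dataclass
class ValidationResult:
    ok: bool
    errors: dict = field(default_factory=dict)  # field name -> reason


def validate_lengths(fields, limits=USERDB_LIMITS):
    """Return every field whose character count exceeds its column limit.

    All violations are collected rather than stopping at the first one, so a
    customer-facing error can name each offending field in one round trip.
    """
    errors = {}
    for name, limit in limits.items():
        value = fields.get(name)
        length = 0 if value is None else len(str(value))
        if length > limit:
            errors[name] = f"{length} characters exceeds limit of {limit}"
    return ValidationResult(ok=not errors, errors=errors)


def finalize_order(fields, charge, save_userdb):
    """Validate, then persist, then charge; never charge what cannot be saved.

    `charge` and `save_userdb` are hypothetical callables supplied by the
    caller. Ordering is the point: a database failure in save_userdb raises
    before the card is touched, so a DB error cannot leave a paid order with
    an empty customer record.
    """
    result = validate_lengths(fields)
    if not result.ok:
        return {"status": "rejected", "errors": result.errors}
    save_userdb(fields)   # a DBD error here propagates; no charge happens
    charge(fields)
    return {"status": "accepted", "errors": {}}


# Constructed sample order reproducing the report: every field fine except
# a company name well over 64 characters.
SAMPLE_ORDER = {
    "fname": "Jane", "lname": "Doe",
    "company": "Example Company With An Extremely Long Legal Name LLC, Holdings Division, Unit 7",
    "address1": "1 Main St", "city": "Springfield", "state": "IL", "zip": "62701",
    "country": "US", "b_country": "US", "email": "jane@example.com",
    "phone_day": "555-0100", "mv_shipmode": "upsg",
}


def demo():
    """Run the sample order through the fail-closed path and report what happened."""
    side_effects = []
    outcome = finalize_order(
        SAMPLE_ORDER,
        charge=lambda f: side_effects.append("charge"),
        save_userdb=lambda f: side_effects.append("save"),
    )
    return outcome, side_effects


if __name__ == "__main__":
    outcome, effects = demo()
    print(outcome)        # rejected, with 'company' named
    print(effects)        # [] : nothing saved, nothing charged
```

The check is deliberately schema-driven: if the limits are read from the database catalog at startup instead of from a hand-kept dict, the validator cannot drift from the column definitions the way a hard-coded form check can.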



