[ic] Really need some help
davideth at whojamadoogle.com
Thu Mar 12 18:45:10 UTC 2026
That helps but the original problem is massive and needs fixing as well.
I believe that it is a major flaw that could affect all interchange users.
_____________
I have an urgent problem, using Interchange 5.10.0 © 2002-2009 under
CentOS v7.9.2009 STANDARD kvm.
Apparently, there is a glitch in Interchange that allows unacceptable
characters in the userdb file and possibly others as well.
An order was placed, processed, and credit card was filed; however, the
userdb file is almost empty. It has the user name, item, date, but
incorrect order total as there was a shipping charge. The order was
properly logged to tracking.asc and all details are there. Email was
sent correctly to customer and to our orders@.
From the log: "Saved user information to user database: SUCCESS"
From error.log:
72.xx.xxx.xxx xxxxxxxxx:72.xx.xxx.xxx - [13/February/2026:14:24:52
-0600] huldapag /cgi-bin/cart.cgi/ord/finalize Report posted HCPZ56522
... -- http_user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
Edg/144.0.0.0 remote_addr=72.xx.xxx.xxx
72.xx.xxx.xxx xxxxxxxxx:72.xx.xxx.xxx - [13/February/2026:14:24:52
-0600] huldapag /cgi-bin/cart.cgi/ord/finalize display special page
However, this is what was saved in userdb:
User Name: u06940
Account Status: INACTIVE
Total Sales: $40.00
Last login: Dec 31, 1969 6:33 pm
Customer Details
Customer:
Company:
Home phone:
Work phone:
Email:
Billing Details
Same as shipping address
Shipping Details
Name:
Address:
City:
Country:
Status   Order Number  Order Date          Shipped to  Number of items  Subtotal  Total
Pending  HCPZ56522     Feb 13, 2026 14:24  ,           1                $40.00    $40.00
Any idea why this happened?
Any suggestions as to how the database can be fixed/corrected?
I do have previous orders from the customers, is there a way to copy
from one customer id to another?
I would actually like to change the userid in the transactions, order,
etc. if possible.
Ah, found the error message!
72.xx.xxx.xxx xxxxxxxxx:72.xx.xxx.xxx - [13/February/2026:14:24:52
-0600] huldacpz /cgi-bin/cart.cgi/ord/finalize set_slice error as called
by Vend::UserDB: DBD::Pg::st execute failed:
>>>>>> ERROR: value too long for type character varying(64) at
/usr/local/interchange/lib/Vend/Table/DBI.pm line 1420.
>
> query was:update "userdb" SET
"address1"=?,"address2"=?,"b_country"=?,"city"=?,"company"=?,"country"=?,"email"=?,"fname"=?,"lname"=?,"mv_shipmode"=?,"phone_day"=?,"state"=?,"zip"=?,"updated"=?,"preferences"=?
WHERE "username" = 'u06940'
> values were xxx
72.xx.xxx.xxx xxxxxxxx:72.xx.xxx.xxx - [13/February/2026:14:24:52 -0600]
huldacpz /cgi-bin/cart.cgi/ord/finalize Report posted HCPZ56522 ... --
http_user_agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
Edg/144.0.0.0 remote_addr=72.xx.xxx.xxx
72.xx.xxx.xxx xxxxxxxx:72.xx.xxx.xxx - [13/February/2026:14:24:52 -0600]
huldacpz /cgi-bin/cart.cgi/ord/finalize display special page
When so critical, why is there not a trap for excess characters or
character length?
I cannot find any checking or limiting on this problem for many
fields including fname, lname, address, company, city, telephone, etc.
Same for shipping or billing.
Am I missing a script or config file to check or limit string length?
I would think that something this critical would have default error
checking. I know that it was in 4.9.2.
_____________
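The error log in the message above shows the single UPDATE on userdb being rejected because one value exceeded a character varying(64) column. A pre-save length check of the kind the post asks about could look like the following; this is an added example, not part of the original post and not Interchange's own code, and the column widths, the sample form values and the oversized_fields helper are constructed assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(decode);

# ASSUMPTION: these widths are constructed for the demo. Only "64" appears in
# the error above, and the post does not say which column it belongs to.
# On a live system, read the real limits from PostgreSQL:
#   SELECT column_name, character_maximum_length
#     FROM information_schema.columns WHERE table_name = 'userdb';
my %max_len = (
    fname => 30, lname => 30, company => 64, address1 => 64,
    address2 => 64, city => 30, phone_day => 30, email => 128,
);

# Returns [field, length, limit] for every value that would not fit.
# varchar(n) counts characters, not bytes, so decode the raw UTF-8 first.
sub oversized_fields {
    my ($values, $limits) = @_;
    my @bad;
    for my $field (sort keys %$values) {
        my $limit = $limits->{$field};
        next unless defined $limit;    # unbounded or unlisted column
        my $raw = $values->{$field};
        next unless defined $raw;
        my $chars = length(decode('UTF-8', $raw));
        push @bad, [$field, $chars, $limit] if $chars > $limit;
    }
    return @bad;
}

# Constructed sample submission (not data from the post).
my %form = (
    fname    => 'Anna',
    lname    => 'Example',
    company  => 'X' x 80,              # 80 characters: too long for 64
    city     => "S\xc3\xa3o Paulo",    # 10 bytes but 9 characters: fits
    address1 => '1 Sample Street',
);

my @bad = oversized_fields(\%form, \%max_len);
if (@bad) {
    # Reject and redisplay the form here instead of running the UPDATE.
    printf "%s: %d characters, column allows %d\n", @$_ for @bad;
} else {
    print "all fields fit; safe to run the UPDATE\n";
}
```

Run against the sample data, it reports only the company field (80 characters against a limit of 64), which is the point at which the form would be redisplayed rather than the UPDATE attempted.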