OXID eShop version 4.9.0 (CE + PE) & 5.2.0 (EE)

General hints for this package

  • OXID eShop 4.9.0/5.2.0 will be delivered including OXID eFire Extension PayPal v3.2.0 (standalone module) and mobile theme v1.3.0.
  • Runs on PHP 5.4 and PHP 5.3. Might run on PHP 5.2 (not tested any longer).
  • This patch includes security improvements (see below for details). We recommend to update as soon as possible.


See http://www.oxid-esales.com/en/support-services/documentation-and-help/oxid-eshop/installation/oxid-eshop-update-installation.html


Template changes have been done in this patch release. Please find detailed information about template changes in “templ_docu_admin/index.html” of the package and a tutorial about the template hierarchy and the override system here:


Fixed Bugs

Please find a list of fixed bugs for this and all intermediate releases in the changelog:

Features & Improvements

Up to 1.500 subshops possible (Enterprise Edition only)

Several changes regarding a new multishop solution were made in the existing core functionality. This was done to support more than 200 subshops that are possible up to this time. Now the OXID eShop Enterprise Edition can consist of maximum 1.500 subshops.

Performance improvements

Due to the fact that multishop data handling is organized via mapping tables now and not longer uses oxshopincl/oxshopexcl the performance could be encreased (performance report will follow). Also the Varnish cache flushing logic was improved (EE only). Additionally some remaining references to oxeec_class_file_paths.php were removed with 4.9/5.2. These effects will be noted positively in the performance of PE as well as CE.

Manage carrier tracking in admin

The formerly hard coded URL for the delivery tracking can now be configured in the admin panel, no need for writing a module any more:Master settings -> Core Settings -> Settings -> Other Settings -> Parcel service tracking URL. This feature, related to bug #2164, was contributed by @tabsl (Proudsourcing, thanks a lot!) with the pull request #94

Tracking URL config


Tax (VAT) ID online check available for PE and CE

While working on the fix for the bug #5806 we decided without further ado to make the TaxID (VAT ID) check available for PE and CE as well. Enjoy 🙂

Password field added to modules metadata

A new password field type was added to module metadata settings. It is stored in database the same way as a string, but displayed differently.

In admin there are password and password confirmation inputs for dealing with module passwords.
This is done because not all shop administrators should see passwords.
Work flow with password would be (shop module administrator panel → module settings):

  1. Both password and confirmation fields are shown as empty.
    The user can save all settings without setting password.
  2. User can enter and save password only when both password and password confirmation values match. Password is not visible when entered, only * instead of the entered character.
  3. When a password is set, the password confirmation field is not shown anymore and the password value is set to *****.
  4. After user edits this input, password confirmation input becomes visible at the bottom of the password field.
  5. If user does not edit password field, he can change all other settings – password will not be changed.
  6. If user edits password and enters same password to both password and confirmation inputs, password will be changed.
  7. If a user deletes all * from password field and leave both, the password and confirmation inputs empty, the password will be reset.

Email validation

The email validation was changed to be more generic. By default it allows longer top domain names and ‘+’ sign in the email name. Now JavaScript does only a very basic email check: in fact if an email address consists of three parts separated with ‘@’ and ‘.’. We also created the oxMailValidator class with the method isValidEmail. This class validates an email address by the REGEXP rule defined in the config parameter sEmailValidationRule. If additional rules are needed they can easily set in the sEmailValidationRule config parameter or by extending the oxEmailValidator class.

Removed features

Dynamic user groups

The function “dynamic user groups” (DGR) was removed. By using this feature, it was possible to assign a user group via URL, and not added to the prohibited user groups list.

Fields OXSHOPINCL/OXSHOPEXCL not used any longer

OXSHOPINCL/OXSHOPEXCL fields are no longer used. oxShopMetaData funtionality was removed. This class handled shop include/exclude fields and with their removal it lost it’s purpose. This means that all the relevant methods that were meant specifically for handling those fields are now also removed.

DTAUS export removed

In former OXID eShop versions in admin panel => order administration there used to be a button for downloading a DTAUS file for marked orders. This function was removed as the DTA/DTAUS format will no longer be accepted by the banks (was formerly used for domestic money transfer inside Germany, outdated by SEPA). For SEPA compliant exports we suggest to use a module instead. The following parts of the code were removed:

  • folder /core/phpdtaus/
  • aplication/models/oxdtausbuilder.php
  • related code from application/controllers/admin/order_overview.php

Important information for developers

Up to 1.500 subshops possible (Enterprise Edition only)

Subshops are no longer handled with the oxshopincl/oxshopexcl database fields. Instead of those, multishop tables now have mapping tables, i.e. oxarticles (multishop table) -> oxarticles2shop (mapping table for oxarticles). Shoplist handling was changed and can now be accessed via oxShop->getSubShopList() method. Several controllers were refactored and now use the shoplist differently (admin_mall, article_mall, category_mall).


public function unassignFromShop($aShopIds); // Now uses 1 required parameter instead of 2 optional ones.

This function now takes the shop ID array and deassigns the objects from a shop.

Check for modules metadata file added

In the admin panel there’s introduced a check if a module has all needed files. A new check was added for the modules metadata file. The shop would suggest to remove the module information and the saved configuration if the metadata file is missing.

Metadata generator

Metadata generator script helps to generate metadata files from configs table. This is because OXID eShop does not support modules without metadata from this version on. This script is intended to help module writers to adapt modules to the new shop version and to shop owners for easier migration to new shop versions.

The Metadata generator might be used together with OXID update. It requires the shop bootstrap which was introduced in OXID eShop version 4.7/5.0, modules in modules directory and modules information in the shop’s configs table. Module information will be in configs table if a module was activated at least once.

This module can be used with OXID eShop series 4.7/5.0 or 4.8/5.1 before updating to the next Shop version. It might also be used after update to Shop version 4.9/5.2

You can find more information in the project’s repository at GitHub

Module name length increased

The bug 5594 “module-name and value-name of module-settings limited by oxmodule-/oxvarname-field-length” was fixed by enhancing the module name and module value fields in the oxConfig table to 100 symbols. The module name can now store up to 93 characters, as we added the prefix “module:” to the module name. A module value can store up to 100 characters.

Ability to check if module is active in templates

A new method was introduced in order to check what module(s) in which version is or are active in OXID eShop:

isModuleActive($sModuleId, $sVersionFrom = null, $sVersionTo = null)

Language translations will generate error

Language translations: added a change for the non productive mode that will generate an error in the frontend and the backend if a language constant is missing. If the productive mode is activated, the frontend will display the not translated constant instead of the error message.

New field in oxcountry table

We added a new field: OXVATINPREFIX to the oxcountry table. This field will contain the VAT identification number prefix. The field was added as a fix to bug 4212.

Fields length was changed

In oxarticle table, the length of the fields OXEAN and OXDISTEAN was changed. More information can be found in this pull request. Thanks to for this contribution!

Page title construction logic moved

With the bug fix bug 4847 we moved the page title construction logic from the templates to the oxubase::getPageTitle() method. Consequently, we unified the usage for the page title construction in all main page templates – these now use the oxUbase::getTitle() method (used language constants replace with this method).

Security improvement: Dynamic Group assignment

  • Removed config parameter “aDeniedDynGroups”
  • Removed functions: oxUser::addDynGroup(), oxcmp_user::_assignDynGroup()
  • Removed fields: oxuser.OXDISABLEAUTOGRP

Security improvement: Dynamic security token check

The dynamic security token parameter check was expanded to all forms and action URLs performed for logged in user. In the template forms this dynamic security token parameter is added automatically, together with a hidden session ID form element. Therefore standard or custom forms working with the [{$oViewConf->getHiddenSid()}] template getter do not require any changes.
Actions submitted via the GET method over a URL, require an additional dynamic security token parameter added to the action URL from this version on. Such actions are “To wishlist” or “To notice list” where the action is performed by a visitor clicking on the link instead of submitting a form. In this case the dynamic security token value could be accessed via the [{$oViewConf->getSessionChallengeToken()}] template getter. When updating the templates the dynamic security token parameter must be added not only for standard links, but also for any custom action link URLs.

For example your custom “To wishlist” link should be changed the following way:

Old link:
<a href="[{$oViewConf->getSelfLink()}]?fnc=towishlist&aid=[{$sProductId}]">To wishlist</a>

Updated link:
<a href="[{$oViewConf->getSelfLink()}]?fnc=towishlist&aid=[{$sProductId}]&stoken=[{$oViewConf->getSessionChallengeToken()}]">To wishlist</a>

Security improvement: customer number can no longer be used as user name

It is not longer possible to log in with a customer number used as user name. This is to be seen as a security improvement: for a potential raider it is much easier to write a script to find out a number (integer) than a string.

Security improvement: changed the password encryption

As you might know, we used the cryptographic hash function MD5 plus an additional SALT hash in order to encrypt the user passwords in OXID eShop. Now MD5 became a bit outdated and for this reason, the security of a shop will not be certified. We decided to replace MD5 by the more modern cryptographic hash function SHA-2. Additionally the way the SALT hash was created was changed slightly.

No fear: your users will still have the possibility to log in properly, as long as your update ran through properly: we check the old and the new method, match if both hashes fit and let the user log in this way. There’s no need for requesting your users to re-new their passwords etc.

UTF-8 as default option during the setup

The character set UTF-8 is now default option during the setup of OXID eShop.

Dropped magic quotes support

Before, OXID eShop already worked only with magic quotes turned off. If they are turned on, the shop tried to turn them off and strip slashed from requests. Now as the support of magic quotes was dropped with PHP5.4 we removed this functionality from the code. Removed functions in oxfunctions.php: stripGpcMagicQuotes(), _stripMagicQuotes() Removed functions in oxUtils class: stripGpcMagicQuotes(), _stripQuotes()

Encoding of captcha code

The encoding of captcha code was changed, ROT13 is not used any longer. New classes oxEncryptor and oxDecryptor were created for the usage of the captcha code encryption and decryption.

eFire related classes

eFire related classes and templates were removed.

New Coding standards for PHP files applied

New PHP Coding Standards (partially PSR1 and PSR2) were applied. Please note that for this reason, you’ll find a lot of PHP files changed. Sorry for any inconvenience. We will provide the coding style guidelines as soon as possible.

Load additional information from OXID server

Enhanced the feature “Load additional information from OXID server”: Having this option activated, the shop establishes a connection to the OXID servers in order to provide additional information such as dynpages (AKA e-commerce services). With upcoming versions of OXID eShop it is planned to provide also other information like available new shop and module versions. Only for PE/EE users: this function will be used to check the application license online instead of in-application and for this reason can’t be switched off. Please note that no business sensitive data (users, orders etc.) will be submitted.

Introduced new class: oxUserAddressList

Due to the bug #04960 the user country title was not translated if user changed language in basket checkout. We fixed this, and now checkout always outputs user information in selected language. This bug appear because class oxAddress attribute oxCountryTitle was stored only in one language. User addresses list was created only from oxAddress table so country name was always in one language. We introduced new class oxUserAddressList. This class loads user addresses with country title in the correct language.

oxobject2category index OXMAINIDX is unique

OXMAINIDX(OXCATNID , OXOBJECTID) index in oxobject2category table is now unique, so please check this table for duplicate records before updating! (#05736)

Changed method processUrl()

While fixing the bug #05809 the method oxUtilsUrl::processUrl() was changed. It checks now if an external URL is passed and if so it does not add parameters (like session and language) to it.

Removed deprecated method getInstance()

Please note that the method getInstance(), marked as deprecated in 4.7/5.0, was removed with this release. This method was most likely often used in modules and was replaced by the refactored bootstrap process.
To see all removed deprecated function, variables, and functionality marked in previous versions:

3 replies

Trackbacks & Pingbacks

  1. […] Das Team der OXID eSales AG hat diese Woche die beta Version des nächsten Minor-Releases veröffentlicht. Alle Informationen zur neuen Version finden sich im OXID Wiki. […]

  2. […] Meine Erläuterungen beziehen sich auf die Version OXID CE 4.9.0. […]

  3. […] des Softwarepakets dar wie z.B. das Hinzufügen von neuen Funktionen. Ein Beispiel wäre ein Upgrade von der Version OXID 4.8.x zu der Version OXID 4.9.0, dort wurden einige neue Funktionen ergänzt wie z.B. Prüfung der Steuernummer oder die Funktion […]

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published.