Problem with users able to access orders of others?

I have a problem with the database.



A while ago, I lost some of the customer order data while I was doing an upgrade. I wasn't too worried about it because I have it all printed in hardcopies, so just left it at that.



I didn't lose any of the customer data, just a lot of the more recent order data.



But then what happened was that customers could see orders placed by other people…



So to fix it, I deleted all the orders from the cart (the whole history) and figured I'd start again.

I thought this had fixed the problem, but recently a customer told me that when he checked his old orders, he couldn't see his, but an order that belonged to someone else…



Now that the order database is building up again, the same problem is happening… The earliest customers can see the very first orders that are back in the database…



For example, customer 003 can see the 3rd order in the current customer order database even though it doesn't belong to him, customer 004 can see the order from the 4th order in the database even though it doesn't belong to him etc etc…



It's not a very secure way to store customer orders on behalf of CS-cart…



But the bigger problem is, how can I fix this?



As usual CS-cart has told me they don't support this kind of fix and they want to pan it out to their custom service… bunch of clowns…

This sounds frightening.



I have only just begun building my site, with horrific misunderstandings as to how to calculate shipping.





But what has happened to you is terrible.





I hope this is resolved well in the end. Fair play to you for keeping backup physical copies.

It's a massive breach of privacy…



The only way I can think to fix it is to delete ALL the customers and ALL the sales order data from the database so everything is reset to 0… which is something I'd like to avoid if I can.

Did you delete the data directly from the database?



The likely scenario is you have deleted certain data, but not all. Your database, in at least one or more tables, references the customer ID assigned to an order. Your “old” orders must have “new” customer IDs stored.



Are you competent in SQL? You should be able to fix these issues using SQL, however, it's going to be rather difficult to do so without a backup of the database which shows the correct IDs (customer and order) before things 'broke'.

Ask a developer to help you out, if it's a code issue it should be easier to fix (just replace the code). If you have corrupted data somehow it will be a mess.

bytraper - yes this is extremely worrying!



Without doing a lot of digging right now this must be caused by the user_id recorded in the order data being against the wrong User i.e. Order 123 owned by user_id 3 where it should be user_id 2 etc.



The tables that I can see that tie user_id and order_id are cscart_new_orders and cscart_orders



It seems likely that during your upgrade or at some other point your user_id's or order_id's or both(!) have become out of synch tying the wrong orders to the wrong customers.



I know this doesn't help a great deal but might explain what is going on…

I deleted the remaining orders directly from the cart.



If I delete all the users and all of the existing orders, will this reset all the IDs?



Wilko you are right, this is exactly what I think has happened

bytraper…



StellarBytes is 100% correct; you would need a backup of the DB which contains the original data which has the correct user and order data with correct user_id to order_id mapping.



What you are suggesting should cure your problem in so far as by deleting ALL user and order data, any new data recorded should be correctly linked by user_id.



Do you have any backup of your user data so that you can import back in?

Remember when deleting orders that you are user 1 always, and the ids will not correspond correctly if you start at the first one being not you. I had this when upgrading from 2.25 to v3 was just a mismatch…all orders were out by 1 so viewing order 1000 would show order 1001



John

I've only got hard copies of the data, I have backups but they are corrupt as far back as I have them…
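An added example, not part of any post in this thread and not CS-Cart's own code: a read-only audit for the user_id/order_id mismatch discussed above, run here against a constructed SQLite copy so it works offline. The cscart_orders table and its user_id and order_id columns come from the thread; the cscart_users table, the email columns and the use of user_id 0 for guest orders are assumptions to check against your own schema.

```python
import sqlite3

# Assumed schema details (not from the thread): cscart_users, the email columns,
# and user_id = 0 meaning a guest checkout. Verify against your own database.
AUDIT_SQL = """
SELECT o.order_id, o.user_id,
       CASE WHEN u.user_id IS NULL THEN 'orphan_user_id'
            ELSE 'email_mismatch' END AS finding
FROM cscart_orders AS o
LEFT JOIN cscart_users AS u ON u.user_id = o.user_id
WHERE o.user_id <> 0
  AND (u.user_id IS NULL OR LOWER(u.email) <> LOWER(o.email))
ORDER BY o.order_id
"""

def audit_order_ownership(conn):
    """Return (order_id, user_id, finding) for orders that do not match their account."""
    return conn.execute(AUDIT_SQL).fetchall()

def build_sample_db():
    """Constructed data: orders re-created after a wipe while accounts stayed in place."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cscart_users  (user_id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE cscart_orders (order_id INTEGER PRIMARY KEY, user_id INTEGER, email TEXT);
        INSERT INTO cscart_users VALUES
            (1, 'admin@example.test'), (3, 'carol@example.test'), (4, 'dave@example.test');
        INSERT INTO cscart_orders VALUES
            (1, 1, 'admin@example.test'),   -- consistent
            (3, 3, 'erin@example.test'),    -- tied to account 3, placed by someone else
            (4, 4, 'DAVE@example.test'),    -- consistent, differs only by letter case
            (5, 9, 'frank@example.test'),   -- user_id 9 no longer exists
            (6, 0, 'guest@example.test');   -- guest order, skipped by the audit
    """)
    return conn

if __name__ == "__main__":
    for row in audit_order_ownership(build_sample_db()):
        print(row)
```

An email mismatch is a lead for manual review against the hard copies, not proof of a wrong link, since a customer can place an order under a different address than the one on the account.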