-- HikaShop version -- : 6.4.1
-- Joomla version -- : 6.1.0
-- PHP version -- : 8.3
-- Browser(s) name and version -- : Chrome 148.0.7778..168
-- Error-message(debug mode must be turned on) -- : hash_equals(): Argument #2 ($user_string) must be of type string, null given
Environment
HikaShop Business: 6.4.1
Joomla: 6.1.0
PHP: 8.3
Server OS: Linux
Description
When a logged-in user navigates to the HikaShop User Control Panel page (frontend "My Account" / com_hikashop user view), a fatal PHP 8.3 error occurs, resulting in a 500 Internal Server Error. The page is completely inaccessible for all logged-in users.
Steps to Reproduce
1. Navigate to the frontend login page
2. Log in with a valid user account
3. Navigate to the User Control Panel page (/hu/fiokom or /en/my-account)
4. Page returns HTTP 500
Expected Behavior
The User Control Panel loads normally and displays the user's orders, account details, and related information.
Actual Behavior
HTTP 500 error. The page is completely inaccessible.
Error Message
TypeError: hash_equals(): Argument #2 ($user_string) must be of type string, null given
Full Stack Trace
#   Function                                              Location
1   ()                                                    JROOT/administrator/components/com_hikashop/classes/order.php:1834
2   hash_equals()                                         JROOT/administrator/components/com_hikashop/classes/order.php:1834
3   hikashopOrderClass->loadFullOrder()                   JROOT/components/com_hikashop/views/user/view.html.php:297
4   userViewUser->cpanel_orders()                         JROOT/components/com_hikashop/views/user/view.html.php:245
5   userViewUser->cpanel()                                JROOT/components/com_hikashop/views/user/view.html.php:23
6   userViewUser->display()                               JROOT/libraries/src/MVC/Controller/BaseController.php:697
7   Joomla\CMS\MVC\Controller\BaseController->display()   JROOT/administrator/components/com_hikashop/helpers/helper.php:2925
8   hikashopController->display()                         JROOT/components/com_hikashop/controllers/user.php:196
9   userController->cpanel()                              JROOT/libraries/src/MVC/Controller/BaseController.php:730
10  Joomla\CMS\MVC\Controller\BaseController->execute()   JROOT/administrator/components/com_hikashop/helpers/helper.php:2903
11  hikashopController->execute()                         JROOT/components/com_hikashop/hikashop.php:89
Root Cause Analysis
In administrator/components/com_hikashop/classes/order.php, the loadFullOrder() method contains the following check:
```php
$token = hikaInput::get()->getVar('order_token');
if(empty($token))
    $token = $app->getUserState('com_hikashop.order_token');
if(empty($order->order_token) || !hash_equals($order->order_token, $token)) {
    return null;
}
```
When a registered user (with a valid user_cms_id) accesses their own orders, $token is null because no order_token is present in the request or session — correctly so, since registered users should not need a token.
However, the code reaches this branch due to a logic flow issue: the elseif condition for registered users (hikashop_loadUser(false) != $order->order_user_id) is not evaluated first for orders being loaded in the cpanel context.
In PHP 8.3, hash_equals() now throws a TypeError when either argument is null, whereas in PHP 8.0–8.2 it would silently cast to string.
Suggested fix:
```php
if(empty($order->order_token) || !hash_equals($order->order_token, (string)$token)) {
    return null;
}
```
Impact
Severity: Critical — the User Control Panel is completely broken for all users on PHP 8.3
All registered users are unable to view their orders, account details, or any user-facing HikaShop functionality
The site redirects users to the login page, and after login, immediately returns a 500 error
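An added example, not part of the original report and not HikaShop's code: a fail-closed order access check that evaluates ownership before falling back to a constant-time token comparison, so a missing token denies access instead of raising a TypeError. The function names `orderTokenMatches()` and `canViewOrder()` and all sample orders are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names and constructed sample data; this is not HikaShop's code.

/** Constant-time token check that fails closed on null, non-string or empty input. */
function orderTokenMatches(mixed $stored, mixed $supplied): bool
{
    if (!is_string($stored) || !is_string($supplied) || $stored === '' || $supplied === '') {
        return false; // never call hash_equals() with null, and never let '' match ''
    }
    return hash_equals($stored, $supplied);
}

/** Owner check first; the token is only the fallback for guest access. */
function canViewOrder(object $order, int $currentUserId, mixed $suppliedToken): bool
{
    if ($currentUserId > 0 && $currentUserId === (int) $order->order_user_id) {
        return true; // registered owner: no token required
    }
    return orderTokenMatches($order->order_token ?? null, $suppliedToken);
}

// Constructed sample orders.
$ownedOrder = (object) ['order_user_id' => 42, 'order_token' => null];
$guestOrder = (object) ['order_user_id' => 0, 'order_token' => 'constructed-sample-token'];

$cases = [
    'owner, no token in request'       => [$ownedOrder, 42, null, true],
    'other user, no token'             => [$ownedOrder, 7, null, false],
    'guest, correct token'             => [$guestOrder, 0, 'constructed-sample-token', true],
    'guest, null token (the 500 case)' => [$guestOrder, 0, null, false],
    'guest, array from request'        => [$guestOrder, 0, ['x'], false],
    'tokenless order, empty token'     => [$ownedOrder, 0, '', false],
];

foreach ($cases as $label => [$order, $userId, $token, $expected]) {
    $actual = canViewOrder($order, $userId, $token);
    printf("%-34s %s\n", $label, $actual === $expected ? 'ok' : 'MISMATCH');
}
```

The explicit empty-string rejection matters when a cast such as `(string)$token` is used: it keeps a tokenless order from ever matching an empty supplied token.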