Subject: hash_equals() TypeError on User Control Panel page - PHP 8.3 incompatib

  • Hikashop Business
5 days 7 hours ago #371939

-- HikaShop version -- : 6.4.1
-- Joomla version -- : 6.1.0
-- PHP version -- : 8.3
-- Browser(s) name and version -- : Chrome 148.0.7778..168
-- Error-message(debug-mod must be tuned on) -- : hash_equals(): Argument #2 ($user_string) must be of type string, null given

Environment

HikaShop Business: 6.4.1
Joomla: 6.1.0
PHP: 8.3
Server OS: Linux


Description
When a logged-in user navigates to the HikaShop User Control Panel page (frontend "My Account" / com_hikashop user view), a fatal PHP 8.3 error occurs, resulting in a 500 Internal Server Error. The page is completely inaccessible for all logged-in users.

Steps to Reproduce

1. Navigate to the frontend login page
2. Log in with a valid user account
3. Navigate to the User Control Panel page (/hu/fiokom or /en/my-account)
4. Page returns HTTP 500


Expected Behavior
The User Control Panel loads normally and displays the user's orders, account details, and related information.
Actual Behavior
HTTP 500 error. The page is completely inaccessible.

Error Message
TypeError: hash_equals(): Argument #2 ($user_string) must be of type string, null given

Full Stack Trace

```text
#   Function                                             Location
1   ()                                                   JROOT/administrator/components/com_hikashop/classes/order.php:1834
2   hash_equals()                                        JROOT/administrator/components/com_hikashop/classes/order.php:1834
3   hikashopOrderClass->loadFullOrder()                  JROOT/components/com_hikashop/views/user/view.html.php:297
4   userViewUser->cpanel_orders()                        JROOT/components/com_hikashop/views/user/view.html.php:245
5   userViewUser->cpanel()                               JROOT/components/com_hikashop/views/user/view.html.php:23
6   userViewUser->display()                              JROOT/libraries/src/MVC/Controller/BaseController.php:697
7   Joomla\CMS\MVC\Controller\BaseController->display()  JROOT/administrator/components/com_hikashop/helpers/helper.php:2925
8   hikashopController->display()                        JROOT/components/com_hikashop/controllers/user.php:196
9   userController->cpanel()                             JROOT/libraries/src/MVC/Controller/BaseController.php:730
10  Joomla\CMS\MVC\Controller\BaseController->execute()  JROOT/administrator/components/com_hikashop/helpers/helper.php:2903
11  hikashopController->execute()                        JROOT/components/com_hikashop/hikashop.php:89
```

Root Cause Analysis
In administrator/components/com_hikashop/classes/order.php, the loadFullOrder() method contains the following check:

```php
// Token from the request, falling back to the one stored in the session
$token = hikaInput::get()->getVar('order_token');
if(empty($token))
    $token = $app->getUserState('com_hikashop.order_token');

// $token is null here when neither request nor session carries one
if(empty($order->order_token) || !hash_equals($order->order_token, $token)) {
    return null;
}
```
When a registered user (with a valid user_cms_id) accesses their own orders, $token is null because no order_token is present in the request or session — correctly so, since registered users should not need a token.
However, the code reaches this branch due to a logic flow issue: the elseif condition for registered users (hikashop_loadUser(false) != $order->order_user_id) is not evaluated first for orders being loaded in the cpanel context.
In PHP 8.3, hash_equals() now throws a TypeError when either argument is null, whereas in PHP 8.0–8.2 it would silently cast to string.
Suggested fix:

```php
if(empty($order->order_token) || !hash_equals($order->order_token, (string)$token)) {
    return null;
}
```

Impact

- Severity: Critical — the User Control Panel is completely broken for all users on PHP 8.3
- All registered users are unable to view their orders, account details, or any user-facing HikaShop functionality
- The site redirects users to the login page, and after login, immediately returns a 500 error


  • MODERATOR
4 days 20 hours ago #371940

Hi smoothie,

Thank you for the detailed report and the stack trace; it was spot on. We have fixed it.

What was happening: in loadFullOrder(), the branch that validates a guest order's access token was being reached from the "My account" page for an order whose customer record is a guest-checkout one. On the account page there is no order token in the URL or session, so the token was null, and PHP's hash_equals() rejects a null second argument with the TypeError you saw. The check now treats a missing token as simply an invalid one (access denied), which is the behaviour that was always intended, instead of letting null reach hash_equals.

Two clarifications that may help you understand your own setup:

- This is not a PHP 8.3 specific issue. hash_equals() has rejected a non-string argument since PHP 8.0. The version is not the trigger, the data is.

- It does not affect all logged-in users. It only happens when the logged-in customer's order history contains a guest-checkout order (an order whose customer record has no linked Joomla user, i.e. a guest order). Customers whose orders were all placed while logged in take a different code path and were never affected. That is also why it is rarely seen and why it may not reproduce on a test site unless that exact situation exists.

Thanks again for the precise report.

The following user(s) said Thank You: smoothie
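The two token checks discussed in this thread (the reporter's cast-to-string suggestion and the fix described above, which treats a missing token as an invalid one) both come down to the same rule: a non-string must never reach hash_equals(). The following is an added illustration written for this thread, not HikaShop's own code; the function name orderTokenIsValid() and the sample token values are constructed for the example.

```php
<?php
declare(strict_types=1);

/**
 * Order-token check that never lets a non-string reach hash_equals().
 * A missing or empty token on either side is simply an invalid token:
 * access is denied and no exception is raised. Illustrative code only.
 */
function orderTokenIsValid(mixed $storedToken, mixed $suppliedToken): bool
{
    // hash_equals() throws a TypeError for any non-string argument
    // (PHP 8.0 and later), so the type gate has to come before the call.
    if (!is_string($storedToken) || $storedToken === '') {
        return false;   // order has no token: nothing can match it
    }
    if (!is_string($suppliedToken) || $suppliedToken === '') {
        return false;   // no token in request or session: deny, do not crash
    }
    // Both sides are non-empty strings: constant-time compare, known value first.
    return hash_equals($storedToken, $suppliedToken);
}

// Constructed sample values standing in for order_token on the order record
// and the value read from the request or the session.
$cases = [
    ['stored' => 'a3f9c2e1d4b7', 'supplied' => 'a3f9c2e1d4b7', 'expect' => true],
    ['stored' => 'a3f9c2e1d4b7', 'supplied' => 'a3f9c2e1d4b8', 'expect' => false],
    ['stored' => 'a3f9c2e1d4b7', 'supplied' => null,           'expect' => false], // the reported case
    ['stored' => '',             'supplied' => 'a3f9c2e1d4b7', 'expect' => false],
    ['stored' => null,           'supplied' => null,           'expect' => false],
];

foreach ($cases as $c) {
    $got = orderTokenIsValid($c['stored'], $c['supplied']);
    printf("stored=%-16s supplied=%-16s -> %s%s\n",
        var_export($c['stored'], true), var_export($c['supplied'], true),
        $got ? 'allow' : 'deny', $got === $c['expect'] ? '' : '  (UNEXPECTED)');
}

// For contrast, the unguarded call from the original branch with a null token:
try {
    hash_equals('a3f9c2e1d4b7', null);
} catch (TypeError $e) {
    echo 'Unguarded call: ', $e->getMessage(), "\n";
}
```

The final try/catch reproduces the exact TypeError text from the report, which is a quick way to confirm on a test site that a given PHP version rejects the null argument.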

