[ic] Multizip and Multistate do not require

Paul Jordan paul at gishnetwork.com
Fri Jan 8 17:46:23 UTC 2010

>> As standard ships, the Common Profile has among other things:
>>     state=multistate
>>     zip=multizip
>> I should mention that I do have MV_STATE_REQUIRED and MV_ZIP_REQUIRED
>> set
>> properly. With this, I was under the impression a zipcode and state
>> would be
>> required.
>> If the customer is not from the US or Canada, they can get through the
>> checkout without having a state or zipcode. I noticed this because I
>> was
>> getting autocreate failures with sporadic German customers that were
>> including their postal code  prefixed on the City, and leaving the
>> postal
>> code blank.
>> Anyway, to work as expected, one would really need this:
>>     state=multistate
>>     &and
>>     state=required
>>     zip=multizip
>>     &and
>>     zip=required
>> I'm submitting this to make sure this was the intended behavior, or is
>> there
>> in fact a bug.
>> Just to be clear, as Standard ships, auto-creates can fail.
> Hi Paul,
> A patch was made by Mike to prevent the autocreation from failing, see:
> http://github.com/interchange/interchange/commit/7a238b464b153673b2233dafcb4
> e914e1ba5d1f8
> This has been backported to 5.6.2 stable branch and is part of the current
> 5.6.2 download:
> http://ftp.icdevgroup.org/interchange/5.6/tar/interchange-5.6.2.tar.gz
> Only if you'd do an order desk entry you'd still run into the problem
> mentioned from the looks of it as there the password generation is still
> based on just the zipcode.


Thank you.

However I noticed it is no longer using the zip for the password. Was this 
also done for some security reason?

I ask because part of our RMA system has an option if they have no account - 
they sign in with their order number and zipcode. This looks up their 
username (UXXXX) and uses the zip for the password - which if I switch to 
randomized password, I'll have to rework this. Most non-account customers 
won't know their random password.

If there is a security risk by using zipcode then I'll make the change, 
otherwise it can wait.


More information about the interchange-users mailing list