zoeticlight

  1. THANK YOU!!! THANK YOU!!! THANK YOU!!!!!!!!!! I was getting a [TEP_STOP] error and it was all because of a bad query based off of a URL with the brackets. My URL was: .../products_id=71{2}21{3}33 which came from the shopping_cart.php page, and it wasn't working. This was because I had put a custom SQL query in my includes/boxes/whats_new.php page and it was creating the [TEP_STOP] error. I cannot tell you how long I searched this forum until I came across your post. THANK YOU!!!!!
  2. Thanks for the reply. I have to respectfully disagree unless you're talking about an earlier discussion before I brought up the subject. If that's the case, then I'll have to re-read all 15 pages again. Perhaps I missed it. If that's not what you meant, then this is your first response to my new discoveries. To reiterate, I heeded your advice with regards to updating to the newest version, and that didn't fix the problem. I then went to a raw installation of osCommerce without any contributions and the problem still existed. I even went a step further and picked a handful of random live shops, created an account, and proceeded to make my way through the checkout process. I then specifically entered in invalid data for the credit card information, and in every case, the problem mimicked mine exactly. So this tells me that the problem is not something specific to me, but with osCommerce.
  3. Vger, I think I found a bug. The install instructions state that the following code needs to be added to checkout_payment.php, but it also needs to be added to checkout_confirmation.php:

         <script language="JavaScript" type="text/javascript">
         <!--hide
         function newwindow() {
           window.open('cvv_help.php','jav','width=500,height=550,resizable=no,toolbar=no,menubar=no,status=no');
         }
         //-->
         </SCRIPT>

     p.s. It would be nice if you could respond to my other posts. I understand if you're busy, though. I'm just saying that it would be nice. Have a good day.

     Mike
  4. Vger, I've done a little more testing, and it appears that the problem lies in the design structure of osCommerce. The code is currently written to not allow any HTML code to be passed through the URL, which is a good thing. But the problem is that the variables for the error messages, which are defined in catalog/includes/languages/english/english.php, have HTML hard-coded into the string. For example:

         define('TEXT_CCVAL_ERROR_INVALID_DATE', 'The expiry date entered for the credit card is invalid.<br>Please check the date and try again.');
         define('TEXT_CCVAL_ERROR_INVALID_NUMBER', 'The credit card number entered is invalid.<br>Please check the number and try again.');
         define('TEXT_CCVAL_ERROR_UNKNOWN_CARD', 'The first four digits of the number entered are: %s<br>If that number is correct, we do not accept that type of credit card.<br>If it is wrong, please try again.');

     As a result, when these variables are passed to the URL as a $_GET variable using urlencode(), then decoded using urldecode(), and finally parsed using tep_output_string_protected(), everything is doing what it's supposed to do properly, including the prevention of HTML code to be passed through the URL. But the problem is that the defined variables have HTML that has been specifically included with the intention to pass through the URL and output on the page correctly.

     Please run the following script and you'll see what I mean:

         <?php
         function tep_parse_input_field_data($data, $parse) {
           return strtr(trim($data), $parse);
         }

         function tep_output_string($string, $translate = false, $protected = false) {
           if ($protected == true) {
             // Protected output: every HTML metacharacter is encoded
             return htmlspecialchars($string);
           } else {
             if ($translate == false) {
               // Unprotected output: only double quotes are encoded
               return tep_parse_input_field_data($string, array('"' => '&quot;'));
             } else {
               return tep_parse_input_field_data($string, $translate);
             }
           }
         }

         function tep_output_string_protected($string) {
           return tep_output_string($string, false, true);
         }

         define('TEXT_CCVAL_ERROR_INVALID_NUMBER', 'The credit card number entered is invalid.<br>Please check the number and try again.');

         echo "<b>TEXT_CCVAL_ERROR_INVALID_NUMBER:</b><br>" . TEXT_CCVAL_ERROR_INVALID_NUMBER;
         echo "<br><br>";

         $urlencode= urlencode(TEXT_CCVAL_ERROR_INVALID_NUMBER);
         echo "<b>\$urlencode:</b><br>" . $urlencode;
         echo "<br><br>";

         $urldecode= urldecode($urlencode);
         echo "<b>\$urldecode:</b><br>" . $urldecode;
         echo "<br><br>";

         echo "<b>tep_output_string:</b><br>" . tep_output_string($urldecode);
         echo "<br><br>";

         echo "<b>tep_output_string_protected:</b><br>" . tep_output_string_protected($urldecode);
         echo "<br><br>";
         ?>

     So the conclusion is that either the defined variables cannot have HTML code in them, tep_output_string() has to be used instead of tep_output_string_protected(), or the variables should be passed using $_POST instead of $_GET. Do you agree? Any other ideas?

     Mike
  5. Hi Vger,

     Well, I'm still having this problem. And truth is, it has absolutely nothing to do with your Authorize Net AIM module. In fact, the problem occurs using the stock Credit Card payment module. Also, I've done some more testing and the bug seems to be in the base installation of osCommerce. At first, I updated my files with the OsCommerce 051113 update as you suggested, but that didn't fix the problem. I then started with a fresh copy of OsCommerce without any contributions at all, not even Register Globals. The problem still exists. Do you have any ideas why this is happening?

     I tested it with osCommerce 2.2 Milestone 2 Update 051113 and absolutely NO CONTRIBUTIONS installed. I used the standard Credit Card payment module, entered in the valid testing credit card number during checkout, and entered in an invalid date, such as January 2006. The error message displays as follows:

         Credit Card Error!
         The expiry date entered for the credit card is invalid.<br>Please check the date and try again.

     I just spent the last couple of hours modifying and testing this problem. I simply can't believe that no one else is experiencing this problem when it happens to me on a clean installation of osCommerce. Thanks for your help. It's much appreciated.

     Mike
  6. Hi Vger, Thanks for the info. I'm currently using osCommerce 2.2-MS2, which I downloaded a little over a year ago and have been heavily modifying it ever since. So, if there is a newer version with security patches available, integrating the changes might be a little difficult. So if there are pertinent patches that are recommended I integrate, do you have a suggestion as to the easiest way? If there is no easy way, then perhaps I should reinstate tep_output_string_protected and use a string replace to properly format the text? If I have the latest version, any ideas on why I'm running into this problem? Thanks in advance. Mike
  7. I just installed this payment module and it works great, right from the get-go!!!! However, during testing, I've noticed something weird with regards to the error messages displayed. Basically, the error messages for invalid date, invalid number, or invalid card are not displayed properly. The error messages originate in the URL as GET variables, such as:

         checkout_payment.php?payment_error=authorizenet_aim&error=The+expiry+date+entered+for+the+credit+card+is+invalid.%3Cbr%3EPlease+check+the+date+and+try+again

     The problem is that when displayed in a browser, the html code for a line break, <br>, is actually shown instead of inserting a line break. As a result, it looks like the following in the browser:

         Credit Card Error!
         The expiry date entered for the credit card is invalid.<br>Please check the date and try again.

     I took a look at the HTML source code for the page that is created, and you can see that the less-than and greater-than signs are spelled out as '&lt;' and '&gt;':

         <td class="main" width="100%" valign="top">The expiry date entered for the credit card is invalid.&lt;br&gt;Please check the date and try again.</td>

     I finally narrowed down the problem to the formatting of the error codes on checkout_payment.php. Around line 194, I changed the following code:

         <td class="main" width="100%" valign="top"><?php echo tep_output_string_protected($error['error']); ?></td>

     to:

         <td class="main" width="100%" valign="top"><?php echo tep_output_string($error['error']); ?></td>

     As a result, the error messages display properly with line breaks. Has anybody else had this problem?

         Credit Card Error!
         The expiry date entered for the credit card is invalid.
         Please check the date and try again.
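
An added example, not taken from these posts or from osCommerce, of the option raised in post 6 above: keep escaping the `error` URL parameter the way tep_output_string_protected() does, then restore only the plain `<br>` that the language-file messages contain. It is shown next to the unprotected behaviour of tep_output_string() as posted in item 4. The helper names `render_payment_error()` and `output_unprotected()` and both sample strings are constructed for illustration.

```php
<?php
// Added illustration; hypothetical helper names, not osCommerce functions.

/** Mirrors tep_output_string() as posted above: only double quotes are encoded. */
function output_unprotected(string $raw): string
{
    return strtr(trim($raw), ['"' => '&quot;']);
}

/**
 * Escape a message taken from the URL, then re-enable only the line break
 * tag that the stock language strings contain.
 */
function render_payment_error(string $raw): string
{
    // Step 1: neutralise every HTML metacharacter, as
    // tep_output_string_protected() does through htmlspecialchars().
    $escaped = htmlspecialchars(trim($raw), ENT_QUOTES, 'UTF-8');

    // Step 2: turn back only an escaped, attribute-free <br>, <br/> or <br />.
    // A tag carrying attributes does not match and stays escaped.
    return preg_replace('/&lt;br\s*\/?&gt;/i', '<br>', $escaped);
}

// Constructed inputs: the stock message, and an "error" parameter that was
// edited in the address bar instead of coming from english.php.
$samples = [
    'stock'    => 'The expiry date entered for the credit card is invalid.<br>Please check the date and try again.',
    'tampered' => 'Card declined.<br><script>alert(1)</script><br onclick="x()">',
];

foreach ($samples as $label => $value) {
    // The round trip through the query string described in the posts.
    $fromUrl = urldecode(urlencode($value));

    $unprotected = output_unprotected($fromUrl);
    $allowlisted = render_payment_error($fromUrl);

    echo "== {$label} ==\n";
    echo "unprotected : {$unprotected}\n";
    echo "allowlisted : {$allowlisted}\n";
    // A live <script or on*= attribute in the output means markup from the
    // URL would be interpreted by the browser.
    foreach (['unprotected' => $unprotected, 'allowlisted' => $allowlisted] as $name => $html) {
        $live = (bool) preg_match('/<script|<[^>]*\son\w+=/i', $html);
        echo "  {$name} passes active markup: " . ($live ? 'yes' : 'no') . "\n";
    }
}
```

For the stock message both functions give the same visible result; they differ only when the parameter carries markup other than a bare `<br>`.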
  8. zoeticlight

    Paypay ipn 1.2 ?

    That's weird. It does seem to have suddenly disappeared. Too bad, though, cuz I thought it was actually a better contribution. I couldn't get v1.1 to work but I could get v1.2 to work with only a couple modifications.
  9. zoeticlight

    Session variable not globally defined

    I'm running into the same problem. Does anybody have any ideas?
  10. zoeticlight

    PAYPAL IPN DUMMIES GUIDE

    Sorry, but I had a brain fart. The above statement is wrong. /usr/bin/openssl is what you would set for OpenSSL Location. Your Working directory is actually a location for the payment module to store temporary files. You will need to make a directory for these temp files. I made one called "temp". So that would mean my full server path to it is:

        /usr/home/yourusername/public_html/temp/

    (apparently the trailing slash is needed, but I've gotten it to work both ways.) Furthermore, you need to set permissions on this new folder to 777.

    So...here's the full list again with my correction:

        Your Private Key
        /usr/home/yourusername/public_html/paypal/privkey.pem

        Your Public Certificate
        /usr/home/yourusername/public_html/paypal/cacert.pem

        PayPals Public Certificate
        /usr/home/yourusername/public_html/paypal/paypal_cert_pem.txt

        Your PayPal Public Certificate ID
        GRYWK3YWT4QK4

        Working Directory
        /usr/home/yourusername/public_html/temp/

        OpenSSL Location
        /usr/bin/openssl
  11. zoeticlight

    PAYPAL IPN DUMMIES GUIDE

    Well, all of these settings are to get encryption working between your site and PayPal. I suggest that if you don't have IPN working yet, then you should work on that first and worry about this stuff last. Just keep your "Enable Encrypted Web Payments" set to "False" until you have IPN working and are ready to start with the encryption stuff.

    Anyway, once you have IPN working, you can move forward. This is what I did to get it going. First off, you need to know if openSSL is installed on your host server and what directory it resides in. If you're on a Unix server, then you can log in via SSH or telnet and use the following command to determine this:

        whereis openssl

    (sorry, I don't know the command if you're on a Windows server. I suggest you call your host and ask them.) If openSSL is installed, the command should output the directory. For me, it was:

        /usr/bin/openssl

    So this would be what you input as the "Working Directory".

    Next, I used openSSL to generate my own private key and self-signed certificate. If you go to www.openssl.org, there's plenty of information to help you. Specifically, go to http://www.openssl.org/docs/HOWTO/keys.txt to figure out how to create your own private key. And go to http://www.openssl.org/docs/HOWTO/certificates.txt to figure out how to create your own public certificate. In the meantime, the following commands sum it up. But remember to read the information at the above links. They provide some additional things you need to know. So once again, you'll need to be connected to your home directory on your webserver via SSH or telnet.

    To generate a private key:

        openssl genrsa -des3 -out privkey.pem 2048

    To generate a public certificate:

        openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095

    Alright, from these two commands, you will have the following files:

        Private key: privkey.pem
        Public certificate: cacert.pem

    Upload these files to some location in your webserver. Let's say, for example, create a directory in your document root called 'paypal'. Now you need to define the exact server path to your files (just the same as you did with the location of openSSL). You do not want to use a URL or a relative path from your document root. For example, on my site I used the following:

        Your Private Key
        /usr/home/yourusername/public_html/paypal/privkey.pem

        Your Public Certificate
        /usr/home/yourusername/public_html/paypal/cacert.pem

    Alright, the next thing to do is get PayPals Public Certificate. Log into your sandbox account at PayPal. Click on the "Profile" tab and then click on "Encrypted Payment Settings". Click on the "Download" button to get PayPals Public Certificate. This will be named "paypal_cert_pem.txt". Upload this to your server to your newly created PayPal directory. Thus, the location will be something like the following:

        PayPals Public Certificate
        /usr/home/yourusername/public_html/paypal/paypal_cert_pem.txt

    Last is to get Your PayPal Public Certificate ID. First download Your Public Certificate to your local computer (cacert.pem); this is the file that you created with openSSL and placed in your new "paypal" directory on your webserver. Then log into your sandbox account at PayPal. Click on the "Profile" tab and then click on "Encrypted Payment Settings". Click on the "Add" button under "Your Public Certificates". You will be taken to another page where there will be a "Browse" button to allow you to upload your public certificate to PayPal. Then click the "Add" button. You will be brought back to the "Encrypted Payment Settings" page, and you should see a box under the heading, "Your Public Certificates". If you look in the box, you will see your "Cert ID". This is the value you enter for Your PayPal Public Certificate ID.

    So...we've done it!

        Your Private Key
        /usr/home/yourusername/public_html/paypal/privkey.pem

        Your Public Certificate
        /usr/home/yourusername/public_html/paypal/cacert.pem

        PayPals Public Certificate
        /usr/home/yourusername/public_html/paypal/paypal_cert_pem.txt

        Your PayPal Public Certificate ID
        GRYWK3YWT4QK4

        Working Directory
        /usr/bin/openssl

    Of course, all of your values will be slightly different. But you should be able to figure out the rest. The only other thing to do is set "Enable Encrypted Web Payments" to "True." Good luck and let us know how it went.
  12. zoeticlight

    [Contribution]Paypal IPN - Devosc

    Check the /catalog/includes/modules/payment/paypay_ipn.php file. You'll notice around line 506 that that's where the email code starts. Good luck and hopefully this helps. mike
  13. zoeticlight

    Register Globals Support

    My bad...this function is actually: restore_contents()
  14. zoeticlight

    Register Globals Support

    Alright...I think I found a solution. But first off, I have to correct myself on point #1 noted above. In my haste, I wrote down the wrong outcome. This actually does not work properly. The revision is:

    1. If the customer does not have any items stored in their cart from a previous session, adds one or more items to a cart, logs in, and continues to checkout, the $_SESSION['cartID'] variable WILL NOT have a valid ID number. The variable is registered, but the value is null. THIS DOES NOT WORK CORRECTLY.

    Anyway, after looking through the shopping cart class, it appears that a temporary unique ID number is never assigned when the customer's basket is restored from the database (whether it's got items or not) after they log in and go directly to checkout without adding any additional items. In fact, the cartID is only set when an item is added to or removed from the cart. So, to fix this, all I did was add the following line at the end of the cart_restore() function:

        // assign a temporary unique ID to the order contents to prevent hack attempts during the checkout procedure
        $this->cartID = $this->generate_cart_id();

    Alright, I look forward to hearing a response from somebody a little more experienced than me. I've implemented this fix for now and will do some more testing, especially with "osCommerce PayPal IPN Module v1.0 For 2.2MS2", but I'd like someone else's opinion or thoughts. Perhaps I'm not seeing something that I should or there was a specific reason it was done this way.

    Mike
  15. zoeticlight

    Register Globals Support

    Alright, I've been racking my brain over this "osCommerce PayPal IPN Module v1.0 For 2.2MS2" contribution with the "Register Globals Off" contribution for days now. I'm just about to give up, but I'm too damn tenacious. At any rate, I've discovered something with regards to the $cartID session variable that I can't figure out, and it has absolutely nothing to do with the PayPal IPN module. Perhaps someone around here can explain. Here are the symptoms.

    1. If the customer does not have any items stored in their cart from a previous session, adds one or more items to a cart, logs in, and continues to checkout, the $_SESSION['cartID'] variable WILL have a valid ID number. THIS WORKS CORRECTLY.

    2. If the customer does not have any items stored in their cart from a previous session, logs in, adds one or more items to their cart, and continues to checkout, the $_SESSION['cartID'] variable WILL have a valid ID number. THIS WORKS CORRECTLY.

    3. If the customer has items stored in their cart from a previous session, logs in, clears all items from their cart, adds one or more items to their cart, and continues to checkout, the $_SESSION['cartID'] variable WILL have a valid ID number. THIS WORKS CORRECTLY.

    4. If the customer has items stored in their cart from a previous session, logs in, and continues to checkout without adding any additional items, the $_SESSION['cartID'] variable WILL NOT have a valid ID number. The variable is registered, but the value is null. THIS DOES NOT WORK CORRECTLY.

    5. If the customer has items stored in their cart from a previous session, logs in, adds one or more items to their cart, and continues to checkout, the $_SESSION['cartID'] variable WILL NOT have a valid ID number. The variable is registered, but the value is null. THIS DOES NOT WORK CORRECTLY.

    6. If the customer has items stored in their cart from a previous session, adds one or more items to their cart, logs in, and continues to checkout, the $_SESSION['cartID'] variable WILL NOT have a valid ID number. The variable is registered, but the value is null. THIS DOES NOT WORK CORRECTLY.

    To see this in action, I added the following short bit of debugging code to checkout_confirmation.php to tell me what the $_SESSION variables were when the customer reached the checkout_confirmation.php page:

        echo "<pre>";
        print_r($_SESSION);
        echo "</pre>";

    Find the following block of code around line 239 of checkout_confirmation.php:

        if (is_array($payment_modules->modules)) {
          if ($confirmation = $payment_modules->confirmation()) {
        ?>
              <tr>
                <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
              </tr>
              <tr>
                <td class="main"><b><?php echo HEADING_PAYMENT_INFORMATION; ?></b></td>
              </tr>
              <tr>
                <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
              </tr>
              <tr>
                <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
                  <tr class="infoBoxContents">
                    <td><table border="0" cellspacing="0" cellpadding="2">
                      <tr>
                        <td class="main" colspan="4"><?php echo $confirmation['title']; ?></td>
                      </tr>
        <?php
            for ($i=0, $n=sizeof($confirmation['fields']); $i<$n; $i++) {
        ?>
                      <tr>
                        <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
                        <td class="main"><?php echo $confirmation['fields'][$i]['title']; ?></td>
                        <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
                        <td class="main"><?php echo $confirmation['fields'][$i]['field']; ?></td>
                      </tr>
        <?php
            }
        ?>
                    </table></td>
                  </tr>
                </table></td>
              </tr>
        <?php
          }
        }

    Add my debugging code at the end just before the last closing brace:

        if (is_array($payment_modules->modules)) {
          if ($confirmation = $payment_modules->confirmation()) {
        ?>
              <tr>
                <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
              </tr>
              <tr>
                <td class="main"><b><?php echo HEADING_PAYMENT_INFORMATION; ?></b></td>
              </tr>
              <tr>
                <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
              </tr>
              <tr>
                <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
                  <tr class="infoBoxContents">
                    <td><table border="0" cellspacing="0" cellpadding="2">
                      <tr>
                        <td class="main" colspan="4"><?php echo $confirmation['title']; ?></td>
                      </tr>
        <?php
            for ($i=0, $n=sizeof($confirmation['fields']); $i<$n; $i++) {
        ?>
                      <tr>
                        <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
                        <td class="main"><?php echo $confirmation['fields'][$i]['title']; ?></td>
                        <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
                        <td class="main"><?php echo $confirmation['fields'][$i]['field']; ?></td>
                      </tr>
        <?php
            }
        ?>
                    </table></td>
                  </tr>
                </table></td>
              </tr>
        <?php
          }
          echo "<pre>";
          print_r($_SESSION);
          echo "</pre>";
        }

    Alright with that in place, you'll be able to see what the value is for the $_SESSION['cartID'] variable under the conditions I've outlined above. Also please note that this is not a problem with "osCommerce PayPal IPN Module v1.0 For 2.2MS2". In fact, these symptoms are still present when any of the payment modules are installed.

    So...I'm not sure if this is an osCommerce bug or a PHP bug. I'd love to hear what others think about this and if anyone else has come across this. Does anyone have a solution? Should this be submitted as a bug to the developing team?