Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

[CONTRIBUTION] Authorize Net AIM module


Vger

Recommended Posts

Now that we have the CVV problem fixed. How do we pass the card number to Authorize.net and NOT store it on our database. Previous versions didn't store the numbers. Perhaps I need to try and create my own version. But I am hoping that someone else may be working on it now!

Life Is Too Short,

Enjoy Your Coffee!

Pete

Link to comment
Share on other sites

Now that we have the CVV problem fixed. How do we pass the card number to Authorize.net and NOT store it on our database. Previous versions didn't store the numbers. Perhaps I need to try and create my own version. But I am hoping that someone else may be working on it now!

 

Or even better just store xxxx-xxxx-xxxx-0000

 

That might be handy when chatting with customers.

 

Iggy

Everything's funny but nothing's a joke...

Link to comment
Share on other sites

Hey there,

 

What about stealing some functionailty from the card zapper contribution? Just thinking but perhaps, if the Ausitn Renfroe style fix isn't favored, then a function like this could be called at the end of the authnet process to clear the card automagically from the database right after it's been inserted?

 

A kludge for sure but keeps this contrib from having to monkey checkout_process etc around.

 

<?php

 

 

//

// Modification by D.Watts - 04/05/2005

// Zap all but last 4 digits of credit card number

//

$sql="SELECT `cc_number` FROM orders WHERE `orders_id`=('$order');";

$result=mysql_query($sql);

if (! $result) {

die ("Unable to select cc_number [$sql]");

} else {

$row = mysql_fetch_assoc($result);

$ccnum = $row['cc_number'];

$newnum = substr($ccnum, -4, $ccnum);

$newnum = "xxxxxxxxxxxx" . $newnum;

 

$sql="UPDATE `orders` SET `cc_number`='$newnum' WHERE `orders_id`=('$order');";

$result=mysql_query($sql);

if (!$result) die ("Unable to zap card [$sql]");

}

 

?>

 

Iggy

Everything's funny but nothing's a joke...

Link to comment
Share on other sites

Hmmm,

 

Looks like I'm going to get an education in payment modules :)

 

So, on line 174 of

array('title' => MODULE_PAYMENT_AUTHORIZENET_AIM_TEXT_CREDIT_CARD_NUMBER, 'field' => substr($this->cc_card_number, 0, 4) . str_repeat('X', (strlen($this->cc_card_number) - 8)) . substr($this->cc_card_number, -4)),

 

we're already obfuscating the number for display in checkout_confirmation.

 

With some finagling can we pass this value to the db?

 

Where does the db insert take place?

 

Iggy

Everything's funny but nothing's a joke...

Link to comment
Share on other sites

Why is the code worded like this on the old versions? The array seemed to not store the data.

$form_data = array(
	'x_login' => MODULE_PAYMENT_AUTHORIZENETAIM_LOGIN,
	'x_tran_key' => MODULE_PAYMENT_AUTHORIZENETAIM_PASSWORD,
	'x_ADC_Delim_Data' => 'TRUE',
	'x_ADC_URL' => 'FALSE',
	'x_version' => '3.1',
	'x_type' => 'AUTH_ONLY',
	'x_method' => MODULE_PAYMENT_AUTHORIZENETAIM_METHOD,
	'x_amount' => number_format($order->info['total'], 2),
	'x_card_num' => $cc_array['card_number'],
	'x_exp_date' => $cc_array['expiration'],
	'x_card_code' => $cc_array['card_code'],
	'x_email_customer' => MODULE_PAYMENT_AUTHORIZENETAIM_EMAIL == '1' ? 'TRUE': 'FALSE',
	'x_email_merchant' => MODULE_PAYMENT_AUTHORIZENETAIM_EMAIL_MERCHANT == '1' ? 'TRUE': 'FALSE',
	'x_cust_id' => $customer_id,
	'x_first_name' => $order->customer['firstname'],
	'x_last_name' => $order->customer['lastname'],
	'x_address' => $order->billing['street_address'],
	'x_city' => $order->billing['city'],
	'x_state' => $order->billing['state'],
	'x_zip' => $order->billing['postcode'],
	'x_country' => $order->billing['country']['title'],
	'x_phone' => $order->customer['telephone'],
	'x_email' => $order->customer['email_address'],
	'x_ship_to_first_name' => $order->delivery['firstname'],
	'x_ship_to_last_name' => $order->delivery['lastname'],
	'x_ship_to_address' => $order->delivery['street_address'],
	'x_ship_to_city' => $order->delivery['city'],
	'x_ship_to_state' => $order->delivery['state'],
	'x_ship_to_zip' => $order->delivery['postcode'],
	'x_ship_to_country' => $order->delivery['country']['title'],
	'x_customer_ip' => $HTTP_SERVER_VARS['REMOTE_ADDR'],
	'x_description' => 'Items from Our Coffee Barn',

 

When the newer _aim code is this way.

// Populate an array that contains all of the data to be submitted
  $submit_data = array(
  x_login => MODULE_PAYMENT_AUTHORIZENET_AIM_LOGIN, // The login name as assigned to you by authorize.net
  x_tran_key => MODULE_PAYMENT_AUTHORIZENET_AIM_TXNKEY,  // The Transaction Key (16 digits) is generated through the merchant interface
  x_relay_response => 'FALSE', // AIM uses direct response, not relay response
  x_delim_data => 'TRUE', // The default delimiter is a comma
  x_version => '3.1',  // 3.1 is required to use CVV codes
  x_type => MODULE_PAYMENT_AUTHORIZENET_AIM_AUTHORIZATION_TYPE == 'Authorize' ? 'AUTH_ONLY': 'AUTH_CAPTURE',
  x_method => 'CC', //MODULE_PAYMENT_AUTHORIZENET_AIM_METHOD == 'Credit Card' ? 'CC' : 'ECHECK',
  x_amount => number_format($order->info['total'], 2),
  x_card_num => $_POST['cc_number'],
  x_exp_date => $_POST['cc_expires'],
  x_card_code => $_POST['cc_cvv'],
  x_email_customer => MODULE_PAYMENT_AUTHORIZENET_AIM_EMAIL_CUSTOMER == 'True' ? 'TRUE': 'FALSE',
  x_email_merchant => MODULE_PAYMENT_AUTHORIZENET_AIM_EMAIL_MERCHANT == 'True' ? 'TRUE': 'FALSE',
  x_cust_id => $_SESSION['customer_id'],
  x_invoice_num => $new_order_id,
  x_first_name => $order->billing['firstname'],
  x_last_name => $order->billing['lastname'],
  x_company => $order->billing['company'],
  x_address => $order->billing['street_address'],
  x_city => $order->billing['city'],
  x_state => $order->billing['state'],
  x_zip => $order->billing['postcode'],
  x_country => $order->billing['country']['title'],
  x_phone => $order->customer['telephone'],
  x_email => $order->customer['email_address'],
  x_ship_to_first_name => $order->delivery['firstname'],
  x_ship_to_last_name => $order->delivery['lastname'],
  x_ship_to_address => $order->delivery['street_address'],
  x_ship_to_city => $order->delivery['city'],
  x_ship_to_state => $order->delivery['state'],
  x_ship_to_zip => $order->delivery['postcode'],
  x_ship_to_country => $order->delivery['country']['title'],
  x_description => $description,

 

What is the difference between

$_POST

and

$cc_array

?

 

I too am getting a lesson in payment modules!

Life Is Too Short,

Enjoy Your Coffee!

Pete

Link to comment
Share on other sites

With some finagling can we pass this value to the db?

 

Where does the db insert take place?

 

Just keeping some notes :)

 

The db insert happens in /includes/classes/order.php

 

Specifically

$this->info = array('currency' => $order['currency'],
'currency_value' => $order['currency_value'],
'payment_method' => $order['payment_method'],
'cc_type' => $order['cc_type'],
'cc_owner' => $order['cc_owner'],
'cc_number' => $order['cc_number'],
'cc_expires' => $order['cc_expires'],

 

using values passed into it from /includes/modules/payment/authorizenet_aim.php

	function process_button() {
  // Hidden fields on the checkout confirmation page
  $process_button_string = tep_draw_hidden_field('cc_owner', $_POST['authorizenet_aim_cc_owner']) . tep_draw_hidden_field('cc_expires', $this->cc_expiry_month . substr($this->cc_expiry_year, -2)) . tep_draw_hidden_field('cc_type', $this->cc_card_type) . tep_draw_hidden_field('cc_number', $this->cc_card_number);
  if (MODULE_PAYMENT_AUTHORIZENET_AIM_USE_CVV == 'True') {
	$process_button_string .= tep_draw_hidden_field('cc_cvv', $_POST['authorizenet_aim_cc_cvv']);
  }

 

A little above function process_button there's

 

	// Display Credit Card Information on the Checkout Confirmation Page
function confirmation() {
  global $_POST;

  if (MODULE_PAYMENT_AUTHORIZENET_AIM_USE_CVV == 'True') {
  $confirmation = array(//'title' => MODULE_PAYMENT_AUTHORIZENET_AIM_TEXT_CATALOG_TITLE, // Redundant
'fields' => array(array('title' => MODULE_PAYMENT_AUTHORIZENET_AIM_TEXT_CREDIT_CARD_TYPE,
		 'field' => $this->cc_card_type),
		array('title' => MODULE_PAYMENT_AUTHORIZENET_AIM_TEXT_CREDIT_CARD_OWNER,
	'field' => $_POST['authorizenet_aim_cc_owner']),
		array('title' => MODULE_PAYMENT_AUTHORIZENET_AIM_TEXT_CREDIT_CARD_NUMBER,
	'field' => substr($this->cc_card_number, 0, 4) . str_repeat('X', (strlen($this->cc_card_number) - 8)) . substr($this->cc_card_number, -4)),
		array('title' => MODULE_PAYMENT_AUTHORIZENET_AIM_TEXT_CREDIT_CARD_EXPIRES,
	'field' => strftime('%B, %Y', mktime(0,0,0,$_POST['authorizenet_aim_cc_expires_month'], 1, '20' . $_POST['authorizenet_aim_cc_expires_year']))),
		 array('title' => MODULE_PAYMENT_AUTHORIZENET_AIM_TEXT_CVV,
	'field' => $_POST['authorizenet_aim_cc_cvv'])));

 

where the card is munged for display on the confirmation page.

 

So I'm thinking it should be possible to name another variable in function process button to pass the munged CC number to the database instead of the real one while letting the real one get passed to curl for processing.

 

Am I off the reservation here?

 

Comments appreciated!

 

Iggy

Edited by Iggy

Everything's funny but nothing's a joke...

Link to comment
Share on other sites

Why is the code worded like this on the old versions? The array seemed to not store the data.

 

What is the difference between

$_POST

and

$cc_array

?

 

I too am getting a lesson in payment modules!

 

This may or may not be helpful.

 

1. Don't know

 

2. $_POST is used for posting strings and $cc_array (and everything it encompasses) is the string that would be posted

 

Or did I misunderstand the question?

 

Iggy

Edited by Iggy

Everything's funny but nothing's a joke...

Link to comment
Share on other sites

Hmmm again,

 

So poking around in contributions I found Credit Card Encryption which does some nifty things; mostly it shows the way to plopping your own function into checkout_process (which, BTW, means my posts above are pretty much irrelevant).

 

Quick and dirty

 

In checkout_process.php around line 57 just after

 

$order_totals = $order_total_modules->process();

 

add

  $cc_new_value = substr($HTTP_POST_VARS['cc_number'], 0, 4) . str_repeat('X', (strlen($HTTP_POST_VARS['cc_number']) - 8)) . substr($HTTP_POST_VARS['cc_number'], -4);

 

and around line 92 replace

'cc_number' => $order->info['cc_number'],

with

'cc_number' => $cc_new_value,

 

and walla 4111XXXXXXXX1111 in orders :)

 

Now wrap the above in a conditional to check for whether you're using authnet or not and that should be the fix. If you're only using authnet and no other payment modules or you want to ensure you neveer eveer store cc numbers you don't have to bother.

 

Thanks to JTHLA504 for showing the way.

 

And would someone run this on a live AuthNet account to confirm?

 

Thanks,

Iggy

Edited by Iggy

Everything's funny but nothing's a joke...

Link to comment
Share on other sites

OK, the above works fine with Authnet in test mode (confirmation emails are recieved) and I get what I expect in the admin

 

4007XXXXX0027

 

Someone want to confirm it's workability please?

 

Thanks,

Iggy

Everything's funny but nothing's a joke...

Link to comment
Share on other sites

Iggy - if you wish to talk to yourself could you please do it offline? I get an email confirmation of every post made in this thread and you're filling up my Inbox.

 

Vger

 

Just thought I was working the problem there as best I could Vger.

 

Are you inviting me to only post when I know the answer definitively to a speculative question? Or not at all?

 

Iggy

Everything's funny but nothing's a joke...

Link to comment
Share on other sites

OK, the above works fine with Authnet in test mode (confirmation emails are recieved) and I get what I expect in the admin

 

4007XXXXX0027

 

Someone want to confirm it's workability please?

 

Thanks,

Iggy

 

Sorry Vger for all the posts but I sure liked having Iggy do some leg work for us out here!

 

Iggy I just did the full package of the Credit Card Encryption and one test run with it in live mode with one of my own cards and it worked just fine! card number is encrypted in my orders table in my database! Now I am going to encrypt them all. At the same time someone else checked out with Paypal IPN and that worked also!

Life Is Too Short,

Enjoy Your Coffee!

Pete

Link to comment
Share on other sites

Iggy - when you've got something to say that's fine, but most of your recent posts have been "thinking out loud" type of posts - and it's those that I don't want clogging up my Inbox.

 

Vger

 

I would have been happy to have been schooled on why any of those wouldn't work and that was why I posted them. But I get what you're after.

 

Iggy

Everything's funny but nothing's a joke...

Link to comment
Share on other sites

Is this module safe to use? I'm setting up this shopping cart for the first time for a client and they need an Authorize.net gateway.

 

I'm sure you'll all slam me for this, but I don't see how I can use this shopping cart for a national client with all these problems or potential problems. When something like this arises I can't just come on here and plead for a fix and get one a few days later. I'd lose my job. I'll gladly pay for a shopping cart that works and has some support. If I was using it for my own website, then maybe. Then I'd only have myself to answer to, but when it's a client, it'll just equal bad news.

 

Good luck guys.

Link to comment
Share on other sites

The problem is - you can't use any Shopping Cart software for "a client" unless you yourself are prepared to put the time in and learn how to fix things for yourself. If you don't know how to fix things then what service are you actually selling to them?

 

You really can't expect to sell a client software which is freely available and then pop along here and ask other people to sort out problems for you for free.

 

Paid-for shopping cart software is fairly rare, and good support for paid software is even rarer.

 

The only solution is to choose one particular piece of shopping cart software and then spend the time to learn how it works, what any potential problems are, and how to fix them. Once you have those skills you can charge your clients accordingly.

 

Vger

I'm sure you'll all slam me for this, but I don't see how I can use this shopping cart for a national client with all these problems or potential problems. When something like this arises I can't just come on here and plead for a fix and get one a few days later. I'd lose my job. I'll gladly pay for a shopping cart that works and has some support. If I was using it for my own website, then maybe. Then I'd only have myself to answer to, but when it's a client, it'll just equal bad news.

 

Good luck guys.

Link to comment
Share on other sites

Encrypting credit card data in the database does not meet the legal requirements, because you're still storing cedit card data there. And if someone manages to access the osC admin panel then they can access the credit card data in its unencrypted format. This would be the easiest way of gaining access to the credit card data from the database in its unencrypted format because the admin panel is the least secure area - even with password protection..

 

The only solution is to remove these entries from both checkout_process and includes/classes/order.php:

 

'cc_type' => $order->info['cc_type'], 
'cc_owner' => $order->info['cc_owner'], 
'cc_number' => $order->info['cc_number'], 
'cc_expires' => $order->info['cc_expires'],

 

Vger

I would have been happy to have been schooled on why any of those wouldn't work and that was why I posted them. But I get what you're after.

 

Iggy

Link to comment
Share on other sites

Encrypting credit card data in the database does not meet the legal requirements, because you're still storing cedit card data there. And if someone manages to access the osC admin panel then they can access the credit card data in its unencrypted format. This would be the easiest way of gaining access to the credit card data from the database in its unencrypted format because the admin panel is the least secure area - even with password protection..

 

The only solution is to remove these entries from both checkout_process and includes/classes/order.php:

 

'cc_type' => $order->info['cc_type'], 
'cc_owner' => $order->info['cc_owner'], 
'cc_number' => $order->info['cc_number'], 
'cc_expires' => $order->info['cc_expires'],

 

Vger

 

Valid as well. If you look at what I posted it actually zaps the middle 8 numbers using the same setup as the CC display on checkout confirmation; which is what I was after.

 

You could just null the value in checkout_process too

 

'cc_number' => $order->info['cc_number'],

 

Iggy

Everything's funny but nothing's a joke...

Link to comment
Share on other sites

I'm not 100% sure this will work, but it appears to on an offline installation of a default osCommerce website.

 

Access the db using phpMyAdmin, go to the 'orders' table and set the four cc_ entries to varchar(0)

 

Vger

Link to comment
Share on other sites

I'm using the latest version of the AIM module, posted by bokeeffe on August 23. (I was using the more recent version and encountered the bug with CVV codes beginning in 0, so I have rolled my installation back to this version.)

 

I'm experiencing a problem when customers checkout using a coupon code: the total amount on checkout_payment.php displays correctly, as does the total that appears in admin/orders.php and in the email that's sent to the customer, but the amount that's transmitted to Authorize.net is incorrect and doesn't include the coupon discount!

 

My CCGV installation is the latest package posted on 11/7/06 by mauriziomagnino, with the fix posted on 11/28. Both available here: http://www.oscommerce.com/community/contributions,282

 

Any suggestions?

 

Thanks.

Link to comment
Share on other sites

The last post in that thread for CCGV by mauriziomagnino (deleted at my request) was to tell people to use CCGV(trad) instead, because it works, and directing people to the CCGV(trad) support thread. This was after he had been responsible for 6 out of the last 7 updates to CCGV himself - not exactly inspiring.

 

The reason I had his post deleted, flattering though it was, was because of all of the people who were coming to my support thread for CCGV(trad) for help with CCGV - which is in a mess.

 

This is my roundabout way of saying "uninstall CCGV and install CCGV(trad) in its place".

 

Vger

Link to comment
Share on other sites

Great, thanks for the clarification! I'm gradually learning the ropes.

 

The last post in that thread for CCGV by mauriziomagnino (deleted at my request) was to tell people to use CCGV(trad) instead, because it works, and directing people to the CCGV(trad) support thread. This was after he had been responsible for 6 out of the last 7 updates to CCGV himself - not exactly inspiring.

 

The reason I had his post deleted, flattering though it was, was because of all of the people who were coming to my support thread for CCGV(trad) for help with CCGV - which is in a mess.

 

This is my roundabout way of saying "uninstall CCGV and install CCGV(trad) in its place".

 

Vger

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...