ValleyRoaster Posted December 10, 2006 Share Posted December 10, 2006 You may not have it if you didn't install the latest contrib. In that case, you're safe! See my earlier post with a link to the contrib. The fix is in the authorizenet_aim file. Quote Life Is Too Short, Enjoy Your Coffee! Pete Link to comment Share on other sites More sharing options...
jonw118 Posted December 10, 2006 Share Posted December 10, 2006 See my earlier post with a link to the contrib. The fix is in the authorizenet_aim file. I followed Coffee Barns suggestions, and it's working. THANK YOU!!!! That's the fix for this. Quote Link to comment Share on other sites More sharing options...
♥Vger Posted December 10, 2006 Author Share Posted December 10, 2006 I have asked the moderators to delete the update from Weiyin (Oct 19th). Vger Quote Link to comment Share on other sites More sharing options...
ValleyRoaster Posted December 10, 2006 Share Posted December 10, 2006 Now that we have the CVV problem fixed. How do we pass the card number to Authorize.net and NOT store it on our database. Previous versions didn't store the numbers. Perhaps I need to try and create my own version. But I am hoping that someone else may be working on it now! Quote Life Is Too Short, Enjoy Your Coffee! Pete Link to comment Share on other sites More sharing options...
Iggy Posted December 10, 2006 Share Posted December 10, 2006 Now that we have the CVV problem fixed. How do we pass the card number to Authorize.net and NOT store it on our database. Previous versions didn't store the numbers. Perhaps I need to try and create my own version. But I am hoping that someone else may be working on it now! Or even better just store xxxx-xxxx-xxxx-0000 That might be handy when chatting with customers. Iggy Quote Everything's funny but nothing's a joke... Link to comment Share on other sites More sharing options...
Iggy Posted December 10, 2006 Share Posted December 10, 2006 Hey there, What about stealing some functionailty from the card zapper contribution? Just thinking but perhaps, if the Ausitn Renfroe style fix isn't favored, then a function like this could be called at the end of the authnet process to clear the card automagically from the database right after it's been inserted? A kludge for sure but keeps this contrib from having to monkey checkout_process etc around. <?php // // Modification by D.Watts - 04/05/2005 // Zap all but last 4 digits of credit card number // $sql="SELECT `cc_number` FROM orders WHERE `orders_id`=('$order');"; $result=mysql_query($sql); if (! $result) { die ("Unable to select cc_number [$sql]"); } else { $row = mysql_fetch_assoc($result); $ccnum = $row['cc_number']; $newnum = substr($ccnum, -4, $ccnum); $newnum = "xxxxxxxxxxxx" . $newnum; $sql="UPDATE `orders` SET `cc_number`='$newnum' WHERE `orders_id`=('$order');"; $result=mysql_query($sql); if (!$result) die ("Unable to zap card [$sql]"); } ?> Iggy Quote Everything's funny but nothing's a joke... Link to comment Share on other sites More sharing options...
Iggy Posted December 10, 2006 Share Posted December 10, 2006 Hmmm, Looks like I'm going to get an education in payment modules :) So, on line 174 of array('title' => MODULE_PAYMENT_AUTHORIZENET_AIM_TEXT_CREDIT_CARD_NUMBER, 'field' => substr($this->cc_card_number, 0, 4) . str_repeat('X', (strlen($this->cc_card_number) - 8)) . substr($this->cc_card_number, -4)), we're already obfuscating the number for display in checkout_confirmation. With some finagling can we pass this value to the db? Where does the db insert take place? Iggy Quote Everything's funny but nothing's a joke... Link to comment Share on other sites More sharing options...
ValleyRoaster Posted December 10, 2006 Share Posted December 10, 2006 Why is the code worded like this on the old versions? The array seemed to not store the data. $form_data = array( 'x_login' => MODULE_PAYMENT_AUTHORIZENETAIM_LOGIN, 'x_tran_key' => MODULE_PAYMENT_AUTHORIZENETAIM_PASSWORD, 'x_ADC_Delim_Data' => 'TRUE', 'x_ADC_URL' => 'FALSE', 'x_version' => '3.1', 'x_type' => 'AUTH_ONLY', 'x_method' => MODULE_PAYMENT_AUTHORIZENETAIM_METHOD, 'x_amount' => number_format($order->info['total'], 2), 'x_card_num' => $cc_array['card_number'], 'x_exp_date' => $cc_array['expiration'], 'x_card_code' => $cc_array['card_code'], 'x_email_customer' => MODULE_PAYMENT_AUTHORIZENETAIM_EMAIL == '1' ? 'TRUE': 'FALSE', 'x_email_merchant' => MODULE_PAYMENT_AUTHORIZENETAIM_EMAIL_MERCHANT == '1' ? 'TRUE': 'FALSE', 'x_cust_id' => $customer_id, 'x_first_name' => $order->customer['firstname'], 'x_last_name' => $order->customer['lastname'], 'x_address' => $order->billing['street_address'], 'x_city' => $order->billing['city'], 'x_state' => $order->billing['state'], 'x_zip' => $order->billing['postcode'], 'x_country' => $order->billing['country']['title'], 'x_phone' => $order->customer['telephone'], 'x_email' => $order->customer['email_address'], 'x_ship_to_first_name' => $order->delivery['firstname'], 'x_ship_to_last_name' => $order->delivery['lastname'], 'x_ship_to_address' => $order->delivery['street_address'], 'x_ship_to_city' => $order->delivery['city'], 'x_ship_to_state' => $order->delivery['state'], 'x_ship_to_zip' => $order->delivery['postcode'], 'x_ship_to_country' => $order->delivery['country']['title'], 'x_customer_ip' => $HTTP_SERVER_VARS['REMOTE_ADDR'], 'x_description' => 'Items from Our Coffee Barn', When the newer _aim code is this way. // Populate an array that contains all of the data to be submitted $submit_data = array( x_login => MODULE_PAYMENT_AUTHORIZENET_AIM_LOGIN, // The login name as assigned to you by authorize.net x_tran_key => MODULE_PAYMENT_AUTHORIZENET_AIM_TXNKEY, // The Transaction Key (16 digits) is generated through the merchant interface x_relay_response => 'FALSE', // AIM uses direct response, not relay response x_delim_data => 'TRUE', // The default delimiter is a comma x_version => '3.1', // 3.1 is required to use CVV codes x_type => MODULE_PAYMENT_AUTHORIZENET_AIM_AUTHORIZATION_TYPE == 'Authorize' ? 'AUTH_ONLY': 'AUTH_CAPTURE', x_method => 'CC', //MODULE_PAYMENT_AUTHORIZENET_AIM_METHOD == 'Credit Card' ? 'CC' : 'ECHECK', x_amount => number_format($order->info['total'], 2), x_card_num => $_POST['cc_number'], x_exp_date => $_POST['cc_expires'], x_card_code => $_POST['cc_cvv'], x_email_customer => MODULE_PAYMENT_AUTHORIZENET_AIM_EMAIL_CUSTOMER == 'True' ? 'TRUE': 'FALSE', x_email_merchant => MODULE_PAYMENT_AUTHORIZENET_AIM_EMAIL_MERCHANT == 'True' ? 'TRUE': 'FALSE', x_cust_id => $_SESSION['customer_id'], x_invoice_num => $new_order_id, x_first_name => $order->billing['firstname'], x_last_name => $order->billing['lastname'], x_company => $order->billing['company'], x_address => $order->billing['street_address'], x_city => $order->billing['city'], x_state => $order->billing['state'], x_zip => $order->billing['postcode'], x_country => $order->billing['country']['title'], x_phone => $order->customer['telephone'], x_email => $order->customer['email_address'], x_ship_to_first_name => $order->delivery['firstname'], x_ship_to_last_name => $order->delivery['lastname'], x_ship_to_address => $order->delivery['street_address'], x_ship_to_city => $order->delivery['city'], x_ship_to_state => $order->delivery['state'], x_ship_to_zip => $order->delivery['postcode'], x_ship_to_country => $order->delivery['country']['title'], x_description => $description, What is the difference between $_POST and $cc_array ? I too am getting a lesson in payment modules! Quote Life Is Too Short, Enjoy Your Coffee! Pete Link to comment Share on other sites More sharing options...
Iggy Posted December 10, 2006 Share Posted December 10, 2006 (edited) With some finagling can we pass this value to the db? Where does the db insert take place? Just keeping some notes :) The db insert happens in /includes/classes/order.php Specifically $this->info = array('currency' => $order['currency'], 'currency_value' => $order['currency_value'], 'payment_method' => $order['payment_method'], 'cc_type' => $order['cc_type'], 'cc_owner' => $order['cc_owner'], 'cc_number' => $order['cc_number'], 'cc_expires' => $order['cc_expires'], using values passed into it from /includes/modules/payment/authorizenet_aim.php function process_button() { // Hidden fields on the checkout confirmation page $process_button_string = tep_draw_hidden_field('cc_owner', $_POST['authorizenet_aim_cc_owner']) . tep_draw_hidden_field('cc_expires', $this->cc_expiry_month . substr($this->cc_expiry_year, -2)) . tep_draw_hidden_field('cc_type', $this->cc_card_type) . tep_draw_hidden_field('cc_number', $this->cc_card_number); if (MODULE_PAYMENT_AUTHORIZENET_AIM_USE_CVV == 'True') { $process_button_string .= tep_draw_hidden_field('cc_cvv', $_POST['authorizenet_aim_cc_cvv']); } A little above function process_button there's // Display Credit Card Information on the Checkout Confirmation Page function confirmation() { global $_POST; if (MODULE_PAYMENT_AUTHORIZENET_AIM_USE_CVV == 'True') { $confirmation = array(//'title' => MODULE_PAYMENT_AUTHORIZENET_AIM_TEXT_CATALOG_TITLE, // Redundant 'fields' => array(array('title' => MODULE_PAYMENT_AUTHORIZENET_AIM_TEXT_CREDIT_CARD_TYPE, 'field' => $this->cc_card_type), array('title' => MODULE_PAYMENT_AUTHORIZENET_AIM_TEXT_CREDIT_CARD_OWNER, 'field' => $_POST['authorizenet_aim_cc_owner']), array('title' => MODULE_PAYMENT_AUTHORIZENET_AIM_TEXT_CREDIT_CARD_NUMBER, 'field' => substr($this->cc_card_number, 0, 4) . str_repeat('X', (strlen($this->cc_card_number) - 8)) . substr($this->cc_card_number, -4)), array('title' => MODULE_PAYMENT_AUTHORIZENET_AIM_TEXT_CREDIT_CARD_EXPIRES, 'field' => strftime('%B, %Y', mktime(0,0,0,$_POST['authorizenet_aim_cc_expires_month'], 1, '20' . $_POST['authorizenet_aim_cc_expires_year']))), array('title' => MODULE_PAYMENT_AUTHORIZENET_AIM_TEXT_CVV, 'field' => $_POST['authorizenet_aim_cc_cvv']))); where the card is munged for display on the confirmation page. So I'm thinking it should be possible to name another variable in function process button to pass the munged CC number to the database instead of the real one while letting the real one get passed to curl for processing. Am I off the reservation here? Comments appreciated! Iggy Edited December 10, 2006 by Iggy Quote Everything's funny but nothing's a joke... Link to comment Share on other sites More sharing options...
Iggy Posted December 10, 2006 Share Posted December 10, 2006 (edited) Why is the code worded like this on the old versions? The array seemed to not store the data. What is the difference between $_POST and $cc_array ? I too am getting a lesson in payment modules! This may or may not be helpful. 1. Don't know 2. $_POST is used for posting strings and $cc_array (and everything it encompasses) is the string that would be posted Or did I misunderstand the question? Iggy Edited December 10, 2006 by Iggy Quote Everything's funny but nothing's a joke... Link to comment Share on other sites More sharing options...
Iggy Posted December 10, 2006 Share Posted December 10, 2006 (edited) Hmmm again, So poking around in contributions I found Credit Card Encryption which does some nifty things; mostly it shows the way to plopping your own function into checkout_process (which, BTW, means my posts above are pretty much irrelevant). Quick and dirty In checkout_process.php around line 57 just after $order_totals = $order_total_modules->process(); add $cc_new_value = substr($HTTP_POST_VARS['cc_number'], 0, 4) . str_repeat('X', (strlen($HTTP_POST_VARS['cc_number']) - 8)) . substr($HTTP_POST_VARS['cc_number'], -4); and around line 92 replace 'cc_number' => $order->info['cc_number'], with 'cc_number' => $cc_new_value, and walla 4111XXXXXXXX1111 in orders :) Now wrap the above in a conditional to check for whether you're using authnet or not and that should be the fix. If you're only using authnet and no other payment modules or you want to ensure you neveer eveer store cc numbers you don't have to bother. Thanks to JTHLA504 for showing the way. And would someone run this on a live AuthNet account to confirm? Thanks, Iggy Edited December 10, 2006 by Iggy Quote Everything's funny but nothing's a joke... Link to comment Share on other sites More sharing options...
Iggy Posted December 10, 2006 Share Posted December 10, 2006 OK, the above works fine with Authnet in test mode (confirmation emails are recieved) and I get what I expect in the admin 4007XXXXX0027 Someone want to confirm it's workability please? Thanks, Iggy Quote Everything's funny but nothing's a joke... Link to comment Share on other sites More sharing options...
♥Vger Posted December 10, 2006 Author Share Posted December 10, 2006 Iggy - if you wish to talk to yourself could you please do it offline? I get an email confirmation of every post made in this thread and you're filling up my Inbox. Vger Quote Link to comment Share on other sites More sharing options...
Iggy Posted December 11, 2006 Share Posted December 11, 2006 Iggy - if you wish to talk to yourself could you please do it offline? I get an email confirmation of every post made in this thread and you're filling up my Inbox. Vger Just thought I was working the problem there as best I could Vger. Are you inviting me to only post when I know the answer definitively to a speculative question? Or not at all? Iggy Quote Everything's funny but nothing's a joke... Link to comment Share on other sites More sharing options...
ValleyRoaster Posted December 11, 2006 Share Posted December 11, 2006 OK, the above works fine with Authnet in test mode (confirmation emails are recieved) and I get what I expect in the admin 4007XXXXX0027 Someone want to confirm it's workability please? Thanks, Iggy Sorry Vger for all the posts but I sure liked having Iggy do some leg work for us out here! Iggy I just did the full package of the Credit Card Encryption and one test run with it in live mode with one of my own cards and it worked just fine! card number is encrypted in my orders table in my database! Now I am going to encrypt them all. At the same time someone else checked out with Paypal IPN and that worked also! Quote Life Is Too Short, Enjoy Your Coffee! Pete Link to comment Share on other sites More sharing options...
♥Vger Posted December 11, 2006 Author Share Posted December 11, 2006 Iggy - when you've got something to say that's fine, but most of your recent posts have been "thinking out loud" type of posts - and it's those that I don't want clogging up my Inbox. Vger Quote Link to comment Share on other sites More sharing options...
Iggy Posted December 11, 2006 Share Posted December 11, 2006 Iggy - when you've got something to say that's fine, but most of your recent posts have been "thinking out loud" type of posts - and it's those that I don't want clogging up my Inbox. Vger I would have been happy to have been schooled on why any of those wouldn't work and that was why I posted them. But I get what you're after. Iggy Quote Everything's funny but nothing's a joke... Link to comment Share on other sites More sharing options...
mrbones Posted December 11, 2006 Share Posted December 11, 2006 Is this module safe to use? I'm setting up this shopping cart for the first time for a client and they need an Authorize.net gateway. I'm sure you'll all slam me for this, but I don't see how I can use this shopping cart for a national client with all these problems or potential problems. When something like this arises I can't just come on here and plead for a fix and get one a few days later. I'd lose my job. I'll gladly pay for a shopping cart that works and has some support. If I was using it for my own website, then maybe. Then I'd only have myself to answer to, but when it's a client, it'll just equal bad news. Good luck guys. Quote Link to comment Share on other sites More sharing options...
♥Vger Posted December 11, 2006 Author Share Posted December 11, 2006 The problem is - you can't use any Shopping Cart software for "a client" unless you yourself are prepared to put the time in and learn how to fix things for yourself. If you don't know how to fix things then what service are you actually selling to them? You really can't expect to sell a client software which is freely available and then pop along here and ask other people to sort out problems for you for free. Paid-for shopping cart software is fairly rare, and good support for paid software is even rarer. The only solution is to choose one particular piece of shopping cart software and then spend the time to learn how it works, what any potential problems are, and how to fix them. Once you have those skills you can charge your clients accordingly. Vger I'm sure you'll all slam me for this, but I don't see how I can use this shopping cart for a national client with all these problems or potential problems. When something like this arises I can't just come on here and plead for a fix and get one a few days later. I'd lose my job. I'll gladly pay for a shopping cart that works and has some support. If I was using it for my own website, then maybe. Then I'd only have myself to answer to, but when it's a client, it'll just equal bad news. Good luck guys. Quote Link to comment Share on other sites More sharing options...
♥Vger Posted December 11, 2006 Author Share Posted December 11, 2006 Encrypting credit card data in the database does not meet the legal requirements, because you're still storing cedit card data there. And if someone manages to access the osC admin panel then they can access the credit card data in its unencrypted format. This would be the easiest way of gaining access to the credit card data from the database in its unencrypted format because the admin panel is the least secure area - even with password protection.. The only solution is to remove these entries from both checkout_process and includes/classes/order.php: 'cc_type' => $order->info['cc_type'], 'cc_owner' => $order->info['cc_owner'], 'cc_number' => $order->info['cc_number'], 'cc_expires' => $order->info['cc_expires'], Vger I would have been happy to have been schooled on why any of those wouldn't work and that was why I posted them. But I get what you're after. Iggy Quote Link to comment Share on other sites More sharing options...
Iggy Posted December 11, 2006 Share Posted December 11, 2006 Encrypting credit card data in the database does not meet the legal requirements, because you're still storing cedit card data there. And if someone manages to access the osC admin panel then they can access the credit card data in its unencrypted format. This would be the easiest way of gaining access to the credit card data from the database in its unencrypted format because the admin panel is the least secure area - even with password protection.. The only solution is to remove these entries from both checkout_process and includes/classes/order.php: 'cc_type' => $order->info['cc_type'], 'cc_owner' => $order->info['cc_owner'], 'cc_number' => $order->info['cc_number'], 'cc_expires' => $order->info['cc_expires'], Vger Valid as well. If you look at what I posted it actually zaps the middle 8 numbers using the same setup as the CC display on checkout confirmation; which is what I was after. You could just null the value in checkout_process too 'cc_number' => $order->info['cc_number'], Iggy Quote Everything's funny but nothing's a joke... Link to comment Share on other sites More sharing options...
♥Vger Posted December 11, 2006 Author Share Posted December 11, 2006 I'm not 100% sure this will work, but it appears to on an offline installation of a default osCommerce website. Access the db using phpMyAdmin, go to the 'orders' table and set the four cc_ entries to varchar(0) Vger Quote Link to comment Share on other sites More sharing options...
apple8500 Posted December 11, 2006 Share Posted December 11, 2006 I'm using the latest version of the AIM module, posted by bokeeffe on August 23. (I was using the more recent version and encountered the bug with CVV codes beginning in 0, so I have rolled my installation back to this version.) I'm experiencing a problem when customers checkout using a coupon code: the total amount on checkout_payment.php displays correctly, as does the total that appears in admin/orders.php and in the email that's sent to the customer, but the amount that's transmitted to Authorize.net is incorrect and doesn't include the coupon discount! My CCGV installation is the latest package posted on 11/7/06 by mauriziomagnino, with the fix posted on 11/28. Both available here: http://www.oscommerce.com/community/contributions,282 Any suggestions? Thanks. Quote Link to comment Share on other sites More sharing options...
♥Vger Posted December 11, 2006 Author Share Posted December 11, 2006 The last post in that thread for CCGV by mauriziomagnino (deleted at my request) was to tell people to use CCGV(trad) instead, because it works, and directing people to the CCGV(trad) support thread. This was after he had been responsible for 6 out of the last 7 updates to CCGV himself - not exactly inspiring. The reason I had his post deleted, flattering though it was, was because of all of the people who were coming to my support thread for CCGV(trad) for help with CCGV - which is in a mess. This is my roundabout way of saying "uninstall CCGV and install CCGV(trad) in its place". Vger Quote Link to comment Share on other sites More sharing options...
apple8500 Posted December 11, 2006 Share Posted December 11, 2006 Great, thanks for the clarification! I'm gradually learning the ropes. The last post in that thread for CCGV by mauriziomagnino (deleted at my request) was to tell people to use CCGV(trad) instead, because it works, and directing people to the CCGV(trad) support thread. This was after he had been responsible for 6 out of the last 7 updates to CCGV himself - not exactly inspiring. The reason I had his post deleted, flattering though it was, was because of all of the people who were coming to my support thread for CCGV(trad) for help with CCGV - which is in a mess. This is my roundabout way of saying "uninstall CCGV and install CCGV(trad) in its place". Vger Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.