This topic is now archived and is closed to further replies.

NodsDorf

Have you seen a quote -> " <- Break An Order Before?

We just had a couple orders get charged (Auth.net) but not added to the OSC order history. While that is something I have seen happen many times before with PayPal, I have never seen it happen with Auth.net. The only odd thing about this was the customer had a company name like Bob"s Restoration, in which he used the double quote > " < instead of the single quote > ' <.

I scanned my last 3 years' worth of customers and not a single other case of a person using the " in the company name, nor do we show any other charges not able to be matched with orders. The only commonality is that both the orders were the same customer, and both had the company name with the double quote in it. I have to wonder, has anybody seen this happen before due to the double quote?

If the double quotes are causing the error you should just add a PHP function to strip away the quotes from the field prior to using it.

$string = str_replace('"', '', $string);

Hi llchy, thanks for the comment. I'm just not sure that is the case; I am able to process a test order with a company name that contains a " using the Payment At Store option. I guess I need to run a credit card through Auth.net with a company name containing a quote to be sure the " is the problem.

I was asking just to see if others had noticed this as a potential issue.

Just wanted to confirm this as a bug:

If a customer has a double quote in their company name the order will still be processed at auth.net but will not generate an order at your store.

Today:

I ran our credit card using a company name containing a ". Once again the payment was accepted by Auth.net but we received no order, and the checkout_payment.php throws an error.

This of course will likely cause the customer to try again, getting charged yet again with no order. It could potentially make your company look very bad once a person sees these charges posted to their credit cards.

 

I'll post a fix as soon as I confirm one.

It's not a bug, just incorrect code. You need to add the addslashes function to wherever that name is being loaded into the database like,

addslashes($product_info['products_name'])

One could argue it is a bug since it has nothing to do with anything I changed from the vanilla 2.3.1 code.

 

Here is the stock code....

create_account.php & address_book_process.php

if (ACCOUNT_COMPANY == 'true') $company = tep_db_prepare_input($HTTP_POST_VARS['company']);

 

Which calls this function

includes/functions/database.php

function tep_db_prepare_input($string) {
  if (is_string($string)) {
    return trim(tep_sanitize_string(stripslashes($string)));
  } elseif (is_array($string)) {
    reset($string);
    while (list($key, $value) = each($string)) {
      $string[$key] = tep_db_prepare_input($value);
    }
    return $string;
  } else {
    return $string;
  }
}

Which also calls this function

includes/functions/general.php

function tep_sanitize_string($string) {
  $patterns = array ('/ +/','/[<>]/');
  $replace = array (' ', '_');
  return preg_replace($patterns, $replace, trim($string));
}

 

There is no vanilla removal of the " that I can see.

Try adding htmlspecialchars, I am not sure how that would affect other things.

 

return trim(tep_sanitize_string(stripslashes(htmlspecialchars($string))));

 

If what happens when paying with auth.net does not happen when paying COD (for example), then the issue is with auth (or the auth module), not the core code of osc surely?

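An added example, not part of the original thread or of osCommerce's code: it runs the sample company name from the first post through the three input-time changes suggested above, then shows the same raw value surviving intact when escaping is applied at each sink instead. The SQLite table `orders_demo` and the hidden-field markup are assumptions for illustration (the thread does not establish where the Auth.net checkout actually fails), and the script needs the pdo_sqlite and dom extensions.

```php
<?php
// Constructed sample input, modelled on the company name described in the thread.
$company = 'Bob"s Restoration';

// What each suggestion from the thread does to the value at input time.
$suggestions = [
    'str_replace'      => str_replace('"', '', $company),
    'addslashes'       => addslashes($company),
    'htmlspecialchars' => htmlspecialchars($company),
];
foreach ($suggestions as $name => $value) {
    printf("%-17s %s\n", $name, $value);
}

// Sink 1 (assumed): a SQL insert. A bound parameter stores the raw value
// unchanged, so nothing has to be stripped or pre-escaped on input.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders_demo (company TEXT)');
$db->prepare('INSERT INTO orders_demo (company) VALUES (?)')->execute([$company]);
$stored = $db->query('SELECT company FROM orders_demo')->fetchColumn();
printf("stored unchanged: %s\n", var_export($stored === $company, true));

// Sink 2 (assumed): an HTML hidden field that is posted on to a gateway.
// Without escaping, the double quote closes the attribute early.
$prefix    = '<input type="hidden" name="company" value="';
$unescaped = $prefix . $company . '">';
$escaped   = $prefix . htmlspecialchars($company, ENT_QUOTES, 'UTF-8') . '">';

// Parse both fields with an HTML parser and compare the value that
// would actually be submitted.
libxml_use_internal_errors(true); // the unescaped markup is malformed
foreach (['unescaped' => $unescaped, 'escaped' => $escaped] as $label => $html) {
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $input = $doc->getElementsByTagName('input')->item(0);
    printf("%-10s %s\n", $label, $input->getAttribute('value'));
}
```

Escaping for the specific sink (bound parameters for SQL, `htmlspecialchars` with `ENT_QUOTES` for HTML attributes) keeps the customer's original text, whereas the input-time changes alter what is stored and displayed everywhere.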