
osCommerce

Have you seen a quote -> " <- Break An Order Before?


NodsDorf


We just had a couple of orders get charged (Auth.net) but not added to the OSC order history. While that is something I have seen happen many times before with PayPal, I have never seen it happen with Auth.net. The only odd thing about this was that the customer had a company name like Bob"s Restoration, in which he used the double quote > " < instead of the single quote > ' <.

 

I scanned my last 3 years' worth of customers and found not a single other case of a person using the " in the company name, nor do we show any other charges not able to be matched with orders; the only commonality is that both orders were from the same customer, and both had the company name with the double quote in it. I have to wonder, has anybody seen this happen before due to the double quote?


Hi llchy, thanks for the comment. I'm just not sure that is the case, I am able to process a test order with a company name that contains a " using the Payment At Store option. I guess I need to run a credit card through Auth.net with a company name containing a quote to be sure the " is the problem.

 

I was asking just to see if others had noticed this as a potential issue.


Just wanted to confirm this as a bug:

If a customer has a double quote in their company name, the order will still be processed at auth.net but will not generate an order at your store.

 

Today:

I ran our credit card using a company name containing a "; once again the payment was accepted by Auth.net, but we received no order, and checkout_payment.php throws an error.

This of course will likely cause the customer to try again, getting charged yet again with no order. It could potentially make your company look very bad once a person sees these charges posted to their credit cards.

 

I'll post a fix as soon as I confirm one.


It's not a bug, just incorrect code. You need to add the addslashes function wherever that name is being loaded into the database, like:

addslashes($product_info['products_name'])


One could argue it is a bug since it has nothing to do with anything I changed from the vanilla 2.3.1 code.

 

Here is the stock code....

create_account.php & address_book_process.php

if (ACCOUNT_COMPANY == 'true') $company = tep_db_prepare_input($HTTP_POST_VARS['company']);

 

Which calls this function

includes/functions/database.php

function tep_db_prepare_input($string) {
  if (is_string($string)) {
    return trim(tep_sanitize_string(stripslashes($string)));
  } elseif (is_array($string)) {
    reset($string);
    while (list($key, $value) = each($string)) {
      $string[$key] = tep_db_prepare_input($value);
    }
    return $string;
  } else {
    return $string;
  }
}

Which also calls this function

includes/functions/general.php

function tep_sanitize_string($string) {
  $patterns = array('/ +/', '/[<>]/');
  $replace = array(' ', '_');
  return preg_replace($patterns, $replace, trim($string));
}

 

There is no vanilla removal of the " that I can see.


Try adding htmlspecialchars, I am not sure how that would affect other things.

 

return trim(tep_sanitize_string(stripslashes(htmlspecialchars($string))));

 

If what happens when paying with auth.net does not happen when paying COD (for example), then the issue is with auth (or the auth module), not the core code of osc surely?

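The two fixes proposed in this thread, addslashes in one reply and htmlspecialchars in the other, address different output contexts, and which one matters depends on where the company name ends up. The following is an added example written for this page; it is not osCommerce or Auth.net code. It copies the two stock helpers quoted above (with each() swapped for foreach so it runs on current PHP), and it assumes SQLite through PDO as a stand-in for MySQL plus constructed table, column and form field names. It shows that the stock helpers leave the double quote intact, that a bound parameter stores the value correctly in SQL regardless of how the literal is quoted, and that htmlspecialchars is what keeps the value whole inside an HTML attribute.

```php
<?php
// Added example written for this thread; it is not osCommerce or Auth.net
// code. The two tep_* helpers are copied from the stock 2.3.1 code quoted
// above; the table, column and form field names are constructed for the
// demonstration, and SQLite (via PDO) stands in for MySQL.

// Stock helper quoted above: collapses runs of spaces and replaces < and >.
function tep_sanitize_string($string) {
    $patterns = array('/ +/', '/[<>]/');
    $replace  = array(' ', '_');
    return preg_replace($patterns, $replace, trim($string));
}

// Stock helper quoted above, with each() replaced by foreach (each() was
// removed in PHP 8) so that the example runs on a current interpreter.
function tep_db_prepare_input($string) {
    if (is_string($string)) {
        return trim(tep_sanitize_string(stripslashes($string)));
    } elseif (is_array($string)) {
        foreach ($string as $key => $value) {
            $string[$key] = tep_db_prepare_input($value);
        }
    }
    return $string;
}

// Constructed sample input: the company name as the customer typed it.
$company = tep_db_prepare_input('Bob"s Restoration');

// (a) Neither helper touches the double quote, which matches the observation
// in the thread that the stock code does not remove it.
var_dump($company === 'Bob"s Restoration');

// (b) SQL context. If a module builds its INSERT by concatenating the value
// into a double-quoted literal, the first " in the data ends the literal and
// the statement fails. addslashes() papers over this only where the database
// honours backslash escapes (MySQL does, SQLite does not); a bound parameter
// works everywhere because the value never becomes part of the SQL text.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE address_book (id INTEGER PRIMARY KEY, entry_company TEXT)');

function insert_by_concatenation(PDO $db, $company) {
    try {
        $db->exec('INSERT INTO address_book (entry_company) VALUES ("' . $company . '")');
        return true;
    } catch (PDOException $e) {
        echo 'concatenated SQL failed: ', $e->getMessage(), PHP_EOL;
        return false;
    }
}

function insert_with_bound_parameter(PDO $db, $company) {
    $stmt = $db->prepare('INSERT INTO address_book (entry_company) VALUES (:company)');
    return $stmt->execute(array(':company' => $company));
}

var_dump(insert_by_concatenation($db, $company));
var_dump(insert_with_bound_parameter($db, $company));
var_dump($db->query('SELECT entry_company FROM address_book')->fetchColumn() === $company);

// (c) HTML attribute context. A payment module that echoes the value into a
// hidden form field has to escape it for HTML, which is what htmlspecialchars()
// does; unescaped, the " closes the attribute early and the field is truncated.
function hidden_field($name, $value, $escape) {
    $v = $escape ? htmlspecialchars($value, ENT_QUOTES, 'UTF-8') : $value;
    return '<input type="hidden" name="' . $name . '" value="' . $v . '">';
}

// Minimal attribute reader: takes the first quoted value= attribute, which is
// how a browser tokenizer delimits it, then decodes entities as a browser would.
function read_value_attribute($html) {
    preg_match('/value="([^"]*)"/', $html, $m);
    return html_entity_decode(isset($m[1]) ? $m[1] : '', ENT_QUOTES, 'UTF-8');
}

var_dump(read_value_attribute(hidden_field('x_company', $company, false)));
var_dump(read_value_attribute(hidden_field('x_company', $company, true)));
```

Run it with the PHP CLI (php example.php). The point for anyone chasing this report is that the fix belongs at the point of output, not in tep_db_prepare_input: escaping for SQL at input time (the addslashes route) corrupts the value for every other consumer, and htmlspecialchars applied at input time stores entities in the database. Escape for the database with bound parameters where the query is built, and escape for HTML where the value is written into the form.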

Archived

This topic is now archived and is closed to further replies.
