AndrewRavenwood Posted August 23, 2012

Hi, This morning I found that an order had been placed on the site and that the 'person' making the order had not made payment through PayPal - currently the only means to make a payment on this shop. I was initially suspect when I looked at the address, which doesn't seem to be valid. How is it possible to place the order without any record of it appearing in PayPal? Is this something that I can prevent? Is there potentially a loophole here, I dunno! Any words of wisdom from the more experienced? Opinions?

Praful Kamble Posted August 23, 2012

@@AndrewRavenwood There is a possibility if someone comes directly to the order confirmation page by manually punching the URL into the browser. Which osC version are you using?

Like post..hit LIKE button. osCommerce | Joomla | WordPress | Magento | SEO | CakePHP | CI Guaranteed Website Speed Optimization!!

AndrewRavenwood Posted August 23, 2012

@@Praful Kamble Using version 2.3.1. I will have to try that myself to see if it's possible.

DogFoodIT Posted August 27, 2012

@@AndrewRavenwood I think from memory if you bail on the PayPal screen the order will still be placed in your shop. Have a look at your PayPal settings; you may need to create a new order status for unpaid PayPals. This is what I did, so if I get a customer who does not complete the PayPal checkout, the order will sit in "Awaiting PayPal Payment" status. Cheers.

MrPhil Posted August 27, 2012

Read these and see if they explain anything:
www.oscommerce.com/forums/topic/387591-checkout-confirmation-exploit-with-opera/
and
http://www.oscommerce.com/forums/topic/388544-security-issue-possible-to-purchase-without-payment/

AndrewRavenwood Posted August 28, 2012

Thanks for the responses. @@DogFoodIT - I will do that; it should be simple enough. @@MrPhil Thanks for the link, seems like others have faced this before and there appears to be a fix linked to on the thread link that you provided.

AndrewRavenwood Posted October 24, 2012

Quick update: Over the time that the shop has been running we have had a couple of these events. An order comes in but no payment is received. Yesterday I was using my 'fake' customer to check out some layout issues in the checkout process but did not proceed to PayPal as this was not a requirement of my testing. Later in the evening I noticed that the system had registered this as a confirmed order in exactly the same manner as the previous ones, therefore I can only assume that the previous 'fake' orders registered by the system were in fact potential customers who for whatever reason had decided not to continue with their order. To my mind I have encountered a bug which, although causing initial confusion, seems to be fairly harmless and not, as originally thought, an attempt by someone to bypass the payment step.

MrPhil Posted October 25, 2012

I would call it a bug if a customer can bail out at some point during (before?) the payment, yet it's still recorded as a sale elsewhere in the store. You wouldn't want to ship to them without having received a payment! If you can give the exact configuration (osC level, add-ons installed, PayPal service used, etc.) and where quitting causes this fake sale, I'm sure it would be useful information to the developers.

I seem to recall hearing about a problem where customers were successfully making payments (via PayPal) yet the order was not showing up. This was traced to an incorrect configuration where PayPal was not returning to the correct place in the program flow after OKing the payment received. It's kind of a mirror image of your problem, but maybe it will give a clue?

Guest Posted October 25, 2012

@@AndrewRavenwood This was a known issue with v2.2 RC2a using PayPal standard where the customer would close the browser after they were redirected to PayPal to make payment. osCommerce would post the information prior to redirecting the customer and if the customer didn't return, you ended up with an order and no payment. With a CERT for PayPal Standard or an API for PayPal Express, that issue is eliminated.

Chris

AndrewRavenwood Posted October 25, 2012

@@DunWeb It's interesting that it was a known issue in a previous version. It appears to still be an ongoing issue if my experience is anything to go by, as this particular install is version 2.3 and of course does have a PayPal generated certificate, although I can't see that causing the issue if the customer doesn't get as far as the PayPal redirect. I am considering updating the install to the latest version, but since a great deal of the site is heavily modified with many custom modules it may cause more problems than it solves.

MrPhil Posted November 11, 2012

It sounds like osC needs some code to check if payment was made, and if (apparently) not, to flag the order for further investigation (what does PayPal record), and possibly query (email the customer asking if they completed the order or bailed out). It shouldn't leave things hanging like this (post that the purchase is complete, before payment returns as complete).

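[Added example, not part of the original thread and not osCommerce code] A minimal sketch of the payment check suggested in the post above: reconcile the shop's order records against the payment processor's notifications before anything ships. It goes slightly beyond the thread by also flagging amount mismatches and the "mirror image" case of a payment with no order. The order field names and all sample records are constructed assumptions; the payment field names follow PayPal's notification variables (`invoice`, `payment_status`, `mc_gross`, `mc_currency`).

```python
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed sample orders; field names are assumptions, not osCommerce's schema.
ORDERS = [
    {"order_id": 101, "total": "49.90", "currency": "GBP", "placed": "2012-10-23 09:15:00"},
    {"order_id": 102, "total": "20.00", "currency": "GBP", "placed": "2012-10-23 18:40:00"},
    {"order_id": 103, "total": "75.00", "currency": "GBP", "placed": "2012-10-23 19:05:00"},
    {"order_id": 104, "total": "12.50", "currency": "GBP", "placed": "2012-10-24 11:58:00"},
]
# Constructed payment notifications, tied to orders through the "invoice" value.
PAYMENTS = [
    {"txn_id": "TXN-A", "invoice": "101", "payment_status": "Completed", "mc_gross": "49.90", "mc_currency": "GBP"},
    {"txn_id": "TXN-B", "invoice": "103", "payment_status": "Completed", "mc_gross": "7.50", "mc_currency": "GBP"},
    {"txn_id": "TXN-C", "invoice": "999", "payment_status": "Completed", "mc_gross": "30.00", "mc_currency": "GBP"},
]

def reconcile(orders, payments, now, grace=timedelta(hours=1)):
    """Return {order_id or 'txn:<id>': verdict}. Only 'paid' is safe to ship."""
    completed = {}
    for p in payments:
        if p["payment_status"] == "Completed":
            completed.setdefault(p["invoice"], []).append(p)
    verdicts = {}
    for o in orders:
        matches = completed.pop(str(o["order_id"]), [])
        placed = datetime.strptime(o["placed"], "%Y-%m-%d %H:%M:%S")
        if not matches:
            # The customer may still be on the payment page: flag only after the grace period.
            verdicts[o["order_id"]] = "unpaid" if now - placed > grace else "awaiting_payment"
        elif any(Decimal(p["mc_gross"]) == Decimal(o["total"])
                 and p["mc_currency"] == o["currency"] for p in matches):
            verdicts[o["order_id"]] = "paid"
        else:
            # A payment exists, but not for the amount or currency the shop recorded.
            verdicts[o["order_id"]] = "amount_mismatch"
    # Completed payments left over match no order: the mirror-image problem.
    for leftover in completed.values():
        for p in leftover:
            verdicts["txn:" + p["txn_id"]] = "payment_without_order"
    return verdicts

if __name__ == "__main__":
    for key, verdict in reconcile(ORDERS, PAYMENTS, datetime(2012, 10, 24, 12, 0)).items():
        print(key, verdict)
```

Run on a schedule, the "unpaid" verdicts are the orders to move to a holding status and restock, and anything other than "paid" should block shipping.
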
Guest Posted November 15, 2012

I see the same problem in my 2.3.1 store all the time. As soon as someone lands on the checkout confirmation page, but then leaves, the shop registers an order and takes stock out of inventory. I work around it in the way suggested by DogfoodIT. It is a damn nuisance, but I am aware of the problem so it does no harm.

♥14steve14 Posted November 15, 2012

I too had a few problems like this, but the order status was not changed to an actual order status where I ship products. I think it was still at PayPal pending. I just ignore these and cancel the order, restocking the cart quantities.

REMEMBER BACKUP, BACKUP AND BACKUP

Archived
This topic is now archived and is closed to further replies.