Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

PayPal_Shopping_Cart_IPN


devosc

Recommended Posts

This means you no longer have to specify the IPN url in your PayPal account profile.
But then this is a security problem? Since now the return path is printed in the code? Edited by djmonkey1

Do, or do not. There is no try.

 

Order Editor 5.0.6 "Ultra Violet" is now available!

For support or to post comments, suggestions, etc, please visit the Order Editor support thread.

Link to comment
Share on other sites

  • Replies 1.1k
  • Created
  • Last Reply

Top Posters In This Topic

which return path, if you mean the path the customer is returned to, well that existed anyway, but now with IPN you verify the transaction and prevent the customer from successfully checking out if the payment is invalid, pending, (or if there was a communications error whilst trying to verify thre transaction with PayPal), but at present the customer will still be able to checkout, but you will get an email telling you that either there was a communications error or you've been hacked.

 

In regard to the path to the catalog/ipn.php file, I posted earlier in this thread how to protect the file so that only PayPal can communicate with it.

"Any fool can know. The point is to understand." -- Albert Einstein

Link to comment
Share on other sites

I opened my paypal.php to insert the code mentioned earlier

$paypal_fields .= tep_draw_hidden_field('notify_url', tep_href_link('ipn.php', '', 'SSL'));

 

I found TWO sections where it says return $paypal_fields;

 

So which one do i insert the code:

 

      if(MODULE_PAYMENT_PAYPAL_METHOD == 2) {

        //Customer Order Details

        for ($i=0; $i<sizeof($order->products); $i++) {

          $index = $i+1;

          $paypal_fields .= tep_draw_hidden_field('item_name_'.$index, $order->products[$i]['name']).

          tep_draw_hidden_field('item_number_'.$index, $order->products[$i]['model']).

          tep_draw_hidden_field('quantity_'.$index, $order->products[$i]['qty']).

          tep_draw_hidden_field('amount_'.$index, number_format($order->products[$i]['final_price']* $currencies->get_value($my_currency),2));

          $paypal_fields .= tep_draw_hidden_field('tax_'.$index, number_format($order->info['tax'] * $currencies->get_value($my_currency),2));

          //Customer Specified Product Options: PayPal Max = 2

          if ($order->products[$i]['attributes']) {

            for ($j=0, $n=sizeof($order->products[$i]['attributes']); $j<2; $j++) {

              if($order->products[$i]['attributes'][$j]['option']){

                $paypal_fields .= $this->_drawPayPalOptionSet($j,$index,$order->products[$i]['attributes'][$j]['option'],$order->products[$i]['attributes'][$j]['value']);

              } else {

                $paypal_fields .= $this->_drawPayPalOptionSet($j,$index,' ',' ');

              }

            }

          } else {

            for ($j=0; $j<2; $j++) {

              $paypal_fields .= $this->_drawPayPalOptionSet($j,$index,' ',' ');

            }

          }

        }

      } else { //method 1

        $item_number;

        for ($i=0; $i<sizeof($order->products); $i++) {

          $item_number .= ' '.$order->products[$i]['name'].' ,';

        }

        $item_number = substr_replace($item_number,'',-1);

        $paypal_fields .= tep_draw_hidden_field('item_number', $item_number);

      }

      return $paypal_fields;

    }

 

    function _drawCustomerDetails(&$order) {

      //Customer Details - for those who haven't signed up to PayPal

      //Telephone is problematic so left out for now.

      $paypal_fields = tep_draw_hidden_field('email', $order->customer['email_address']) .

      tep_draw_hidden_field('first_name', $order->customer['firstname']) .

      tep_draw_hidden_field('last_name', $order->customer['lastname']) .

      tep_draw_hidden_field('address1', $order->customer['street_address']) .

      tep_draw_hidden_field('address2', '') .

      tep_draw_hidden_field('city', $order->customer['city']) .

      tep_draw_hidden_field('state', tep_get_zone_code($order->customer['country']['id'],$order->customer['zone_id'],$order->customer['zone_id'])) .

      tep_draw_hidden_field('zip', $order->customer['postcode']);

      //User Country Preference

      //Note: Anguilla[AI], Dominican Republic[DO], The Netherlands[NL] have different codes to the iso codes in the osC db

      $paypal_fields .= tep_draw_hidden_field('lc', $order->customer['country']['iso_code_2']);

      return $paypal_fields;

    }

 

 

Thanks

Link to comment
Share on other sites

In regard to the path to the catalog/ipn.php file, I posted earlier in this thread how to protect the file so that only PayPal can communicate with it.

Greg,

Can you please let me know the post number where you talk about protecting

ipn.php?

Thanks

bhawmik

Link to comment
Share on other sites

Hi Greg,

 

can you please clearify whether it is possible to set the auto-return URL in Paypal so that a customer gets redirected directly after payment to osCommerce?

 

My return URL in paypal is set to http://www.mydomain.com/catalog/checkout_process.php (mydomain.com is an example here). When i make a payment i can see a page from paypal which says it redirects me in 10 seconds back to the shop. The next page is blank, the order is not processed from within osCommerce but the payment is done i.e. i receive an email from paypal saying that i received the amount from a customer.

 

When i deactivate the Auto-Return 'Feature' from within Paypal, everything is fine except that the customer has to click a button to get back to the shop (orders are processed ok from both IPN and oscommerce).

 

I am a bit confused because i read from other people (like Cornelius for example) that the auto return feature does function with your contrib. I did also add:

 

      $paypal_fields .= tep_draw_hidden_field('notify_url', tep_href_link('ipn.php'));

 

to the function _getPayPalFields in /includes/modules/payment/paypal.php but from my understanding this has nothing to do with the new auto return ability in paypal but with the confirmation URL you had to set before using this new code.

 

I would be grateful if you could clearify this.

 

Thanks in advance,

Marcus

Link to comment
Share on other sites

I installed the PayPal_Shopping_Cart_IPN and when I click on

admin - customers - paypal IPN

I get this error:

 

Warning: main(includes/languages/english/paypal_ipn.php): failed to open stream: No such file or directory in /hsphere/local/home/*******/*********/admin/paypal_ipn.php on line 14

 

Warning: main(): Failed opening 'includes/languages/english/paypal_ipn.php' for inclusion (include_path='.:/usr/local/lib/php') in /hsphere/local/home/*******/********/admin/paypal_ipn.php on line 14

 

I am very new to all this stuff. Help?

Link to comment
Share on other sites

bhawmik, page 5

 

mattwho, looks like you didn't upload the language file into directory: admin/includes/english/

 

marcmerz,

At present the automatic return does not work as intended, because you end up with to orders, one created by the IPN and the second when the customer returns to the site.

 

The IPN that the customer would normally bring with them when they return is not included in the automatic redirect process, and osC is allowing the checkout process to proceed, this can be sorted out because if an extra parameter is added to the return url then when they return to the site if this parameter exists then the order process can be skipped and the customer taken to the checkout_success page. Because the IPN received actually generates the order.

 

But all this more clearly exposes the security hole in using 3rd party payment gateways, but with IPayPal's PN it is possible to immediatly verify the transaction authenticity when the customer returns to the site, unfortunately at present this does mean that the customer must click the continue button.

 

Quick 2 Step Auto-Return Work Around Fix

This will simply skip the order process and redirect the customer to checkout_sucess.php (assuming that the PayPal independent IPN is successfully sent and received).

 

In catalog/includes/modules/payment/paypal.php

[1] Find

} else {
 //PayPal did not authorize this transaction or there may have been problems
 //communicating with them, If there were no communication problems then someone is
 //trying a blatant hack, so send the store owner msg to that effect and let the
 //them continue as per default osC scenario
 $msg = "A transaction occured but PayPal did not verify it, this could be due to a "
 ."communications error, but it could also be an attempted hack.\r\n"
 ."Customer $customer_id, {$order->customer['firstname']} {$order->customer['lastname']} has been "
 ."allowed to continue their order.\r\n"
 ."Please Check Your PayPal account.\r\n\r\n";
 $ipn->send_email('Invalid Customer Transaction',$msg);
 unset($msg);
 return false;
}

and replace with

} else if (isset($HTTP_GET_VARS['refer']) && $HTTP_GET_VARS['refer'] == 'paypal') {
 $cart->reset(true);
 // unregister session variables used during checkout
 tep_session_unregister('sendto');
 tep_session_unregister('billto');
 tep_session_unregister('shipping');
 tep_session_unregister('payment');
 tep_session_unregister('comments');
 tep_redirect(tep_href_link(FILENAME_CHECKOUT_SUCCESS, '', 'SSL'));
} else {
 //PayPal did not authorize this transaction or there may have been problems
 //communicating with them, If there were no communication problems then someone is
 //trying a blatant hack, so send the store owner msg to that effect and let the
 //them continue as per default osC scenario
 $msg = "A transaction occured but PayPal did not verify it, this could be due to a "
 ."communications error, but it could also be an attempted hack.\r\n"
 ."Customer $customer_id, {$order->customer['firstname']} {$order->customer['lastname']} has been "
 ."allowed to continue their order.\r\n"
 ."Please Check Your PayPal account.\r\n\r\n";
 $ipn->send_email('Invalid Customer Transaction',$msg);
 unset($msg);
 return false;
}

[2] Find

$paypal_fields .= tep_draw_hidden_field('return', tep_href_link(FILENAME_CHECKOUT_PROCESS, '', 'SSL')) .

and replace with

$paypal_fields .= tep_draw_hidden_field('return', tep_href_link(FILENAME_CHECKOUT_PROCESS, 'refer=paypal', 'SSL')) .

Edited by gregbaboolal

"Any fool can know. The point is to understand." -- Albert Einstein

Link to comment
Share on other sites

Some things should be mentioned about the Auto-Return Work Around.

[1] Because the current state of this contribution only accepts 'Completed' transactions, i.e . the money was successfully transfered from the customers account to your account, the above fix will not generate an order when the payment is 'Pending', but it didn't do this in the first place anyway - and I have not seen any comments about Pending payments in the thread so far.

 

[2] One reason for still using the IPN methodology is because of the transaction details provided by PayPal of the customer.

 

[3] If PayPal are unable to send the IPN asap (they try over a period of four days, then some confusion might occur if the customer then trys to view their account order history.

But so far, I have not noticed any problems with the turn around time of PayPal's IPN, before I was assuming that the IPN was actually being sent prior to the customer clicking the PayPal 'continue' button etc...

"Any fool can know. The point is to understand." -- Albert Einstein

Link to comment
Share on other sites

Greg,

 

thank you very much for your quick response and your detailed instructions. I did the changes you mentioned (with the auto return feature being activated in paypal) and just tried another purchase:

 

1. For payment the customer is directed to Paypal

2. He logs in to Paypal and clicks on 'Pay'

3. He gets to a screen which tells him that he will be redirected back to the originating website.

4. The redirect does in fact happen with your amended URL (i.e. not the same url like given in the paypal setting on their website but with the URL from tep_draw_hidden_field('return', tep_href_link(FILENAME_CHECKOUT_PROCESS, 'refer=paypal', 'SSL')) and the ?refer=paypal is in the URL which means that the setting on the paypal is overruled by the 'return' field (as expected).

 

Nevertheless:

1. the browser gives a blank page and i do not get back to the shop.

2. i still have the product in my shopping cart when i go to the shop afterwards (manually) which means that the cart did not get reset.

3. i did not receive an IPN which also explains that

4. i do not have any order showing on the admin side from oscommerce and

5. The shop _does_ receive an email from paypal saying that paypal confirms a payment (with all transaction details).

 

Weird.

 

When i deactivate the auto-return feature on the paypal website and click on the continue button on the second page after payment is done, i get redirected (again with the url we defined in the 'return' variable) and everything is fine.

 

To me it seems that there is something wrong with the meta-refresh on paypals side. I just do not understand that the auto-return feature seems to function with some people (i.e. Cornelius) unless i misunderstood his posting concerning this fact.

 

Regards,

Marcus

Link to comment
Share on other sites

Marcus,

I really need get round to updating the contrib, I think your problem is because of the exit statements, in the catalog/includes/classes/paypal/ipn.php class constructor:

function paypal_ipn($email,$post_vars='',$session_id,$debug='0')

Find the exit statements and remove or comment them out. Logically these exits should not be occuring with a vaild PayPal IPN, but I might be overlooking something, and others have reported similar problems which seemed to of been resolved by the above suggestion.

Edited by gregbaboolal

"Any fool can know. The point is to understand." -- Albert Einstein

Link to comment
Share on other sites

Marcus,

I really need get round to updating the contrib, I think your problem is because of the exit statements, in the catalog/includes/classes/paypal/ipn.php class constructor:

function paypal_ipn($email,$post_vars='',$session_id,$debug='0')

Find the exit statements and remove or comment them out. Logically these exits should not be occuring with a vaild PayPal IPN, but I might be overlooking something, and others have reported similar problems which seemed to of been resolved by the above suggestion.

Greg,

 

You are a STAR !!!

 

That was exactly it.

 

I got redirected to the website, i have a order showing in the admin area, i got an confirmation email from paypal, but

 

I did not receive an IPN (at least there is none showing in the admin area for this order).

 

I guess this is because of the adjustment i made like you said. I will try to reverse the changes from your 'Quick 2 Step Auto-Return Work Around Fix' and see whether just by commenting out the exit statements in funtion paypal_ipn i do get redirected (including valid order processing via IPN) as well.

 

Regards,

Marcus

Link to comment
Share on other sites

Actually reversing the changes does not help for the IPN. Everything worked like before but i do not receive any IPN anymore. Give it some time. I will either use the way with your Quick 2 Step fix and auto return on the paypal website being active accepting the fact that orders are processed fine but not receiving IPN's or (what i prefer) to deactivate the auto return feature for the moment and being able to receive IPN. To me this second option seems to be more safe because

 

1. You have instant confirmation about the payment status because of the IPN and

2. The processing in osCommerce is ok (IPN together with the order)

 

The worst case is, that the customer is not returning to the website because he does not click on continue. But the order processing and payment notification is not influenced by that (i.e. you are ok).

 

Thanks for your time and have a nice weekend.

 

Best regards,

Marcus

Link to comment
Share on other sites

Have you adjusted any of the session setting in the admin section, if so this would cause the IPN not to be stored, the whole point is that it should and does with the deafult settings (all false).

 

To skip the sessions detection stuff for the independent PayPal - osC IPN look in application_top.php

 

in the latter part of the file you will see the session detection statements, wrap each one around with the following IF statement:

 

if (substr(basename($PHP_SELF), '', -4) != 'ipn' ) {

Code.....

}

"Any fool can know. The point is to understand." -- Albert Einstein

Link to comment
Share on other sites

Please disregard my last post and see this one:

 

Actually reversing the changes does not help for the IPN.

 

Even worse: The order details are completely screwed up and you do not receive an IPN but i guess you already knew this. You said before, that paypal is not including any post data when using its meta-refresh.

 

The order is now from root1 root1 with these details:

 

root1 root1

1 Way Street

NeverNever, California 12345

United States

 

and an email adress being [email protected]

 

So, where are we(?)

 

a) I will either use the way with your Quick 2 Step fix and auto return on the paypal website being active accepting the fact that orders are processed fine but not receiving IPN's or (what i prefer)

B) to deactivate the auto return feature for the moment and being able to receive IPN's again.

 

To me this second option seems to be more safe because

 

1. You have instant confirmation about the payment status because of the IPN and

2. The processing in osCommerce is ok (IPN together with the order)

 

The worst case is, that the customer is not returning to the website because he does not click on continue. But the order processing and payment notification is not influenced by that (i.e. you are ok).

 

Thanks for your time and have a nice weekend.

 

Best regards,

Marcus

Link to comment
Share on other sites

Also, make your in your PayPal account you have a tick in the checkbox to enable IPN, you don't need to specify a url. At first it might complain that you need to specify a valid url, but delete the http:// bit and save. Basically (it seems) you should have it switched on and you don't need a url speficied.

"Any fool can know. The point is to understand." -- Albert Einstein

Link to comment
Share on other sites

Marcus, you shouldn't be having any problems, verify the above (including your PayPal account profile).

 

I assume all the admin/configuration/session settings are false.

 

See what happens.

 

BTW, root1 one was me B) I wanted to see what was happening. so you would not of received an IPN for those transaction(s?).

 

Also check your email; The contrib is in full debug mode by default, so you should at least be getting some feedback even if the IPN is not stored.

Edited by gregbaboolal

"Any fool can know. The point is to understand." -- Albert Einstein

Link to comment
Share on other sites

Have you adjusted any of the session setting in the admin section, if so this would cause the IPN not to be stored, the whole point is that it should and does with the deafult settings (all false).

 

To skip the sessions detection stuff for the independent PayPal - osC IPN look in application_top.php

 

in the latter part of the file you will see the session detection statements, wrap each one around with the following IF statement:

 

if (substr(basename($PHP_SELF), '', -4) != 'ipn' ) {

Code.....

}

 

Yes, i have changed my session settings for 'Prevent Spider Sessions' and 'Recreate Session' (both set to true). I am wrapping the session detection statements for these two settings right now and report back.

 

Regards,

Marcus

Link to comment
Share on other sites

Once you think it is working or at least communicating, read this thread post,

 

http://www.oscommerce.com/forums/index.php?sho...ndpost&p=291418

 

Basically, some further checks are made to make sure that the transaction

information is the same as what is in the shopping cart, but some people have

been having problems, so it is suggested to remove the IF statement accordingly.

"Any fool can know. The point is to understand." -- Albert Einstein

Link to comment
Share on other sites

Marcus, you shouldn't be having any problems, verify the above (including your PayPal account profile).

 

I assume all the admin/configuration/session settings are false.

 

See what happens.

 

BTW, root1 one was me  B)  I wanted to see what was happening. so you would not of received an IPN for those transaction(s?).

 

Also check your email; The contrib is in full debug mode by default, so you should at least be getting some feedback even if the IPN is not stored.

 

The changes i made in Admin -> Session ('Prevent Spider Sessions = TRUE' and 'Recreate Session = TRUE') do not cause any problems. Wrapping the if statements in application.php with your code did not make any difference when testing. Maybe this information is useful for you for the further development. See my next posting concerning my experiences.

 

For the root1: How did you manage to insert an order in my system via testing? :blink: I have protected my /catalog/ipn.php so basically you (and no-one else) should be able to access it. This is what i put in my .htaccess:

 

<Files ipn.php>
Order deny,allow
Deny from all
Allow from notify.paypal.com
</Files>

 

And of course you are right. I did not (and could not) receive any IPN for this transaction (it was one order i received from root1)

 

Regards,

Marcus

Link to comment
Share on other sites

Greg,

 

Ok, after some extensive (and not very succesful) testings with the auto return feature setting on the paypal website i made two experiences (*sigh*):

 

1. 'If it aint broke don't fix it' and

2. Do not try to do some coding after 1 am in the morning.

 

Before i started playing with the auto return feature i had a working setup. Visitors were able to checkout using paypal, after clicking 'Pay' i received an IPN and an order was generated and if they clicked on continue they were redirected to the shop and i received a duplicate IPN. So basically everything was fine.

 

Then i started to play with the auto return feature and my whole setup went havoc. The meta-refresh redirect gave a blank screen, the shopping cart did not reset, i did not receive any IPN from paypal after they clicked on 'Pay', there was no order generated in OsC but i did receive the paypal email confirmation that i received a valid payment.

 

Well, ok.

 

I then added your code adjustments (including commenting out the if statement in /catalog/ipn.php if ($ipn_cart->valid_payment($ipn,$cart,$currency) ) { ) and on first sight i was happy because now the visitor got redirected fine back to the shop, an order was generated in OsC, i did receive the email confirmation from paypal BUT i never received an IPN after clicking on 'Pay'.

 

I then tried to reverse the changes i made for the auto return feature in my code, i deactivated the auto return feature on paypal website but i was not able to get the IPN working again after clicking on 'Pay' (i.e. i still did not receive an IPN) BUT AFTER clicking on continue i received TWO IPN's where the second one was not being recognized as a duplicate and i got two orders inserted in OsC (order numbers x and x+1). Furthermore i received a lot of emails like:

 

Subject: PayPal IPN: unknown transaction type

Text:

'I received an unkown post from 64.4.241.140

Are you running any tests?

 

At this point (about 2 am in the morning) i gave up and went to bed.

 

This morning i had a look again at my code making sure to reverse everything i changed within the last 24 hours and voila: I am up and running again with my setup which means:

 

1. The auto return feature in paypal website is deactivated

2. IPN is activated (and always was during my tests). Changes: I have deleted the URL because of adding your

$paypal_fields .= tep_draw_hidden_field('notify_url', tep_href_link('ipn.php'));

 

in funtion _getPayPalFields (/includes/modules/payment/paypal.php) one or two days ago.

 

3. Immediately after clicking on 'Pay' i do receive an IPN

5. The order gets generated in OsC as well

6. I do also get paypals email confirmation about having received a valid payment

7. If i click on 'Continue' i receive a duplicate IPN and another email saying i should check my paypal account.

8. I do not have to uncomment the if statement in /catalog/ipn.php

 

Everything is back to normal and i am happy again :D

 

To reiterate my previous post: I began my testing with the Admin -> Session settings 'Prevent spider sessions = TRUE' and 'Recreate Session = TRUE' and everything else being set to false. After your postings i changed these two to FALSE as well which did not help.

 

So....

 

1. I will again backup all my files knowing that the way they are configured now they does work

2. I am happy to assist you in testing the auto return feature to iron out problems

3. I am not sure (because i do not have enough knowledge) but to me it seems that activating the auto return feature causes havoc to the generation of the IPN

 

Let me know what you think. If you want you can also contact me via email to do some testing and last but not least, get yourself a donation possibilty setup so that i am able to give you something back of what you offered to me (us).

 

Best regards,

Marcus

Link to comment
Share on other sites

How did you manage to insert an order in my system via testing?
This is easy to do (as such). Just before clicking on your confirmation, if you view the source and find the osCsid, copy it, now click the confirmation button and you are taken to PayPal. Now open up another browser and type in the url to your checkout_prosess.php and append the osCsid, i.e. '?osCsid=fd321dsf23', now you could also append the '&refer=paypal' which is supposed to happen upon the automaitc redirect (but this time an order should not be created).

 

Yeah, I had not fully tested getting around the spiders/sessions issue, it was just a quick suggestion. Will look more later.

 

When you said that you had IPN deactivated, does that mean in your PayPal account profile it says IPN 'off'. Because I noticed I had to have mine 'on' but not specify a url, getting PayPal to allow you to switch it 'on' but without a url seemed buggy, I think I just deleted the pre-prompted 'http://' from the field and it then allowed me to save whilst having it enabled.

 

Another unkown factor that could be coming into play is the locale, from the US it seems ok for me but, a] I don't see the the option for a customer to proceed without having to create an account (login) and b] outside the US I'm not sure if all these features and been effectively implemented yet (I don't know).

 

Well you're happy then ok, because (in advent of the Auo-Return) I'm gradually becoming more confident that the IPN is still an essential piece of information about the transaction, however (*) it would be seem nice to have both IPN and the auto-return going. Maybe somebody else here could let us know whether the 'Auto-Return Work Around' is working for them?

 

* I previously thought that having the auto-return feature would increase the possiblity of being able to make spoof payments, but given the above work around, I think it is actually better (for the general case/usage), i.e. the order is no-longer created by the customer when they return to the site, but actually created by the PayPal-osC IPN. This means that you could prevent spoofing, but it also heavily relys upon the fact on getting the IPN (in time?) but then again previously if the customer didn't click the continue button you would of been none the wiser (except for the PayPal confirmation email), so I think everything balances out and I haven't experienced any significant delays in receiving an IPN.

 

 

the GreatZorglub, I did, sorry I got distracted here and there, I will look again later today to see if I can spot anything.

Edited by gregbaboolal

"Any fool can know. The point is to understand." -- Albert Einstein

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
×
×
  • Create New...