Jump to content
Sign in to follow this  
freerangemum

HSBC secure-epayment module

Recommended Posts

To keep everything neat & easy to find, please post anything related to the HSBC secure-epayments module here.

 

:D


I've had 3 children.........how hard can this be???

Share this post


Link to post
Share on other sites

First of all, thanks again for sorting this module out and posting it as a contribution. It is very much appreciated.

 

I have a question about the installation. The file checkout_process.changes has 2 instructions.

 

I take it the first one is a change to be made to the checkout_process.php file.

 

The second change seems not to relate to this file since the lines it mentions are present only in includes/modules/payments/hsbc.php. Is this the file that needs changing?

 

If so, why does it refer to $ordernum in the instruction, but $sequence is in the hsbc.php file.

 

I'm a little confused. Hope you can help.

 

Best Regards

Tim

Share this post


Link to post
Share on other sites

FreeRangeMum - sorry but I have a question. In the function getHash there is a call to the TestHash.e module using a path that is hard coded - is this the path from the root? I'm running with a vitual server so I'm not sure if this root information is available to me. Can you explain please.....

 

Andy

Share this post


Link to post
Share on other sites

Andy

 

Nothing to report back. I was waiting for the mod to come out before I registered to use the HSBC CPI so won't be able to properly test it for a few days.

 

Can you make out what's going on with the questions I asked before?

 

Cheers

Tim

Share this post


Link to post
Share on other sites

I'm out at another clients til later this afternoon so I haven't had chance to get to grips with it yet. My client has elected to use the CPI so I will be installing it and testing it very shortly - if not later today then tomorrow. One questions I do have left relates to the the server path adn some commetns made in previous posts about HSBC making it hard for people to install the code on shared servers and also why the code contribution calls TestHash.e not the 'production' code.

Share this post


Link to post
Share on other sites

we have set up the site and are also trying to link in with HSBC e-payments! but i am stuggling to see where to get started....

 

we have decided it is probably best to use the jave code given to us but how to link that into the oscommerce site is errrrrm....confusing me !!

 

can anyone give any guidance with where to start and/or what this hsbc module is about !!

 

thanks in advanced

 

G

Share this post


Link to post
Share on other sites

I installed the php provided in the Contribution, made the changes to the checkout_process and with a little bit of a struggle with the configuration I got the payment process to fire into the CPI URL. I've not had the transaction processed yet but I'll keep posting with updates.

Share this post


Link to post
Share on other sites

I've installed it but couldn't make the 2nd change to the checkout_process.php.

 

Any ideas?

 

Also, do I need to upload the hash generator or something?

 

And what part is on a secure server??

 

Thanks,

 

Alex

Share this post


Link to post
Share on other sites

I found the 2nd ammendment also in hsbc.php but rather than the quoted:

 

$ordernum = $t1.$r1;

 

I found:

 

$sequence = $t1.$r1;

 

Instead. I still has the

 

srand ((float) microtime() * 10000000);

$r1 = rand(100,999);

$t1 = date("yz-his");

 

above it! Should I change the $sequence to $ordernum

 

Alex

Share this post


Link to post
Share on other sites

Hello, all:

I'm Jos? Le?n, the developer of this contribution, here are some clarifications regarding the module:

--

Regarding the 2 step on checkout_process.php, this is only valid for Lynda's shop, it has some modifications that vary from the standard code, in any case, that line is to make match the order_id sent to the HSBC CPI with the order is being created when the order is processed, in the standard MS2 code, search for this line in checkout_process.php:

 

$insert_id = tep_db_insert_id();

 

And add this line just below:

 

if (!empty($_POST['OrderId'])) $insert_id=$_POST['OrderId'];

 

So it will look this way:

 

$insert_id = tep_db_insert_id();

if (!empty($_POST['OrderId'])) $insert_id=$_POST['OrderId'];

 

I don't have tested it throughtly but must work ;-)

--

Regarding the path where the TestHash.e is located, is hardcoded into the hsbc.php module, right here:

 

//Path where the TestHash.e executable is located

$path='/home/virtual/site131/fst/var/www/cgi-bin';

 

Yes, this is the path from the root, exactly as PHP sees the file system, so it can find it. If you have a virtual server you can place the executables and .so on any dir, and that dir must have execution permissions for everyone, or at least, for the apache user.

 

The problem with the HSBC Payment module is that you need to use an .so file to generate the HASH based on the user's private key, I have used the TestHash.e ready compiled executable to allow anyone which gets the module to use it, instead to write an entire new C program to generate that HASH. For those of you who doesn't know, there is a C version and a Java version, I supose you will prefer to use the C version in most cases. So TestHash.e is the "production" code, because it just generates the hash, the only thing I need to call the CPI properly.

 

Regarding the Java code..., well, is an option, but is faster to use the C version.

--

Regarding what you will need also to make it work, is the CPI kit you get when you contract the HSBC CPI, in this kit you will get the TestHash.e and the .so, needed to generate the hash which authenticates you against the CPI

--

 

I hope it helps!

 

Regards

--

Share this post


Link to post
Share on other sites

First of all, fantastic news on the new HSBC mod! I too greatly appreciate this mod being released to the public.

 

I've just been playing about with the mod for a few hours and as you might have guessed, I'm having a few problems. I'm getting back the dreaded CpiResultsCode = 10 -- "The transaction failed because of invalid input data." -- when I attempt to submit my order to HSBC's CPI.

 

I know my server is properly configured to talk to the CPI, as I have the TestHash working using the HSBC supplied CcResults.cgi and sample html files. To aid me (and anyone else reading!) with my debugging, I plugged the CcResults.e into the mod to see what data I'm getting back from the CPI. A sample result:

 

StorefrontId = <mystorefrontID> (fine)
   OrderId = 0437-070041326
   PurchaseAmount = 45496
   PurchaseCurrency = 826
   PurchaseDate = 1076180453955
   ShopperEmail = chris@***.co.uk
   MerchantData = 066f856a69f55d7f2c568fac166d7127 (appears to be my session ID)
   CpiResultsCode = 10 :(
   OrderHash = viVT6vpOLVxbmhM9fJ34slFMjIM=
   Hash Fields: <mystorefrontID>,0437-070041326,45496,826,1076180453955,chris@***.co.uk,066f856a69f55d7f2c568fac166d71
27,10
   Received OrderHash = viVT6vpOLVxbmhM9fJ34slFMjIM=
   Generated OrderHash = viVT6vpOLVxbmhM9fJ34slFMjIM=
   Hash validates = true

 

Everything looks fine to me, but HSBC just doesn't like it! Any ideas on what might be causing the CpiResultsCode = 10 ? I also tried stripping down the information sent to the CPI to be the bare minimum required by the CPI, but still no dice. I noticed from sniffing the parameters sent to the CPI that there were some extra fields being sent to the CPI. Parameters named 'x' and 'y'. I've heard that the CPI is EXTREMELY fussy about the fields it receives in a POST.

 

I am also using the STS simple template contrib, which doesn't seem to like the HSBC mod too :huh: -- and hsbc_return.php doesn't seem to work with safe mode enabled ($hash=$hsbc->getHash($post_2) == "") the but I can live with that for now, just want to get this mod working! Could this be the problem, that I need to disable safe mode? I can't easily test this, as I won't be able to disable it on my shared SSL server (I don't think).

 

Help!

Edited by Harald Ponce de Leon
Removed e-mail address

Share this post


Link to post
Share on other sites

Firstly I'd like to say a big thank you to Lynda for this contribution.

 

I've been waiting so long for this contribution, and now after 3 days solid of trying to get it to work, I feel my head cannot take anymore hair pulling.

 

Can anybody apart from Lynda say if they've had this contribution working?

 

The situation I have at the moment is, I'm testing it on my Windows XP box (Apache Server), using the TestHash.exe program to generate my Hash Key, when I submit the order it fires the CPI URL, but then returns back to hsbc_return.php with an error code 10 (Invalid Data).

I don't see any of the fields for inputting card details.

 

I've checked the Global fields and the OrderHash and the Hash values are different, is this where the problem is?

 

In the HSBC CPI manual it states you must have a secure connection between the store and the CPI, is this true?

 

In the the payment module hsbc.php, there is a line:

putenv("LD_LIBRARY_PATH=$path");

On my ISP's server it complains that it can't set this enviornment variable while in safe mode, how am I gonna get around this?

 

Why oh why can't anything be straight forward.

 

If anyone can answer any of my questions, I will be very grateful.

 

Thanks

 

 

Neil Westlake

thedjbox.com

Share this post


Link to post
Share on other sites

Neil:

 

I can't really help, but regarding the:

putenv("LD_LIBRARY_PATH=$path");

 

my host is on safe mode too, so I asked my host to install the HSBC .so library for me (at quite a cost) and removed the putenv line.

 

As far as I know, you NEED a secure (https) connection between yourself and the CPI. The two things above (library installation and secure server requirement) have forced me to pay top dollar for my hosting, and I'm not particularly happy about it seeing as E-Payments won't even work anyway! If anyone's reading this considering E-Payments as a card processor, all I can say is, 'FORGET IT! GO FOR WORLDPAY! If I could go back in time 3 months that's exactly what I would have done.'

Share this post


Link to post
Share on other sites

Hi Guys,

 

I got the guy that made the module to install it and set it up for me.

 

I'm using host europe hosting which I think is top class. Its Webfusion.co.uk in the UK (and Germany I think) and I pay ?150 a year and I've not needed to pay anything extra to enable features!

 

Jos? (HSBC e-payments module creater) installed it within a few days - I'm dead impressed.

 

For secure parts, I managed to find a shared one which will do, as it's not seen, and I got that for ?75/year - but Jos? manged to find one already on my account?! Strange! If you need any company details, please ask me, but I won't take up space here.

 

I agree, it's an arse, but when it works, its fab!

 

All the best,

 

Alex

Share this post


Link to post
Share on other sites

Ok, I've been working flat out trying to get to the bottom of the problems I was having with the HSBC module.

 

I now have the module working on my XP test server, and while doing so I found out quite a few things that will upset the HSBC CPI.

 

The first problem I had was the HASH key being returned was not the same, this was because I put in an Uppercase L instead of a Lowercase one in the CPI Hash key field. (easily done)

 

Then the CPI kept returning invalid data (Error 10), this was because I hadn't set my a server as a secure server. The send and return paths must start with HTTPS.

 

The final problem I was having, was when I finally got to the HSBC site, all the images were missing, and eveything I clicked returned a communication error.

This was because I set the URL with a trailing slash in the admin CPI URL field, the URL should be: https://www.cpi.hsbc.com/servlet, without a trailing slash.

 

If anybody is looking to set up a similar test site on there own PC, then I used OpenSA server, which includes the Apache server and the OpenSSL module pre-configured.

 

If you do run this on a Windows server, then I found that you must change the path in hsbc.php module to:

$path = "start /D \"C:\\Server\htdocs\catalog\hsbc\" /B";

and the $cmd line to:

$cmd="$path TestHash.exe \"".MODULE_PAYMENT_HSBC_HASH."\" $cmd";

 

Using the above set-up you would have to put the testhash.exe program in a folder called hsbc under the catalog directory.

 

Well, it's very late, I can now go to bed feeling a bit happier that I've acheived something.

 

Next problem is going to be installing it on my ISP's Linux server.

 

Neil Westlake

Share this post


Link to post
Share on other sites

Ok, a little update to my last post.

 

I contacted my ISP today about getting this module working on there Linux server and all I got was no, no and no.

 

No, we can't switch the PHP server off of safe mode.

No, you can't run an executable on our servers.

And no theres not really much we can do to help you get this working.

 

Needless to say I was not a happy person, so I called up HSBC and they told me that there is no other way to get this working if your ISP won't allow you execute a program on there server. Change your ISP to one that will they said.

 

In the end I gave up, and I've now decided to host my own website on my own server running Windows XP.

 

One last thing I found out that might be causing you problems getting this module working is the time. I found that on my Windows box the time in the hidden field that is sent to the CPI is something like: 1.076975461E+012 when it should be a 13 digit number.

 

So to get over this I did a quick hack to the hsbc.php module and replaced these lines:

 

$time=($time+(0*3600));

$time=$time*1000;

 

with:

 

$time = $time."000";

 

Very crude I know, but as a quick fix it works.

 

 

Neil Westlake

Share this post


Link to post
Share on other sites

Hi Neil,

 

Why don't you give webfusion.co.uk a go?

 

I've not even got a top account and I can host anything! It's got a great control panel, very good customer service and my programmer seemed to set everything up fine!

 

You get SSH which is what you need to run the executables (??) which I know you need...

 

Give it ago, I'm using SoHo - ?150/year.

 

Alex

 

P.S. I don't work for them, believe it or not!

Share this post


Link to post
Share on other sites

for further info:

 

the hsbc suppplied libs (.so and the TestHash.e) are for Redhat and wont run on FreeBSD systems!

 

Currently waiting to hear from hsbc developers on this

 

looking also to use the java version - can this contribution be used with the java cpi testhash??

Share this post


Link to post
Share on other sites

Hello,

I think with few modifications could run, but the time it takes to execute the java version it's infinite higher than the C one, also, most servers (afaik) doesn't run java, so...

 

The portion of code to change is when setting the LD_LIBRARY_PATH (not needed) and executing the testhash.e, I think results dumped out are in the same format.

 

Regards.

Share this post


Link to post
Share on other sites
Hello,

I think with few modifications could run, but the time it takes to execute the java version it's infinite higher than the C one, also, most servers (afaik) doesn't run java, so...

 

The portion of code to change is when setting the LD_LIBRARY_PATH (not needed) and executing the testhash.e, I think results dumped out are in the same format.

 

Regards.

could you advise me on how you would do this please as i'm not a programmer?

i.e could you rewrite that function so it would call the java testhash.

 

i'm running out of options on the C ones as the wont work on FreeBSD (my isp)

but I can run java so I'm prepaired to accept the higher wait time....

 

 

this is the only thing stopping me from getting cc payments working...

 

Regards

Simon.

Share this post


Link to post
Share on other sites

Wouldn't the Java version of the HSBC library work on FreeBSD? The getHash function in the HSBC contribution would have to be re-written to make the call, but it should work (providing there's no native code in the Java library).

 

I'm considering using this approach with a client who server runs FreeBSD.

 

-mike

Share this post


Link to post
Share on other sites
Wouldn't the Java version of the HSBC library work on FreeBSD? The getHash function in the HSBC contribution would have to be re-written to make the call, but it should work (providing there's no native code in the Java library).

 

I'm considering using this approach with a client who server runs FreeBSD.

 

-mike

I've been told that this is o.k, however I need the getHash function re-written ASAP - can anyone help me out here and paste the code.

 

this is waiting to go on a live shop

 

 

 

TA in advance

:D

Share this post


Link to post
Share on other sites

I'm planning on rewriting the getHash function for use with the Java class - but not for a couple of weeks - I'm waiting for the Java class from my client. I'll post it when I get it done.

 

-mike

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×