Jump to content
Sign in to follow this  
freerangemum

HSBC secure-epayment module

Recommended Posts

I had a PM from a user asking which ISP I'm using to host my website with HSBC Secure-EPayments.

 

Because of the HSBC issue I've recently had to change my ISP to one that would work with this module.

 

I'm now using Swift Internet (http://www.swiftinter.net), I'm on a basic package which costs just over ?100 for a year.

 

I can run the HSBC module easily because there servers don't run PHP in safe-mode, so the LD_LIBRARY_PATH command can be executed without problems. They also give you access to there shared secure server, because as you all should know by now, you can't use HSBC Secure-payments without a secure server.

 

Anyway, if anybody's having trouble getting it working with there current ISP then a change might be the only answer.

 

Regards,

 

Neil Westlake

www.thedjbox.com

Share this post


Link to post
Share on other sites

Neil,

 

Firstly I would like to add my thanks to you for your hard work on this mod. I have it fully working no and am looking to go live after the weekend.

 

With regards to the order not submitting problem, my orders are showing up in the admin section as soon as the HSBC confirmation page appears. I believe that this is to with the 2nd Post, the reply from HSBC.

 

Not too sure about the code side of things, its all a bit over the top of my head. I have copied and tried everything on this forum and just had one little problem at the end with the order numbers. The orderid number was not being called and so in the file checkout_process I had to insert the line $orderid=$GLOBALS["OrderId"]; Prior to this I was getting the time related order being submitted to HSBC and then another orderid beign generated a few minutes later, depending on the length of time taken for the customer to process his details. The orders were close but not the same.

 

Anyhow, as I say this is now sorted and as far as I can make out there is no problem with customers closing there browser windows.

 

Thanks again for all of your hard work.

 

Cheers,

Richard.


Only Dead Fish Go With The Flow......

Share this post


Link to post
Share on other sites

Hi Everybody,

 

OK have now been banging my head over this for a few days now, i've read and re read this thread to try and work this out and to tell the truth its driving me nuts.

 

OK here goes, installed the mod and after a few mis inserts got to the stage where i am able to contatct the CPI but get kicked out with result code 10 and an orderhash but no hash!

 

Talked to HSBC who said 'you are nearly there' end quote.

 

can some one offer a pointer on this goto chech out and follow process until reach confirm at this point pressing it would return the above error so i did not but did view source as follows:-

<form name="checkout_confirmation" action="https://www.cpi.hsbc.com/servlet" method="post">
<input type="hidden" name="osCsid" value="c597d1b9ca033fcea2c482562c1d8604" />
<input type="hidden" name="CpiDirectResultUrl" value="https://sslrelay.com/www.secure.xxxxxxxxx.co.uk/catalog/checkout_process.php">
<input type="hidden" name="CpiReturnUrl" value="https://sslrelay.com/www.secure.xxxxxxxxx.co.uk/catalog/hsbc_return.php">
<input type="hidden" name="OrderDesc" value="OCPDirect Ltd order">
<input type="hidden" name="OrderId" value="04101-084047879">
<input type="hidden" name="PurchaseAmount" value="118000">
<input type="hidden" name="PurchaseCurrency" value="826">
<input type="hidden" name="StorefrontId" value="UKxxxxxxxxGBP">
<input type="hidden" name="TimeStamp" value="1081712447000">
<input type="hidden" name="TransactionType" value="Auth">
<input type="hidden" name="MerchantData" value="c597d1b9ca033fcea2c482562c1d8604">
<input type="hidden" name="BillingAddress1" value="65 lime street">
<input type="hidden" name="BillingCity" value="HULL">
<input type="hidden" name="BillingCountry" value="826">
<input type="hidden" name="BillingCounty" value="Humberside">
<input type="hidden" name="BillingFirstName" value="Andrew">
<input type="hidden" name="BillingLastName" value="McDonald">
<input type="hidden" name="BillingPostal" value="HU87AP">
<input type="hidden" name="ShopperEmail" value="andymac@nortex-products.com">
<input type="hidden" name="ShippingAddress1" value="65 lime street">
<input type="hidden" name="ShippingCity" value="HULL">
<input type="hidden" name="ShippingCountry" value="826">
<input type="hidden" name="ShippingCounty" value="Humberside">
<input type="hidden" name="ShippingFirstName" value="Andrew">
<input type="hidden" name="ShippingLastName" value="McDonald">
<input type="hidden" name="ShippingPostal" value="HU87AP">
<input type="hidden" name="Mode" value="T">
<input type="hidden" name="OrderHash">

 

now to me all looks ok except that rogue '/' at begining but the most worrying thing is no value for the orderhash field.

 

I am getting no error from apache or php, but i believe its not generating the hash to send to hsbc. Or it losing it somewhere.

 

PHP is compiled with SAFE_MODE set to OFF.

 

Background main shop on http then transferes to https to do checkout, is domain transfer losing hash, I just don't know.

 

no alterations to script, alteration to checkout_process.php 1 as described in docs 2nd as in Jose's post this thread about page 3ish and path to TestHash.e that i know is ok even thru http and https.

 

It's so frustrating to be so close yet so far away from a working shop.

 

Any help appreciated.

 

Thanks a bunch for listening.

Andrew


Literally, Laterally Thinking! If you cannot get through it, go round it.

Share this post


Link to post
Share on other sites

Andrew,

 

In the hsbc.php file (includes/modules/payment), make sure the testhash call lines look something like this:

 

   $path='/home/.sites/28/site1/.users/82/thedjbox/web/catalog/includes/modules/payment';
  putenv("LD_LIBRARY_PATH=$path");
  $cmd="$path/TestHash.e \"".MODULE_PAYMENT_HSBC_HASH."\" $cmd";

 

This is what I'm using on a Linux server with PHP not running in safe mode. Also make sure you have Testhash.e and libCcCpiTools.so both in the same directory as the payment module.

 

The $path should be from the root of the server as above.

 

Once this works ok, you'll have to follow the other hacks I've made in this forum to get the orders submitting properly aswell.

 

All the best.

 

 

Neil Westlake

www.thedjbox.com

Share this post


Link to post
Share on other sites

Hi Neil,

 

Have duble checked hsbc.php and have this for the gethash function:-

 

	//Function to generate a hash to perform the POST or to check received parameters
function getHash($fields)
{
 $cmd="";
 reset($fields);
 while(list($k,$v)=each($fields))
 {
	 $cmd.=" \"$v\" ";
 }
  
 //Path where the TestHash.e executable is located
 $path='/homepages/22/dxxxxxxxx/htdocs/cgi-bin';    

 putenv("LD_LIBRARY_PATH=$path");
 
 //Executes the TestHash to get the hash
 $cmd="$path/TestHash.e \"".MODULE_PAYMENT_HSBC_HASH."\" $cmd";
  
 $ret=exec($cmd);
  
 $ret=split(':',$ret);
 
 //Returns the hash
 $hash=trim($ret[1]);   	 
 return($hash);
}

 

The path variable does contain the true path as it matches the DIR_FS in shop config.

 

/cgi-bin is at moment chmod 755 also been chmod 777 along with contents, but still no joy.

 

this putenv call in above is there anyway that apache or php would stop it from working?

 

Thanks for the input so far if needed will give URL of and html to see php config on server.

 

Andrew


Literally, Laterally Thinking! If you cannot get through it, go round it.

Share this post


Link to post
Share on other sites

Andrew,

 

In hsbc.php add echo "Genreated Hash: ".$ret; in between:

 

 
$ret=exec($cmd);
$ret=split(':',$ret);

 

So that it looks like this:

 

 
$ret=exec($cmd);
echo "Genreated Hash: ".$ret;
$ret=split(':',$ret);

 

Then go to the checkout page and see if the order hash is being genertated.

 

If it's not then you need to sort this out first.

 

Regards

 

Neil Westlake

www.thedjbox.com

Share this post


Link to post
Share on other sites

Hi Neil,

 

Put the 'echo "Generated Hash: ".$ret;' where you said, but my fear was realised no Hash generated :(

 

Will no go and have words with 1&1 and ask why, shared server is supposed to be redhat with php compiled with safe mode off, but I have a feeling that they have disabled the ability to alter the LD_LIBRARY_PATH ENV variable.

 

Hard to know when they dont give access to the error logs!

 

Was trying to work out where and how to put a 'print .$ret' to check the hash but got lost with only having a few days php experimentation.

 

Will have to build a lin box again for home testing.

 

Again thanks.

Andy


Literally, Laterally Thinking! If you cannot get through it, go round it.

Share this post


Link to post
Share on other sites

HI all;

 

After Richard kindly sent me the files I'd been missing, I went through the forum and setup as many of the hacks/mods I could find.

 

After doing all this, I've run the shop (set to test) and I get this response :

 

Hacking atempt!- orderHash=UrXAWJUV7v4aIBBe0oocDi7yE80= hash=

 

From what I can tell, the "hash" is not being generated, but I've not seen this arise yet in this forum.

Unfortunately, the safe mode is set to on:

 

safe_mode On On

safe_mode_exec_dir /nonexec /nonexec

safe_mode_gid Off Off

safe_mode_include_dir no value no value

 

I have correctly specified paths to the testhash files etc (living in my cgi-bin), and everything else should be working...

Is the safe-mode the root cause of my problems?

 

Thanks In advance

 

Martin Sweeney.

Share this post


Link to post
Share on other sites
safe_mode_protected_env_vars  | LD_LIBRARY_PATH  |  LD_LIBRARY_PATH

 

Also, Just found this whilst looking through my php_info....does it bear any relevance to my problem?

 

M.

Share this post


Link to post
Share on other sites

Hi Neil

 

Been busy, but have got little further, it looks like martin has similar symptoms to my setup.

 

Any way got onto one and one my host, and even though php safe mode is set to off which would imply thyat putenv would work, aparently they have refused to allow me to modify my LD_LIBRARY_PATH.

 

Which means I cant even test the damn module :angry:

 

You pay hard earned cash for a pro hosting package, then they hoble you, and say well if you want to alter that you will have to go to a root server at double the cost. 'But I though paying this for a pro packege it would be allowable!' - How silly of me.

 

Anyway moan over with :lol:

 

Neil apart from your hosts allowing it to run, was it swiftinter.net, what other options are available? Have seen Webfusion.co.uk seems ok but will enquire about altering LD_LIBRARY_PATH.

 

Anyone else know a reasonably priced Host?

 

Andy


Literally, Laterally Thinking! If you cannot get through it, go round it.

Share this post


Link to post
Share on other sites

United Hosting are getting my hard earned cash.

 

They have had a toubled time in the couple of weeks since Ive been with them due to a server migration but all their customers seem more than happy with their long term performance. Now that things have settled down my site is up with the HSBC mod installed and everything seems well.

 

Their help forum is excellent with help coming quickly not only from the United Hosting team but also a very knowledgable and quick to assist group of customers.

 

Anyhow, worth checking out.

 

Richard.


Only Dead Fish Go With The Flow......

Share this post


Link to post
Share on other sites

Hi,

 

I too am having hell's own job getting this horrible HSBC system to work. I recommended worldpay too but our customer decided to go with this system, so we are stuck with it :< and have wasted probably 30 hours so far. However we are making some progress :

 

We have TestHash.e compiled and working on our server. We know our PHP scripts are accessing it and generating a hash. I thought this would be the end of the matter, but one final kick in the teeth seems to be that HSBC require the site to be SSL hosted, or at least the hsbc_return.php part of it. This sort of seems to me to defeat about 80% of the point of outsourcing creditcard handling but there we go.

 

Our ISP does not support SSL enabling a normally hosted website. BUT they do allow SSL space; that is, https://their.server.com/directory/

 

Ideally I want to run the shop fully from the client's domain (without SSL) then just have the return come back to the SSL version. Is there an easy way to move the hsbc_return.php script onto the SSL directory, and then alter the submitted form variable that tells hsbc's servlet where to return to? Its just that that way only the hsbc_return bit would have to live outside the rest of the site's directory structure?

 

Will this work? Or am I setting myself up for a million other problems?

 

Thanks..

 

AJ

Share this post


Link to post
Share on other sites

I am trying to get the HSBC payment module working.

 

At the moment, I am using my own Linux box until we decide the right hosting company for my customer.

 

I have put the hashtest file in my cgi-bin directory and the libCcCpiTools.so in my /usr/lib directory.

 

I have made the amendements as documented in checkout_process.changes

 

It looks like HSBC_ return.php has an extra line at the top by mistake so I removed that.

 

However, I get this error message back....before I see anything on the HSBC site.

 

arning: session_start(): Cannot send session cookie - headers already sent by (output started at /var/www/localhost/htdocs/te/hsbc_return.php:2) in /var/www/localhost/htdocs/te/includes/functions/sessions.php on line 67

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /var/www/localhost/htdocs/te/hsbc_return.php:2) in /var/www/localhost/htdocs/te/includes/functions/sessions.php on line 67
Hacking atempt!

 

 

Does anyone have any ideas?

 

Cheers.

Share this post


Link to post
Share on other sites

Chris,

 

This should simply be a case that you an echo or print statement above the application_top.php include.

 

You can check this be commenting out application_top.php in hsbc_return.php to see what the output is.

 

Remember you can't output anything before start_session() is called.

 

Hope this helps

 

Neil Westlake

www.thedjbox.com

Share this post


Link to post
Share on other sites

ok .. have copied the site over to their ssl directory service.

 

problem is.. (smacks head) this server has safe mode switched on!!!! So i have ssl side working OK but now i am hitting safe mode errors..

 

This really is starting to get silly...

 

Any one got any suggestions?

Share this post


Link to post
Share on other sites

Not being able to contact HSBC through working on another contract during the day, is there a definitive answer regarding the need for SSL hosting.

 

Ive got the hash key working, but no SSL as of yet.

 

I try to do a test payment and get transferred to HSBC's secure payment side, and get returned back to checkout_payment.php with the message 'The transaction failed because the Storefront was configured incorrectly'

 

I presume this is due to the lack of SSL ?


Andrew McDonald

w: http://www.webguru.uk.net

Share this post


Link to post
Share on other sites

HSBC say that your return page as a minimum must be hosted on SSL. In practice with OSC this probably means either hosting the whole site on SSL, or specifying a SSL server for the checkout pages.

 

So... Yep, sadly a SSL server is needed.

 

My overriding feeling is that this defeats about 50% of the point of outsourcing to a payment provider! Worldpay run the SSL for you, so to NetBanx, so do PayPal, so do.... etc etc etc etc... But not HSBC!

 

AJ

Share this post


Link to post
Share on other sites

Anyone got any suggestions.. I feel I am now on the final furlong..

 

I have hacked my hsbc_return script to display hash and order hash...

 

But..

 

Hacking atempt! - orderHash=2D652yAbIKNYTXpGaHs+7dnXiFk= hash=esjKsUytpvODNcj1mHIMlIcZbfA=

 

Anybody got any ideas what i could be missing? I have fixed the datestamp thing so it is just a number rather than 1.23423432E13 or whatever. So now I'm stumped!

 

Help ;)

 

AJ

Share this post


Link to post
Share on other sites

OK....can someone please email me their code that they have WORKING - Obviously with example urls in the code etc. It would be much appreciated.

 

cb@hrhdtr.net

 

I have my own Linux server ready and set that has Apache2 with PHP safe mode off and with all the files in the right place. I can worry about hosting for my customer later, both me and my customer would like to get this thing working first.

 

Buying an SSL certificate won't be an issue for us later down the road.

 

 

 

 

 

Cheers.

Share this post


Link to post
Share on other sites

Have had this from HSBC support... Basically I noticed his example hash he created putting quotes around some parts of the data and some not ;

 

for example :

 

testhash 2fYDf/XXlmm+55577LMtsBAbOCnUAPLZ https://secureserver/catalog/checkout_process.php https://secureserver/catalog/hsbc_return.php "company name order" 04110-041922552 608292 826 UK123123123GBP 1082474362000 Auth 6daea8808a2d23e0b006232b110532ef "Somewhere House, 45 Fred Road" "London" 826 kent fred bloggs "br2 3bc" email@domain "Somewhere House, 67 Dave Road" london 826 kent fred bloggs "br2 3bc" T

Hash value: TTwn9Px2X1gxJ+lTjnhIhdSahow=

 

This is a (depersonalised) version of his example hash.. Notice how he has put double quotation marks around fields with spaces in.... I queried him about this and his response was :---

 

"In regards to the quotes, if a field can have whitespace in it it will need

to be in suitable quotes.

 

for instance. "2 Curzon Road" in quotes would be seen as one entry, whereas

2 Curzon Road is seen as three seperate entries and can change what the

hash generated is."

 

Now i am confused. How is everyone else making it work if they are putting quotes around everything ??

 

AJ

Edited by AJPB

Share this post


Link to post
Share on other sites

Well that just about does it.

 

The reason mine was not working was..... An error with the hash key HSBC supplied. Notice : this is not that I typed it in wrong; HSBC verified that I had typed what they sent me exactly. THEY SUPPLIED A DUFF KEY :| I can't believe how incompetent they are. I have wasted two solid days on this rubbish, and as soon as they issue a new key it magically works..

 

**NEVER, EVER USE HSBC for epayments - TELL ALL YOUR FRIENDS AND CUSTOMERS**

 

Use Worldpay, Paypal, NetBanx, SecPay - WHOEVER just not HSBC.

 

An utter disgrace. What a waste of effort and time.

Share this post


Link to post
Share on other sites

I have this all working on my dev machine.

 

My client has a wefusion.co.uk account, but I don't understand how to get the secure server part working!

 

Can anyone help? wefusion.co.uk seem to use some shared secure server space with secure-websites.com.

 

I am very confused. Why can't these things be simple?

Share this post


Link to post
Share on other sites

Right, I now have it going to the HSBC pages OK, and looping back to the hsbc_return.php page which I've modified to ribs' specification. However now it goes around, without inserting a new order and says

 

"You Cancelled the Transaction"

 

or something like it at the top of the screen in white on a red background (within osC)..

 

Anyone got any ideas what might be causing this to happen - is it symptomatic of being in Test mode?

 

AJ

Share this post


Link to post
Share on other sites
Right, I now have it going to the HSBC pages OK, and looping back to the hsbc_return.php page which I've modified to ribs' specification. However now it goes around, without inserting a new order and says

 

"You Cancelled the Transaction"

 

or something like it at the top of the screen in white on a red background (within osC)..

 

Anyone got any ideas what might be causing this to happen - is it symptomatic of being in Test mode?

 

AJ

 

I seen something about your problem earlier on in this thread........Just have a search through the thread Alex.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×