osCommerce

The e-commerce.

PayPal IPN no longer needed......


only2empires


I am using the PayPal module that is provided with osCommerce. I have my redirect page in PayPal set to http://www.xxxxxxx.com/catalog/checkout_process.php and when a customer uses PayPal as their method of payment it automatically returns them to the store where it finishes the checkout process and moves them to the checkout success. I receive a copy of the order transaction in my email, the PayPal notification and the order shows up in my admin section. No more notes in the store asking the customer to PLEASE click continue after paying at PayPal!!! And no more struggling to get the PayPal IPN working properly :D

 

One thing I did find out however, is that I had the Must Agree To Conditions contribution added which shows the text and box to check mark before confirming the order. This started a looping effect after making a payment through PayPal and caused the customer to return to the Payment section of the store indicating that they must agree to the terms.....which then the customer thought the order didn't go through and processed again. Results: double order. Once I removed the contribution and just left a text noting that "By confirming your order, you are agreeing to our Terms & Conditions" (with the link attached), it worked beautifully. No more looping.

 

This was tested many times by myself and a friend and works super now, thanks to PayPal and their upgrade!


Cathy,

 

The new PayPal Auto-Return feature might be adequate for your needs, but it should be mentioned that PayPal recommends IPN as the preferred method instead of the Auto-Return feature. Firstly the Auto-Return feature does not provide any information about the PayPal transaction and secondly the Auto-Return feature exemplifies the security hole in the payment process - thus showing how to spoof payment transactions.

 

Quite often I see people refer to the PayPal IPN contribution and it is not necessarily clear as to exactly which one they are referring to.

Recently the PayPal_Shopping_Cart_IPN contribution has been updated to allow configuration with the Auto-Return feature (configurable via the admin for the osC side of it all - you still have to have it enabled in your PayPal account profile). When the customer is returned to the site the order is not generated, but the customer is redirected to the checkout_process.php page; it is in fact the IPN which generates the order. At this time there are more refinements that could and probably should be made, but as said IPN is the preferred PayPal methodology.

"Any fool can know. The point is to understand." -- Albert Einstein


That's correct. Auto-Return shouldn't be relied upon in this situation because it doesn't provide any proof of payment.

 

We're hoping to work with Greg and others to make sure that the PayPal functionality included with the core OSC distribution works well. IPN is *very* easy to implement and a very reliable way for PayPal to transmit payment information to OSC.

Patrick Breitenbach


I don't understand how that can be, only because I did LIVE purchases from my store using another PayPal account...the payment showed up in PayPal AND in the admin order section. And this was after the auto-return was completed. Of course I had to refund the other testing party, but sure seemed like a real paid transaction to me (this was tested about 3x's before I set it live).

 

Also, I have implemented a code I found from this forum to the paypal.php to show the transaction within the PayPal notification. All that came through properly also.

 

When I used the PayPal_Shopping_Cart_IPN the first time, it seemed I got tons of emails...very confusing and didn't like that at all. At one point, it actually recorded 2 separate orders when I only processed 1. And since I get a copy of what the customer receives, they would have thought they double ordered. So I immediately removed that before my phone started ringing off the wall! If I did something incorrectly, I would appreciate knowing what that would be so that I can troubleshoot it.

 

Thanks.

Edited by only2empires

Hi Cathy,

 

As said the auto-return might be suitable for your needs.

 

What is supposed to be happening is the development of a more thorough (or in Patrick's words reliable) PayPal checkout process.

 

As Patrick said, the auto-return is not a proof of payment. Whereas a verified IPN signifies that an authentic transaction has occurred and can prevent fake transactions from being processed, this could be important for a number of reasons, one example might be downloads.

 

Another current benefit of an IPN is that you seem to get a lot more information about the customer than what you see in your PayPal profile account. I just looked at mine and saw that I only see the customer's name and shipping address. That shipping address was provided by the osC website. Whereas with the IPN information you can compare the information that the customer provided PayPal with the information that they provided you.

 

There is a lot of potential in using PayPal's IPN.

 

In regard to your experience with the PayPal_Shopping_Cart_IPN contribution, my first question is what version were you using; admittedly in the early stages it was not really suitable for production use, however version 1.5 and onwards (currently v1.5a) is what could be considered stable - other store owners do use it.

And it is with feedback that the contribution continues to be developed.

Edited by gregbaboolal

"Any fool can know. The point is to understand." -- Albert Einstein


I don't understand how that can be, only because I did LIVE purchases from my store using another PayPal account...the payment showed up in PayPal AND in the admin order section. And this was after the auto-return was completed.

 

Cathy, If you have a URL I can show you what they mean by taking advantage of the security exploit that exists. I will place a test order on your site using Paypal and you will get the order in your admin just as if I had paid..but actually will not have paid you one cent through Paypal. This is fine if you are careful to check all of your orders against your Paypal account, but if not it is possible that you could ship orders that were never paid for.

 

On a side note it would be really nice if someone would take care of this exploit in OSC since I believe it can be taken advantage of in more than just the Paypal module(s)!


Hi Cathy,

 

I hope you honor Justin's purchase :)

 

With v1.6, and using the auto-return feature, it also needs to be configured/selected in the admin section, otherwise 2 orders will appear.

 

The best way is to have it configured for them to click the continue button; even if they don't you will still get the order.

 

The contrib is still a little bit loose, and it is up to you as to how strict you want to be; to be extremely strict further scripting is required. I didn't do it 1) because of minimizing on change and 2) everybody might have their own idea. Thus JB would still be able to spoof the system but you will get an email, and as said can adapt the script to totally prevent this from happening.

 

But if you configure/select the auto-return you should be ok - there is no guarantee, see the recent support thread as to an inclination why.

"Any fool can know. The point is to understand." -- Albert Einstein


So what you're saying is, in the admin eliminate the Extra emails so that I only get 1? Or where is this adjusted in the admin should I need to go back to IPN.

 

Yes, I will honor Justin's order HAHA Would I be required to give a refund? Choose something nice!!! You might like it!


Hi Cathy,

 

When the paypal-contribution is installed have a look at the fields shown (there are a few); you need to enter your primary PayPal email addr and business ID (probably the same as the primary).

 

At the bottom there is another email addr field where to send the debug info to. Maybe set this to another email account addr other than the primary, so that you don't feel like you are being bombarded.

 

The reason why the best method is to have the customer click the continue button is because if they do they will bring the IPN information with them, which can then be validated etc.; otherwise the independent PayPal-osC IPN will generate the order. Whichever is first goes through; the other is considered a duplicate and disregarded.

"Any fool can know. The point is to understand." -- Albert Einstein


If Justin gets through without showing in PayPal as a transaction, then I will attempt the IPN again.

It was a pleasure hacking your site. :D You should have an order in your admin with Paypal as the payment method from me with no money in your Paypal account right about now. It should be the only order with the name "dont Shipthis", lol.


Yep, I got it. And in that case, since I always check my PayPal before ordering/shipping anything....you would normally get an email noting that payment wasn't received and your order will not ship until payment is received ( should have picked a picnic basket...those are my best sellers :D)

 

Not sure how you did that since I'm not a hacker by nature (just about drives me nuts to get thru php!), but I'll try the IPN again.....just stick around for problems I may have. Last time I read all 37 pages of the contributions support with no luck and lots of emails (which Greg has already let me know how to conquer that part).

 

Now, when I install the IPN again, do I take off the auto-direct that is setup in my PayPal account? or leave it there?

 

Thanks for your help and your advice....I take everything back....IPN IS NEEDED if I can get it working!


I'd love to know how that auto-forwarding hack is done.. mostly so that I can patch up the security hole :(

 

By the way, does the return URL of the IPN check the rePOST'ed variables to make sure the returned order is valid?

 

Just downloaded this yesterday and haven't had much chance to play around with it yet..


Ok...I've got the PayPal IPN re-installed and everything works fine. Proper emails (not 10,000 of them, just the 3), admin shows orders and PayPal IPN information. However.....I have a print invoice contribution on that when a customer reaches checkout success they can print their own. With PayPal, once they reach that page....the invoice is all hacked up with error messages and no order number showing on the checkout success page.

 

Now...near the bottom of my checkout_process.php I have this code:

 

// unregister session variables used during checkout
tep_session_unregister('sendto');
tep_session_unregister('billto');
tep_session_unregister('shipping');
tep_session_unregister('payment');
tep_session_unregister('comments');

///begin add print invoice to checkout_success////
tep_session_register('last_order');
$last_order = $insert_id;
$oID = $last_order;
///end add print invoice to checkout_success////

tep_redirect(tep_href_link(FILENAME_CHECKOUT_SUCCESS, '', 'NONSSL'));

 

 

Should the print invoice part now be AFTER the final FILENAME_CHECKOUT_SUCCESS???? or won't this work with the PayPal IPN.

 

Thanks for your help! That's the only problem I have after hours of debugging and reading now 40+ pages!!!!


Hi Cathy,

 

In the contrib unregistering the session now occurs in two places (within the before_process function) in the catalog/includes/modules/payment/paypal.php file.

 

You could either 'try' and just place the print invoice stuff

///begin add print invoice to checkout_success////
tep_session_register('last_order');
$last_order = $insert_id;
$oID = $last_order;
///end add print invoice to checkout_success////

near the top of the checkout_success.php page.

 

Or inline with what you previously showed, put into (under) those 2 places in payment/paypal.php (before the tep_redirect).

 

Just so that you are aware, there is a function in the classes/paypal/cart.php called process_transaction.php which contains 95% of the same code as what is in the checkout_process.php file, so if making any changes to checkout_process.php you should also look to see if a change is required in the cart.php file, in cart.php the session is not unregistered.

 

There is also a bug fix a few pages back that enables the order status to be correctly updated as specified by you in the admin/paypal section.

 

Please note that if changes in the structure of the code occur in later releases etc, you will first need to provide a bullet proof vest :)

"Any fool can know. The point is to understand." -- Albert Einstein


On a side note it would be really nice if someone would take care of this exploit in OSC since I believe it can be taken advantage of in more than just the Paypal module(s)!
It's a problem with sites that POST to and from in general. The problem is that there isn't a good general way of checking that your response is coming from the site that is supposed to be sending it. The site is supposed to provide some verification method in the before_process function (for example, you could check the HTTP_REFERRER or look for a special response code), but this would be on a per module basis.

 

The only real fix is to not POST back and forth. It would be better for the gateway to implement some kind of secure connection method where the customer does not have any chance to intervene. When this is done, you know that an authorization is valid, because you made the connection to the gateway and it responded on the same connection. The POST methods use a connection opened from the other end, which is spoofable.

 

It's also worth noting that the system does work. You just can't trust the results of the osCommerce order system. You need to start with the payment and work forward to the order system (ignoring orders without payment) rather than the other way around.

 

Cheers,

Matt

Always back up before making changes.

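Matt's advice above, to start from the payment and work forward to the order system, can be turned into a routine check. The following PHP is an added example, not code from osCommerce or from the PayPal_Shopping_Cart_IPN contribution: it takes a list of orders as the admin shows them and a list of transactions as exported from the PayPal account, and flags every order that has no completed gateway payment behind it (including the kind of order Justin created by never leaving the store). The field names (order_id, paypal_txn_id, amount, currency, txn_id, mc_gross, payment_status) and both sample lists are constructed for the example and are not osCommerce columns.

```php
<?php
// Added example (not osCommerce or contribution code): reconcile store orders
// against the gateway's own transaction list before anything is shipped.
// All data below is constructed sample data; field names are assumptions.

// Orders as they would appear in the store admin (constructed).
$orders = array(
    array('order_id' => 222, 'payment_method' => 'Money Order', 'amount' => '45.00',  'currency' => 'USD', 'paypal_txn_id' => null),
    array('order_id' => 223, 'payment_method' => 'PayPal',      'amount' => '45.00',  'currency' => 'USD', 'paypal_txn_id' => '1AB23456CD789012E'),
    // An order that exists in the admin but was never paid for (no txn_id).
    array('order_id' => 224, 'payment_method' => 'PayPal',      'amount' => '89.95',  'currency' => 'USD', 'paypal_txn_id' => null),
    array('order_id' => 225, 'payment_method' => 'PayPal',      'amount' => '120.00', 'currency' => 'USD', 'paypal_txn_id' => '9ZY87654XW321098V'),
    // A second order carrying a txn_id already used by order 223 (duplicate order).
    array('order_id' => 226, 'payment_method' => 'PayPal',      'amount' => '45.00',  'currency' => 'USD', 'paypal_txn_id' => '1AB23456CD789012E'),
);

// Transactions as exported from the PayPal account (constructed).
$gateway_payments = array(
    array('txn_id' => '1AB23456CD789012E', 'payment_status' => 'Completed', 'mc_gross' => '45.00', 'mc_currency' => 'USD'),
    array('txn_id' => '9ZY87654XW321098V', 'payment_status' => 'Completed', 'mc_gross' => '60.00', 'mc_currency' => 'USD'),
);

// Returns array('ok' => [order ids safe to ship], 'hold' => [order id => reason]).
function reconcile_orders(array $orders, array $payments) {
    $by_txn = array();
    foreach ($payments as $p) {
        $by_txn[$p['txn_id']] = $p;
    }
    $used_txn = array();   // txn_id => order_id that already claimed it
    $result = array('ok' => array(), 'hold' => array());

    foreach ($orders as $o) {
        $id = $o['order_id'];
        if ($o['payment_method'] !== 'PayPal') {
            // Offline methods (money order, etc.) are confirmed by hand.
            $result['hold'][$id] = 'offline payment method, confirm manually';
            continue;
        }
        $txn = $o['paypal_txn_id'];
        if ($txn === null || !isset($by_txn[$txn])) {
            // The admin knows about the order, PayPal does not: unpaid or spoofed.
            $result['hold'][$id] = 'no gateway transaction: unpaid or spoofed order';
            continue;
        }
        if (isset($used_txn[$txn])) {
            // One payment cannot pay for two orders.
            $result['hold'][$id] = 'duplicate of order ' . $used_txn[$txn];
            continue;
        }
        $used_txn[$txn] = $id;
        $p = $by_txn[$txn];
        if ($p['payment_status'] !== 'Completed') {
            $result['hold'][$id] = 'payment status is ' . $p['payment_status'];
            continue;
        }
        // Compare money as fixed two-decimal strings, not floats.
        $paid    = number_format((float) $p['mc_gross'], 2, '.', '');
        $charged = number_format((float) $o['amount'],  2, '.', '');
        if ($paid !== $charged || $p['mc_currency'] !== $o['currency']) {
            $result['hold'][$id] = "amount mismatch: paid $paid {$p['mc_currency']}, order is $charged {$o['currency']}";
            continue;
        }
        $result['ok'][] = $id;
    }
    return $result;
}

$r = reconcile_orders($orders, $gateway_payments);
echo "Ship: " . implode(', ', $r['ok']) . "\n";            // Ship: 223
foreach ($r['hold'] as $id => $why) {
    echo "Hold order $id: $why\n";                           // 222, 224, 225, 226 are held
}
```

Run as a periodic script, this gives the store owner the check that Justin and Matt say is mandatory when the checkout flow itself cannot be trusted: only order 223 has a completed payment of the right amount, while the unpaid order, the short-paid order and the duplicate are all held for review.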

Ok...couldn't get the printable invoice to work no way no how. I moved codes as suggested, even moved them to other places.

 

It works...but it doesn't work. For instance, if I placed an order using money order the order ID would be say 222. All is fine. But....when I did the next test using PayPal as the method everything showed fine as the next order 223 EXCEPT for the printable invoice. It would show 222. I could not for the life of me get the printable invoice to pick up the next order number. So, I dumped it. Put a note on checkout success that a details of their transaction is in their email and that would be their receipt for returns or whatever.

 

Now...my IPN works like a charm. Only 3 emails, my copy, the customers copy and the PayPal IPN order notification :D And the best part...even if a customer doesn't click on "Continue" the order still shows up in my admin (both places: IPN and Orders) and my emails.

 

What I had to do to get it working.....

In my PayPal Account:

1) I have IPN as "ON" but without any http link.

2) Turned "OFF" auto-redirect.

 

In Admin Payment module (PayPal):

3) In admin PayPal module, I use the aggregate shopping cart method and it is pulling in all my totals (including tax) from my osc shopping cart.

4) I set Auto-Return for PayPal to "0" for no.

5) Email notifications "1"

6) Test mode "off"

7) Return behavior "2"

 

Added all your fixes that were not showing up at the time I downloaded the PayPal IPN.

 

Now all I can do is hope and pray you tell me....ALL IS CORRECT! Hopefully, I still don't have a security problem....but I'm sure Justin knows how to test that! :D

 

Thanks!


It's a problem with sites that POST to and from in general.

 

Actually, no it is not as I never even left her site..ie I never was redirected to the Paypal site, never had to login to Paypal, never touched the url address at Paypal, never entered a single thing in at Paypal. It is a security exploit in OSC not the POST method to and from and has zilch to do with Paypal. The same exploit can be taken advantage of in the various online merchant processors ie. your admin will tell you I submitted a credit card through your processor when actually I never even left the site- so if you do not match up your orders against your merchant account transactions before shipment you could be in trouble. The only one I know for sure that cannot be taken advantage of in this way is Authorize.net, probably a few others, but just the fact that most can be taken advantage of is quite scary. I am just glad that I process cards outside of the online portion so do not have to worry about this particular problem, ie I see the customers CC info and hit submit and get the authorization myself. This exploit has been brought to OSC's attention and I believe the response was "it is the store owners responsibility to make sure all orders are legitimate and the payment has been processed." :(


Hi Cathy,

 

I just re-read the bit of code you were trying to include, and because I now see the $insert_id, put the code in the after_process function of paypal.php and just underneath where the function begins; you should see a global declaration, $insert_id may already be there, if not put it there ($insert_id). It now needs to be in the after_process because the before_process is called before the order is created so the order id doesn't exist - if I can recall - not able to look right now.

 

Most of the above of what you said looks right, except that you should be aware that because you turned off in admin ->modules->payment->paypal it is still possible for someone to spoof the system and generate an order but you will get an email telling you that something was up with the customer_id, first and last name.

You could get around this by actually setting in your osC admin the Auto-Return to On, this way the order is not generated when they return but they will then be redirected to checkout_success.php.

Might seem clumsy but I didn't want to change/disallow the original osC method, i.e it is up to you what to do next in terms of changing the script.

"Any fool can know. The point is to understand." -- Albert Einstein


Most of the above of what you said looks right, except that you should be aware that because you turned off in admin ->modules->payment->paypal it is still possible for someone to spoof the system and generate an order

 

So I should put the auto-return for PayPal "ON" in the admin...but leave it off in my PayPal account? or turn them "ON" on both sides.

 

I bookmarked this thread so that I can come back later and try the printable invoice again, but for now I just got so frustrated and got rid of my headache B)

 

Thanks!


Here's a question:

 

Does the IPN check the IP address posting back to OSC?

 

PayPal has a fixed IP range that their secure servers post from. In the PayPal IPN's I have written for other sites, I ALWAYS check the IP address.

 

Just wondering if this IPN does that too. I'm trying to figure out how to prevent Justin's exploit :(


I would have to look into this more, not sure what you mean by Justin's exploit.

So far I've been recommending that a configuration in the .htaccess file be made to only allow notify.paypal.com access to ipn.php.

"Any fool can know. The point is to understand." -- Albert Einstein


We advise against relying on the numbered IP address as it can change. Although notify.paypal.com will remain constant, we still advise against relying on it.

 

When implemented properly, which is not too difficult, there are no known IPN exploits.

Patrick Breitenbach

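Patrick's two points, that the caller's IP address or hostname is not what makes an IPN trustworthy and that a properly implemented IPN has no known exploits, come down to one handshake: the store posts the notification it received straight back to PayPal and only trusts it if PayPal answers VERIFIED, then checks the business fields itself. That is the connection opened from the store's end that Matt's earlier post asks for. The PHP below is an added example, not the PayPal_Shopping_Cart_IPN contribution's ipn.php; the post-back endpoint and the cmd=_notify-validate handshake are PayPal's, while the decision function, its parameters, the sample notification and the stubbed replies are constructed for the example.

```php
<?php
// Added example (not the contribution's ipn.php): verify a PayPal IPN by posting
// it back to PayPal, then apply the store's own checks. Trust comes from the
// post-back reply, never from REMOTE_ADDR or a reverse-DNS name.

// PayPal's IPN post-back endpoint; the sandbox uses ipnpb.sandbox.paypal.com.
define('PAYPAL_VALIDATE_URL', 'https://ipnpb.paypal.com/cgi-bin/webscr');

// Echo the raw POST back to PayPal prefixed with cmd=_notify-validate.
// Returns PayPal's reply body ('VERIFIED' or 'INVALID'), or false on transport error.
function paypal_postback(array $post) {
    $body = 'cmd=_notify-validate';
    foreach ($post as $k => $v) {
        $body .= '&' . urlencode($k) . '=' . urlencode($v);
    }
    $ch = curl_init(PAYPAL_VALIDATE_URL);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);   // we must be talking to PayPal
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('Connection: Close', 'User-Agent: osc-ipn-example'));
    $reply = curl_exec($ch);
    curl_close($ch);
    return $reply;
}

// Decide what to do with one notification. $postback_reply is PayPal's answer to
// paypal_postback(); $expected is what this order should look like (constructed
// parameter shape: receiver_email, mc_gross, mc_currency); $seen_txn_ids are
// transaction ids already turned into orders (prevents the duplicate-order case).
function ipn_decision(array $post, $postback_reply, array $expected, array $seen_txn_ids) {
    if (trim((string) $postback_reply) !== 'VERIFIED') {
        return 'reject: PayPal did not verify this notification';
    }
    foreach (array('txn_id', 'receiver_email', 'payment_status', 'mc_gross', 'mc_currency') as $f) {
        if (!isset($post[$f])) {
            return "reject: missing field $f";
        }
    }
    // A VERIFIED reply only proves PayPal sent it; it could be a payment to
    // someone else, a partial amount, or a replay. Check each in turn.
    if (strcasecmp($post['receiver_email'], $expected['receiver_email']) !== 0) {
        return 'reject: payment went to a different PayPal account';
    }
    if (in_array($post['txn_id'], $seen_txn_ids, true)) {
        return 'ignore: txn_id already processed (duplicate notification)';
    }
    if ($post['payment_status'] !== 'Completed') {
        return 'hold: payment_status is ' . $post['payment_status'];
    }
    $paid = number_format((float) $post['mc_gross'], 2, '.', '');
    $due  = number_format((float) $expected['mc_gross'], 2, '.', '');
    if ($paid !== $due || $post['mc_currency'] !== $expected['mc_currency']) {
        return "reject: paid $paid {$post['mc_currency']}, expected $due {$expected['mc_currency']}";
    }
    return 'accept: create the order for txn ' . $post['txn_id'];
}

// --- Demonstration with constructed data; in ipn.php $post would be $_POST and
// --- $reply would come from paypal_postback($_POST).
$ipn = array(
    'txn_id'         => '1AB23456CD789012E',
    'receiver_email' => 'sales@example.com',
    'payment_status' => 'Completed',
    'mc_gross'       => '45.00',
    'mc_currency'    => 'USD',
);
$expected = array('receiver_email' => 'sales@example.com', 'mc_gross' => '45.00', 'mc_currency' => 'USD');

echo ipn_decision($ipn, 'VERIFIED', $expected, array()), "\n";        // accept
echo ipn_decision($ipn, 'INVALID', $expected, array()), "\n";         // reject: forged or altered
echo ipn_decision($ipn, 'VERIFIED', $expected, array('1AB23456CD789012E')), "\n"; // ignore: replay
$short = $ipn; $short['mc_gross'] = '4.50';
echo ipn_decision($short, 'VERIFIED', $expected, array()), "\n";      // reject: amount mismatch
```

The order is only written after 'accept'. A notification handcrafted by the customer (or by someone who never left the store) fails at the first check, because PayPal will not verify a message it did not send; the remaining checks catch the cases a genuine but irrelevant notification would otherwise slip through, which is why an IP or hostname filter on ipn.php is neither necessary nor sufficient.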
