Community Forums

by **Qphoria** » Wed Oct 14, 2009 3:24 pm

EDIT. SEE SOLUTION 2 INSTEAD, AS IT IS MORE SECURE

by **sqwarellc** » Mon Oct 19, 2009 10:51 pm

Thank you, Qphoria, I will give your solution a try.

But more importantly, does anyone know, once I've got an order in limbo like this, what is the appropriate method to nudge it along toward completed status, in a manner which correctly manages my inventory (or returns to inventory if I'm cancelling)?

by **Qphoria** » Wed Oct 21, 2009 1:27 pm

To get the POST vars sent to you in an email like I have:

(v1.3.2)
1. EDIT: catalog/controller/payment/pp_standard.php

2. FIND:

Code: Select all: fclose($fp);

3. AFTER, ADD (change to your email at the bottom):

Code: Select all: //IPN CALLBACK DEBUG $subject = 'IPNDEBUG: Callback Executed. Order Id: ' . $order_id; $msg = 'Callback Post Vars: '; foreach ($this->request->post as $key => $value) { $msg .= '&' . $key . '=' . $value . "\r\n"; } $msg .= "\r\n\r\n\r\n"; $msg .= "payment_status = " . ((isset($this->request->post['payment_status'])) ? $this->request->post['payment_status'] : 'none'); $msg .= "\r\n\r\n\r\n"; $msg .= "response = " . ($response); mail('you@mail.com', $subject, $msg);

by **tronics** » Thu Oct 22, 2009 4:24 pm

Great!!

by **davgothic** » Fri Nov 06, 2009 2:42 pm

It would be a VERY bad idea to implement this solution if security is your main concern.

What this fix basically does is check to see if the $response is "VERIFIED" if not then it checks if "payment_status" is set to "Completed". This is the major flaw in the solution, cause it doesn't check that the POST data actually came from PayPal, so in theory I could send the POST vars to your PayPal callback script, the script would ask PayPal for verification and get an "UNVERIFIED" response, however this solution would see that the POST sent from me has "payment_status" as "Completed" and accepts the order, I didn't spend a penny but I got your product!

Don't believe me? Qphoria check your orders, you'll see that I appear to have purchased "Authorize.net (SIM)".

Look closer and you'll see that I never actually sent any payment.

Fortunately you have set your default paypal_order_status to "Pending" otherwise (if "Completed") I would have been able to download your product for free.

Hope this was helpful!
Dav

by **Qphoria** » Fri Nov 06, 2009 3:21 pm

You are correct. Solution 2 is secure
viewtopic.php?f=20&t=8341

by **kcllc** » Fri Nov 13, 2009 7:07 pm

In ppstandard.php there is only one instance of the original code... is that correct?

by **Qphoria** » Fri Nov 13, 2009 7:14 pm

depends on the version. In 1.3.2+ there is curl and fsock so there are 2 instances
This pp_itemized patch might need updates depending on the version used.

by **kcllc** » Fri Nov 13, 2009 11:34 pm

reuploaded original files, added your solution and security edits and still no joy

by **Daniel** » Mon Nov 16, 2009 8:57 pm

how about if i use raw $_POST to the paypal callback. the problem is if there are any special characters in the post from paypal's callback they will get converted to html special char.

make sure you don't have any ' in you store name.

by **Qphoria** » Tue Nov 17, 2009 2:06 am

I think right now you are already converting it on the way out. You already use html_entity_decode on the initial form. Then it sends to paypal and they send back. Then you add html_entity_decode again to the verify step. Perhaps it doesn't need to be there since you already handled it on the first send?

Haven't tested. But maybe change:

Code: Select all: $request .= '&' . $key . '=' . urlencode(stripslashes(html_entity_decode($value, ENT_QUOTES, 'UTF-8')));

to:

Code: Select all: $request .= '&' . $key . '=' . urlencode($value);

assuming that it will already be dealing with encoded entities from the original post submit.

That is what I see other paypal ipn scripts using.

by **kcllc** » Thu Nov 19, 2009 8:46 am

All my orders paid with paypal are returning as missing orders as well, despite having applied all the fixes listed. I'm thinking at this point I might just disable paypal as a payment method.

by **Qphoria** » Wed Nov 25, 2009 12:12 pm

PM me with temp ftp and I'll modify the file with extra debug stuff. The only way you would be getting missed orders is if the callback was not executing at all. Are you on GoDaddy?

by **kcllc** » Wed Nov 25, 2009 10:57 pm

Absolutely not! I'm with Hostgator

Daniel was gonna look into it, apparently didn't have time yet... I'll pm you with the info

Although I've already added all the bits of code and still no joy

Thinking maybe one of the mods I bought is causing the issue but I can't do without the mods either.

by **Qphoria** » Wed Dec 02, 2009 2:52 am

Just to update this.. I've looked at this issue, and I've added dbg code to the callback script. I don't even see the file being created after an order is placed. But if I manually load the page it works. So its like IPN is not even trying to reach the callback... or cant.. but that doesn't make sense.

by **Qphoria** » Wed Dec 02, 2009 3:24 am

As this solution is deemed insecure.. Solution 2 adds security back with a fallback to prevent lost orders by setting them to a pending state instead of leaving them incomplete.
I will lock this thread and the conversation will move to the new solution. This new solution should also be changed in the core, as it currently uses the insecure Solution 1.

SOLUTION 2