Post by Qphoria » Wed Oct 14, 2009 11:24 pm

EDIT: SEE SOLUTION 2 INSTEAD, AS IT IS MORE SECURE


Post by sqwarellc » Tue Oct 20, 2009 6:51 am

Thank you, Qphoria, I will give your solution a try.

But more importantly, does anyone know, once I've got an order in limbo like this, what is the appropriate method to nudge it along toward completed status, in a manner which correctly manages my inventory (or returns to inventory if I'm cancelling)?


Post by Qphoria » Wed Oct 21, 2009 9:27 pm

To get the POST vars sent to you in an email like I have:

(v1.3.2)
1. EDIT: catalog/controller/payment/pp_standard.php

2. FIND:

fclose($fp);

3. AFTER, ADD (change to your email at the bottom):

//IPN CALLBACK DEBUG
// Mails every POST var PayPal sent to the callback, plus the verify result
// ($response is the VERIFIED/INVALID reply read from the socket above).
$subject = 'IPNDEBUG: Callback Executed. Order Id: ' . $order_id;
$msg = 'Callback Post Vars: ';
foreach ($this->request->post as $key => $value) {
	$msg .= '&' . $key . '=' . $value . "\r\n";
}
$msg .= "\r\n\r\n\r\n";
$msg .= "payment_status = " . ((isset($this->request->post['payment_status'])) ? $this->request->post['payment_status'] : 'none');
$msg .= "\r\n\r\n\r\n";
$msg .= "response = " . ($response);
mail('you@mail.com', $subject, $msg);


Post by tronics » Fri Oct 23, 2009 12:24 am

Great!!


Post by davgothic » Fri Nov 06, 2009 10:42 pm

It would be a VERY bad idea to implement this solution if security is your main concern.

What this fix basically does is check to see if the $response is "VERIFIED"; if not, then it checks if "payment_status" is set to "Completed". This is the major flaw in the solution, because it doesn't check that the POST data actually came from PayPal. So in theory I could send the POST vars to your PayPal callback script, the script would ask PayPal for verification and get an "UNVERIFIED" response, however this solution would see that the POST sent from me has "payment_status" as "Completed" and accept the order. I didn't spend a penny, but I got your product!

Don't believe me? Qphoria check your orders, you'll see that I appear to have purchased "Authorize.net (SIM)".

Look closer and you'll see that I never actually sent any payment.

Fortunately you have set your default paypal_order_status to "Pending" otherwise (if "Completed") I would have been able to download your product for free.

Hope this was helpful!
Dav

Post by Qphoria » Fri Nov 06, 2009 11:21 pm

You are correct. Solution 2 is secure
http://forum.opencart.com/viewtopic.php?f=20&t=8341


Post by kcllc » Sat Nov 14, 2009 3:07 am

In ppstandard.php there is only one instance of the original code... is that correct?


Post by Qphoria » Sat Nov 14, 2009 3:14 am

It depends on the version. In 1.3.2+ there are curl and fsock, so there are 2 instances.
This pp_itemized patch might need updates depending on the version used.


Post by kcllc » Sat Nov 14, 2009 7:34 am

Re-uploaded original files, added your solution and security edits, and still no joy :(


Post by Daniel » Tue Nov 17, 2009 4:57 am

How about if I use raw $_POST for the PayPal callback? The problem is that if there are any special characters in the POST from PayPal's callback, they will get converted to HTML special chars.

Make sure you don't have any ' in your store name.

OpenCart®
Project Owner & Developer.


Post by Qphoria » Tue Nov 17, 2009 10:06 am

I think right now you are already converting it on the way out. You already use html_entity_decode on the initial form. Then it sends to PayPal and they send back. Then you add html_entity_decode again to the verify step. Perhaps it doesn't need to be there, since you already handled it on the first send?

Haven't tested. But maybe change:

$request .= '&' . $key . '=' . urlencode(stripslashes(html_entity_decode($value, ENT_QUOTES, 'UTF-8')));

to:

$request .= '&' . $key . '=' . urlencode($value);

assuming that it will already be dealing with encoded entities from the original post submit.

That is what I see other paypal ipn scripts using.
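Pulling davgothic's point and the entity-decoding discussion above together, here is an added example (written for this thread, not OpenCart's code or Qphoria's patch) of how the callback should decide an order's status: it only looks at payment_status after PayPal has replied VERIFIED to a body rebuilt with html_entity_decode + urlencode, and it goes one step beyond the thread by also checking receiver_email and mc_gross against the store's own values. $postVars, $sendToPayPal, buildValidateBody and decideOrderStatus are assumed names.

```php
<?php
// Added example, not OpenCart's or PayPal's own code. $postVars stands in for
// $this->request->post (already HTML-escaped by the framework); $sendToPayPal is
// an assumed callable that POSTs $body to PayPal's _notify-validate URL and
// returns the raw reply text.

function buildValidateBody(array $postVars): string {
    $request = 'cmd=_notify-validate';
    foreach ($postVars as $key => $value) {
        // Undo the framework's entity escaping so PayPal gets back exactly the
        // bytes it sent; otherwise a ' in the store name makes the check fail.
        $raw = html_entity_decode($value, ENT_QUOTES, 'UTF-8');
        $request .= '&' . $key . '=' . urlencode($raw);
    }
    return $request;
}

// Returns the order status to apply, or null when the IPN must be ignored.
function decideOrderStatus(array $postVars, callable $sendToPayPal,
                           string $expectedReceiver, float $expectedTotal): ?string {
    $response = $sendToPayPal(buildValidateBody($postVars));

    if (strcmp($response, 'VERIFIED') !== 0) {
        // Solution 1 fell through to payment_status here and so accepted forged
        // POSTs. Anything other than VERIFIED is untrusted, full stop.
        return null;
    }
    // A VERIFIED IPN can still be for another account or a smaller amount.
    $receiver = html_entity_decode($postVars['receiver_email'] ?? '', ENT_QUOTES, 'UTF-8');
    if (strcasecmp($receiver, $expectedReceiver) !== 0) {
        return null;
    }
    if (abs((float) ($postVars['mc_gross'] ?? 0) - $expectedTotal) > 0.005) {
        return null;
    }
    $status = $postVars['payment_status'] ?? 'none';
    // Completed means paid; anything else stays Pending, the fallback that keeps
    // the order from going missing without granting the download.
    return ($status === 'Completed') ? 'Complete' : 'Pending';
}

// Constructed sample: a forged callback claiming Completed, and a fake transport
// answering INVALID because PayPal never issued this notification.
$forged = ['payment_status' => 'Completed', 'receiver_email' => 'you@mail.com',
           'mc_gross' => '29.99', 'item_name' => 'O&#039;Reilly&#039;s Store'];
$fakePayPal = function (string $body): string { return 'INVALID'; };
var_dump(decideOrderStatus($forged, $fakePayPal, 'you@mail.com', 29.99));
$okPayPal = function (string $body): string { return 'VERIFIED'; };
var_dump(decideOrderStatus($forged, $okPayPal, 'you@mail.com', 29.99));
```

The first call returns null (the forged POST is dropped even though it says Completed); the second, where the fake transport answers VERIFIED, returns 'Complete'.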


Post by kcllc » Thu Nov 19, 2009 4:46 pm

All my orders paid with paypal are returning as missing orders as well, despite having applied all the fixes listed. I'm thinking at this point I might just disable paypal as a payment method.


Post by Qphoria » Wed Nov 25, 2009 8:12 pm

PM me with temp ftp and I'll modify the file with extra debug stuff. The only way you would be getting missed orders is if the callback was not executing at all. Are you on GoDaddy?


Post by kcllc » Thu Nov 26, 2009 6:57 am

Absolutely not! I'm with Hostgator :) Daniel was gonna look into it, apparently didn't have time yet... I'll pm you with the info :) Although I've already added all the bits of code and still no joy :( Thinking maybe one of the mods I bought is causing the issue but I can't do without the mods either.


Post by Qphoria » Wed Dec 02, 2009 10:52 am

Just to update this: I've looked at this issue, and I've added debug code to the callback script. I don't even see the file being created after an order is placed. But if I manually load the page it works. So it's like IPN is not even trying to reach the callback, or can't, but that doesn't make sense.


Post by Qphoria » Wed Dec 02, 2009 11:24 am

As this solution is deemed insecure, Solution 2 adds security back, with a fallback to prevent lost orders by setting them to a pending state instead of leaving them incomplete.
I will lock this thread and the conversation will move to the new solution. This new solution should also be changed in the core, as it currently uses the insecure Solution 1.

SOLUTION 2
