Post by Qphoria » Wed Oct 14, 2009 11:24 pm

EDIT. SEE SOLUTION 2 INSTEAD, AS IT IS MORE SECURE

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by sqwarellc » Tue Oct 20, 2009 6:51 am

Thank you, Qphoria, I will give your solution a try.

But more importantly, does anyone know, once I've got an order in limbo like this, what is the appropriate method to nudge it along toward completed status, in a manner which correctly manages my inventory (or returns to inventory if I'm cancelling)?

Newbie

Posts

Joined
Thu Jul 23, 2009 1:08 am

Post by Qphoria » Wed Oct 21, 2009 9:27 pm

To get the POST vars sent to you in an email like I have:

(v1.3.2)
1. EDIT: catalog/controller/payment/pp_standard.php

2. FIND:

Code: Select all

fclose($fp);
3. AFTER, ADD (change to your email at the bottom):

Code: Select all

//IPN CALLBACK DEBUG
$subject = 'IPNDEBUG: Callback Executed. Order Id: ' . $order_id;
$msg = 'Callback Post Vars: ';
foreach ($this->request->post as $key => $value) {
	$msg .= '&' . $key . '=' . $value . "\r\n";
}
$msg .= "\r\n\r\n\r\n";
$msg .= "payment_status = " . ((isset($this->request->post['payment_status'])) ? $this->request->post['payment_status'] : 'none');
$msg .= "\r\n\r\n\r\n";
$msg .= "response = " . ($response);
mail('you@mail.com', $subject, $msg);

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by tronics » Fri Oct 23, 2009 12:24 am

Great!!

Newbie

Posts

Joined
Wed Jul 15, 2009 5:05 pm

Post by davgothic » Fri Nov 06, 2009 10:42 pm

It would be a VERY bad idea to implement this solution if security is your main concern.

What this fix basically does is check to see if the $response is "VERIFIED" if not then it checks if "payment_status" is set to "Completed". This is the major flaw in the solution, cause it doesn't check that the POST data actually came from PayPal, so in theory I could send the POST vars to your PayPal callback script, the script would ask PayPal for verification and get an "UNVERIFIED" response, however this solution would see that the POST sent from me has "payment_status" as "Completed" and accepts the order, I didn't spend a penny but I got your product!

Don't believe me? Qphoria check your orders, you'll see that I appear to have purchased "Authorize.net (SIM)".

Look closer and you'll see that I never actually sent any payment.

Fortunately you have set your default paypal_order_status to "Pending" otherwise (if "Completed") I would have been able to download your product for free.

Hope this was helpful!
Dav

Newbie

Posts

Joined
Tue Oct 13, 2009 5:04 pm

Post by Qphoria » Fri Nov 06, 2009 11:21 pm

You are correct. Solution 2 is secure
http://forum.opencart.com/viewtopic.php?f=20&t=8341

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by kcllc » Sat Nov 14, 2009 3:07 am

In ppstandard.php there is only one instance of the original code... is that correct?

New member

Posts

Joined
Mon Sep 07, 2009 9:48 pm

Post by Qphoria » Sat Nov 14, 2009 3:14 am

depends on the version. In 1.3.2+ there is curl and fsock so there are 2 instances
This pp_itemized patch might need updates depending on the version used.

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by kcllc » Sat Nov 14, 2009 7:34 am

reuploaded original files, added your solution and security edits and still no joy :(

New member

Posts

Joined
Mon Sep 07, 2009 9:48 pm

Post by Daniel » Tue Nov 17, 2009 4:57 am

how about if i use raw $_POST to the paypal callback. the problem is if there are any special characters in the post from paypal's callback they will get converted to html special char.

make sure you don't have any ' in you store name.

OpenCart®
Project Owner & Developer.


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by Qphoria » Tue Nov 17, 2009 10:06 am

I think right now you are already converting it on the way out. You already use html_entity_decode on the initial form. Then it sends to paypal and they send back. Then you add html_entity_decode again to the verify step. Perhaps it doesn't need to be there since you already handled it on the first send?

Haven't tested. But maybe change:

Code: Select all

$request .= '&' . $key . '=' . urlencode(stripslashes(html_entity_decode($value, ENT_QUOTES, 'UTF-8')));
to:

Code: Select all

$request .= '&' . $key . '=' . urlencode($value);
assuming that it will already be dealing with encoded entities from the original post submit.

That is what I see other paypal ipn scripts using.

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by kcllc » Thu Nov 19, 2009 4:46 pm

All my orders paid with paypal are returning as missing orders as well, despite having applied all the fixes listed. I'm thinking at this point I might just disable paypal as a payment method.

New member

Posts

Joined
Mon Sep 07, 2009 9:48 pm

Post by Qphoria » Wed Nov 25, 2009 8:12 pm

PM me with temp ftp and I'll modify the file with extra debug stuff. The only way you would be getting missed orders is if the callback was not executing at all. Are you on GoDaddy?

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by kcllc » Thu Nov 26, 2009 6:57 am

Absolutely not! I'm with Hostgator :) Daniel was gonna look into it, apparently didn't have time yet... I'll pm you with the info :) Although I've already added all the bits of code and still no joy :( Thinking maybe one of the mods I bought is causing the issue but I can't do without the mods either.

New member

Posts

Joined
Mon Sep 07, 2009 9:48 pm

Post by Qphoria » Wed Dec 02, 2009 10:52 am

Just to update this.. I've looked at this issue, and I've added dbg code to the callback script. I don't even see the file being created after an order is placed. But if I manually load the page it works. So its like IPN is not even trying to reach the callback... or cant.. but that doesn't make sense.

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by Qphoria » Wed Dec 02, 2009 11:24 am

As this solution is deemed insecure.. Solution 2 adds security back with a fallback to prevent lost orders by setting them to a pending state instead of leaving them incomplete.
I will lock this thread and the conversation will move to the new solution. This new solution should also be changed in the core, as it currently uses the insecure Solution 1.

SOLUTION 2

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am
Who is online

Users browsing this forum: Baidu [Spider] and 57 guests