AlertPay Developers Community

 Hi,

I am tryign to overcome a security vulnerability in OsCommerce.  We have various processors enabled including Alertpay (using a contribution to OsCommerce made by somebody else - fairly old and straightforward), and are having to address the vulnerability on a case by case basis for each processor.

This has worked fine for other processors, but there seems to be no POST variables getting sent back to the AlertURL from the payment process. 

This is the basic code for the form process in the OsCommerce contribution:

function process_button() {
      global $order, $currencies;

    
       $process_button_string = tep_draw_hidden_field('ap_merchant', MODULE_PAYMENT_ALERTPAY_ACCOUNT) .
                               tep_draw_hidden_field('ap_amount', number_format(($order->info['total']) * $currencies->currencies['USD']['value'], $currencies->currencies['USD']['decimal_places'])) .
                               tep_draw_hidden_field('ap_currency', 'USD') .
                               tep_draw_hidden_field('ap_purchasetype', 'Item') .
                               tep_draw_hidden_field('ap_itemname', MODULE_PAYMENT_ALERTPAY_PRODUCT_TYPE) .
                               tep_draw_hidden_field('ap_returnurl', tep_href_link(FILENAME_CHECKOUT_PROCESS, '', 'SSL')) .
                               tep_draw_hidden_field('ap_cancelurl', tep_href_link(FILENAME_CHECKOUT_PAYMENT, '', 'SSL'));

      return $process_button_string;
 }

Note that this doesnt get presented to the user as a normal, simple payment button as such. It is integrated into the shopping cart system.

returnurl is set to a standard URL for all payments. And we have theAlertURL on the account set to the same.

I tried turning off IPNin case it is a conflict between AlertURL and return URL being the same page - made no difference.

Can anyone advise pelase? Thanks.

 Hi - any ideas on this at all?  Is it normal for no POST variable data to be sent? It sure doesnt seem like it would be normal ... my guess is I need to include some additional data in the form.

 Thanks

Hi Scapes, 

Please pm me your button code as well as your email address with which you have an account at AlertPay.

- Sadaf 

 Hi Sadaf,

 I sent the details by PM as soon as I got your post 2-3 days ago.  Can you confirm for me please that you received my PM and details?

Thanks,

 Kevin

Hello Kevin,

I did not receive your  PM, please send it again.

- Sadaf

 OK - sent again.  Thanks.

Kevin

 Wondering if you ever figured this out?

I installed this to my oscommerce shop and so far i got points & rewards, choose insurance (contributions) to work.  but i cannot pass the billing details to alertpay.

however... i can pass the customer name to ap_itemname!

This works:

tep_draw_hidden_field('ap_itemname', $order->customer['firstname'] . ' ' . $order->customer['lastname']) .

This does not:

tep_draw_hidden_field('ap_CustFirstName', $order->customer['firstname']) .

I'm a bit confused with this.  none of the customer details (including email) pass anywhere but to the  ap_itemname field.

We never had any problems with Alertpay module working correctly in OsCommerce, but did not try any customizations to it.

My issue was related to the fact that there are methods of creating fake orders in OsCommerce circulated as common knowledge on the web.  So I was adding specific coding to checkout_process to detect factors to identify the fake orders, and then not process the order.

It worked fine in all our other procesors (except Authorize.net which is not susceptible to the *** method in the first place).  But Alertpay was a failure. It seems it acts differently with regard to what it passes to the status(Alert) URL and the return/process URL. For some reason when the two are the same file,there is a conflict of some kind, meanign that POST variables can't be harvested for secondary purposes.  Nobody seems to know why.  The solution to my issue probably won't help your case - it was to set up a new separate file for the AlertURL which wrote some details to a database table about the transaction.  The process URL can then have some additional code aded to it that will lookup the databse table to check if the payment was made.  As it happens, the POST variables are still useless - I could write them to the database from the Alert URL, but the process URL still doesn't have them available, so they can't be used for comparisons.

Hope that helps in some way.

Hi,  My developer is having the same problem with variables not being recived by ipn. Can you advise please?

Hi

Ctbs, this is because you are using the incorrect name for customer's first name field. The correct name is without any caps; ap_custfirstname, please use that and you will not have any problems.

To find info on all the notification fields, please check pages 41-45  of the Merchant Integration Guide (available under Downloads).

CitizenX,  I have responded to your pm that you would need to create your buttons using Advanced Integration to be able to use custome fields (currently you are using Simple Setup). Please let me know if you need any further assistance.

- Sadaf

hi sadaf,

I tried without caps, same result (nothing passes to the customer details form).

I can pass the first & last name to:

tep_draw_hidden_field('ap_itemname', $order->customer['firstname'] . ' ' . $order->customer['lastname']) .

...perfectly.  Everything will send to this field, but I cannot populate the customers name, address or email address at all.

this is what my form looks like:

http://img242.imageshack.us/img242/4613/alertpayig2.jpg

Can you try using this IPN

http://dev.alertpay.com/forums/p/1710/4063.aspx

Then create a txt file as specifed in the script chomoded to 777 and post us the result?

 Hi ctbs,

I figured that yours is not an IPN issue, what you are trying to do is display customer's name on the payprocess. Currenlty we do not have this feature, however, it will be offered in the near future.

 - Sadaf

 oh bummer!  Is there an ETA on it's availability?

 Its in the design phase.

- Sadaf