Authorize.net SIM bugs

Posted: August 11, 2012 at 10:48 am


Colin Stearman

August 11, 2012 at 10:48 am

I have discovered several problems in the authorize.net SIM processing code. The version I was looking at was 3.1.26. In Authorize.php the existing code looks like this:

        public function validateIpn() {
            foreach ($_POST as $field => $value) {
                $this->ipnData["$field"] = $value;
            }
            $invoice = intval($this->ipnData['x_invoice_num']);
            $pnref = $this->ipnData['x_trans_id'];
            $amount = doubleval($this->ipnData['x_amount']);
            $result = intval($this->ipnData['x_response_code']);
            $respmsg = $this->ipnData['x_response_reason_text'];
            $md5source = $this->secret . $this->login . $this->ipnData['x_trans_id'] . $this->ipnData['x_amount'];
            $md5 = md5($md5source);
            if ($result == '1') {
                // Valid IPN transaction.
                $this->logResults(true);
                return true;
            } else if ($result != '1') {
                $this->lastError = $respmsg;
                $this->logResults(false);
                return false;
            } else if (strtoupper($md5) != $this->ipnData['x_MD5_Hash']) {
                $this->lastError = 'MD5 mismatch';
                $this->logResults(false);
                return false;
            }
        }

The testing of $result is wrong. It’s either “1” or it isn’t, so the md5 check is never done. In addition, it returns false whenever $result is not “1” (i.e., not a successful transaction), so the code in authnet_ipn.php, where the call is made from, never has a chance to display the cause of the problem properly (it displays (IPN response did not validate) instead, which is not necessarily true). To fix this problem I have re-written the function as follows:

        public function validateIpn() {
            // Copy the posted relay-response fields into the object.
            foreach ($_POST as $field => $value) {
                $this->ipnData["$field"] = $value;
            }
            $invoice = intval($this->ipnData['x_invoice_num']);
            $pnref = $this->ipnData['x_trans_id'];
            $amount = doubleval($this->ipnData['x_amount']);
            $result = intval($this->ipnData['x_response_code']);
            $respmsg = $this->ipnData['x_response_reason_text'];
            $md5source = $this->secret . $this->login . $this->ipnData['x_trans_id'] . $this->ipnData['x_amount'];
            $md5 = md5($md5source);
            // Strict comparison: with != two hex strings of the form "0E<digits>"
            // are compared as numbers and treated as equal.
            if (strtoupper($md5) !== $this->ipnData['x_MD5_Hash']) {
                $this->lastError = 'MD5 mismatch';
                $this->logResults(false);
                return false;
            }
            // Hash verified; the caller reads x_response_code to report the outcome.
            $this->logResults(true);
            return true;
        }

This seems to work just fine. Please confirm and add to your next release. As the md5 transaction ID is never getting checked right now, this is a security issue.

Also there is a benign typo in authnet_ipn.php on line 85:

<strong>Error:</strong> (IPN response did not validate) ?>

The ?> doesn’t belong there.

Hope this helps!



Colin Stearman

August 11, 2012 at 11:04 am

One thing I should have noted, if you make the changes I outlined, it is ESSENTIAL that you configure the MD5 Hash in your authorize.net account to match the value you put in the Espresso Payment Settings for the Authorize.net Transaction Key, because now it’s being checked and all transactions will fail if it’s wrong.
If you get an (IPN response did not validate) error it’s not set up right!
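
Added example, not part of the original posts and not Event Espresso code: one way to order the checks discussed above so that the hash is verified before the response code is read, and a hash mismatch stays distinguishable from a declined transaction. The function name classify_relay_response and all sample values are hypothetical; the hash input follows the posted code, and hash_equals() assumes PHP 5.6 or later.

```php
<?php
// Added example, not Event Espresso code. Names are hypothetical.
// Requires PHP 5.6+ for hash_equals().

/**
 * Authenticate the relay response first, then read its outcome.
 * Returns 'forged', 'declined' or 'approved'.
 */
function classify_relay_response(array $post, $secret, $login)
{
    // A missing or non-string field fails the check instead of hashing as ''.
    foreach (array('x_trans_id', 'x_amount', 'x_MD5_Hash', 'x_response_code') as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            return 'forged';
        }
    }
    // Same input the posted code hashes: secret . login . trans id . amount.
    $expected = strtoupper(md5($secret . $login . $post['x_trans_id'] . $post['x_amount']));
    $received = strtoupper($post['x_MD5_Hash']);

    // hash_equals() compares strings in constant time; unlike != it never
    // treats two "0E<digits>" strings as equal numbers.
    if (!hash_equals($expected, $received)) {
        return 'forged';
    }
    // Only an authenticated response may report the transaction outcome.
    return $post['x_response_code'] === '1' ? 'approved' : 'declined';
}

// Constructed sample values, for illustration only.
$secret = 'example-md5-hash-value';
$login  = 'example-login';
$good   = array(
    'x_trans_id'      => '1234567890',
    'x_amount'        => '25.00',
    'x_response_code' => '1',
);
$good['x_MD5_Hash'] = strtoupper(md5($secret . $login . $good['x_trans_id'] . $good['x_amount']));

$declined = array_merge($good, array('x_response_code' => '2'));
$forged   = array_merge($good, array('x_MD5_Hash' => str_repeat('0', 32)));

foreach (array('good' => $good, 'declined' => $declined, 'forged' => $forged) as $name => $post) {
    echo $name, ': ', classify_relay_response($post, $secret, $login), PHP_EOL;
}
```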


Seth Shoultes

  • Support Staff

August 11, 2012 at 1:09 pm

Thanks Colin. We just re-wrote the gateway system. I will let the developers know.


Richard Stearman

August 11, 2012 at 10:42 pm

I am currently working with the gateway developer on this issue and he/I will have some final suggested hack code to the current version soon. I would suggest not implementing my changes above until then as there may be other side effects I was not aware of when I wrote it.


isavage

August 28, 2012 at 8:08 am

I am using the Authorize.net settings with the new release. And, I keep getting this error message: #5 “A valid amount is required.”

It seems it doesn’t recognize the dollar amount as a number. Nothing will process. HELP!


Sidney Harrell

August 28, 2012 at 12:12 pm

Could you fill out the form here: https://eventespresso.com/contact/ and choose “I am sending login information as requested” from the dropdown. Please include ftp login information as well as wp-admin login information, as I may need to put some debugging code into the code installed on your site in order to diagnose the problem. I suspect that the mysql query on line 52 of process_payments.php is returning empty due to a database collation definition mismatch, but it’s hard to say for sure until I can run some tests and get some feedback. Thanks.

The support post ‘Authorize.net SIM bugs’ is closed to new replies.
