Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

SECPay module modification needed


Guest

Recommended Posts

Posted

Hi

 

Secpay payment module help needed please.

 

1. Firstly we received the following from SECPay about possible fraud.

 

Dear Merchant

 

We have noticed a recent increase in the number of merchants being targeted by fraudsters who are exploiting some merchants’ interface with SECPay to verify stolen or generated card numbers.

We therefore strongly recommend all merchants who use a payment page hosted by SECPay (SECPage or SECCard) to implement a digest in your website’s communication with SECPay if you do not already do so.

Please refer to the integration guide section 9 for details on how to implement this relatively straightforward change.

http://www.secpay.com/docs/SECCardIntegrationGuide.pdf

By implementing a digest you will be protected against this increasingly common method of fraud.

For any further queries regarding this, please contact the Technical support team on 08701 904 146 or email [email protected]

Kind regards

Technical Support

 

 

2. Following this I looked on the contributions section and found the contribution for a SECPay module that implemented the digest key, I forwarded this to SECPay support to see if it was suitable and received the following message:-

 

 

 

OSCommerce currently only uses the digest on callback to check that the transaction has come from us. To complete the loop and ensure that we check that transactions only originate from your site needs quite a bit of recoding of the secpay payment module.

 

Form the transaction ID, this is mostly in the Contributions module

 

$trans_id = STORE_NAME . date('Ymdhis');

$trans_id = preg_replace('/[^[:alnum:]]/', '_', $trans_id);

 

Format the amount, borrowed from the amount field

 

$amount = number_format($order->info['total'] *

$currencies->get_value($sec_currency),

 

$currencies->currencies[$sec_currency]['decimal_places'], '.', '');

 

Set $remote_password to your merchant's remote password. With the

contributions module you should be able to use

MODULE_PAYMENT_SECPAY_REMOTE_PASSWORD as well.

 

$digest = MD5($trans_id . $amount . $remote_password);

 

Then to send it, within $process_button_string

 

tep_draw_hidden_field('digest', $digest) .

 

 

 

This is fine but I don’t know what to do as my PHP programming skills are virtually non existent.

 

For anyones information I have added the code for the SECPay module that had been contributed by Graham Bell on 8th Feb 2004. This enables you to add your SECPay digest key but does not do the whole job according to SECPay.

 

<?php

/*

$Id: secpay.php,v 1.31 2003/01/29 19:57:15 hpdl Exp $

 

osCommerce, Open Source E-Commerce Solutions

http://www.oscommerce.com

 

Copyright © 2003 osCommerce

 

Released under the GNU General Public License

 

Notes:-

Module uses 'secpay' as the default Digest Key. This must be changed to a

valid digest key before going live.

 

The Digest key is implemented as database resident (Configuration table) but may be

hard coded if required. See notes in the before_process function.

 

cb_flds in the hidden 'Options' form field uses the Session Id as default but any other

field or combination of fields may be used.

 

For details of the digest key and md_flds refer to the SECpay implementation manual

at http://www.secpay.com/tech.html or their User Manual at http://www.secpay.com/sc_api.html

 

*/

 

class secpay {

var $code, $title, $description, $enabled;

 

// class constructor

function secpay() {

global $order;

 

$this->code = 'secpay';

$this->title = MODULE_PAYMENT_SECPAY_TEXT_TITLE;

$this->description = MODULE_PAYMENT_SECPAY_TEXT_DESCRIPTION;

$this->sort_order = MODULE_PAYMENT_SECPAY_SORT_ORDER;

$this->enabled = ((MODULE_PAYMENT_SECPAY_STATUS == 'True') ? true : false);

 

if ((int)MODULE_PAYMENT_SECPAY_ORDER_STATUS_ID > 0) {

$this->order_status = MODULE_PAYMENT_SECPAY_ORDER_STATUS_ID;

}

 

if (is_object($order)) $this->update_status();

 

$this->form_action_url = 'https://www.secpay.com/java-bin/ValCard';

}

 

// class methods

function update_status() {

global $order;

 

if ( ($this->enabled == true) && ((int)MODULE_PAYMENT_SECPAY_ZONE > 0) ) {

$check_flag = false;

$check_query = tep_db_query("select zone_id from " . TABLE_ZONES_TO_GEO_ZONES . " where geo_zone_id = '" . MODULE_PAYMENT_SECPAY_ZONE . "' and zone_country_id = '" . $order->billing['country']['id'] . "' order by zone_id");

while ($check = tep_db_fetch_array($check_query)) {

if ($check['zone_id'] < 1) {

$check_flag = true;

break;

} elseif ($check['zone_id'] == $order->billing['zone_id']) {

$check_flag = true;

break;

}

}

 

if ($check_flag == false) {

$this->enabled = false;

}

}

}

 

function javascript_validation() {

return false;

}

 

function selection() {

return array('id' => $this->code,

'module' => $this->title);

}

 

function pre_confirmation_check() {

return false;

}

 

function confirmation() {

return false;

}

 

function process_button() {

global $order, $currencies, $currency;

 

switch (MODULE_PAYMENT_SECPAY_CURRENCY) {

case 'Default Currency':

$sec_currency = DEFAULT_CURRENCY;

break;

case 'Any Currency':

default:

$sec_currency = $currency;

break;

}

 

switch (MODULE_PAYMENT_SECPAY_TEST_STATUS) {

case 'Always Fail':

$test_status = 'false';

break;

case 'Production':

$test_status = 'live';

break;

case 'Always Successful':

default:

$test_status = 'true';

break;

}

 

$process_button_string = tep_draw_hidden_field('merchant', MODULE_PAYMENT_SECPAY_MERCHANT_ID) .

tep_draw_hidden_field('trans_id', STORE_NAME . date('Ymdhis')) .

tep_draw_hidden_field('amount', number_format($order->info['total'] * $currencies->get_value($sec_currency), $currencies->currencies[$sec_currency]['decimal_places'], '.', '')) .

tep_draw_hidden_field('bill_name', $order->billing['firstname'] . ' ' . $order->billing['lastname']) .

tep_draw_hidden_field('bill_addr_1', $order->billing['street_address']) .

tep_draw_hidden_field('bill_addr_2', $order->billing['suburb']) .

tep_draw_hidden_field('bill_city', $order->billing['city']) .

tep_draw_hidden_field('bill_state', $order->billing['state']) .

tep_draw_hidden_field('bill_post_code', $order->billing['postcode']) .

tep_draw_hidden_field('bill_country', $order->billing['country']['title']) .

tep_draw_hidden_field('bill_tel', $order->customer['telephone']) .

tep_draw_hidden_field('bill_email', $order->customer['email_address']) .

tep_draw_hidden_field('ship_name', $order->delivery['firstname'] . ' ' . $order->delivery['lastname']) .

tep_draw_hidden_field('ship_addr_1', $order->delivery['street_address']) .

tep_draw_hidden_field('ship_addr_2', $order->delivery['suburb']) .

tep_draw_hidden_field('ship_city', $order->delivery['city']) .

tep_draw_hidden_field('ship_state', $order->delivery['state']) .

tep_draw_hidden_field('ship_post_code', $order->delivery['postcode']) .

tep_draw_hidden_field('ship_country', $order->delivery['country']['title']) .

tep_draw_hidden_field('currency', $sec_currency) .

tep_draw_hidden_field('callback', tep_href_link(FILENAME_CHECKOUT_PROCESS, '', 'SSL', false) . ';' . tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'payment_error=' . $this->code, 'SSL', false)) .

tep_draw_hidden_field(tep_session_name(), tep_session_id()) .

// cb_flds uses the Session Id as default but any other field or combination of fields may be used

tep_draw_hidden_field('options', 'test_status=' . $test_status . ',dups=false,cb_flds=' . tep_session_name());

 

return $process_button_string;

}

 

function before_process() {

global $HTTP_GET_VARS;

 

if ($HTTP_GET_VARS['code'] == 'A' && !empty($HTTP_GET_VARS['auth_code']) && empty($HTTP_GET_VARS['resp_code']) && !empty($HTTP_GET_VARS['osCsid'])) {

// Hard code Digest Key here if required.

// $DIGEST_PASSWORD = "secpay" ;

list($REQUEST_URI, $CHECK_SUM) = split("hash=", $_SERVER['REQUEST_URI']) ;

if ($HTTP_GET_VARS['hash'] != MD5($REQUEST_URI.MODULE_PAYMENT_SECPAY_READERS_DIGEST)) {

tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, tep_session_name() . '=' . $HTTP_GET_VARS[tep_session_name()] . '&payment_error=' . $this->code, 'SSL', false, false));

}

 

 

}

}

 

function after_process() {

return false;

}

 

function get_error() {

global $HTTP_GET_VARS;

 

if ($HTTP_GET_VARS['code'] == "N") {

$error = "TRANSACTION WAS NOT AUTHORISED. PLEASE TRY ANOTHER CARD.";

}

elseif ($HTTP_GET_VARS['code'] == "C") {

$error = "There was a communications problem in contacing the bank, please try again.";

}

else {

$error = MODULE_PAYMENT_SECPAY_TEXT_ERROR_MESSAGE;

}

 

return array('title' => MODULE_PAYMENT_SECPAY_TEXT_ERROR,

'error' => $error);

}

 

function check() {

if (!isset($this->_check)) {

$check_query = tep_db_query("select configuration_value from " . TABLE_CONFIGURATION . " where configuration_key = 'MODULE_PAYMENT_SECPAY_STATUS'");

$this->_check = tep_db_num_rows($check_query);

}

return $this->_check;

}

 

function install() {

tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Enable SECpay Module', 'MODULE_PAYMENT_SECPAY_STATUS', 'True', 'Do you want to accept SECPay payments?', '6', '1', 'tep_cfg_select_option(array(\'True\', \'False\'), ', now())");

tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Merchant ID', 'MODULE_PAYMENT_SECPAY_MERCHANT_ID', 'secpay', 'Merchant ID to use for the SECPay service', '6', '2', now())");

tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Transaction Currency', 'MODULE_PAYMENT_SECPAY_CURRENCY', 'Any Currency', 'The currency to use for credit card transactions', '6', '3', 'tep_cfg_select_option(array(\'Any Currency\', \'Default Currency\'), ', now())");

tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Transaction Mode', 'MODULE_PAYMENT_SECPAY_TEST_STATUS', 'Always Successful', 'Transaction mode to use for the SECPay service', '6', '4', 'tep_cfg_select_option(array(\'Always Successful\', \'Always Fail\', \'Production\'), ', now())");

tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Sort order of display.', 'MODULE_PAYMENT_SECPAY_SORT_ORDER', '0', 'Sort order of display. Lowest is displayed first.', '6', '0', now())");

tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, use_function, set_function, date_added) values ('Payment Zone', 'MODULE_PAYMENT_SECPAY_ZONE', '0', 'If a zone is selected, only enable this payment method for that zone.', '6', '2', 'tep_get_zone_class_title', 'tep_cfg_pull_down_zone_classes(', now())");

tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, use_function, date_added) values ('Set Order Status', 'MODULE_PAYMENT_SECPAY_ORDER_STATUS_ID', '0', 'Set the status of orders made with this payment module to this value', '6', '0', 'tep_cfg_pull_down_order_statuses(', 'tep_get_order_status_name', now())");

tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Readers Digest', 'MODULE_PAYMENT_SECPAY_READERS_DIGEST', 'secpay', 'Digest Key', '6', '0', now())");

}

 

function remove() {

tep_db_query("delete from " . TABLE_CONFIGURATION . " where configuration_key in ('" . implode("', '", $this->keys()) . "')");

}

 

function keys() {

return array('MODULE_PAYMENT_SECPAY_STATUS', 'MODULE_PAYMENT_SECPAY_MERCHANT_ID', 'MODULE_PAYMENT_SECPAY_CURRENCY', 'MODULE_PAYMENT_SECPAY_TEST_STATUS', 'MODULE_PAYMENT_SECPAY_ZONE', 'MODULE_PAYMENT_SECPAY_ORDER_STATUS_ID', 'MODULE_PAYMENT_SECPAY_SORT_ORDER', 'MODULE_PAYMENT_SECPAY_READERS_DIGEST');

}

}

?>

I finally received the following from SECPay after I had emailed them as to how the system worked:-

 

There are two passwords involved in digest/hash authentication.

 

The Remote Password is used in generating the digest that you submit to us with the transactions.

 

The Digest Key is used in generating the hash that we return in the callback.

 

Both can be set through our merchant area under Remote Passwords (select the required password from the password type drop-down list).

 

None of the contributed SECPay modules for osCommerce support digest checking from you to us so you will need to modify the module yourself in line with our advice, or seek assistance from someone experienced in PHP.

 

So can anybody help me with this.

 

Thanks

 

Mark

  • 2 months later...
Posted
...So can anybody help me with this...

If this is still an issue for you then feel free to email me - I have a version of the secpay module (and a few other supporting files) that fully implement the authentication and fixes a few other issues with the secpay transaction such as it sometimes failing to return to the osc site correctly (leaving you with a blank page), adding some error pages, and fixing some bugs that exist in the official contribution. I'm afraid I'm not allowed to post the contribution up to this site because the licence for some of the code is not GPL and that goes against the contribution policy.

 

regards

 

Rich.

Posted
If this is still an issue for you then feel free to email me - I have a version of the secpay module (and a few other supporting files) that fully implement the authentication and fixes a few other issues with the secpay transaction such as it sometimes failing to return to the osc site correctly (leaving you with a blank page), adding some error pages, and fixing some bugs that exist in the official contribution. I'm afraid I'm not allowed to post the contribution up to this site because the licence for some of the code is not GPL and that goes against the contribution policy.

 

regards

 

Rich.

 

Hi Rich

 

I'd be very grateful for a copy of your version of the Secpay module.

 

Regards

 

Stuart

Posted

I've now had a couple of requests for this and can I just say to anyone else out there that is interested, can you please EMAIL me. Do NOT PM me - I don't often login to this site and so if you PM me, it could be some time before I notice!

 

Oh, and just for the record, I am going to look at the 3D authentication thingie very soon and make the necessary changes; I don't think there's much to it.

 

Rich

  • 4 months later...
Posted

I've had ongoing problems with my SECpay checkout which SECpay themselves have ben unable to help me with. I've replaced the secpay.php module at their suggestion and also checked all the settings but still the checkout takes well over one minute to return to my success page and during this time displays a really naff screen which says "Transaction complete" this must be a secpay screen but they just keep telling me that when they test it everything works fine for them. This is #345 in the idiots guide to help desk excuses.

I've just spent another full day trying to solve this and am begining to think that maybe protx is the answer. Anyone any comments/experience...Help would be great but I think unless CMOTD sends me the updated secpay file nothing else I or SECpay do is likely to help

  • 2 weeks later...
Posted

Still no solution to this problem.

SECPay now tell me that they do not see what I describe as the interim screen because they have been testing with Firefox. They do experience the same delay with the callback of one minute plus. If there are known problems with SECPay.php and with the absence of CMOTD from these boards, has anyone else had a similar problem? SECPay also suggested removing the java redirect from the SECPay payment module, placed after the user name in the form username-jredir but when I do this I hget the following error:

 

Template : http://www.mysite.com/checkout_process.php...meoutException: Read timed out

 

Please contact merchant [email protected] and ask them to correct their callback.

 

This transaction succeeded and the reference was 'mysite200711040XXXXX' regardless of the failure to contact the merchant your order was successful

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...