deltrum
Posted February 14, 2013 (edited)

Hi,

I have installed the following contribution and all is working okay in respect of communication with the Commweb VPC payment gateway.

http://addons.oscommerce.com/info/3968

The problem occurs when the customer is being redirected back to the merchant. Oscommerce does not store the order and the customer is met with the following message:

    A credit card error has occured. Please verify your submitted details and resubmit. If this problem persists and please contact us.

The error message I receive by email is as follows:

    There was an error when processing a transaction response from the MIGS Payment Gateway
    Secure Hash was not able to be verified against the Secret Hash, possible tampering with response
    Details of the Error are as follows
    MIGS:
    session_id=f3f13453a0479fbbd67818d8a671bf35
    session_name=osCsid
    vpc_AVSRequestCode=Z
    vpc_AVSResultCode=Unsupported
    vpc_AcqAVSRespCode=Unsupported
    vpc_AcqCSCRespCode=Unsupported
    vpc_AcqResponseCode=00
    vpc_Amount=59500
    vpc_AuthorizeId=214470
    vpc_BatchNo=20130213
    vpc_CSCResultCode=Unsupported
    vpc_Card=MC
    vpc_Command=pay
    vpc_Locale=en_AU
    vpc_MerchTxnRef=test3AT201302132318301
    vpc_Merchant=*****************
    vpc_Message=Approved
    vpc_OrderInfo=test3AT20130213231830
    vpc_ReceiptNo=304423214470
    vpc_TransactionNo=8

The secret hash has been entered correctly but the VPC is not able to authenticate. The merchant ID is currently running in Test Mode. Could this be the problem?????

I really need some help on this one...

Thanks

Edited February 14, 2013 by deltrum

deltrum (Author)
Posted February 19, 2013

Okay, so have started to look at the code myself. This is from the cc_via_migs.php module file:

    if ($verifiedHash == false) {
        // Notify System Admin of the alteration or forgery by attempting to collect information from
        // the user, such as their Customer ID, Order ID, IP etc, to double check records CC Merchant Account against
        // in case the order was in fact processed
        // defined() takes the constant name as a string
        $errorMsg = (defined('MODULE_PAYMENT_MIGS_TEXT_ERROR_DESCRIPTION_SECURE_HASH_NOT_VALID')
            ? MODULE_PAYMENT_MIGS_TEXT_ERROR_DESCRIPTION_SECURE_HASH_NOT_VALID
            : "Secure Hash was not able to be verified against the Secret Hash, possible tampering with response");
        $this->sendNotifyEmail($errorMsg, $responseArray);
        // Redirect with a error message such as Tampering has occured with the response and to contact Admin to resolve
        //tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'payment_error=' . urlencode($errorMsg), 'SSL', true, false));
        tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'payment_error=cc_via_migs', 'SSL', true, false));

deltrum (Author)
Posted February 19, 2013

Here is the code prior to the above:

                // Get the Secure Connection to the VPC and Buffer communication
                ob_start();
                $clientURL = curl_init(); // Initialise the client url variables
                // REFER to curl_setopt for more options as suits your requirements
                // such as Verify SSL, Proxy etc
                curl_setopt($clientURL, CURLOPT_URL, $vpcURL);
                curl_setopt($clientURL, CURLOPT_POST, 1);
                curl_setopt($clientURL, CURLOPT_POSTFIELDS, $postRequestData);
                curl_exec($clientURL); // Open connection
                $vpcResponse = ob_get_contents(); // Get result
                ob_end_clean(); // Finish with the buffer
                // Check for errors
                if (strchr($vpcResponse, "<html>"))
                    $errorMessage = $vpcResponse;
                else if (curl_error($clientURL))
                    $errorMessage = "CURL ERROR: " . curl_errno($clientURL) . " " . curl_error($clientURL);
                // Communication Issues should be sent to Administrator, not to screen
                curl_close($clientURL); // Close the connection
                // explode() replaces the deprecated split(); limit 2 keeps any '=' inside a value
                $responseKeyVals = explode("&", $vpcResponse);
                foreach ($responseKeyVals as $val) {
                    $param = explode("=", $val, 2);
                    $responseArray[urldecode($param[0])] = urldecode($param[1]);
                }
                // Send the test information to the notify email
                if ($this->isTestMode()) $this->sendNotifyEmail($errorMessage, $responseArray);
                if (!empty($errorMessage)) {
                    $this->sendNotifyEmail($errorMessage, $responseArray);
                    $transactionResponse = '1';
                } else {
                    // Process the results and determine the transactions status
                    $transactionResponse = $responseArray['vpc_TxnResponseCode'];
                }
            } else {
                // Process the Server hosted requirements
                // Key Sort the variables and extract any unwanted variables
                unset($_POST['x']);
                unset($_POST['y']);
                // Specify the Access Code
                $_POST['vpc_AccessCode'] = $this->getAccessCode();
                // $_POST['vpc_Amount'] = intval((number_format($order->info['total'])) * 100); // Convert to Cents by Multiplying by 100
                $_POST['vpc_Amount'] = intval((round($order->info['total'], 2)) * 100);
                ksort($_POST);
                // Get the URL and append the variables
                $vpcURL = $this->getVPCUrl() . "?";
                $secureSecret = $this->getSecretHash();
                $md5HashData = $secureSecret;
                foreach ($_POST as $key => $value) {
                    if (!empty($value)) { // Eliminate the empty variables
                        $vpcURL .= urlencode($key) . '=' . urlencode($value) . '&';
                        $md5HashData .= $value; // Append to md5 hash data
                    }
                }
                // Calculate the Hash
                // Handle mayOmmitHash privilege on the Server
                // Change MODULE_PAYMENT_MIGS_MAY_OMMIT_HASH at top of file to toggle this function
                if (!defined('MODULE_PAYMENT_MIGS_MAY_OMMIT_HASH') || MODULE_PAYMENT_MIGS_MAY_OMMIT_HASH == false) {
                    if (!empty($secureSecret)) {
                        $vpcURL .= "vpc_SecureHash=" . strtoupper(md5($md5HashData));
                    }
                }
                // Perform the process
                //die($vpcURL); // Testing Purposes you can uncomment to verify details before submitted
                header("Location: " . $vpcURL);
                die();
            }
        } else {
            // Assume resuming processing from check out process
            // Verify the secure hash to ensure that the communication wasn't altered or forged
            $secureHashResponse = $_GET['vpc_SecureHash'];
            $transactionResponse = $_GET['vpc_TxnResponseCode'];
            unset($_GET['vpc_SecureHash']);
            $responseArray = $_GET; // every remaining GET parameter goes into the hash below
            if (!empty($secureHashResponse) && $transactionResponse !== '7') {
                // Create the md5 based off fields and our secret hash
                $md5HashData = $this->getSecretHash();
                ksort($responseArray); // Should arrive in order
                foreach ($responseArray as $key => $value) {
                    if (strlen($value) > 0) {
                        $md5HashData .= $value;
                    }
                }
                // Check the SecureHashResponse against our generated md5 hash to verify the key
                if (strtoupper($secureHashResponse) == strtoupper(md5($md5HashData))) {
                    $verifiedHash = true;
                    //die('Verified Successfully');
                }
            } else {
                // Notify System Admin of the event that the SecretHash could not be verified as it wasn't present
                // defined() takes the constant name as a string
                $errorMsg = (defined('MODULE_PAYMENT_MIGS_TEXT_ERROR_DESCRIPTION_SECURE_HASH_NOT_PRESENT')
                    ? MODULE_PAYMENT_MIGS_TEXT_ERROR_DESCRIPTION_SECURE_HASH_NOT_PRESENT
                    : "Secure Hash not present in Response from MIGS Payment Server for Payment");
                $this->sendNotifyEmail($errorMsg, $responseArray);
                // Redirect user with an error message saying that the response from the server was not complete and
                // that we can not verify your payment. Please contact Admin to resolve
                //tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'payment_error=' . urlencode($errorMsg), 'SSL', true, false));
                tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'payment_error=cc_via_migs', 'SSL', true, false));

deltrum (Author)
Posted February 25, 2013

Really could do with some help on this one...

Bob Terveuren
Posted February 26, 2013

Hi

There's a line in the code:

    // Check the SecureHashResponse against our generated md5 hash to verify the key
    if (strtoupper($secureHashResponse) == strtoupper(md5($md5HashData))) {
        $verifiedHash = true;
        //die('Verified Successfully');
    }

$verifiedHash is = false so the module throws the error you are getting - this takes place in the before_process() part of the checkout_process.php file so the order is never going to be saved as the customer is then redirected to the payment page.

You need to find out why strtoupper($secureHashResponse) == strtoupper(md5($md5HashData)) is not working.

Your server should be trying to match the string from the payment server by:

1) get your 'secret' pass
2) get all the incoming data fields from the payment server, sort them alphabetically, skip any empty fields, add them to the secret pass
3) now MD5 that string and it should equal $secureHashResponse from the payment server

Check that the same secret pass is in place at the bank and at your store server - if there are any non-alphanumeric characters in there then change them and try again.

If it still does not work you'll need to dig deeper:

    if (!empty($secureHashResponse) && $transactionResponse !== '7') {
        // Create the md5 based off fields and our secret hash
        $md5HashData = $this->getSecretHash();
        ksort($responseArray); // Should arrive in order
        foreach ($responseArray as $key => $value) {
            if (strlen($value) > 0) {
                $md5HashData .= $value;
            }
        }
        // wee check
        // temporary: prints the hash input (which starts with the secret) to the browser, remove after testing
        die('Local hash data =' . $md5HashData . '<br>Local generated=' . strtoupper(md5($md5HashData)) . '<br>Remote value=' . strtoupper($secureHashResponse));
        //end check
        // Check the SecureHashResponse against our generated md5 hash to verify the key
        if (strtoupper($secureHashResponse) == strtoupper(md5($md5HashData))) {
            $verifiedHash = true;
            //die('Verified Successfully');
        }

There's an extra line there that should print out the locally constructed string and the server string - that may chuck up some possibilities
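
The three-step check described in the post above, as an added example that is not part of the original thread or of the contribution's code: it recomputes the hash and reports which fields went into it without printing the secret. The secret, the field values, the function name `migs_check_hash` and the `vpc_` prefix filter are assumptions made for illustration; the module as posted hashes every remaining GET parameter, so the constructed sample adds an `osCsid` parameter to show what a store-side field does to the local digest.

```php
<?php
// Added example, not the contribution's code. Secret and field values are constructed.
// Recomputes the MD5 secure hash as the module does: secret first, then the values
// of all non-empty fields in key order. Returns only data that is safe to log.
function migs_check_hash(array $params, $secret, $onlyPrefix = null)
{
    $received = isset($params['vpc_SecureHash']) ? $params['vpc_SecureHash'] : '';
    unset($params['vpc_SecureHash']);      // the hash never covers itself
    ksort($params);                        // same ordering as the module

    $data = $secret;
    $used = array();
    foreach ($params as $key => $value) {
        if ($onlyPrefix !== null && strpos($key, $onlyPrefix) !== 0) {
            continue;                      // hypothetical filter (assumption)
        }
        if (strlen($value) > 0) {          // skip empty fields
            $data .= $value;
            $used[] = $key;
        }
    }
    $local = strtoupper(md5($data));
    return array(
        'fields'   => $used,               // names only, no values
        'local'    => $local,
        'received' => strtoupper($received),
        'match'    => hash_equals($local, strtoupper($received)), // constant-time compare
    );
}

// Constructed sample: the fields a gateway would sign, with a made-up secret.
$secret = 'EXAMPLESECRET0123456789';
$signed = array('vpc_Amount' => '59500', 'vpc_Command' => 'pay',
                'vpc_Message' => 'Approved', 'vpc_TxnResponseCode' => '0');
ksort($signed);
$signed['vpc_SecureHash'] = strtoupper(md5($secret . implode('', $signed)));

// The store receives the same fields plus one parameter of its own (assumption).
$get = $signed + array('osCsid' => 'constructedsessionid');

$all = migs_check_hash($get, $secret);          // every GET parameter, as the module does
$vpc = migs_check_hash($get, $secret, 'vpc_');  // gateway fields only
var_dump($all['match'], $vpc['match']);
print_r($all['fields']);
```

Comparing the `fields` list against the parameters the gateway actually sent shows whether anything extra is being hashed locally; the digests can go to a log or the admin e-mail instead of the browser.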

deltrum (Author)
Posted February 28, 2013

Hi Bob,

Many thanks for your help. When I apply that code, no payment modules show in Admin?

If you can help, it would be much appreciated.

Thanks
Barry