Posted by Liliplanet on August 25, 2010 at 10:03am
7 followers
Jump to:
| Project: | Ubercart |
| Version: | 7.x-3.x-dev |
| Component: | Payment |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | active |
Issue Summary
Hi,
Since the security upgrade of Ubercart on the 11th of August and the change in notes: (UC 2Checkout doesn't validate the payment notification properly.)
I'm receiving Attempted unverified 2Checkout completion for this order
The payment goes through at 2Checkout.com, but does not in our case, upgrade the role assigned to the payment.
It used to work perfectly before upgrade :)
Please, how can I debug this or has someone perhaps come across this as well?
Look most forward to any reply, and thank you.
Lilian
Comments
#1
Hi Lilian,
I just encountered this same problem for my client and tracked it down just now. The failure happens because the md5 generated key from 2checkout doesn't match the one created in the uc_2checkout file: uc_2checkout.pages.inc
In that file on line 20:
$_POST[merchant_order_id']Should be changed to:
$_POST['order_number']Making this change in uc_2checkout.pages.inc will allow the md5 keys to match and fix the problem!
I'll try to be more official and make a patch or something in the future, but wanted to put this out here in case people are stuck.
-Stephen Ryan
#2
If someone can confirm the fix in #1 works, I can have it committed.
#3
Yes, fix #1 works :) Thank you ..
#4
hey! I'm getting exactly the same problem, and unfortunately your fix didn't work.
That's very interesting, I've even var dumped values and checked 2co docs. it should work, but it doesn't work.
my validation string looks like that now:
$valid = md5(variable_get('uc_2checkout_secret_word', 'tango') . $_POST['sid'] . $_POST['order_number'] . $_POST['total']);
still trying to solve the issue...
#5
I'm facing same issue, tried fix #1 and that did not work, key output is still different from 2CO passback. Also found reports of what seem to be the same issue on ubercart.org at http://www.ubercart.org/forum/support/18439/drupalubercart_not_finalizin...
#6
According to 2CO integration guide the key that it posts for the order uses the following formula: md5 (secret word + vendor number + order number + total)
See full help text here: http://www.2checkout.com/documentation/UsersGuide2/chapter6/md5-hash.html
#7
In demo mode the 2CO hash is formed with the number 1 in place of order number, as in: md5 (secret word + vendor number + 1 + total).
The fix #1 should work according to the 2CO documentation, however I cannot confirm because my store is in demo mode.
The following works for me in 2CO demo mode and applies original fix #1 for regular mode:
<?php//in demo mode 2CO uses 1 as the order number in the hash but still passes a real order number in the variable POST or GET variable
if($_POST['demo'] == 'Y'){
$order_number_passed = 1;
} else{
$order_number_passed = $_POST['order_number'];
}
$valid = md5(variable_get('uc_2checkout_secret_word', 'tango') . $_POST['sid'] . $order_number_passed . $_POST['total']);
?>
#8
subscribe
#9
Hi,
I've upgraded to latest 6.x-2.x-dev as it is required to updated to the latest dev version before starting to migrate to D7.
Again this problem seems to be in place: Attempted unverified 2Checkout completion for this order
I'm not able to patch #1 or #7 as code does not correspond in uc_2checkout.pages.inc
$key = $_POST['key'];
$valid = md5(variable_get('uc_2checkout_secret_word', 'tango') . $_POST['sid'] . $_POST['merchant_order_id'] . $_POST['total']);
if (strtolower($key) != strtolower($valid)) {
uc_order_comment_save($order->order_id, 0, t('Attempted unverified 2Checkout completion for this order.'), 'admin');
return MENU_ACCESS_DENIED;
}
if ($_POST['demo'] == 'Y' xor variable_get('uc_2checkout_demo', TRUE)) {
watchdog('uc_2checkout', 'The 2checkout payment for order <a href="!order_url">@order_id</a> demo flag was set to %flag, but the module is set to %mode mode.',
array('!order_url' => url('admin/store/orders/'. $order->order_id), '@order_id' => $order->order_id, '%flag' => $_POST['demo'] == 'Y' ? 'Y' : 'N', '%mode' => variable_get('uc_2checkout_demo', TRUE) ? 'Y' : 'N'), WATCHDOG_ERROR);
if (!variable_get('uc_2checkout_demo', TRUE)) {
return MENU_ACCESS_DENIED;
Would most appreciate any fix, and thank you :)
#10
The problem still exists because there has been no proposed solution that has been confirmed to work.
The proposed solution in #1 did not work as reported by #4 and #5.
The solution in #7 is the same as #1, except that it adds a conditional for demo mode. It's possible that #4 and #5 failed because they were using demo mode, and that if they try #7 it will work for them, but those individuals have not followed up on this issue so it's impossible to tell.
The procedure described in #1 still applies to the current -dev: Search for the line with the md5 calculation and substitute order_number where it says merchant_order_id.
#11
Hi,
Thank you so much for your suggestion in #10 that is "substitute order_number where it says merchant_order_id"
It creates even more errors .. so tried to go back to ubercart 6.x-2.4 (August 11, 2010) where 2checkout did not have problems, but the update to 6.x-2.4 dev upgraded tables and unfortunately also big time errors .. thus not an option.
Has anyone found a solution as yet please? Would most appreciate a fix :)
#12
Hi,
My income is starting to take a hit here as users are not granted access after credit card payments through 2checkout.com and then asking for refunds (:
Attempted unverified 2Checkout completion for this order
As Ubercart 6.x-2.4 (August 11, 2010) did not have this problem, and the update to 6.x-2.6 upgraded tables, is there a way I can revert to Ubercart 6.x-2.4 please (iow before the upgrade to .dev)
Or perhaps you have found a fix to this serious problem please?
Would most appreciate any suggestions how to revert to 6.x-2.4 or any fix would be immensely appreciated :)
#13
bump sorry, please anyone with a solution?
Hi,
I upgraded my whole site (which was not easy :) to D7 just hoping that this 2checkout.com issue has been resolved in the new version.
Unfortunately still getting Attempted unverified 2Checkout completion for this order
Please has anyone found a fix for Ubercart 7.x-3 and 2Checkout compatibility?
Most appreciate any reply :)
Lilian
#14
Yeah, a solution has been provided by support at 2checkout.com ..
I have dealt with a similar error from Ubercart before.
Please make sure that your secret word is set as tango in your Ubercart configuration and please change line 20 to:
$valid = md5(variable_get('uc_2checkout_secret_word', 'tango') . $_POST['sid'] . $_POST['order_number'] . $_POST['total']);
I know that you did this before but after you upgraded it loaded up the incorrect files again. Also, please note that demo sales will also cause the hash verification to fail as we compute the hash using a "1" for the order number on demo sales so you will want to test using a live sale (under $5.00). Also, I changed your return method to the one that is recommended for UberCart.
Most appreciate everyone's kind help.
#15
...and we're right back to where we were in #10. Please read that post again.
@Liliplanet, your "solution provided by support at 2checkout.com" is exactly what was suggested in #1. But in #11 you said that didn't work - "It creates even more errors" in your words. So are you now saying it *does* work?
There seems to be one additional ingredient in that note from support that has not been mentioned before: "I changed your return method to the one that is recommended for UberCart." I'm guessing this is some setting that needs to be configured on the 2Checkout end? Perhaps you can write a README.txt to document this setting, what it should be, and how to change it? That would be a useful addition to this module and would help others to avoid this problem.
Open source software is developed by the community. That's you. It relies on the *users* (again, you) to report problems AND to develop and test fixes. If you're the only one who cares about the 2Checkout payment method, then it falls on your shoulders to figure out how to fix it - no one else is obligated to do the work for you. You are the beneficiary of an enormous amount of volunteer effort that went into the development of Drupal and Ubercart, so consider this as your share of the community burden.
This thread has a suggested fix which the users (again, you) have said doesn't work. No user has proposed an alternate fix. This issue will remain unresolved until there is a proposed fix that is confirmed to work. You can do your part by documenting exactly what you had to do to fix it, and by clarifying exactly why you first said it worked (#3), then said it didn't work (#11), then said again it did work (#14).
#16
I see this has been committed. Tested.
#17
No fixes have been committed.
#18
#19