On my website I have a shopping cart. The shopping cart is based on midicart (PHP), which is where I started many years ago but I have greatly modified and extended it.
Now, I also support unattended downloads of purchased software, AND I take paypal. This combination required me to do a fully customized integration of paypal into my site so that the download is authorized only after the payment is cleared, which could take days.
Well, that integration was complete a couple of years ago, and it has worked just fine until recently. In the recent past, my hosting company has made some server upgrades and changes that have broken many pieces of my site, and I have had to put a fair amount of time into debugging problems they introduced. Recently, they made a change that broke cURL on their end and took my ecommerce section completely down. After a number of complaints, they made a change (I don't know what) that brought cURL back online. My current issue *probably* isn't a cURL issue, but I am not absolutely positive of that. In fact, I have no idea what is causing this.
Here is what happens.
Midicart uses several HTML frames. One frame is the frame in which the user enters purchase information and selects payment options.
After choosing an item to purchase, the user chooses to checkout, then is presented with a credit card/paypal choice screen. If they select paypal, they are taken to a checkout screen where they fill in their information so my site has it. Then, they click on a button labeled "Proceed to PayPal", which invokes a script called order_transfer_paypal.php via a POST.
This script processes their order, validating information and so forth, then constructs an appropriate transaction to paypal and, using cURL, posts the transaction to paypal.
PayPal responds with a login screen which is displayed in my shopping cart frames. The user logs into paypal, finds that paypal knows about the transaction they are completing, transfers the funds, logs out of paypal, and automatically finds himself back at my site, with all the communications details handled in the background.
At least, that is how it used to work.
What is happening now is that the paypal screen gets downloaded through cURL and passed to the client browser for display. Then, after a second or two, the client browser by itself sends a GET to the server, requesting order_transfer_paypal.php without apparently being told to do this by anyone. Further, this request is occurring outside of any frames and the entire frame structure vanishes.
Since the script is being reinvoked with a GET, it does not contain any of the information on the transaction and a crack detector in the script promptly bombs the script with the words "crack attempt".
Here is the segment of code in order_transfer_paypal.php that handles the actual transaction:
Code:
if ($purch_validated) {
    // (do lots of order processing, database, and emailing things)

    // now build the paypal transaction
    $postfields  = "cmd=".urlencode("ext-enter")."&";
    $postfields .= "redirect_cmd=".urlencode("_xclick")."&";
    $postfields .= "business=".urlencode($pp_business)."&";
    $postfields .= "amount=$total&";
    $postfields .= "currency_code=USD&";
    $postfields .= "notify_url=".urlencode("$securesite/paypal_notify.php")."&";
    $postfields .= "return=".urlencode("$securesite/paypal_return.php")."&";
    $postfields .= "cancel_return=".urlencode("$securesite/paypal_cancel.php")."&";
    // no stray space before the separator, and encode the value like the others
    $postfields .= "invoice=".urlencode($cart_id)."&";
    $postfields .= "item_name=".urlencode("Payment for Order Number $cart_id");

    echo "post is $postfields sent to $pp_gateway\n";   // debug output
    $ch = curl_init();
    echo "session is $ch\n";                            // debug output
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);
    curl_setopt($ch, CURLOPT_HEADER, false);
    curl_setopt($ch, CURLOPT_URL, $pp_gateway);
    curl_setopt($ch, CURLOPT_FORBID_REUSE, false);
    // false: curl_exec() writes PayPal's response straight to the browser
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, false);
    echo " executing curl ";
    //exit();
    $response = curl_exec($ch);     // boolean here, not the page body
    echo "response is $response\n";
    //exit();
    if (curl_errno($ch)) {
        print curl_error($ch);
    }
    curl_close($ch);                // release the handle on success and on error
}
This is the script being executed and re-executed. I cannot see HOW that script could be getting re-executed. I have no clue why the browser is directly requesting it after the POST from the previous form.
The previous php script is named order_paypal.php, and the actual FORM statement in it is this:
Code:
<form onSubmit="return form_validator(this)" action="order_transfer_paypal.php" method="post">
The JavaScript validator here is just that: it makes sure all required fields are filled in.
There is no reference to order_transfer_paypal.php anyplace in the entire shopping cart other than this reference here.
There is no reference to this script in the page downloaded from paypal either.
There are no javascript reload or refresh commands anyplace in the shopping cart. There are no refresh meta tags in the shopping cart.
The one remaining piece of information that might have any validity is an entry in the server error logs:
Code:
[24-Oct-2008 17:34:03] PHP Warning: Zend Optimizer for PHP 5.2.x cannot be found (expected at '/usr/local/Zend/lib/Optimizer_TS-2.5.10/php-5.2.x/ZendOptimizer.so') - try reinstalling the Zend Optimizer in Unknown on line 0
Does anyone have any idea what could be causing this? Anyone who wants to see it can visit my site at
http://www.softwareforlandlords.com and go to the purchase page.
Pick a product, any product. You will be taken to the shopping cart where there will be a display and a brief description of the product. Click the "buy" button, then choose to check out. Select the paypal option, and put something in all the required fields. Select "proceed to paypal" and watch the fun.
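An added example, not part of the original post or the poster's cart code: because the script above relays PayPal's login page from order_transfer_paypal.php, the browser treats that URL as the page's own address and the customer types PayPal credentials into a page served by the shop. The code below instead sends the browser itself to the gateway with a form that targets the top window. `paypal_handoff_form()`, the gateway URL and the sample order values are constructed for illustration; the field names are the ones used in the post.

```php
<?php
// Added example (not the poster's code): hand the browser to the gateway
// directly instead of relaying the gateway's page through cURL.
// paypal_handoff_form() is a hypothetical helper; $gateway stands in for the
// post's $pp_gateway, whose value is not shown on the page.
function paypal_handoff_form(string $gateway, array $fields): string
{
    // Refuse a non-https gateway so order details never travel in clear text.
    if (parse_url($gateway, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException('gateway must be an https URL');
    }
    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');

    // The browser form-encodes the values itself, so no urlencode() here;
    // HTML-escaping keeps a hostile value from breaking out of the attribute.
    $inputs = '';
    foreach ($fields as $name => $value) {
        $inputs .= sprintf("  <input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            $esc((string) $name), $esc((string) $value));
    }
    // target="_top" leaves the cart's frameset, so the gateway page loads as
    // the top-level document under its own address.
    return '<form id="pp" action="' . $esc($gateway) . "\" method=\"post\" target=\"_top\">\n"
        . $inputs
        . "  <noscript><input type=\"submit\" value=\"Proceed to PayPal\"></noscript>\n"
        . "</form>\n<script>document.getElementById('pp').submit();</script>\n";
}

// The hand-off script is only ever the target of the checkout form's POST.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit;
}

// Constructed sample values standing in for the cart's validated order data.
$securesite = 'https://shop.example';
$cart_id    = '10042';
echo paypal_handoff_form('https://gateway.example/pay', [
    'cmd'           => 'ext-enter',
    'redirect_cmd'  => '_xclick',
    'business'      => 'seller@shop.example',
    'amount'        => '49.95',
    'currency_code' => 'USD',
    'notify_url'    => "$securesite/paypal_notify.php",
    'return'        => "$securesite/paypal_return.php",
    'cancel_return' => "$securesite/paypal_cancel.php",
    'invoice'       => $cart_id,
    'item_name'     => "Payment for Order Number $cart_id",
]);
```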