Items appearing in Download Center before payment!

Hi

At the end of last year I built a small e-commerce site for digital downloads (I think with eCart 4).

Although I did extensive testing at the time, I've just discovered that it's possible to download items from the Download Center before making payment.

Fortunately this hasn't been exploited yet. I know this, as the only items in the orderdetails table are the ones I know about (and which have been paid for).

The error is entirely reproducible, using the following route:
1. Go to products page
2. Add items to basket
3. Add/delete more items if you want
4. Click Checkout (takes you to login page)
5. Register & Login
6. Go to shopping basket
7. Click on Checkout
8. View details of order and customer details
9. Go to 'My account' (which has links to shopping basket and download center)
10. Click on Download Center
11. Download unpaid-for products free :-(

For obvious reasons, I'm not going to say where the site is, so I'd be grateful if you would set up a ticket.

(Although I have purchased the upgrade to eCart5, I haven't updated that website yet.)

Thanks!
Alistair

What payment gateway are you using?

Paypal Payments Pro? or PayPal Payments Standard?

Hi Jason

It's PayPal Payments Standard.

Digital downloads is problematic with paypal standard just because of the way it works

here's the flow with payments standard:

the customer click the checkout button on the cart page when they are done shopping.

the fill in the checkout form, this posts to the confirm page.

When the checkout form is posted to the confirm page, the order information is stored in the database. your orders table should have a status column that is being set to 0 or pending or something similar.

Then customer clicks the confirm button and is taken to the paypal server to arrange the transaction details.

When don with paypal, the customer is directed back to your site.

Here's where things get dicey - At this point, the transaction has not been processed. It is in a queue on paypals servers to be processed on a first come first served basis. The actual processing will take place at a later time.

You can set you paypal account to make an IPN post to a page on your site when the transaction actually gets processed. you can use that page to update the database with the transaction status.

see paypal ipn page for more details:
ipn


Once you have the order status being set when the order is stored in the database and updated through the IPN post, you will need to modify the order history recordsets to include a check of the status column in the orders table so that only sucessfull orders will be shown.


From a customer standpoint, Paypal standard is a bad choice when offering digital downloads. Since PayPal standard does not process the transaction in real time, they will be forced to wait on paypal to perform the transaction before they can download.

Paypal Pro, And paypal express checkout will process the transaction in real time and eliminate any waiting inherent in paypal standard.

Thanks, Jason.

I'll have a good look at the IPN stuff and hope I can make some sense of it.

The trouble with PayPal Pro is that the market is so small for the client that he wouldn't be able to justify the extra cost.

Alistair

OK, Paypal express is a free alternative to pro.

Thanks, I'll look into that.

You're welcome.


BTW, I like how you have listed your system specs and extensions versions in your signature. Good idea. It will definitely help us if you have any extension errors in the future.