
Ecart 5 - Paypal Standard - Clearing the Cart on Success

Thread began 5/12/2014 4:51 pm by Meic Delwedd | Last modified 5/13/2014 11:24 am by Meic Delwedd | 503 views | 4 replies |

Meic Delwedd


Hi,

I have setup a cart using Ecart 5 and PayPal standard payments.

I have got the IPN working and updating my cart by passing the order_id in the "custom" field and then using this to update my orders.

On the checkout_success.php page, I have included the code outlined on http://www.webassist.com/forums/posts.php?id=20025, which works a treat. (My cart is a basic one at the moment - I'm not worried about users logging in and storing their details at present).

My issue is that once a customer makes a payment, if they choose not to return to the checkout_success.php file by typing the URL of my shopping cart into a browser, their cart is still populated. What is worse is that now they can add extra items to their order, and because a payment has been made for that order id, they could add items to their order, press "checkout", and the system thinks they have items that they haven't paid for.

What I am after is if there is a way to clear the cart if an order_id is set in the session on load of the cart, will this work?

Or, I can set some validation on the checkout button (or confirm.php page), where the system checks the status based on the order id and maybe throws an exception or clears the session at that point to prevent anyone manipulating this flaw.

Or, I could use the mc_gross field received from the IPN, store this in the DB, and then flag up a possible security issue in the administration system, but this seems a bit messy to me.

I've been looking at the forums, and can't find any similar issue on the forums, hopefully this is an easy fix.

Thanks,

Aled


Jason Byrnes (WebAssist)

PayPal should automatically return them to the success page.

On the confirm page, the form that sends the details to PayPal has a variable for the return URL, make sure that this is set to the site address for the success page so that PayPal will automatically load the success page after the payment is complete.


Meic Delwedd

Hi Jason,

Thanks for your reply. I think I've got this fixed now.

I was submitting the return URL as a hidden field. The issue I had was that after making a payment through PayPal, the user can still type the URL of your cart (e.g. http://example.com/cart.php) in the address bar, or press back before being transferred to the checkout_success.php page. This is easier on PayPal as they can give a user a notice saying "You will be redirected in 10 Seconds", in which time they can just type the URL easily.

By doing this, a payment could be processed for one item, this would then, in time, notify my system via the IPN that the order id's status is complete. By just going direct to the cart page and not killing the session, the user can return to the cart, add more items to an order, press checkout, and without even going to PayPal, they can increase their order and make it look like they have paid for many more items than they actually have (although I'd recommend all clients check their orders and check it against their PayPal transactions), which was a bit of a security flaw for me.

What I did was (using Data Assist's Clear Session Values) create the following snippet. This checked if the session had an order id set, if so, it would clear all session variables.

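// Start (or resume) the session; @ suppresses the notice if one is already active.
@session_start();
// An order id in the session means this visitor has already checked out.
if (isset($_SESSION['shop_OrderID']) && !empty($_SESSION['shop_OrderID'])) {
    // WA_ClearSession
    $clearAll = TRUE;
    $clearThese = explode(",", "");  // comma-separated keys to clear when $clearAll is FALSE
    if ($clearAll) {
        // Remove every session variable, including the cart and the order id.
        foreach ($_SESSION as $key => $value) {
            unset($_SESSION[$key]);
        }
    } else {
        foreach ($clearThese as $value) {
            unset($_SESSION[$value]);
        }
    }
}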

Is this correct? I've tested it a few times, and it appears to work fine.

Also, if you pass the notify_url as a hidden field on your confirm page, you can set the URL you wish the IPN notification to be sent to, rather than configure it manually in your PayPal account. (took me a while to spot that one).

Thanks,

Aled

Jason Byrnes (WebAssist)

That code to clear the session looks like it should work, I would probably put it on the cart display page.


Meic Delwedd

Thanks Jason - I've put it on the cart display page as mentioned. I think I may put it on the address page as well, as someone could modify delivery details of an order if they go directly to that page.

Although doing this might impact the "Modify Information" feature on the confirm page.

Will test it tonight, but don't think it's THAT huge a problem.

Thanks again,

Aled
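
The two server-side checks raised in the first post (refusing changes once an order id has been paid, and comparing mc_gross from the IPN with the stored order total), shown as an added example that is not part of the thread or WebAssist's code. The order array, status names and helper functions are hypothetical, and the IPN message is assumed to have been verified with PayPal before it reaches this code.

```php
<?php
// Added example: order store, status names and helper names are hypothetical.
// Assumes the IPN message was already verified with PayPal before this runs.
/** Convert a decimal amount string such as "19.99" to integer cents. */
function toCents(string $amount): ?int
{
    if (!preg_match('/^(\d+)\.(\d{2})$/', $amount, $m)) {
        return null; // malformed amount: treated as a mismatch by the caller
    }
    return (int) $m[1] * 100 + (int) $m[2];
}

/** Apply one IPN message to the order named in "custom"; returns the resulting status. */
function reconcileIpn(array $ipn, array &$orders): string
{
    $id = (string) ($ipn['custom'] ?? '');
    if (!isset($orders[$id])) {
        return 'unknown_order';
    }
    $order = &$orders[$id];
    if ($order['status'] !== 'pending') {
        return $order['status']; // already settled; repeated notifications change nothing
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return 'pending';
    }
    $paid = toCents((string) ($ipn['mc_gross'] ?? ''));
    $match = $paid !== null && $paid === $order['total_cents']
        && ($ipn['mc_currency'] ?? '') === $order['currency'];
    $order['status'] = $match ? 'paid' : 'flagged'; // flagged orders go to manual review
    return $order['status'];
}

/** Guard for the cart, address and confirm pages: only pending orders may change. */
function canModifyOrder(array $orders, string $id): bool
{
    return isset($orders[$id]) && $orders[$id]['status'] === 'pending';
}

// Constructed sample data: totals as stored server-side when the buyer pressed checkout.
$orders = ['1001' => ['total_cents' => 1999, 'currency' => 'GBP', 'status' => 'pending'],
           '1002' => ['total_cents' => 5997, 'currency' => 'GBP', 'status' => 'pending']];
// Order 1002 had items added after the buyer had paid for a single 19.99 item.
$ipns = [['custom' => '1001', 'payment_status' => 'Completed', 'mc_gross' => '19.99', 'mc_currency' => 'GBP'],
         ['custom' => '1002', 'payment_status' => 'Completed', 'mc_gross' => '19.99', 'mc_currency' => 'GBP']];
foreach ($ipns as $ipn) {
    $status = reconcileIpn($ipn, $orders);
    printf("order %s -> %s, modifiable: %s\n", $ipn['custom'], $status, canModifyOrder($orders, $ipn['custom']) ? 'yes' : 'no');
}
```

Because the guard reads the order status from the server-side store rather than from the session, it still holds when the buyer skips checkout_success.php and the session is never cleared.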
