Post by labeshops » Fri Apr 10, 2020 5:16 am

Edit: The solution was 2 fold in case someone else is having a similar problem:
1) adding the line sending paypal the invoice number (see thread below). This prevents duplicate charges, and
2) Removing a call for a rogue file (probably a hacking attempt though cwatch security did NOT catch it which is troubling) (see thread below)

I've used the paypal pro module that comes with v2.2 since 2.2 was released with no issues. Over the past few weeks, credit card payments placed thru it are suddenly being charged multiple times - usually 3-4 times per order.

Each is coming thru with a different paypal transaction ID and it seems like the success page is never being triggered - at least it wasn't when I tested it with my own credit card. Pressing the final confirm order button on my check out pages triggers the normal "Please wait" text message but then just sits back on that page without moving to the success page (paypal and money order payments are working normally and displaying the success page).

This is not happening with every credit card order and not if someone uses a credit card thru the paypal standard checkout, only thru Payments Pro. Out of 25 credit card orders this morning, 3 of them were charged multiple times and all the others were fine.

The only thing Paypal support suggests is sending thru the order number as their invoiceid field, but I haven't figured out how to do that.

I am stumped why this is suddenly happening when I have not made any changes. Is there an updated paypal pro module that would solve this issue? I am not seeing anything in marketplace but thought I would ask here to see if anyone has a suggestion.

I am refunding the duplicate payment immediately but naturally this is a hassle for me and my customers.
Last edited by labeshops on Sun Apr 12, 2020 1:44 am, edited 1 time in total.

Running Opencart v3.0.3.2 with multi-stores and the default template from https://www.labeshops.com which has links to all my stores.


User avatar
Expert Member

Posts

Joined
Thu Aug 04, 2011 4:41 am
Location - Florida, USA

Post by ADD Creative » Fri Apr 10, 2020 8:21 pm

I believe PayPal are saying to add something like.

Code: Select all

$request .= '&INVNUM=' . (int)$order_info['order_id'];
Just below this line.
https://github.com/opencart/opencart/bl ... o.php#L103

Reference here.
https://developer.paypal.com/docs/archi ... yment-nvp/

I think even CUSTREF is wrong and should be CUSTOM. But then the PayPal documentation rarely completely matches the actual APIs.

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by labeshops » Fri Apr 10, 2020 11:46 pm

Thank you. I will try that. Couldn't figure out the syntax of what they wanted.

Running Opencart v3.0.3.2 with multi-stores and the default template from https://www.labeshops.com which has links to all my stores.


User avatar
Expert Member

Posts

Joined
Thu Aug 04, 2011 4:41 am
Location - Florida, USA

Post by labeshops » Fri Apr 10, 2020 11:59 pm

Thanks a ton! This is passing the invoice ID and seems to prevent the duplicate charges. For some reason though, my success page is still not being triggered and it is not clearing the cart though I am getting order and payment fine. It used to work fine and works for checkout from paypal standard and money order checkouts, but paypal pro is not triggering it. The only thing paypal support said about it is: "there is no delay on our side but a delay on your cart end in submitting them to us for processing unfortunately." which I do not understand especially since it's worked fine for years.

Is there some way I can force the success page better?

Running Opencart v3.0.3.2 with multi-stores and the default template from https://www.labeshops.com which has links to all my stores.


User avatar
Expert Member

Posts

Joined
Thu Aug 04, 2011 4:41 am
Location - Florida, USA

Post by ADD Creative » Sat Apr 11, 2020 6:50 am

Are you seeing any thing in your OpenCart error log, PHP error log or web browser development console that could be related?

Check your web browser development console network tab that index.php?route=payment/pp_pro/send returns an 200 OK status.

Also check the JavaScript code that redirects to the success page hasn't changed.
https://github.com/opencart/opencart/bl ... pl#L73-L99

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by labeshops » Sat Apr 11, 2020 7:23 am

hmm well, I checked the template file & it is correct, but when I used the developer console to try to go to the /send page, I get a ton of errors and no clue how to fix :(

Code: Select all

Warning: include(pp_check.php): failed to open stream: No such file or directory in /public_html/catalog/controller/payment/pp_pro.php on line 87
Warning: include(pp_check.php): failed to open stream: No such file or directory in /public_html/catalog/controller/payment/pp_pro.php on line 87
Warning: include(): Failed opening 'pp_check.php' for inclusion (include_path='.:/opt/cpanel/ea-php70/root/usr/share/pear') in /public_html/catalog/controller/payment/pp_pro.php on line 87
Notice: Undefined index: cc_type in /public_html/catalog/controller/payment/pp_pro.php on line 98
Notice: Undefined index: cc_number in /public_html/catalog/controller/payment/pp_pro.php on line 99
Notice: Undefined index: cc_start_date_month in /public_html/catalog/controller/payment/pp_pro.php on line 100
Notice: Undefined index: cc_start_date_year in /public_html/catalog/controller/payment/pp_pro.php on line 100
Notice: Undefined index: cc_expire_date_month in /public_html/catalog/controller/payment/pp_pro.php on line 101
Notice: Undefined index: cc_expire_date_year in /public_html/catalog/controller/payment/pp_pro.php on line 101
Notice: Undefined index: cc_cvv2 in /public_html/catalog/controller/payment/pp_pro.php on line 102
Notice: Undefined index: cc_type in /public_html/catalog/controller/payment/pp_pro.php on line 104
Notice: Undefined index: cc_type in /public_html/catalog/controller/payment/pp_pro.php on line 104
{"error":"This transaction cannot be processed. Please enter a valid credit card number and type."}
Last edited by straightlight on Sat Apr 11, 2020 9:00 pm, edited 1 time in total.
Reason: Added code tags.

Running Opencart v3.0.3.2 with multi-stores and the default template from https://www.labeshops.com which has links to all my stores.


User avatar
Expert Member

Posts

Joined
Thu Aug 04, 2011 4:41 am
Location - Florida, USA

Post by ADD Creative » Sat Apr 11, 2020 8:59 pm

You can't just go the the send page, you need to place an order and pay (or use the sandbox). However, the errors posted do show up something. The file pp_check is not part of OpenCart, so it looks like the catalog/controller/payment/pp_pro.php file has been modified to include this. What modifications have been made to your PayPal Pro module? Could these be the cause of the problem?

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by labeshops » Sun Apr 12, 2020 1:33 am

Hmm thanks. I will look into that. No, I do not use any payment mods. Might be the remants of a hack attempt.

Running Opencart v3.0.3.2 with multi-stores and the default template from https://www.labeshops.com which has links to all my stores.


User avatar
Expert Member

Posts

Joined
Thu Aug 04, 2011 4:41 am
Location - Florida, USA

Post by labeshops » Sun Apr 12, 2020 1:41 am

Thanks for the tip! Removing that rogue line solved the issue!

Running Opencart v3.0.3.2 with multi-stores and the default template from https://www.labeshops.com which has links to all my stores.


User avatar
Expert Member

Posts

Joined
Thu Aug 04, 2011 4:41 am
Location - Florida, USA

Post by ADD Creative » Sun Apr 12, 2020 3:03 am

Good hear it solved the issue. If you don't know why the line is there I would check all your files against a clean download of that version of OpenCart. You never know what else has been added.

Also, if that error was enough to cause problems then it means that you have display errors on. This can be a security risk, as it provides very helpful information for attackers. It also causes problems where a minor error or even a warning will break something where it normally wouldn't, as you have just found. You will need to switch of displaying of errors in three places.

1. In your PHP settings. This should be off by default, but there are some poor hosts that leave it on. Set display_errors = off in the php.ini or user.ini.

2. In the OpenCart configuration files. https://github.com/opencart/opencart/bl ... lt.php#L44

3. In the Error Handling section under the Server tab in you OpenCart settings.

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by tinabanana » Thu Jul 15, 2021 3:33 am

i know this is an older post but i'm having issues with duplicate transactions in paypal.
not because the user is hitting the button twice (i only get one order in oc) but i think because paypal is just charging it twice.
Will adding this line also work in pp_payflow instead of pro? version 2.0.3.1

$request .= '&INVNUM=' . (int)$order_info['order_id'];

I added it here

$request = 'USER=' . urlencode($this->config->get('pp_payflow_user'));
$request .= '&VENDOR=' . urlencode($this->config->get('pp_payflow_vendor'));
$request .= '&PARTNER=' . urlencode($this->config->get('pp_payflow_partner'));
$request .= '&PWD=' . urlencode($this->config->get('pp_payflow_password'));
$request .= '&TENDER=C';
$request .= '&TRXTYPE=' . $payment_type;
$request .= '&INVNUM=' . (int)$order_info['order_id'];

New member

Posts

Joined
Tue May 05, 2015 10:19 pm

Post by ADD Creative » Thu Jul 15, 2021 5:05 pm

tinabanana wrote:
Thu Jul 15, 2021 3:33 am
i know this is an older post but i'm having issues with duplicate transactions in paypal.
not because the user is hitting the button twice (i only get one order in oc) but i think because paypal is just charging it twice.
Will adding this line also work in pp_payflow instead of pro? version 2.0.3.1

$request .= '&INVNUM=' . (int)$order_info['order_id'];

I added it here

$request = 'USER=' . urlencode($this->config->get('pp_payflow_user'));
$request .= '&VENDOR=' . urlencode($this->config->get('pp_payflow_vendor'));
$request .= '&PARTNER=' . urlencode($this->config->get('pp_payflow_partner'));
$request .= '&PWD=' . urlencode($this->config->get('pp_payflow_password'));
$request .= '&TENDER=C';
$request .= '&TRXTYPE=' . $payment_type;
$request .= '&INVNUM=' . (int)$order_info['order_id'];
It's a different API, so probably not. You might be able to set ORDERID. Check the documentation.
https://developer.paypal.com/docs/payfl ... n%20errors.

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by tinabanana » Tue Jul 27, 2021 2:43 am

i checked the documentation about order id and it says this

(Optional) Checks for a duplicate order. If you pass ORDERID in a request and pass it again in the future, the response returns DUPLICATE=2 along with the ORDERID.
Note: Do not use ORDERID to catch duplicate orders processed within seconds of each other. Use ORDERID with Request ID to prevent duplicates as a result of processing or communication errors.

So the duplicate within seconds is what i'm trying to avoid.
I could not find any information about Request ID.

After adding the
$request .= '&INVNUM=' . (int)$order_info['order_id'];

I noticed that my paypal payments now show the opencart order number, so it does seem like its doing something.
Since i added this and fixed a bug that wasn't letting my 'confirm order' button become disabled while processing, all duplicate orders have stopped until this morning.
I got a duplicate this morning from someone with an invalid email, not sure if that had anything to do with letting the duplicate slide in

The sender of this payment doesn't have a PayPal account yet.
invalid_email_supplied@PayPal.com

Any help would be appreciated to get this resolved.

New member

Posts

Joined
Tue May 05, 2015 10:19 pm

Post by ADD Creative » Tue Jul 27, 2021 4:57 am

I think the 'Request ID' is this.
https://developer.paypal.com/docs/payfl ... ow-headers

It's set here.
https://github.com/opencart/opencart/bl ... w.php#L132

Maybe it's too random and mt_rand() would be better changed to a time value with a resolution of seconds or minutes.

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by tinabanana » Tue Jul 27, 2021 5:07 am

thanks for taking the time to find that for me.
is it just a matter of adding this line and that will fix the duplicate payments?
curl_setopt($curl, CURLOPT_HTTPHEADER, array('X-VPS-REQUEST-ID: ' . md5($this->session->data['order_id'] . mt_rand())));

New member

Posts

Joined
Tue May 05, 2015 10:19 pm

Post by ADD Creative » Tue Jul 27, 2021 7:40 am

The line should already be there. Maybe try removing ". mt_rand()". If that causes problems with retrying failed payments, replace with something like ". time() / 10", so the ID will be unique every 10 seconds. Change the 10 seconds to suit. However, it's not 100% as the duplicates could be either side of the division.

Other than that store the ID in the session and regenerate on a payment error.

www.add-creative.co.uk


Expert Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom
Who is online

Users browsing this forum: Bing [Bot] and 10 guests