WorldPay Module version 2.0 - Support thread

[philip_clarke]

Hi Philip,

Thanks for the clarification.

Do you think there is any link between my apparent lack of problems (with visual rendering etc.) due to still using their old servers or is it just co-incidence. I'm a bit worried about making changes that might need several tweaks - I'd rather do the whole thing in one go and get it over with.

Cheers

Dave

The old servers were supposed to be turned off and could be at any time. There was a message about it some time ago, this year we're are on the third location for their servers where the module has had to be altered, so at the moment you are running on a machine that shouldn't be there and could be turned off at any time plus since they appear not to be applying the whitelisting rules to that machine (as you have no rendering problems) I wouldn't be surprised if everything just disappeared one day since they did give a long notice period.

On the plus point, WorldPay didn't break the zen cart that badly, the Romanian Hacker Unu, who recently got into an argument with them, also found that the modifications caused a sql injection vulnerability in one cart (fastcart, never heard of it myself), which is detailed here

http://unu1234567.baywords.com/2009/09/12/fastcart-co-uk-sql-injection/

and that might be the reason why there are legacy machines still out there, yep, use freecart, worldpay upgrades, and allows a hacker to attack your shop and steal the other customer's data, now that is an upgrade policy and a half.

Philip

[philip_clarke]

Anyway I think I'm off now, Wilt's (hello) looking at this thread so I'm probably flagged and I can't see any thing outstanding that suggests that the module isn't working. The script tag's not going to work so css menus are out, and the SSL warnings will vary from computer to computer depedning on what your customers are using so everyone's going to need to buy a certificate. (the other option would be me hosting the stylesheets on my secure server on a per person basis) I wouldn't recommend using a cheap certificate as you'll find that if you pay godaddy then you get a subdomain like your_shop.godaddy.com which can cause further problems and has been dcoumented on other parts of the forum.

The only issue with getting a certificate yourself will be your website hosting company installing it if you are using budget hosting, for which they'll probabbly charge a hefty fee for restarting apache.

bye
Philip.

[Some Bloke]

plus since they appear not to be applying the whitelisting rules to that machine (as you have no rendering problems)
Philip

Sorry, should have mentioned that I do get problems with whitelisting turned on.

The whole thing is quite tentative then. Looks like a lot of blissfully ignorant shop owners could come unstuck fairly soon.

Dave

[philip_clarke]

something worth investigating if you don't want to buy an ssl certificate

Worldpay has the ability to upload files to a custom page for completed sales.This facility used to be hosted on their secure servers. (look for resultX in their knowledglebad). In theory what you could do is use obama_scott's theory of rewriting the template by taking the current template, hard linking in a custom header file where the base href is set to worldpay's servers, then upload your stylesheets and images to their machine even though the callback would be pointing to your shop, the images and stylesheets would be pullled from their server so the SSL errors would go away.

This just theoretical, it couldn't be built into the module for the same reasons as to why that base href could never have been altered because everyone would need different templates. Javascript menus will still not work, but the old worldpay would have been able to do this. You'd need some pretty strong coding skills, but the files that would be needed to be altered are pinpointed in Obama_scotts's posting. SIde boxes would have to be turned off too, because else you'd be needing to upload every image to their servers. So the theory would go. Point base href to rbsworldpay's user customisable zone, upload the css files and the shop logo to their server, make sure the link to get to your shop are hard coded with http in front to make sure that the customer doesn't end up going off to rbsworldpay because of the new base href tag.

The work involves by a professional would be more expensive than buying a certificate alone, but may be worth doing if you fancy a little playing around with the code. ANd if you are buying a certificate make sure to check with your host first because otherwise you may spend the money to find that they then don't install it (plus you'll need a unique ip address anyway).

Ta Ta, toodle pip.

Philip.

[philip_clarke]

Oh and congrats to all the people that spent hours on their phone complaining to rbsworldpay about the base href tag, you did a good job there and the only final credit I can take is being able to explain exactly why it couldn't be removed when technical support finally deigned to talk to me.

Philip

[Some Bloke]

Oops - I've just done some checking this morning and I do get the same problem with Internet explorer! Not Firefox though.

Just a thought - Would it be possible to add a meta refresh/redirect to quickly update/replace the callback page to correct it?

Dave

[Some Bloke]

A small addition to my last post:

I'm out of my depth here really so these ideas are a bit abstract but I'm thinking along these lines.

We are not going to change the choice Internet Explorer gives about secure/insecure items. So, would it be possible to grab the WorldPay callback data from the screwed up page and quickly forward it (post it) to another identical page. This way all the references are from your own site and should display correctly.

If that would work, I was also wondering if the screwed page could be disguised (ie blank or black etc.) so as not to show to the viewer.

The other idea was to quickly refresh (a millisecond or so) to a standard "Thank you" page. Not ideal but a compromise.

Dave

[philip_clarke]

no.

forwarding pages using meta is banned as is javascript and using the php header tag or mod_rewtire to do any kind of 300 series url redirect.

[khalilm]

Just to let everyone know, if you don't already, this is the content of an email that I received from Worldpay this morning. I believe Philip mentioned it previously but just in case:

I am pleased to inform you that "base href" tag had been added to the whitelist. This tag is usable now in both test and live environment.

Khalil

[petelutonuk]

Just to let everyone know, if you don't already, this is the content of an email that I received from Worldpay this morning. I believe Philip mentioned it previously but just in case:

I am pleased to inform you that "base href" tag had been added to the whitelist. This tag is usable now in both test and live environment.

Khalil

Yes it has been enabled for a few weeks but I still don't understand why they have fiddled with the div tag which is what screws up my page.