Help With Coding Challenge - Observer/Notfiers in admin?

[Dayo]

I am working on a payment module and got it working.

However, I want to store a password as an encrypted string and cannot figure out at which point I can access the DB after the user clicks "Update" in Admin.

After looking at the flow, I noticed that the Update button triggers the "Save" bit of code in Module.php which then saves the users selection in the DB.

I will like to know if there is anywhere I could then take the field I am interested in after this point and run my encryption and resave.

The encryption and SQL needed is not an issue but just where to put the code to do what I want it to do.

I don't want to edit Module.php which is the only place I can think of at present.

It would be great if there was a call to an "after-save" function in module.php that will allow developers to run code they want.

Notwithstanding this, any ideas how to go about this?

Thanks.

[kobra]

You might look at the way Zen Cart does this for the password on account creation

[kuroi]

I see what you're trying to do, but it rather goes against how Zen Cart payment and shipping modules work. As you have right ascertained, the modules.php update function simply calls itself to store the value of each data item entered. There is currently no scope for manipulating that data.

Nor is there anywhere other than modules.php where you could introduce this since the script calls itself to deal with the results, and no other scripts are involved.

So let's take a step back. What makes your payment module different such that it needs to hold the password in encrypted form. Is this a requirement of the payment gateway? And if it's encrypted, how will you use it when connecting to the payment gateway?

[kobra]

Good catch kuroi!!! I had not thought this through enough???

You might review the PCI Compliance rules as if you are using a gateway why on earth would you be storing this information in yourDB or a file?
And check with the gateway as they are supposed to check their user base for compliance...

Not a good Idea to store in any fashion any sensitive data that can be compromised....

If your module does this then all users/host providers must comply with stricter rules regarding PCI compliance

[Dayo]

I see what you're trying to do, but it rather goes against how Zen Cart payment and shipping modules work. As you have right ascertained, the modules.php update function simply calls itself to store the value of each data item entered. There is currently no scope for manipulating that data.

Nor is there anywhere other than modules.php where you could introduce this since the script calls itself to deal with the results, and no other scripts are involved.

I thought as much. It would be nice to have "$result = $module->after_save();" call in module.php just after "$configuration = $db->Execute($configuration_query);" to allow developers to run code on the saved data.

So let's take a step back. What makes your payment module different such that it needs to hold the password in encrypted form. Is this a requirement of the payment gateway? And if it's encrypted, how will you use it when connecting to the payment gateway?

The payment site can send status codes and other data back in encrypted form and the password amongst others is need to decrypt the data. The password can be held in clear but I just think it will be better stored encrypted that's all. Obviously, it will be decrypted before use.

I had wanted to let it post to a script that will then update the orders table and send notifications out etc etc etc. This is particularly useful for downloadable items with bank payments that can take some time etc.

Since there is no scope and I don't want to edit module.php, I will let the payment site send stuff in clear to an email address and users can manually update stuff.

[kuroi]

As background that will hopefully prove helpful ...

Encrytion for a payment module would usually be handled by SSL rather than programming. After all the visitor needs to pass information to your site from their browser and the only programming language available in their browser is javascript, which might be turned off.

Although a payment gateway may issue you with a password (or token) to attach to transactions that you are sending in to them for processing, best practise would mean that this token would not be used for withdrawing funds (they're normally going out the back door directly to your merchant account), so the risk of holding a token in plain is much less than for a normal password.

Finally the encryption used by Zen Cart is one way, i.e. once a password is encrypted, it cannot be decrypted (or at least not without huge computers and a team of cryptographers).

[Dayo]

As background that will hopefully prove helpful ...

Encrytion for a payment module would usually be handled by SSL rather than programming. After all the visitor needs to pass information to your site from their browser and the only programming language available in their browser is javascript, which might be turned off.

Thanks

Some clarification.

The idea was simply to take a value entered into the DB from the module admin and then encrypt it for storage. This would have been done in PHP.

Although a payment gateway may issue you with a password (or token) to attach to transactions that you are sending in to them for processing, best practise would mean that this token would not be used for withdrawing funds (they're normally going out the back door directly to your merchant account), so the risk of holding a token in plain is much less than for a normal password.

This is not for withdrawals but to deal with interactions etc after the fact. For the actual payment by a customer, this is not needed. However, after the transaction, it is possible to use some enhanced features which were what I was looking to do.

For instance, if the client pays by bank transfer, the site will send a status code when it clears, I wanted to make the module able to process these automatically and then update the order status and send out emails etc after it goes through a validation process to confirm the communication is from the payment site.

However, I will not code those in now because I do not want to store passwords in clear and will simply make it so that the payment site communicates with the owners email address and then the owner can manually do the updates.

Finally the encryption used by Zen Cart is one way, i.e. once a password is encrypted, it cannot be decrypted (or at least not without huge computers and a team of cryptographers).

I was not planning to use the inbuilt encryption and have already written the code to do what I need. I think I wrote earlier that the sql and code is not an issue just how to interrupt the flow in the "save" switch in module.php to run it.

That is why I was wishing there was a call back to a function in the module at this point which will allow developers to add and run their own code.

This will not go ahead and the module will be limited to the manual method.

Thanks for your help.

In any case,

[yellow1912]

Check the observer class to see if it helps:
http://www.zen-cart.com/wiki/index.p..._API_Tutorials

[Dayo]

Thanks.

A notifier in module.php would have been exactly what I needed.

As there is none, I'll skip this functionality.

[yellow1912]

Dayo, you can add your own notifier.