Encryption problems with our custom code

[GeorgeM1956]

Upgraded from v1.3.9 to v1.5.1. I"m a little puzzled by this one. First, I'm not that great a programmer but had to take this over from a now defunct web development company. Below is the code to "add" and "view" the shopping cart. View cart works fine. For "add" to cart, the form statement is using encryption however I cannot find in 1.5.1 anyway to turn on encryption. Frankly I don't know why you need to encrypt a quantity value and a product id value, but like I said, I'm not that great a programmer. I can't find the JS function cart_quantity.submit(). Is encryption a plug-in for Zen?

This works fine in 1.3.9 Zen although I cannot find any switch to turn on/off encryption in that version either....?


<div id="shopping_cart"><form action="http://dev.piccexcellence.com/cart/index.php?main_page=product_info&amp;cPath=1&amp;products_id=2&amp;action=add_pr oduct" enctype="multipart/form-data" method="post" name="cart_quantity"><input type="hidden" maxlength="6" name="cart_quantity" size="4" value="1" />
<input type="hidden" name="products_id" value="15" /> <a onmouseover="MM_swapImage('Image25','','/images/tag_add_to_cart1.png',1)" onmouseout="MM_swapImgRestore()" href="javascript:document.cart_quantity.submit()"><img id="Image25" alt="" src="/images/tag_add_to_cart.png" width="82" height="19" name="Image25" border="0" /></a>

<a onmouseover="MM_swapImage('Image26','','/images/tag_view_cart1.png',1)" onmouseout="MM_swapImgRestore()" href="http://dev.piccexcellence.com/cart/index.php?main_page=shopping_cart"><img id="Image26" alt="" src="/images/tag_view_cart.png" width="82" height="19" name="Image26" border="0" /></a></form></div>

[lhungil]

enctype is actually "Encoding Type". This tells the web browser how to format the data entered in a browser when sending the data to the server.

All the javascript call does is emulate a visitor clicking "submit" for the form named "cart_quantity" when the click on the link (html "a" element).

Can you explain in more detail exactly what you are trying to accomplish on 1.5.x (or what problem you are encountering)?

[GeorgeM1956]

Our's is an online training site, with user accounts, class records, class certificates,etc. It doesn't integrate with Zen other than the purchase process. We list products, the customer "adds" to shopping cart which passes off the product id to cart/index.php. Our login process includes an autologin to Zen so the customer is already logged in to Zen. The product should appear in their Zen Shopping Cart waiting for payment processing. This process works fine with 1.3.9. however I get the following error when using 1.5.1 - "Whoops! Sorry, but you are not allowed to perform the action requested. " This message is displayed on what appears to be the product info page, not the shopping cart page. I think it has something to do with the 3 MyPhpAdmin values that appear encrypted. I don't really know what this is but my guess is it's access privileges to the cart database.

The production Zen database is separate from the development database, with different id's and passwords. I think I'm using the production access information for the development database but am not sure how it works...I just realized the part I'm talking about, I left out of the original posted code so here it is again with the missing names and values...

<div id="shopping_cart">

<form action="http://dev.piccexcellence.com/cart/index.php?main_page=product_info&amp;cPath=1&amp;products_id=2&amp;action=add_pr oduct" enctype="multipart/form-data" method="post" name="cart_quantity">

<input type="hidden" name="phpMyAdmin" value="5H2XZVWotZ%2ChqdfD7JnIqkuOmi5" />
<input type="hidden" name="phpMyAdmin" value="5ebc509952e6t1f17bac0" />
<input type="hidden" name="phpMyAdmin" value="5d8c508a98ebt6b307419" />

<input type="hidden" maxlength="6" name="cart_quantity" size="4" value="1" />
<input type="hidden" name="products_id" value="15" /> <a onmouseover="MM_swapImage('Image25','','/images/tag_add_to_cart1.png',1)" onmouseout="MM_swapImgRestore()" href="javascript:document.cart_quantity.submit()"><img id="Image25" alt="" src="/images/tag_add_to_cart.png" width="82" height="19" name="Image25" border="0" /></a>

<a onmouseover="MM_swapImage('Image26','','/images/tag_view_cart1.png',1)" onmouseout="MM_swapImgRestore()" href="http://dev.piccexcellence.com/cart/index.php?main_page=shopping_cart"><img id="Image26" alt="" src="/images/tag_view_cart.png" width="82" height="19" name="Image26" border="0" /></a>

</form>

</div>

Thanks for your help,

George

[lhungil]

Zen Cart 1.5 added security tokens to all of the forms (in part to help mitigate Cross-site request forgery / XSRF). This means you can no longer just "point" an external website form to a form in Zen Cart. This is not the only change to forms in Zen Cart 1.5, a number of other security mechanisms and changes have been added.

You will need to either update your 3rd party form to include the new security mechanisms used by Zen Cart 1.5 (including session / database entries - may just want to load Zen Cart's functions and use them), or you need to recode your 3rd party "add to cart" to directly add the product to the customers "basket" in the Zen Cart database. By default in Zen Cart the users "basket" is where the shopping cart is saved (and is merged back into the shopping cart when a customer logs back into the store).

[GeorgeM1956]

Just ran a little test. I've been focused on the name=phpMyAdmin inputs and being part of the problem. These strings appear in my production products code as well. I removed them from the production version and found that they have no bearing on the Zen cart interface. I can eliminate these phpMyAdmin inputs as red herrings and move on to determining why the 1.5.1 upgrade is not working with my development site (1.3.9 Zen is on the production site).

G.

[GeorgeM1956]

You say, "third party", I'm the "third party", it's our code so guess I'm going to have to figure out what you're talking about after lunch....Due to the nature of our products, online medical training which involves no shipping or tangible products, I'm really not concerned with Cross transfer issues. Unless I can figure out how to add the security levels for 1.5.1 in our code, I'll probably just stick with 1.3.9.

I'd be happy to do these things if I knew where and what they were - include the new security mechanisms used by Zen Cart 1.5 (including session / database entries - may just want to load Zen Cart's functions and use them),

G.

[lhungil]

I'm was using 3rd party to indicate something created by a 3rd party and not part of a stock Zen Cart installation. I guess in this case it would really just be a 2nd party if you are personally writing the code.

Hopefully the following will get you started (I'd highly recommend not staying on Zen Cart 1.3).

For option 1 (edit the 2nd party forms):
Zen Cart sets a random security token and adds it to Zen Cart's PHP session. This security token is then added to each form in Zen Cart. Then when a POST request is received by Zen Cart, the security token is checked.

One can see this in action by looking at the Zen Cart code (I just did a quick search of the source code). The Zen Cart function "zen_draw_form" located in "/includes/functions/html_output.php" is used internally by Zen Cart templates to create the "form HTML element" and include the security token. The security token is initially created in "/includes/functions/sessions.php".

The required POST data may have changed a little in Zen Cart 1.5, so double check what is generated on the Zen Cart product pages.

For option 2 (direct database):
Zen Cart stores customer's "baskets" in the database tables "customers_basket" and "customers_basket_attributes". The "basket" is where the "shopping cart" is stored for logged in Zen Cart users.

If going this route one would need to search the Zen Cart code to see how the database is populated ("/includes/classes/shopping_cart.php" might be a good starting point). The 2nd party code would then need to process the "add to cart" request, populate the logged in customer's basket, log the customer into Zen Cart, and redirect customer to desired Zen Cart page.

[GeorgeM1956]

Thank you. This gives me the direction I need. I like option one, however am more familiar with dealing with option 2. Has anything changed in the checkout process? We populate database records upon successful checkout and a returned code from paypal.

G.