  1. #1
    Join Date
    Jun 2016
    Location
    Stuart VA
    Posts
    311
    Plugin Contributions
    0

    Customer account corruption

    We've had a very troubling instance of two customers' data being combined into a single customer record. Let me say to begin with that even though I'm still a novice with PHP, I've been writing software since the days when you had to manually lock a record to prevent an update being over-written by another user on the network. I know how that is supposed to work, so please don't anyone tell me it can't happen. I would have expected PHP to have sufficient safeguards to prevent it, and if PHP does not, I would think MySQL does (or in our case, I believe it's MariaDB).

    What happened is that two people set up accounts apparently at just the same time. One of them placed an order. The other one was still thinking about it when she received an email that an order had been placed. It showed her name and address in the billing information, along with her email address and phone number. But the shipping information showed someone else's name and address. She emailed my company demanding to know what was going on. I looked at the order information on our credit card processor's site, and the order was properly charged to the second person, not the one who contacted me. So no fraud was involved. We know the second person did intentionally place an order, because she posted in a Facebook group where some of our orders come from that she had done so. She even named the products she had ordered and those were the ones in the order we received.

    I think it's likely that the account corruption occurred when the credit card processor's system transmitted the second person's order details back to us, and over-wrote part of the first person's account setup. It shouldn't be possible for that to happen, but there is no question that it did.

    I have screen shots of everything and can post them here if that would help. I'll have to disguise each person's name and street address first, but I will if requested. I have straightened things out with the person who contacted me, and I will get hold of the second person via Facebook to get an email address from her, since the account now shows the first person's email address. I told the first person, who did not place an order, that she would need to create a new account.

    There is nothing the Zencart team can do about this occurrence, but you need to know that it happened.

  2. #2
    Join Date
    Jul 2012
    Posts
    14,272
    Plugin Contributions
    17

    Re: Customer account corruption

    Were both individuals attempting to purchase the same item?

    If so, how did both of them arrive at the store to begin/make the purchase? E.g. Was a link published to the location and if so did it contain the parameter zenID?
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
    Upgraded to Zen Cart V1.5.3 from V1.5.1 from V1.5.0 from V1.3.9h

  3. #3
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    8,836
    Plugin Contributions
    69

    Re: Customer account corruption

    What payment method was used?

  4. #4
    Join Date
    Jun 2016
    Location
    Stuart VA
    Posts
    311
    Plugin Contributions
    0

    Re: Customer account corruption

    No, they were not purchasing the same item. The first person (the one who contacted me) had an item in her shopping cart but it was different from the two items the second person actually ordered. Yes, a link was published to the category the second person's purchase was from, but not to either of the specific items. The link does contain the ZenID for that category.

    I believe the first person also connected to the site from that link, from something she said, but I don't know that for certain. I will find out.

  5. #5
    Join Date
    Jun 2016
    Location
    Stuart VA
    Posts
    311
    Plugin Contributions
    0

    Re: Customer account corruption

    Originally posted by lat9:
    "What payment method was used?"
    She paid with a credit card, but it was processed through PayPal, who is our credit card processor.

  6. #6
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    8,836
    Plugin Contributions
    69

    Re: Customer account corruption

    Originally posted by HeleneWallis:
    "She paid with a credit card, but it was processed through PayPal, who is our credit card processor."
    Right, but which version of PayPal: PayPal Payments Standard, PayPal Express Checkout or PayPal Payments Pro?

  7. #7
    Join Date
    Jul 2012
    Posts
    14,272
    Plugin Contributions
    17

    Re: Customer account corruption

    Originally posted by HeleneWallis:
    "No, they were not purchasing the same item. The first person (the one who contacted me) had an item in her shopping cart but it was different from the two items the second person actually ordered. Yes, a link was published to the category the second person's purchase was from, but not to either of the specific items. The link does contain the ZenID for that category.

    "I believe the first person also connected to the site from that link, from something she said, but I don't know that for certain. I will find out."
    Two ways to look at this. Good that so many people are trying to get to the store at the same time (indicator of business and interest), not so good that those following the link are sharing the session. It sounds like at the point of purchase "completion" that person 1 (the one notifying) had basically already overwritten session information from person 2 which is what was returned. At the moment not entirely sure why only the customer information was overwritten and not other session data, but it seems (until additional information is gathered) that including the zenID (session identifier) for any/all to click and use contributed to this issue.
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
    Upgraded to Zen Cart V1.5.3 from V1.5.1 from V1.5.0 from V1.3.9h

  8. #8
    Join Date
    Jun 2016
    Location
    Stuart VA
    Posts
    311
    Plugin Contributions
    0

    Re: Customer account corruption

    Originally posted by lat9:
    "Right, but which version of PayPal: PayPal Payments Standard, PayPal Express Checkout or PayPal Payments Pro?"
    PayPal Payments Pro.

  9. #9
    Join Date
    Jun 2016
    Location
    Stuart VA
    Posts
    311
    Plugin Contributions
    0

    Re: Customer account corruption

    Originally posted by mc12345678:
    "Two ways to look at this. Good that so many people are trying to get to the store at the same time (indicator of business and interest), not so good that those following the link are sharing the session. It sounds like at the point of purchase "completion" that person 1 (the one notifying) had basically already overwritten session information from person 2 which is what was returned. At the moment not entirely sure why only the customer information was overwritten and not other session data, but it seems (until additional information is gathered) that including the zenID (session identifier) for any/all to click and use contributed to this issue."
    Yes, that makes sense. I always remove the ZenID when I provide a link for someone, partly because it isn't required in order for the link to work, but also because the presence of all the other characters just makes the link so much longer. But someone else (an admin in the FB group) was the one who provided the link to the website. I'm going to ask her whether she went to the website at the time she provided the link, or if the whole thing has been in her notes for who knows how long. If it's a session ID from some point in the past, that has long since expired, that might have contributed to the problem. This admin is in Australia, though, 14 hours time difference from me, so it will be a while before I hear back from her.

  10. #10
    Join Date
    Jul 2012
    Posts
    14,272
    Plugin Contributions
    17

    Re: Customer account corruption

    Note that even if it is/was an expired session, if two or more people access the site with the link having the zenID in it, then they will share the "new" session.

    There has been an additional check added in ZC 1.5.7 towards the end of checkout to inspect the validity of the cart for which the order is being processed against the cart currently in the session. I would think that adding that additional code may have also helped mitigate this occurrence as based on the information provided it seems that the cart contents would have been different and that would have resulted in returning to the shipping page to correct/address the issue. The code addition can be found here:
    https://github.com/zencart/zencart/b...ess.php#L63-73 containing the following code:
    Code:
    // avoid hack attempts during the checkout procedure by checking the internal cartID
    if (isset($_SESSION['cart']->cartID) && $_SESSION['cartID']) {
        if ($_SESSION['cart']->cartID != $_SESSION['cartID']) {
            $payment_modules->clear_payment();
            $order_total_modules->clear_posts();
            unset($_SESSION['payment']);
            unset($_SESSION['shipping']);
            zen_redirect(zen_href_link(FILENAME_CHECKOUT_SHIPPING, '', 'SSL'));
        }
    }
    (Please note that if there are # symbols in the code, I apologize but sometimes when I copy and paste from github, such additional symbols are added. They are only visible after posting and usually with the time constraints between making the post and saving an edit, there is not enough time to correct it.)
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...
    Upgraded to Zen Cart V1.5.3 from V1.5.1 from V1.5.0 from V1.3.9h
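
An added example, not part of the thread and not Zen Cart code: a small in-memory PHP 8 model of the two points made in posts #7 and #10, namely that visitors who follow a link carrying the same session ID resolve to one session, and that comparing the cart's cartID with the value saved when checkout began detects a changed cart. The class and function names, the IDs and the addresses are constructed, and the model assumes the cartID changes whenever the cart contents change.

```php
<?php
// Added illustration: an in-memory model of session handling, not Zen Cart code.
// SessionStore, simulate() and all IDs and addresses below are constructed.
declare(strict_types=1);

final class SessionStore
{
    private array $sessions = [];

    public function __construct(private bool $acceptUrlIds) {}

    // Resolve the session for a visitor who arrives with an ID in the URL.
    public function open(?string $urlId): string
    {
        if ($urlId !== null && $this->acceptUrlIds) {
            $this->sessions[$urlId] ??= [];   // unknown or expired ID is adopted as new
            return $urlId;
        }
        $id = bin2hex(random_bytes(16));      // URL-supplied ID ignored: fresh session
        $this->sessions[$id] = [];
        return $id;
    }

    public function set(string $id, string $key, mixed $value): void { $this->sessions[$id][$key] = $value; }
    public function get(string $id, string $key): mixed { return $this->sessions[$id][$key] ?? null; }
}

function simulate(bool $acceptUrlIds): array
{
    $store = new SessionStore($acceptUrlIds);
    $v1 = $store->open('id-from-shared-link');   // both visitors follow the same link
    $v2 = $store->open('id-from-shared-link');

    // Visitor 2 starts checkout: the cart's current cartID is saved in the session.
    $store->set($v2, 'customer', 'visitor2@example.test');
    $store->set($v2, 'cart', ['items' => ['B1', 'B2'], 'cartID' => 'c-222']);
    $store->set($v2, 'cartID', 'c-222');
    // Visitor 1 registers and adds an item before visitor 2 confirms the order.
    $store->set($v1, 'customer', 'visitor1@example.test');
    $store->set($v1, 'cart', ['items' => ['A1'], 'cartID' => 'c-111']);

    return [
        'shared_session' => $v1 === $v2,
        'order_customer' => $store->get($v2, 'customer'),
        'cart_check_ok'  => $store->get($v2, 'cart')['cartID'] === $store->get($v2, 'cartID'),
    ];
}

$report = ['url_ids_accepted' => simulate(true), 'url_ids_ignored' => simulate(false)];
echo json_encode($report, JSON_PRETTY_PRINT), PHP_EOL;
```

With URL-supplied IDs accepted, both visitors get the same session, the order picks up the later customer record, and the cartID comparison fails; with them ignored, each visitor has a separate session and the comparison holds.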

 

 