Plus sign ("+") in user name causes security header failure in Paypal Express Checkou

[Giftbox]

Hi,

I am trying to get Paypal Express Checkout working on my site, www.giftbox.ie. When I try to process a transaction I get the security header error, suggesting that I am using sandbox credentials with live mode or vice vearsa. When I examined the logs I noticed that my user name is being passed to Paypal incorrectly.

I used a plus sign in my original paypal email account used to log in. This is a reasonably standard geeky thing to do (see for example http://www.scoby.ie/using-plus-sign-...iple-addresses ). In this case I used john.smith+paypal######################. This then resulted in paypal creating a user name for my API credentials along the lines of john.smith+paypal_api######################. I then copied this into the zen express checkout module setup screen. Unfortunately when the credentials are being passed to Paypal, zen appears to be stripping out the plus sign and replacing it with a space. This causes the security header failure.

I had a look in the database and the plus sign is correct in the configuration table, so it looks like it is the sending module that strips it out.

Could anyone point me towards the area where the sending is being done? Any indication of where to start looking would be really appreciated.


Thanks,
Colm

BTW - why don't I just change primary email address on the account? I did, but it looks like if you have created credentials once with a particular email account, paypal remebers that user name even if you remove and redo the credentials

[Giftbox]

And so, after a few days of pulling my hair out...

Turns out that the log not showing the plus sign in the user name doesn't really prove anything. The log is being put through urlencode first so that strips off the plus sign anyways. Playing around with the internal logging I was able to establish that unless curl internals is doing it, zen does *not* appear to be stripping the plus sign.

In the meantime, I asked paypal to completely delete/reset my API credentials so that it would no longer be based on the old email address with the plus sign. To my amazement they said this wasn't possible and my only options were to move to another account or fix zen.

At this point panic was setting in big time - I really wanted to take my first sale this weekend. Then last night I had a brainwave. I still had a feeling that the plus sign was the problem even though I had followed the zen code and could see that it definitely wasn't stripping it. So what if I "hid" the plus sign a bit? I changed the plus sign in the user name to the hex format of it (%2B) and, to my delight and no little surprise, it worked So I now have a working paypal express checkout finally.

Hope this helps some poor unfortunate in the future.

Cheers,
Colm