Topic: Paypal - Upcoming changes affecting VM 1.1.x

rollmeister

« on: April 18, 2016, 11:33:09 am »
Hi,

A while ago PayPal announced changes to their system in an effort to improve security, which are detailed at:
https://devblog.paypal.com/upcoming-security-changes-notice/

In the context of VirtueMart 1.1.x, one change that stands out and will likely affect this version of VM for Joomla is "IPN Verification Postback to HTTPS", found at:
https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1916&viewlocale=en_US

This change affects the "/administrator/components/com_virtuemart/notify.php" notify URL script that PayPal posts back to on your website after checkout.

When VirtueMart receives this from PayPal, it in turn sends back, using a POST operation to PayPal, identical information plus a "cmd=_notify-validate" field value.
VirtueMart 1.1.x does this postback operation using plain HTTP, when as of September 30, 2016 (maybe even earlier) you must use HTTPS/SSL or TLS encryption for the postback operation.

The code affected is found on line 285 of the above mentioned notify.php script which normally reads:

    $fp = fsockopen ( $hostname, 80, $errno, $errstr, 30);

I believe this needs to be changed to....

    $fp = fsockopen ( "ssl://" . $hostname, 443, $errno, $errstr, 30);


Also the following less important lines of code could be updated...

Original on line 276
    $header = "POST $uri HTTP/1.0\r\n";
Update to...
    $header = "POST $uri HTTP/1.1\r\n";

Original on line 280
    $header.= "Host: ".$hostname.":80\r\n";
Update to...
    $header.= "Host: ".$hostname.":443\r\n";

Original on line 244
    $hostname = 'www.paypal.com';
Update to...
    $hostname = 'ipnpb.paypal.com';


Not adapting to the change would likely mean orders remain at Pending status, and you would have to manually check your PayPal account that the money is there, and you may receive an "IPN Fatal..." warning from the notify script to your PayPal e-mail address.

The only problem here is if you have an older version of VirtueMart 1.1 and update to, say, 1.1.9, the final release, the notify.php would likely be overwritten and you would lose the changes.

Some people are simply unwilling to update their Joomla/VM/template etc. install, and why should you if your e-shop does not have sales volumes to justify it? So squeezing a bit more out of VM 1.1 life is what I am doing for willing clients.

I have yet to test my suggestions out.

Feedback and corrections welcome.
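
The HTTPS postback described in the post above, as an added example that is not part of the original post or of VirtueMart's notify.php: it sets certificate verification explicitly, because a bare ssl:// fsockopen on PHP before 5.6 does not verify the server certificate. The function names and the sample response are constructed for illustration.

```php
<?php
// Added example with hypothetical helper names; not VirtueMart's notify.php.
// Postback = cmd=_notify-validate plus every field PayPal sent, unchanged.
function ipn_build_request(array $fields, $host, $uri)
{
    $body = 'cmd=_notify-validate';
    foreach ($fields as $key => $value) {
        $body .= '&' . urlencode($key) . '=' . urlencode($value);
    }
    return "POST $uri HTTP/1.1\r\nHost: $host\r\n"
         . "Content-Type: application/x-www-form-urlencoded\r\n"
         . 'Content-Length: ' . strlen($body) . "\r\n"
         . "Connection: close\r\n\r\n" . $body; // close: the read ends at EOF
}

// Send over TLS. PHP before 5.6 does not verify the certificate unless
// verify_peer is set (and may need a 'cafile' option pointing at a CA bundle).
function ipn_send($request, $host)
{
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer' => true, 'verify_peer_name' => true, 'peer_name' => $host)));
    $fp = stream_socket_client("ssl://$host:443", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx);
    if (!$fp) { return false; }   // connect, handshake or certificate failure
    fwrite($fp, $request);
    $response = stream_get_contents($fp);
    fclose($fp);
    return $response;
}

// Reduce the raw HTTP response to VERIFIED, INVALID or ERROR.
function ipn_status($response)
{
    $parts = explode("\r\n\r\n", (string) $response, 2);
    if (count($parts) !== 2 || !preg_match('#^HTTP/1\.[01] 200\b#', $parts[0])) {
        return 'ERROR';
    }
    $body = $parts[1];
    if (preg_match('/^Transfer-Encoding:\s*chunked/mi', $parts[0])) {
        $rest = $body; $body = '';   // an HTTP/1.1 server may chunk the body
        while (preg_match('/^([0-9a-f]+)[^\r\n]*\r\n/i', $rest, $m) && hexdec($m[1]) > 0) {
            $body .= substr($rest, strlen($m[0]), hexdec($m[1]));
            $rest = (string) substr($rest, strlen($m[0]) + hexdec($m[1]) + 2);
        }
    }
    $body = trim($body);
    return ($body === 'VERIFIED' || $body === 'INVALID') ? $body : 'ERROR';
}

// Constructed sample response (not captured traffic); runs without a network.
echo ipn_status("HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n8\r\nVERIFIED\r\n0\r\n\r\n"), "\n";
```

In a notify script the call would be `ipn_status(ipn_send(ipn_build_request($_POST, 'ipnpb.paypal.com', '/cgi-bin/webscr'), 'ipnpb.paypal.com'))`, with the order updated only on `VERIFIED`.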

bortolani

« Reply #1 on: September 01, 2016, 15:38:23 pm »
Hi,
Did you have a chance to try your patch?
I did and it doesn't seem to work, or at least it is not enough to comply with the new PayPal requirements.
Do you know if there's a way to check why IPNs are not processed?

Many Thanks,
Bruno

rollmeister

« Reply #2 on: September 08, 2016, 16:38:58 pm »
Received a couple attempts at contact but did not bother to reply, a matter of making money over giving free advice.

I did neglect to leave out some other information and will see if I can attach as a file the notify.php I adapted for VM 1.1.9 - if you got an older version I will not bother adapting this patched code for it unless you offer me money.

In the VM 1.1.x PayPal configuration you get a text area that lets you customise the form submission code that is used to go jump to PayPal. I suggest you get a sandbox test going. A regular PayPal account can be used to log in to the sandbox and add vendor/buy pretend accounts etc.

    $url = "https://www.sandbox.paypal.com/cgi-bin/webscr";

Then down below there is the notify URL, which can be applied either hard coded, which is OK if you are not moving the website to another domain, or you need to add the https protocol prefix in the secure URL settings in the VM configuration. When PayPal bounces back the transaction information it MUST connect using SSL/HTTPS to your website's notify script. You do not need a valid SSL certificate for this, only that your web server supports SSL with the encryption strength PayPal now requires.

    "notify_url" => "https://YOURDOMAIN/administrator/components/com_virtuemart/notify.php"

I did edit the notify.php further, making more changes to references to the new URLs PayPal wants us to use, though the old ones should still be OK.
It does work successfully through a sandbox. That is, after checkout the order's status is updated to "Confirmed".

That should cover all of it.