Support A2Billing :

provided by Star2Billing S.L.

 Post subject: Re: Fraud with paypal!!
PostPosted: Sat Sep 25, 2010 5:04 pm 
Hello,

Same situation: a fraudulent transaction using a PayPal account. I am lucky because my service is not active yet.

Is there any way to hold posting the first payment for 48 hours in A2Billing?

Kind regards,

Al


 Post subject: Re: Fraud with paypal!!
PostPosted: Sat Sep 25, 2010 9:17 pm 
acaratt wrote:
Hello,

Same situation: a fraudulent transaction using a PayPal account. I am lucky because my service is not active yet.

Is there any way to hold posting the first payment for 48 hours in A2Billing?

Kind regards,

Al



Here are some of the changes we made:

1. Before allowing a user to activate, we removed the payment method until the user verifies their mobile number with the verification code they receive.

2. To hold the payment until approval from the actual PayPal email owner, if the user's email is different from the PayPal email the funds were received from.

To do so, add the file below as common/lib/epayment/includes/verification.php:

Code:

<?php

/* generic "encrypt"/"decrypt": adds (or, with $eflag=1, subtracts) the
   repeating key bytes to each byte of $str. This is a simple additive
   key stream, not a real cipher: it gives no integrity protection and
   only obscures the link contents from a casual reader. */
function vh_genc($str, $key, $eflag=0) {
   $result = "";
   $klen = strlen($key);
   for ($i=0; $i<strlen($str); $i++) {
      $char = substr($str, $i, 1);
      $keychar = substr($key, $i % $klen, 1);   // cycle through the key bytes
      if ($eflag == 1) {
         $char = chr(ord($char)-ord($keychar));  // chr() wraps modulo 256
      } else {
         $char = chr(ord($char)+ord($keychar));
      }
      $result.=$char;
   }
   return $result;
}

/* encrypt: falls back to a fixed key when none is configured. A fixed
   fallback that is visible in this file lets anyone who reads it build
   valid links, so make sure EPAYMENT_TRANSACTION_KEY is set to a site secret. */
function vh_encrypt($string, $key) {
   if ($key == "") {
      $key = "h4cK3d";
   }
   $result = vh_genc($string, $key);
   // hex(urlencode(base64(...))) keeps the value safe to put in a query string
   return bin2hex(urlencode(base64_encode($result)));
}

/* decrypt: undo the encoding steps, then subtract the key stream */
function vh_decrypt($string, $key) {
   if ($key == "") {
      $key = "h4cK3d";
   }
   $string = base64_decode(urldecode(pack("H*",$string)));
   $result = vh_genc($string, $key, 1);
   return $result;
}

/* create verification key: 9 random uppercase letters / digits.
   rand() is not a cryptographic generator; this key is a security token,
   so on PHP 7+ random_int() is the better choice. */
function vh_createkey() {
   $rkey = "";
   for ($i=0; $i<9; $i++) {
      $d = rand(1,30)%2;                                  // pick letter or digit
      $rkey .= $d ? chr(rand(65,90)) : chr(rand(48,57));  // A-Z or 0-9
   }
   return $rkey;
}

/* make verification link code */
function vh_makevcode($vkey,$transdate) {
   $string = $vkey . "^" . $transdate;
   $result = vh_encrypt($string, EPAYMENT_TRANSACTION_KEY);
   return $result;
}

/* extract data from vcode */
function vh_extract_vcode($vcode) {
   $result['key'] = '';
   $result['transdate'] = '';

   $string = vh_decrypt($vcode, EPAYMENT_TRANSACTION_KEY);
   // echo "str: $string";
   $data = explode("^", $string);
   if (is_array($data) && count($data) == 2) {
      $result['key'] = $data[0];
      $result['transdate'] = $data[1];
   }
   return $result;
}

/* send email */
function vh_send_email($vcode, $to_email, $itemid, $amount, $pmethod, $listtemplate ) {

   list($mailtype, $from, $fromname, $subject, $messagetext, $messagehtml) = $listtemplate[0];

   // refuse anything that is not a plain address: the value goes straight
   // into the mail headers
   if (!filter_var($to_email, FILTER_VALIDATE_EMAIL)) {
      write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." -INVALID PAYPAL VERIFICATION ADDRESS, EMAIL NOT SENT");
      return false;
   }

   $vlink= HTTP_SERVER . "/customer/verify_paypal_email.php?vcode=".$vcode;

   $messagetext = str_replace('$itemName', "balance", $messagetext);
   $messagetext = str_replace('$itemID', $itemid, $messagetext);
   $messagetext = str_replace('$itemAmount', $amount." ".strtoupper(BASE_CURRENCY), $messagetext);
   $messagetext = str_replace('$paymentMethod', $pmethod, $messagetext);
   $messagetext = str_replace('$paymentStatus', "Pending", $messagetext);
   $messagetext = str_replace('$verifyLink', $vlink, $messagetext);

   $em_headers  = 'MIME-Version: 1.0' . "\r\n";
   $em_headers .= 'Content-type: text/plain;' . "\r\n";
   $em_headers .= "From: ".$fromname." <".$from.">\r\n";
   $em_headers .= "Reply-To: ".$from."\r\n";
   $em_headers .= "Return-Path: ".$from."\r\n";
   $em_headers .= "X-Priority: 1\r\n";

   // log recipient and subject only: the body contains the verification
   // link, which should not be readable from the log file
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." -SENDING PAYPAL VERIFICATION EMAIL TO CUSTOMER $to_email sub: $subject");
   return mail($to_email, $subject, $messagetext, $em_headers);
}

function vh_showfailed($err_msg) {
?>
   <p id="msg">Sorry, PayPal verification failed!</p>
<?php
   // escape the message so it cannot inject markup into the page
   echo "<p id=\"msg\">".htmlspecialchars($err_msg, ENT_QUOTES, 'UTF-8')."</p>";
}

function vh_showsuccess() {
?>
   <p id="msg">Congratulations, you have successfully verified your PayPal email!</p>
   <p id="msg">You can <a href="/customer">click here</a> to get back to your account page.</p>

<?php
}
?>


Update paypal.php with this:
Code:
<?php
include(dirname(__FILE__).'/../includes/methods/paypal.php');

class paypal {
    var $code, $title, $description, $enabled, $sort_order, $form_action_url;

   // class constructor (PHP 4 style)
    function paypal() {
      global $order;

      $this->code = 'paypal';
      $this->title = MODULE_PAYMENT_PAYPAL_TEXT_TITLE;
      $this->description = MODULE_PAYMENT_PAYPAL_TEXT_DESCRIPTION;
      $this->sort_order = 1;
      $this->enabled = ((MODULE_PAYMENT_PAYPAL_STATUS == 'True') ? true : false);
      //$this->enabled = true;

      $this->form_action_url = PAYPAL_PAYMENT_URL;
    }

   // class methods
    function update_status() {
      global $order;

      if ( ($this->enabled == true) && ((int)MODULE_PAYMENT_PAYPAL_ZONE > 0) ) {
         $check_flag = false;
         $check_query = tep_db_query("select zone_id from " . TABLE_ZONES_TO_GEO_ZONES . " where geo_zone_id = '" . MODULE_PAYMENT_PAYPAL_ZONE . "' and zone_country_id = '" . $order->billing['country']['id'] . "' order by zone_id");
         while ($check = tep_db_fetch_array($check_query)) {
            if ($check['zone_id'] < 1) {
               $check_flag = true;
               break;
            } elseif ($check['zone_id'] == $order->billing['zone_id']) {
               $check_flag = true;
               break;
            }
         }

         if ($check_flag == false) {
            $this->enabled = false;
         }
      }
    }

    function javascript_validation() {
      return false;
    }

    function selection() {
      return array('id' => $this->code, 'module' => $this->title);
    }

    function pre_confirmation_check() {
      return false;
    }

    function confirmation() {
      return false;
    }

    function process_button($transactionID = 0, $key= "") {
      global $order, $currencies, $currency;

      $my_currency = strtoupper($GLOBALS['A2B']->config['global']['base_currency']);

      if (!in_array($my_currency, array('CAD', 'EUR', 'GBP', 'JPY', 'USD', 'MXN', 'AUD'))) {
         $my_currency = 'USD';
      }
      $currencyObject = new currencies();
      $process_button_string = tep_draw_hidden_field('cmd', '_xclick') .
                        tep_draw_hidden_field('business', MODULE_PAYMENT_PAYPAL_ID) .
                        tep_draw_hidden_field('item_name', STORE_NAME) .
                        tep_draw_hidden_field('rm', '2') .
                        tep_draw_hidden_field('LC', 'US') .
                        tep_draw_hidden_field('country', 'USA') .
                        tep_draw_hidden_field('no_shipping', '1') .
                        tep_draw_hidden_field('PHPSESSID', session_id()) .
                        tep_draw_hidden_field('amount', number_format($order->info['total'], $currencyObject->get_decimal_places($my_currency))) .
                        //tep_draw_hidden_field('shipping', number_format($order->info['shipping_cost'] * $currencyObject->get_value($my_currency), $currencyObject->get_decimal_places($my_currency))) .
                        tep_draw_hidden_field('currency_code', $my_currency) .
                        tep_draw_hidden_field('notify_url', tep_href_link("checkout_process.php?transactionID=".$transactionID."&sess_id=".session_id()."&key=".$key, '', 'SSL')) .
                        tep_draw_hidden_field('return', tep_href_link("userinfo.php", '', 'SSL')) .
                        tep_draw_hidden_field('cancel_return', tep_href_link("userinfo.php", '', 'SSL'));

      return $process_button_string;
    }
    function get_CurrentCurrency()
    {   
        $my_currency = MODULE_PAYMENT_PAYPAL_CURRENCY;
        $base_currency = strtoupper($GLOBALS['A2B']->config['global']['base_currency']);
        if($my_currency =='Selected Currency' && in_array($base_currency,array('CAD', 'EUR', 'GBP', 'JPY', 'USD', 'MXN', 'AUD')) ){
           $my_currency = $base_currency;
        }
        elseif (!in_array($my_currency, array('CAD', 'EUR', 'GBP', 'JPY', 'USD', 'MXN', 'AUD'))) {
         $my_currency = 'USD';
      }
        return $my_currency;
    }
    function before_process() {
      return false;
    }

    function get_OrderStatus()
    {
        // an IPN without a payment_status is treated as failed
        if (!isset($_POST['payment_status']) || $_POST['payment_status']=="")
        {
            return -2;
        }
        switch($_POST['payment_status'])
        {
            case "Failed":
                return -2;
            break;
            case "Denied":
                return -1;
            break;
            case "Pending":
                return 0;
            break;
            case "In-Progress":
                return 1;
            break;
            case "Completed":
                return 2;
            break;
            case "Processed":
                return 3;
            break;
            case "Refunded":
                return 4;
            break;
            default:
              return 5;
        }
    }
    function after_process() {
      return false;
    }

    function output_error() {
      return false;
    }

    function keys() {
      return array('MODULE_PAYMENT_PAYPAL_STATUS', 'MODULE_PAYMENT_PAYPAL_ID');
    }
}


Update checkout_process.php with this:

Code:

<?php

/* vim: set expandtab tabstop=4 shiftwidth=4 softtabstop=4: */

/**
* This file is part of A2Billing (http://www.a2billing.net/)
*
* A2Billing, Commercial Open Source Telecom Billing platform,   
* powered by Star2billing S.L. <http://www.star2billing.com/>
*
* @copyright   Copyright (C) 2004-2009 - Star2billing S.L.
* @author      Belaid Arezqui <[email protected]>
* @license     http://www.fsf.org/licensing/licenses/agpl-3.0.html
* @package     A2Billing
*
* Software License Agreement (GNU Affero General Public License)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program.  If not, see <http://www.gnu.org/licenses/>.
*
*
**/

$transactionID = "";
$key = "";
$sess_id = "";

include ("./lib/customer.defines.php");

getpost_ifset (array('transactionID', 'sess_id', 'key', 'mc_currency', 'currency', 'md5sig', 'merchant_id', 'mb_amount', 'status', 'mb_currency',
               'transaction_id', 'mc_fee', 'card_number'));

write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."EPAYMENT : transactionID=$transactionID - transactionKey=$key \n -POST Var \n".print_r($_POST, true));

if ($sess_id =="") {
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." ERROR NO SESSION ID PROVIDED IN RETURN URL TO PAYMENT MODULE");
    exit();
}

// the id is used unquoted in the SQL below, so accept digits only
if($transactionID == "" || !ctype_digit((string)$transactionID)) {
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." NO VALID TRANSACTION ID PROVIDED IN REQUEST");
    exit();
}
$transactionID = (int)$transactionID;


include ("./lib/customer.module.access.php");
include ("./lib/Form/Class.FormHandler.inc.php");
include ("./lib/epayment/classes/payment.php");
include ("./lib/epayment/classes/order.php");
include ("./lib/epayment/classes/currencies.php");
include ("./lib/epayment/includes/general.php");
include ("./lib/epayment/includes/html_output.php");
include ("./lib/epayment/includes/configure.php");
include ("./lib/epayment/includes/loadconfiguration.php");
include ("./lib/support/classes/invoice.php");
include ("./lib/support/classes/invoiceItem.php");
include ("./lib/epayment/includes/verification.php");


$DBHandle_max  = DbConnect();
$paymentTable = new Table();

if (DB_TYPE == "postgres") {
   $NOW_2MIN = " creationdate <= (now() - interval '2 minute') ";
} else {
   $NOW_2MIN = " creationdate <= DATE_SUB(NOW(), INTERVAL 2 MINUTE) ";
}

// Status - New 0 ; Proceed 1 ; In Process 2
$QUERY = "SELECT id, cardid, amount, vat, paymentmethod, cc_owner, cc_number, cc_expires, creationdate, status, cvv, credit_card_type, currency, item_id, item_type " .
       " FROM cc_epayment_log " .
       " WHERE id = ".$transactionID." AND (status = 0 OR (status = 2 AND $NOW_2MIN))";
$transaction_data = $paymentTable->SQLExec ($DBHandle_max, $QUERY);

$item_id = $transaction_data[0][13];
$item_type = $transaction_data[0][14];

//Update the Transaction Status to 1
$QUERY = "UPDATE cc_epayment_log SET status = 2 WHERE id = ".$transactionID;
write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."- QUERY = $QUERY");
$paymentTable->SQLExec ($DBHandle_max, $QUERY);


if(!is_array($transaction_data) || count($transaction_data) == 0) {   // no matching row: unknown id or already processed
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).
      ' line:'.__LINE__."- transactionID=$transactionID"." ERROR INVALID TRANSACTION ID PROVIDED, TRANSACTION ID =".$transactionID);
   exit();
} else {
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).
      ' line:'.__LINE__."- transactionID=$transactionID"." EPAYMENT RESPONSE: TRANSACTIONID = ".$transactionID.
      " FROM ".$transaction_data[0][4]."; FOR CUSTOMER ID ".$transaction_data[0][1]."; OF AMOUNT ".$transaction_data[0][2]);
}


$security_verify = true;
$transaction_detail = serialize($_POST);

$currencyObject    = new currencies();
$currencies_list    = get_currencies();
switch($transaction_data[0][4])
{
   case "paypal":
      $currCurrency = $mc_currency;
      if($A2B->config['epayment_method']['charge_paypal_fee']==1){
         $currAmount = $transaction_data[0][2] ;
      }else{
         $currAmount = $transaction_data[0][2] - $mc_fee;
      }
      $postvars = array();
      $req = 'cmd=_notify-validate';
      foreach ($_POST as $vkey => $Value) {
         $req .= "&" . $vkey . "=" . urlencode ($Value);
      }
      
      $header  = "POST /cgi-bin/webscr HTTP/1.0\r\n";   // start from an empty header block
      $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
      $header .= "Content-Length: " . strlen ($req) . "\r\n\r\n";
      for ($i = 1; $i <=3; $i++) {
         write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-OPENING HTTP CONNECTION TO ".PAYPAL_VERIFY_URL);
         $fp = fsockopen (PAYPAL_VERIFY_URL, 443, $errno, $errstr, 30);
         if($fp) {   
            break;
         } else {
            write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." -Try#".$i." Failed to open HTTP Connection : ".$errstr.". Error Code: ".$errno);
            sleep(3);
         }
      }      
      if (!$fp) {
         write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-Failed to open HTTP Connection: ".$errstr.". Error Code: ".$errno);
         exit();
      } else {
         fputs ($fp, $header . $req);         
         $flag_ver = 0;
         $gather_res = "";
         while (!feof($fp)) {
            $res = fgets ($fp, 1024);
            $gather_res .= $res;
            if (strcmp (trim($res), "VERIFIED") == 0) {   // tolerate a trailing newline in the response line
               write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-PAYPAL Transaction Verification Status: Verified ");
               $flag_ver = 1;
            }            
         }
         if ($flag_ver == 0) {
            write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-PAYPAL Transaction Verification Status: Failed \nreq=$req\n$gather_res");
            $security_verify = false;
         }
      }
      fclose ($fp);   
      break;
      
   case "moneybookers":
      $currAmount = $transaction_data[0][2];
      $sec_string = $merchant_id.$transaction_id.strtoupper(md5(MONEYBOOKERS_SECRETWORD)).$mb_amount.$mb_currency.$status;
      $sig_string = strtoupper(md5($sec_string));
      
      if($sig_string == $md5sig) {
         write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-MoneyBookers Transaction Verification Status: Verified | md5sig =".$md5sig." Reproduced Signature = ".$sig_string." Generated String = ".$sec_string);
      } else {
         write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-MoneyBookers Transaction Verification Status: Failed | md5sig =".$md5sig." Reproduced Signature = ".$sig_string." Generated String = ".$sec_string);
         $security_verify = false;         
      }
      $currCurrency = $currency;
      break;
      
   case "creditcard":
      $currAmount = $transaction_data[0][2];
      $sec_string = $merchant_id.$transaction_id.strtoupper(md5(CREDITCARD_SECRETWORD)).$mb_amount.$mb_currency.$status;
      $sig_string = strtoupper(md5($sec_string));
      
      if($sig_string == $md5sig) {
         write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-CreditCard(mb) Transaction Verification Status: Verified | md5sig =".$md5sig." Reproduced Signature = ".$sig_string." Generated String = ".$sec_string);
      } else {
         write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-CreditCard(mb) Transaction Verification Status: Failed | md5sig =".$md5sig." Reproduced Signature = ".$sig_string." Generated String = ".$sec_string);
         $security_verify = false;         
      }
      $currCurrency = $currency;
      break;
      
   case "authorizenet":
      $currAmount = $transaction_data[0][2];
      $currCurrency = BASE_CURRENCY;
      break;
      
   case "plugnpay":
      
      if (substr($card_number,0,4) != substr($transaction_data[0][6],0,4)) {
         write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."- PlugNPay Error : First 4digits of the card doesn't match with the one stored.");
      }
      
      $currCurrency       = BASE_CURRENCY;
      $currAmount       = $transaction_data[0][2];
      $currAmount_usd      = convert_currency($currencies_list, $currAmount, BASE_CURRENCY, 'USD');
      
      $pnp_post_values = array(
           'publisher-name' => MODULE_PAYMENT_PLUGNPAY_LOGIN,
           'mode'           => 'auth',
           'ipaddress'      => $_SERVER['REMOTE_ADDR'],
           // Metainfo
           'convert'        => 'underscores',
           'easycart'       => '1',
           'shipinfo'       => '1',
           'authtype'       => MODULE_PAYMENT_PLUGNPAY_CCMODE,
           'paymethod'      => MODULE_PAYMENT_PLUGNPAY_PAYMETHOD,
           'dontsndmail'    => MODULE_PAYMENT_PLUGNPAY_DONTSNDMAIL,
           // Card Info
           'card_number'    => $card_number,
          'card-name'      => $transaction_data[0][5],
          'card-amount'    => $currAmount_usd,
          'card-exp'       => $transaction_data[0][7],
          'cc-cvv'         => $transaction_data[0][10]
       );
       write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."- PlugNPay Value Sent : \n\n".print_r($pnp_post_values, true));
      
      // init curl handle
      $pnp_ch = curl_init(PLUGNPAY_PAYMENT_URL);
      curl_setopt($pnp_ch, CURLOPT_RETURNTRANSFER, 1);
      $http_query = http_build_query( $pnp_post_values );
      curl_setopt($pnp_ch, CURLOPT_POSTFIELDS, $http_query);
      #curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);  // Upon problem, uncomment for additional Windows 2003 compatibility
      
      // perform ssl post
      $pnp_result_page = curl_exec($pnp_ch);
      parse_str( $pnp_result_page, $pnp_transaction_array );
      
      write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."- PlugNPay Result : \n\n".print_r($pnp_transaction_array, true));
      write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."- RESULT : ".$pnp_transaction_array['FinalStatus']);
      
      // $pnp_transaction_array['FinalStatus'] = 'badcard';
      //echo "<pre>".print_r ($pnp_transaction_array, true)."</pre>";
      
      $transaction_detail = serialize($pnp_transaction_array);
      break;
      
   case 'iridium':
        $currCurrency           = BASE_CURRENCY;
        $currAmount             = $transaction_data[0][2];
      break;
      
   default:
      write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-NO SUCH EPAYMENT FOUND");
      exit();
}

if(empty($transaction_data[0]['vat']) || !is_numeric($transaction_data[0]['vat']))
   $VAT =0;
else
   $VAT = $transaction_data[0]['vat'];

write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."curr amount $currAmount $currCurrency ".BASE_CURRENCY);
$amount_paid = convert_currency($currencies_list, $currAmount, $currCurrency, BASE_CURRENCY);
$amount_without_vat = $amount_paid / (1+$VAT/100);

//If security verification fails then send an email to administrator as it may be a possible attack on epayment security.
if ($security_verify == false) {
    try {
       //TODO create mail class for agent
       $mail = new Mail('epaymentverify',$id);
    } catch (A2bMailException $e) {
        write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." ERROR NO EMAIL TEMPLATE FOUND");
        exit();
    }
    $mail->replaceInEmail(Mail::$TIME_KEY,date("y-m-d H:i:s"));
    $mail->replaceInEmail(Mail::$PAYMENTGATEWAY_KEY, $transaction_data[0][4]);
    $mail->replaceInEmail(Mail::$ITEM_AMOUNT_KEY, $amount_paid.$currCurrency);
   
   // Add Post information / useful to track down payment transaction without having to log
   $mail->AddToMessage("\n\n\n\n"."-POST Var \n".print_r($_POST, true));
   $mail->send(ADMIN_EMAIL);

   exit;
}

$newkey = securitykey(EPAYMENT_TRANSACTION_KEY, $transaction_data[0][8]."^".$transactionID."^".$transaction_data[0][2]."^".$transaction_data[0][1]."^".$item_id."^".$item_type);
if($newkey == $key) {
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."----------- Transaction Key Verified ------------");
} else {
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."----NEW KEY =".$newkey." OLD KEY= ".$key." ------- Transaction Key Verification Failed:".$transaction_data[0][8]."^".$transactionID."^".$transaction_data[0][2]."^".$transaction_data[0][1]." ------------\n");
   exit();
}
write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." ---------- TRANSACTION INFO ------------\n".print_r($transaction_data,1));
$payment_modules = new payment($transaction_data[0][4]);
// load the before_process function from the payment modules
//$payment_modules->before_process();

$QUERY = "SELECT username, credit, lastname, firstname, address, city, state, country, zipcode, phone, email, fax, lastuse, activated, currency, useralias, uipass " .
       "FROM cc_card WHERE id = '".$transaction_data[0][1]."'";
$resmax = $DBHandle_max -> Execute($QUERY);
if ($resmax) {
   $numrow = $resmax -> RecordCount();
} else {
    write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." ERROR NO SUCH CUSTOMER EXISTS, CUSTOMER ID = ".$transaction_data[0][1]);
    exit(gettext("No Such Customer exists."));
}
$customer_info = $resmax -> fetchRow();
$nowDate = date("Y-m-d H:i:s");

$pmodule = $transaction_data[0][4];

$orderStatus = $payment_modules->get_OrderStatus();

/* Check PayPal email  **********/
$verifyKey = "";
if ($orderStatus == 2) { /* begin check orderStatus */
   if ($transaction_data[0][4] == 'paypal') { /* begin check if paypal */
      $payer_email = isset($_POST['payer_email']) ? trim($_POST['payer_email']) : '';
      // case-insensitive compare so a capitalisation difference alone does not trigger a hold
      if (strcasecmp($payer_email, trim($customer_info['email'])) != 0) { /*begin check payer_email*/
         write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." tID=$transactionID DIFFERENT PAYPAL EMAIL DETECTED (".$_POST['payer_email']." != ".$customer_info['email'].")");

         write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." tID=$transactionID Changing orderStatus to Pending = 0");
         $orderStatus = 0;

         /* create verifyKey */
         $verifyKey = vh_createkey();

         /* create vcode for link */
         $vcode = vh_makevcode($verifyKey, $nowDate);

         /* Send verification email */
         $QUERY = "SELECT mailtype, fromemail, fromname, subject, messagetext, messagehtml FROM cc_templatemail WHERE mailtype='paypalverification' ";
         $res = $DBHandle_max->Execute($QUERY);

         $num = 0;

         if ($res) {
            $num = $res->RecordCount();
         }

         if (!$num) {
            write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." ERROR TEMPLATE NOT FOUND!");
         } else {
            //echo "template found!!\n";
            write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." TEMPLATE FOUND! $num");

            $listtemplate1 = array();
            for($i=0;$i<$num;$i++)
            {
               $listtemplate1[] = $res->fetchRow();
            }

            write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." template \n". print_r($listtemplate1,1));

            /* send email to customer */

            vh_send_email($vcode, $_POST['payer_email'], $customer_info[0], $amount_paid, 'paypal', $listtemplate1);

         }
         


      } /* end check payer_email */
   } /* end check if paypal */
} /* end check orderStatus */
/**********/

if(empty($item_type))
   $transaction_type='balance';
else
   $transaction_type = $item_type;

$Query = "INSERT INTO cc_payments ( customers_id,
                                    customers_name,
                customers_email_address,
                item_name,
                item_id,
                item_quantity,
                payment_method,
                cc_type,
                cc_owner, " .
         " cc_number,
         cc_expires,
         orders_status,
         last_modified,
         date_purchased,
         orders_date_finished,
         orders_amount,
         currency,
         currency_value,
         verification_code) values (" .
         " '".$transaction_data[0][1]."', '".$customer_info[3]." ".$customer_info[2]."', '".$customer_info["email"]."', '$transaction_type', '".
         $customer_info[0]."', 1, '$pmodule', '".$_SESSION["p_cardtype"]."', '".$transaction_data[0][5]."', '".$transaction_data[0][6]."', '".
         $transaction_data[0][7]."',  $orderStatus, '".$nowDate."', '".$nowDate."', '".$nowDate."',  ".$amount_paid.",  '".$currCurrency."', '".
         $currencyObject->get_value($currCurrency)."', '".$verifyKey."' )";
$result = $DBHandle_max -> Execute($Query);


// UPDATE THE CARD CREDIT
$id = 0;
if ($customer_info[0] > 0 && $orderStatus == 2) {
    /* CHECK IF THE CARDNUMBER IS ON THE DATABASE */
    $instance_table_card = new Table("cc_card", "username, id");
    $FG_TABLE_CLAUSE_card = " username='".$customer_info[0]."'";
    $list_tariff_card = $instance_table_card -> Get_list ($DBHandle, $FG_TABLE_CLAUSE_card, null, null, null, null, null, null);
    if ($customer_info[0] == $list_tariff_card[0][0]) {
        $id = $list_tariff_card[0][1];
    }
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." CARD FOUND IN DB ($id)");
} else {
    write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." ERROR CUSTOMER INFO OR ORDERSTATUS ($orderStatus)\n".print_r($_POST, true)."\n");
}

if ($id > 0 ) {
   if (strcasecmp("invoice",$item_type)!=0) {
       $addcredit = $transaction_data[0][2];
      $instance_table = new Table("cc_card", "username, id");
      $param_update .= " credit = credit+'".$amount_without_vat."'";
      $FG_EDITION_CLAUSE = " id='$id'";
      $instance_table -> Update_table ($DBHandle, $param_update, $FG_EDITION_CLAUSE, $func_table = null);
      write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." Update_table cc_card : $param_update - CLAUSE : $FG_EDITION_CLAUSE");
      
      $table_transaction = new Table();
      $result_agent = $table_transaction -> SQLExec($DBHandle,"SELECT cc_card_group.id_agent FROM cc_card LEFT JOIN cc_card_group ON cc_card_group.id = cc_card.id_group WHERE cc_card.id = $id");
      if (is_array($result_agent) && !is_null($result_agent[0]['id_agent']) && $result_agent[0]['id_agent']>0 ) {
         $id_agent =  $result_agent[0]['id_agent'];
         $id_agent_insert = "'$id_agent'";
      } else {
         $id_agent = null;
         $id_agent_insert = "NULL";
      }
      
      $field_insert = "date, credit, card_id, description,agent_id";
      $value_insert = "'$nowDate', '".$amount_without_vat."', '$id', '".$transaction_data[0][4]."',$id_agent_insert";
      $instance_sub_table = new Table("cc_logrefill", $field_insert);
      $id_logrefill = $instance_sub_table -> Add_table ($DBHandle, $value_insert, null, null, 'id');
      write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." Add_table cc_logrefill : $field_insert - VALUES $value_insert");
      
      $field_insert = "date, payment, card_id, id_logrefill, description,agent_id";
      $value_insert = "'$nowDate', '".$amount_paid."', '$id', '$id_logrefill', '".$transaction_data[0][4]."',$id_agent_insert ";
      $instance_sub_table = new Table("cc_logpayment", $field_insert);
      $id_payment = $instance_sub_table -> Add_table ($DBHandle, $value_insert, null, null,"id");
      write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." Add_table cc_logpayment : $field_insert - VALUES $value_insert");
      
      //ADD an INVOICE
      $reference = generate_invoice_reference();
      $field_insert = "date, id_card, title ,reference, description,status,paid_status";
      $date = $nowDate;
      $card_id = $id;
      $title = gettext("CUSTOMER REFILL");
      $description = gettext("Invoice for refill");
      $value_insert = " '$date' , '$card_id', '$title','$reference','$description',1,1 ";
      $instance_table = new Table("cc_invoice", $field_insert);
      $id_invoice = $instance_table -> Add_table ($DBHandle, $value_insert, null, null,"id");
      //load vat of this card
      if (!empty($id_invoice)&& is_numeric($id_invoice)) {
         $amount = $amount_without_vat;
         $description = gettext("Refill ONLINE")." : ".$transaction_data[0][4];
         $field_insert = "date, id_invoice ,price,vat, description";
         $instance_table = new Table("cc_invoice_item", $field_insert);
         $value_insert = " '$date' , '$id_invoice', '$amount','$VAT','$description' ";
         $instance_table -> Add_table ($DBHandle, $value_insert, null, null,"id");
      }
       //link payment to this invoice
      $table_payment_invoice = new Table("cc_invoice_payment", "*");
      $fields = " id_invoice , id_payment";
      $values = " $id_invoice, $id_payment   ";
      $table_payment_invoice->Add_table($DBHandle, $values, $fields);
      //END INVOICE

      // Agent commision
      // test if this card have a agent      
      if (!empty($id_agent)) {

         //test if the agent exist and get its commission
         $agent_table = new Table("cc_agent", "commission");
         $agent_clause = "id = ".$id_agent;
         $result_agent= $agent_table -> Get_list($DBHandle,$agent_clause);
         if(is_array($result_agent) && is_numeric($result_agent[0]['commission']) && $result_agent[0]['commission']>0) {

            $field_insert = "id_payment, id_card, amount,description,id_agent,commission_percent,commission_type";
            $commission = ceil(($amount_without_vat * ($result_agent[0]['commission'])/100)*100)/100;
            $commission_percent = $result_agent[0]['commission'];

            $description_commission = gettext("AUTOMATICALY GENERATED COMMISSION!");
            $description_commission.= "\nID CARD : ".$id;
            $description_commission.= "\nID PAYMENT : ".$id_payment;
            $description_commission.= "\nPAYMENT AMOUNT: ".$amount_without_vat;
            $description_commission.= "\nCOMMISSION APPLIED: ".$commission_percent;

            $value_insert = "'".$id_payment."', '$id', '$commission','$description_commission','$id_agent','$commission_percent','0'";
            $commission_table = new Table("cc_agent_commission", $field_insert);
            $id_commission = $commission_table -> Add_table ($DBHandle, $value_insert, null, null,"id");
            write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." Add_table cc_agent_commission : $field_insert - VALUES $value_insert");

            $table_agent = new Table('cc_agent');
            $param_update_agent = "com_balance = com_balance + '".$commission."'";
            $clause_update_agent = " id='".$id_agent."'";
            $table_agent -> Update_table ($DBHandle, $param_update_agent, $clause_update_agent, $func_table = null);
            write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." Update_table cc_agent : $param_update_agent - CLAUSE : $clause_update_agent");
         }
         
      }
   } else {
      if($item_id>0) {
         $invoice_table = new Table('cc_invoice','reference');
         $invoice_clause = "id = ".$item_id;
         $result_invoice = $invoice_table->Get_list($DBHandle,$invoice_clause);
         
         if (is_array($result_invoice) && sizeof($result_invoice)==1) {
            $reference =$result_invoice[0][0];
            
            $field_insert = "date, payment, card_id, description";
            $value_insert = "'$nowDate', '".$amount_paid."', '$id', '(".$transaction_data[0][4].") ".gettext('Invoice Payment Ref: ')."$reference '";
            $instance_sub_table = new Table("cc_logpayment", $field_insert);
            $id_payment = $instance_sub_table -> Add_table ($DBHandle, $value_insert, null, null,"id");
            write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." Add_table cc_logpayment : $field_insert - VALUES $value_insert");

            //update invoice to paid
            $invoice = new Invoice($item_id);
            $invoice -> addPayment($id_payment);
            $invoice -> changeStatus(1);
            $items = $invoice -> loadItems();
            foreach ($items as $item) {
               if ($item -> getExtType() == 'DID') {
                  $QUERY = "UPDATE cc_did_use set month_payed = month_payed+1 , reminded = 0 WHERE id_did = '" . $item -> getExtId() .
                         "' AND activated = 1 AND ( releasedate IS NULL OR releasedate < '1984-01-01 00:00:00') ";
                  $instance_table->SQLExec($DBHandle, $QUERY, 0);
               }
               if ($item -> getExtType() == 'SUBSCR') {
                  //Load subscription
                        write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."- Type SUBSCR");
                  $table_subsc = new Table('cc_card_subscription','paid_status');
                  $subscr_clause = "id = ".$item -> getExtId();
                  $result_subscr = $table_subsc -> Get_list($DBHandle,$subscr_clause);
                  if(is_array($result_subscr)){
                     $subscription = $result_subscr[0];
                            write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."- cc_card_subscription paid_status : ".$subscription['paid_status']);
                     if($subscription['paid_status']==3){
                        $billdaybefor_anniversery = $A2B->config['global']['subscription_bill_days_before_anniversary'];
                        $unix_startdate = time();
                        $startdate = date("Y-m-d",$unix_startdate);
                        $day_startdate = date("j",$unix_startdate);
                        $month_startdate = date("m",$unix_startdate);
                        $year_startdate= date("Y",$unix_startdate);
                        $lastday_of_startdate_month = lastDayOfMonth($month_startdate,$year_startdate,"j");

                        $next_bill_date = strtotime("01-$month_startdate-$year_startdate + 1 month");
                        $lastday_of_next_month= lastDayOfMonth(date("m",$next_bill_date),date("Y",$next_bill_date),"j");

                        if ($day_startdate > $lastday_of_next_month) {
                           $next_limite_pay_date = date ("$lastday_of_next_month-m-Y" ,$next_bill_date);
                        } else {
                        $next_limite_pay_date = date ("$day_startdate-m-Y" ,$next_bill_date);
                        }

                        $next_bill_date = date("Y-m-d",strtotime("$next_limite_pay_date - $billdaybefor_anniversery day")) ;
                        $QUERY = "UPDATE cc_card SET status=1 WHERE id=$id";
                                $result = $instance_table->SQLExec($DBHandle, $QUERY, 0);
                        write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."- QUERY : $QUERY - RESULT : $result");
                               
                        $QUERY = "UPDATE cc_card_subscription SET paid_status = 2, startdate = '$startdate' ,limit_pay_date = '$next_limite_pay_date',    next_billing_date ='$next_bill_date' WHERE id=" . $item -> getExtId();
                                write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."- QUERY : $QUERY");
                        $instance_table->SQLExec($DBHandle, $QUERY, 0);
                     }else{
                                $QUERY = "UPDATE cc_card SET status=1 WHERE id=$id";
                                $result = $instance_table->SQLExec($DBHandle, $QUERY, 0);
                        write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."- QUERY : $QUERY - RESULT : $result");

                                $QUERY = "UPDATE cc_card_subscription SET paid_status = 2 WHERE id=". $item -> getExtId();
                                write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."- QUERY : $QUERY");
                        $instance_table->SQLExec($DBHandle, $QUERY, 0);
                     }
                  }
               }
            }
         }
      }
   }
}

$_SESSION["p_amount"] = null;
$_SESSION["p_cardexp"] = null;
$_SESSION["p_cardno"] = null;
$_SESSION["p_cardtype"] = null;
$_SESSION["p_module"] = null;

//Update the Transaction Status to 1
$QUERY = "UPDATE cc_epayment_log SET status = 1, transaction_detail ='".addslashes($transaction_detail)."' WHERE id = ".$transactionID;
write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."- QUERY = $QUERY");
$paymentTable->SQLExec ($DBHandle_max, $QUERY);


switch ($orderStatus)
{
   case -2:
      $statusmessage = "Failed";
      break;
   case -1:
      $statusmessage = "Denied";
      break;
   case 0:
      $statusmessage = "Pending";
      break;
   case 1:
      $statusmessage = "In-Progress";
      break;
   case 2:
      $statusmessage = "Successful";
      break;
}

if ( ($orderStatus != 2) && ($transaction_data[0][4]=='plugnpay')) {
   $url_forward = "checkout_payment.php?payment_error=plugnpay&error=The+payment+couldnt+be+proceed+correctly";
   if(!empty($item_id) && !empty($item_type)) $url_forward .= "&item_id=".$item_id."&item_type=".$item_type;
   Header ("Location: $url_forward");
   die();
}

if ( ($orderStatus == 0) && ($transaction_data[0][4]=='iridium')) {
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." EPAYMENT ORDER STATUS  = ".$statusmessage);
    die();
}

write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." EPAYMENT ORDER STATUS  = ".$statusmessage);

// CHECK IF THE EMAIL ADDRESS IS CORRECT
// eregi() was removed in PHP 7; the same pattern as a case-insensitive PCRE
if (preg_match('/^[a-z]+[a-z0-9_-]*(([.]{1})|([a-z0-9_-]*))[a-z0-9_-]+[@]{1}[a-z0-9_-]+[.](([a-z]{2,3})|([a-z]{3}[.]{1}[a-z]{2}))$/i', $customer_info["email"])) {
   // FIND THE TEMPLATE APPROPRIATE
   
    try {
        $mail = new Mail(Mail::$TYPE_PAYMENT,$id);
        write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-SENDING EMAIL TO CUSTOMER ".$customer_info["email"]);
        $mail->replaceInEmail(Mail::$ITEM_AMOUNT_KEY,$amount_paid);
        $mail->replaceInEmail(Mail::$ITEM_ID_KEY,$id_logrefill);
        $mail->replaceInEmail(Mail::$ITEM_NAME_KEY,'balance');
        $mail->replaceInEmail(Mail::$PAYMENT_METHOD_KEY,$pmodule);
        $mail->replaceInEmail(Mail::$PAYMENT_STATUS_KEY,$statusmessage);
        $mail->send($customer_info["email"]);
       
        write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-SENDING EMAIL TO CUSTOMER ".$customer_info["email"]);
        write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"."- MAILTO:".$customer_info["email"]."-Sub=".$mail->getTitle()." , mtext=".$mail->getMessage());
       
        // Add Post information / useful to track down payment transaction without having to log
      $mail->AddToMessage("\n\n\n\n"."-POST Var \n".print_r($_POST, true));
        $mail->setTitle("COPY FOR ADMIN : ".$mail->getTitle());
        $mail->send(ADMIN_EMAIL);
       
    } catch (A2bMailException $e) {
        write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." ERROR NO EMAIL TEMPLATE FOUND");
    }
   
} else {
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." Customer : no email info !!!");
}


// load the after_process function from the payment modules
$payment_modules->after_process();
write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." EPAYMENT ORDER STATUS ID = ".$orderStatus." ".$statusmessage);
write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__."-transactionID=$transactionID"." ----EPAYMENT TRANSACTION END----");


if ($transaction_data[0][4]=='plugnpay') {
   Header ("Location: userinfo.php");
   die;
}
   



add this row into cc_mailtemplate

Code:
mailtype: paypalverificati
subject: PURCHASE VERIFICATION


mail:

Thank you for your purchase at xxxx,

Please be careful,
PLEASE IGNORE THIS EMAIL IF YOU DID NOT PURCHASE ANY CREDIT FROM xxxx USING YOUR PAYPAL ACCOUNT.

Your purchase of xxxx credit is pending because your registered email is different from your PayPal email. In some cases this happens because someone has stolen your PayPal account and made the purchase.

Item Name  $itemName
Item ID  $itemID
Amount  $itemAmount
Payment Method  $paymentMethod
Status  $paymentStatus

If you really made payment from PayPal for your xxxx account above, please click this link:
$verifyLink

By clicking the link above, you verify that you have made XXXXXX credit purchase using your PayPal account.

Kind regards,
xxxx
http://www.xxxx.com


Last edited by hellbound on Mon Nov 08, 2010 3:01 am, edited 1 time in total.

Top
 Profile  
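The $verifyLink in the template above carries a vcode that verify_paypal_email.php turns back into the stored verification_code and purchase date before looking the payment up in cc_payments. Whether such a link is safe depends entirely on whether the code in it can be guessed or minted by someone who has read the PHP source. The following is an added example, not hellbound's code and not part of A2Billing, of one way to build and check the link so that it cannot: a random per-payment secret is stored with the pending payment, and the link carries only the payment id, an expiry and an HMAC over both plus that secret under a server-side key. The pv_* function names, $serverKey and the in-memory $payments array standing in for cc_payments are assumptions of the example.

```php
<?php
// Added example: unguessable, expiring verification links for pending PayPal payments.
// Not A2Billing code; pv_* names, $serverKey and the $payments array are assumptions.

// Called when a payment is parked as pending (orders_status = 0): returns the
// per-payment secret to store in cc_payments.verification_code.
function pv_new_verification_code(): string
{
    return bin2hex(random_bytes(16));           // 128 bits from the CSPRNG
}

// Build the opaque vcode placed in the e-mail link: payment id, expiry and an
// HMAC over both (plus the stored secret) under a server-side key.
function pv_make_vcode(int $paymentId, string $verificationCode, string $serverKey, int $expires): string
{
    $payload = $paymentId . '.' . $expires;
    $mac     = hash_hmac('sha256', $payload . '.' . $verificationCode, $serverKey);
    return rtrim(strtr(base64_encode($payload . '.' . $mac), '+/', '-_'), '=');  // base64url
}

// Parse a vcode and check it against the stored payment row. Returns null on any
// failure so the caller cannot tell a bad MAC from an expired or unknown link.
function pv_check_vcode(string $vcode, array $payments, string $serverKey, int $now): ?int
{
    $raw = base64_decode(strtr($vcode, '-_', '+/'), true);
    if ($raw === false) {
        return null;
    }
    $parts = explode('.', $raw);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    list($id, $expires, $mac) = $parts;
    $id = (int) $id;
    if ((int) $expires < $now || !isset($payments[$id])) {
        return null;                            // expired or unknown payment
    }
    $row = $payments[$id];
    if ((int) $row['orders_status'] !== 0) {
        return null;                            // already verified (or denied)
    }
    $expected = hash_hmac('sha256', $id . '.' . $expires . '.' . $row['verification_code'], $serverKey);
    if (!hash_equals($expected, $mac)) {        // constant-time comparison
        return null;
    }
    return $id;
}

// --- demonstration with constructed data -----------------------------------
$serverKey = 'replace-with-a-long-random-key-from-config';   // assumption: lives in config, not in the link
$secret    = pv_new_verification_code();

// constructed stand-in for a pending cc_payments row
$payments = array(
    42 => array('customers_id' => 7, 'orders_amount' => 10.00,
                'orders_status' => 0, 'verification_code' => $secret),
);

$issuedAt = time();
$vcode    = pv_make_vcode(42, $secret, $serverKey, $issuedAt + 48 * 3600);   // 48-hour hold

var_dump(pv_check_vcode($vcode, $payments, $serverKey, $issuedAt));                         // valid link inside its lifetime
var_dump(pv_check_vcode($vcode, $payments, $serverKey, $issuedAt + 49 * 3600));            // same link after expiry
var_dump(pv_check_vcode(substr($vcode, 0, -2) . 'AA', $payments, $serverKey, $issuedAt));  // tampered link
$payments[42]['orders_status'] = 2;
var_dump(pv_check_vcode($vcode, $payments, $serverKey, $issuedAt));                         // link replayed after use
```

The link only proves possession of the stored verification_code, which never leaves the server except inside the HMAC, so reading the PHP source or the mail template does not let anyone mint a valid link for someone else's payment. The 48-hour expiry matches the hold acaratt asked for; after that the customer has to start the purchase again rather than being able to activate an old pending payment.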
 
 Post subject: Re: Fraud with paypal!!
PostPosted: Sun Sep 26, 2010 4:34 am 
Offline

Joined: Fri Mar 05, 2010 7:00 am
Posts: 133
Hello,

Thank you for sharing your experience with this issue.

First,

Quote:
1. before allowing user to activate we removed the payment method until user verify his mobile number after receiving verification code


Would you please clarify this. I read the code but I did not follow how to verify the mobile number.

Second,
Quote:
to do so add this in:


Where do I add the verification.php file?

Kind regards,

Al


Top
 Profile  
 
 Post subject: Re: Fraud with paypal!!
PostPosted: Tue Sep 28, 2010 10:42 am 
Offline

Joined: Mon Jul 19, 2010 4:56 pm
Posts: 52
Hi all.

Has anyone tried this script?

Is it being considered for the next update?

Regards,

Rob


Top
 Profile  
 
 Post subject: Re: Fraud with paypal!!
PostPosted: Tue Sep 28, 2010 11:25 am 
Offline

Joined: Sun Mar 12, 2006 2:49 pm
Posts: 954
Location: Barcelona
Hi,

This will be a nice addition.

If you are willing to make this available into A2Billing,
we will need you to provide a proper patch that work with the Trunk
and then open a ticket on track.

Yours,
/Areski


Top
 Profile  
 
 Post subject: Re: Fraud with paypal!!
PostPosted: Wed Sep 29, 2010 2:22 pm 
Offline

Joined: Wed Sep 17, 2008 9:11 pm
Posts: 9
Hi Hellbound,

thank you ! You did a nice job. :)
However, I think you forgot to describe the file "verify_paypal_email.php".
Please post it.

Regards,
Dao


Top
 Profile  
 
 Post subject: Re: Fraud with paypal!!
PostPosted: Wed Sep 29, 2010 9:38 pm 
Offline

Joined: Sun Aug 17, 2008 1:52 pm
Posts: 93
sorry,

here is the part:

verify_paypal_email.php
Code:
<?php

include("./lib/customer.defines.php");
include("./lib/epayment/includes/verification.php");

getpost_ifset(array('vcode'));

$error_message = "";

write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." ============ PAYPAL EMAIL VERIFICATION process ============== ");

$continue_proc = false;
$verifystatus = false;

if (!isset($vcode)) {
   /* no validation code found */
   $continue_proc = false;
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." ERROR: vcode NOT FOUND ");
} else {
   $continue_proc = true;
}

if ($continue_proc == true) {
   /* check vcode */
   $transdata = vh_extract_vcode($vcode);
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." vcode = $vcode");

   if ($transdata['key'] != "") {
      $continue_proc = true;
   } else {
      write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." ERROR NO VERIFICATION KEY");
      $continue_proc = false;
   }
}

include ("./lib/Form/Class.FormHandler.inc.php");
include ("./lib/epayment/classes/payment.php");
include ("./lib/epayment/classes/order.php");
include ("./lib/epayment/classes/currencies.php");
include ("./lib/epayment/includes/general.php");
include ("./lib/epayment/includes/html_output.php");
include ("./lib/epayment/includes/configure.php");
include ("./lib/epayment/includes/loadconfiguration.php");

$DBHandle_max = DbConnect();

if ($continue_proc == true) {
   /* check the transaction */
   /* the vcode comes from the request: escape the decoded fields before interpolating them */
   $QUERY = "SELECT id, customers_id, orders_amount, orders_status, date_purchased FROM cc_payments WHERE verification_code = '".addslashes($transdata['key'])."' AND date_purchased = '".addslashes($transdata['transdate'])."'";

   $tb_payments = new Table("cc_payments");

   write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." QUERY: ". $QUERY);
   $list_payments = $tb_payments->SQLExec($DBHandle_max, $QUERY);
   if (!is_array($list_payments)) {
      $continue_proc = false;
      write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." ERROR PAYMENT NOT FOUND \n". print_r($transdata,1));
   }

   if ($continue_proc == true && count($list_payments) == 0) {
      $continue_proc = false;
      write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." ERROR PAYMENT NOT FOUND \n". print_r($transdata,1));
   } elseif ($continue_proc == true && count($list_payments) > 0) {
      write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." payment found \n". print_r($list_payments,1));
   }
}

/* check transaction status */

if ($continue_proc == true && $list_payments[0]['orders_status'] != 0) {
   /* status is not pending ... maybe user have clicked before */
   $error_message = "You may have already verify this transaction.";
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." STATUS ERROR: not Pending");
   $continue_proc = false;
}

/* check user */
if ($continue_proc == true) {
   $tb_card = new Table("cc_card");

   $QUERY = "SELECT * FROM cc_card WHERE id='".(int)$list_payments[0]['customers_id']."'";
   $list_card = $tb_card->SQLExec($DBHandle_max,$QUERY);

   if (!is_array($list_card)) {
      write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." ERROR CARD NOT FOUND :".$QUERY);
      $continue_proc = false;
   } else {
      write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." CARD DATA FOUND \n".print_r($list_card,1));
   }
}

/* add credit */
if ($continue_proc == true) {
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." adding credit: ".$list_payments[0]['orders_amount']);
   $amount_paid = $list_payments[0]['orders_amount'];
   $id = $list_payments[0]['customers_id'];

   /* update credit on cc_card */
   $card_table = new Table("cc_card");
   $QUERY = "UPDATE `cc_card` SET `credit`=`credit`+'".$amount_paid."' WHERE `id`='".$id."'";
   $db_creditupdate = $card_table->SQLExec($DBHandle_max, $QUERY, 1);
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." QUERY: ".$QUERY);

   /* update cc_payments: change status to 2 */
   $payment_table = new Table("cc_payments");
   $QUERY = "UPDATE `cc_payments` SET `orders_status`='2' WHERE `id`='".$list_payments[0]['id']."'";
   $db_paymentupdate = $payment_table->SQLExec($DBHandle_max, $QUERY, 1);
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." QUERY: ".$QUERY);

   /* insert logrefill */
   $logrefill_table = new Table("cc_logrefill");
   $QUERY = "INSERT INTO `cc_logrefill` (date, credit, card_id, refill_by) VALUES ('".$list_payments[0]['date_purchased']."','".$amount_paid."','".$id."','paypal')";
   $db_logrefilladd = $logrefill_table->SQLExec($DBHandle_max, $QUERY, 1);
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." QUERY: ".$QUERY);

   /* insert logpayment */
   $logpayment_table = new Table("cc_logpayment");
   $QUERY = "INSERT INTO `cc_logpayment` (date, payment, card_id) VALUES ('".$list_payments[0]['date_purchased']."', '".$amount_paid."', '".$id."')";
   $db_logpaymentadd = $logpayment_table->SQLExec($DBHandle_max, $QUERY, 1);
   write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." QUERY: ".$QUERY);
   $verifystatus = true;

}
/*---- end add credit -----*/


include ("./lib/customer.smarty.php");

// #### HEADER SECTION
$smarty->display('main_empty.tpl');

/* if failed */
if ($verifystatus == false) {
   vh_showfailed($error_message);
} else {
   /* if success */
   vh_showsuccess();
}

// #### FOOTER SECTION
$smarty->display('footer.tpl');
write_log(LOGFILE_EPAYMENT, basename(__FILE__).' line:'.__LINE__." =============== PAYPAL EMAIL VERIFICATION end ==================");
?>


Top
 Profile  
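verify_paypal_email.php above reads the payment, checks that orders_status is still 0, credits the card, and only afterwards sets orders_status to 2. Two requests for the same link that overlap (a double click on the mail, or a link deliberately submitted twice) can both pass the pending check and both add the credit. The following is an added example, not hellbound's code and not A2Billing's, of doing the status change as one conditional UPDATE and crediting the card only if that UPDATE actually claimed the row. It uses PDO with an in-memory SQLite database (assumed to be available) and minimal cc_payments, cc_card and cc_logrefill tables built from just the columns the post touches; pv_setup, pv_claim_and_credit and pv_card_credit are made-up names.

```php
<?php
// Added example: claim the pending payment atomically before crediting the card.
// Not A2Billing code. Needs PDO with the sqlite driver; the pv_* names are assumptions.

function pv_setup(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // constructed schema: only the columns verify_paypal_email.php uses
    $db->exec("CREATE TABLE cc_card (id INTEGER PRIMARY KEY, credit REAL NOT NULL DEFAULT 0)");
    $db->exec("CREATE TABLE cc_payments (id INTEGER PRIMARY KEY, customers_id INTEGER,
               orders_amount REAL, orders_status INTEGER, verification_code TEXT, date_purchased TEXT)");
    $db->exec("CREATE TABLE cc_logrefill (date TEXT, credit REAL, card_id INTEGER, refill_by TEXT)");
    return $db;
}

// Returns true when this call credited the card, false when the payment was not
// pending any more (already verified, denied, or unknown id).
function pv_claim_and_credit(PDO $db, int $paymentId): bool
{
    $db->beginTransaction();
    try {
        // One conditional UPDATE: only a single caller can move the row from 0 to 2.
        $claim = $db->prepare("UPDATE cc_payments SET orders_status = 2 WHERE id = :id AND orders_status = 0");
        $claim->execute(array(':id' => $paymentId));
        if ($claim->rowCount() !== 1) {
            $db->rollBack();
            return false;                      // somebody else (or an earlier click) already claimed it
        }

        $row = $db->prepare("SELECT customers_id, orders_amount, date_purchased FROM cc_payments WHERE id = :id");
        $row->execute(array(':id' => $paymentId));
        $p = $row->fetch(PDO::FETCH_ASSOC);

        // the credit and the refill log land in the same transaction as the claim
        $credit = $db->prepare("UPDATE cc_card SET credit = credit + :amt WHERE id = :card");
        $credit->execute(array(':amt' => $p['orders_amount'], ':card' => $p['customers_id']));

        $log = $db->prepare("INSERT INTO cc_logrefill (date, credit, card_id, refill_by) VALUES (:d, :c, :card, 'paypal')");
        $log->execute(array(':d' => $p['date_purchased'], ':c' => $p['orders_amount'], ':card' => $p['customers_id']));

        $db->commit();
        return true;
    } catch (Exception $e) {
        $db->rollBack();
        throw $e;
    }
}

function pv_card_credit(PDO $db, int $cardId): float
{
    $q = $db->prepare("SELECT credit FROM cc_card WHERE id = :id");
    $q->execute(array(':id' => $cardId));
    return (float) $q->fetchColumn();
}

// --- demonstration with constructed rows -----------------------------------
$db = pv_setup();
$db->exec("INSERT INTO cc_card (id, credit) VALUES (7, 0)");
$db->exec("INSERT INTO cc_payments VALUES (42, 7, 10.0, 0, 'abc123', '2010-09-25 17:04:00')");

var_dump(pv_claim_and_credit($db, 42));   // first click on the link: credits the card
var_dump(pv_claim_and_credit($db, 42));   // same link again: refused, nothing credited
var_dump(pv_card_credit($db, 7));         // balance reflects the payment exactly once
```

The same shape works against MySQL through A2Billing's own Table class: run the conditional UPDATE first and continue only if exactly one row was affected, instead of a SELECT followed by an unconditional UPDATE.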
 
 Post subject: Re: Fraud with paypal!!
PostPosted: Wed Sep 29, 2010 9:44 pm 
Offline

Joined: Sun Aug 17, 2008 1:52 pm
Posts: 93
acaratt wrote:
Hello,

Where do i add the verification.php file?



Code:
common/lib/epayment/includes


Top
 Profile  
 
 Post subject: Re: Fraud with paypal!!
PostPosted: Fri Oct 01, 2010 12:49 pm 
Offline

Joined: Wed Sep 17, 2008 9:11 pm
Posts: 9
Thank you hellbound ! :P
You are the best ! :mrgreen2:


Top
 Profile  
 
 Post subject: Re: Fraud with paypal!!
PostPosted: Sun Oct 03, 2010 5:27 am 
Offline

Joined: Fri Mar 05, 2010 7:00 am
Posts: 133
Thx hellbound,

I appreciate all your help.


Top
 Profile  
 
 Post subject: Re: Fraud with paypal!!
PostPosted: Mon Nov 08, 2010 2:54 am 
Offline

Joined: Sun Aug 17, 2008 1:52 pm
Posts: 93
we were bumped with hack again
this time pure account hacking for someone else

they tried to call 25240213193 and 2314699802 and 447031844934

we should add to this black list


Last edited by hellbound on Sun Nov 14, 2010 6:22 pm, edited 1 time in total.

Top
 Profile  
 
 Post subject: Re: Fraud with paypal!!
PostPosted: Thu Nov 11, 2010 12:31 pm 
Offline

Joined: Fri Feb 27, 2009 5:43 pm
Posts: 33
Location: Germany, Berlin
Another status update.

First of all: very nice solution to activate PayPal accounts via cell phone...

As I told you in my last post, we now use a very simple database and activation mechanism just for the PayPal accounts which do not match the registered email address.
In these cases we simply send an activation link to the PayPal mail address to verify the email. Customers who use their PayPal email address as their A2B email address (and have already verified it during the signup process) can pay directly.

I just want to tell you that after 6 months of using this method we had NO further fraud with PayPal, and the acceptance of this method is great.

Finally we are happy with using PayPal as a payment method. :up:

But I'm sure the one checking the identity via cellphone is good too (I guess it's more secure, but produces SMS costs).


cu


Top
 Profile  
 
 Post subject: Re: Fraud with paypal!!
PostPosted: Tue Nov 16, 2010 2:13 pm 
Offline

Joined: Mon Jul 19, 2010 4:56 pm
Posts: 52
May I ask how you accomplished this task and if you would be willing to share the details of the method?


Top
 Profile  
 
 Post subject: Re: Fraud with paypal!!
PostPosted: Tue Nov 16, 2010 2:35 pm 
Offline

Joined: Fri Feb 27, 2009 5:43 pm
Posts: 33
Location: Germany, Berlin
Yes. As I described in my post above in this thread, it's very easy.

The problem is that my code is very "quick and dirty", so I guess it's pretty useless to share.

The steps are as follows:
1.
Create another table in the a2b database or create a new DB with a table (I made a DB named "palpal_secdb" and a table like "whiteaccounts"). My table has 7 columns: id (auto), account (PayPal email address), cardid (the one of a2b), datestamp (the date), verification (in which I store the alphanumeric code to verify the account), active (is the account active or not), blocked (to give me the possibility to block accounts).

2.
I used the normal "Paypal Basis" method with the NVP API and PHP curl which is described here: https://www.paypal.com/de_DE/html/Integ ... _home.html (unfortunately in German; I was not able to find the English version quickly, but I'm sure there is one)
The good thing with that is: a buyer comes back to your site before actually confirming the payment.
In the return page I have code like:
Code:
$_SESSION['token']    = $_REQUEST['token'];
$_SESSION['payer_id'] = $_REQUEST['PayerID'];

$_SESSION['paymentAmount'] = $_REQUEST['paymentAmount'];
$_SESSION['currCodeType']  = $_REQUEST['currencyCodeType'];
$_SESSION['paymentType']   = $_REQUEST['paymentType'];

// GetExpressCheckoutDetails response stored in the session by the NVP sample code
$resArray = $_SESSION['reshash'];

// payer's PayPal e-mail as reported by PayPal, not by the browser
$paypalaccount = $resArray['EMAIL'];
$cardid        = $_GET['cardid'];
// NOTE: custemail comes from the query string, so the browser can set it to the
// PayPal address and pass the comparison below; the registered e-mail should be
// loaded from the card record on the server instead
$custemail     = $_GET['custemail'];
$datum         = time();

include("lib/epayment/includes/paypal/sqlsecdb.php");
$connection = mysqli_connect($mysqlhost, $mysqluser, $mysqlpwd, $mysqldb)
    or die("Could not connect to MySQL!");

// active whitelist entries for this PayPal account / card pair (bound parameters, no string concatenation)
$stmt = mysqli_prepare($connection,
    "SELECT id, account, cardid, active, blocked FROM whiteaccounts WHERE account = ? AND cardid = ? AND active = '1'");
mysqli_stmt_bind_param($stmt, "ss", $paypalaccount, $cardid);
mysqli_stmt_execute($stmt);
$select = mysqli_stmt_get_result($stmt);

$dbcheckcount   = 0;
$result_blocked = array();
while ($array = mysqli_fetch_assoc($select)) {
    $result_id[$dbcheckcount]      = $array['id'];
    $result_account[$dbcheckcount] = $array['account'];
    $result_cardid[$dbcheckcount]  = $array['cardid'];
    $result_active[$dbcheckcount]  = $array['active'];
    $result_blocked[$dbcheckcount] = (int)$array['blocked'];
    $dbcheckcount++;
}

if (!empty($result_blocked[0]) || !empty($result_blocked[1])) {
    // TEXT FOR BLOCKED ACCOUNTS
} elseif ($paypalaccount == $custemail || $dbcheckcount >= 1) {
    // TEXT FOR GOOD ACCOUNTS

    if ($paypalaccount == $custemail && $dbcheckcount < 1) {
        // first payment from a matching address: whitelist it straight away
        $datestamp = date('Y-m-d', $datum);
        $stmt = mysqli_prepare($connection,
            "INSERT INTO whiteaccounts (account, cardid, datestamp, verification, active, blocked) VALUES (?, ?, ?, 'a2b', '1', '0')");
        mysqli_stmt_bind_param($stmt, "sss", $paypalaccount, $cardid, $datestamp);
        mysqli_stmt_execute($stmt);
    }
} else {
    // TEXT IF THE ACCOUNT DOES NOT EQUAL THE A2B REGISTERED EMAIL, WITH FORM:
    echo '<form action="paypal_accountcheck.php" method="post">
        <input type="hidden" name="account" value="' . htmlspecialchars($paypalaccount) . '">
        <input type="hidden" name="cardid" value="' . htmlspecialchars($cardid) . '">
        <input type="submit" class="form_input_button" value="ACTIVATE PAYPAL ACCOUNT"></form>';
}


The paypal_accountcheck.php is then like:
Code:
function random($name_laenge) {
        // alphanumeric verification code; random_int() draws from the CSPRNG instead of a
        // microtime()-seeded mt_rand(), and the upper bound stays inside the alphabet
        $zeichen  = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
        $name_neu = "";
        for ($i = 0; $i < $name_laenge; $i++) {
                $name_neu .= $zeichen[random_int(0, strlen($zeichen) - 1)];
        }
        return $name_neu;
}

$code = random(30);

$paypalaccount = isset($_POST['account']) ? $_POST['account'] : null;
$cardid        = isset($_POST['cardid'])  ? $_POST['cardid']  : null;

$datum = time();

$url      = "https://account.khuluma.net/paypal_accountconfirm.php";
$urlparam = "?cardid=" . urlencode($cardid) . "&account=" . urlencode($paypalaccount) . "&verification=" . $code;

$urlde = $url . $urlparam . "&language=german";
$urlen = $url . $urlparam . "&language=english";

$subject = "Freischaltung Ihres PAYPAL-Kontos / Verification of your PAYPAL-Account";
$headers = "From: CallingHome / CallingEarth <[email protected]>\r\nContent-Type: text/html; charset=utf-8\r\nContent-Transfer-Encoding: 8bit\r\nX-Priority: 3\r\n";

$body = "TEXT FOR THE EMAIL WITH VARIABLES (VERIFICATION CODE)";

if (isset($paypalaccount) && isset($cardid)) {

        include("lib/epayment/includes/paypal/sqlsecdb.php");
        $connection = mysqli_connect($mysqlhost, $mysqluser, $mysqlpwd, $mysqldb)
            or die("Could not connect to MySQL!");

        $stmt = mysqli_prepare($connection,
            "SELECT id, account, cardid, verification, active FROM whiteaccounts WHERE account = ?");
        mysqli_stmt_bind_param($stmt, "s", $paypalaccount);
        mysqli_stmt_execute($stmt);
        $select = mysqli_stmt_get_result($stmt);

        $count = 0;
        while ($array = mysqli_fetch_assoc($select)) {
                $result_id[$count]           = $array['id'];
                $result_account[$count]      = $array['account'];
                $result_cardid[$count]       = $array['cardid'];
                $result_verification[$count] = $array['verification'];
                $result_active[$count]       = $array['active'];
                $count++;
        }
        $count--;

        $datestamp = date('Y-m-d', $datum);

        if ($count >= 0 && $result_active[$count] == 0) {
                // account already in the DB but not yet active: issue a fresh code
                $stmt = mysqli_prepare($connection,
                    "UPDATE whiteaccounts SET cardid = ?, datestamp = ?, verification = ? WHERE id = ?");
                mysqli_stmt_bind_param($stmt, "sssi", $cardid, $datestamp, $code, $result_id[$count]);
                mysqli_stmt_execute($stmt);

                mail($paypalaccount, $subject, $body, $headers);
                echo "<h2>VERIFICATION PROCESS: Activation Link already sent.</h2>";
        } elseif ($count >= 0 && $result_active[$count] == 1) {
                echo "<h2>VERIFICATION-ERROR: Account already registered and active</h2>";
        } else {
                // account not yet in the DB
                $stmt = mysqli_prepare($connection,
                    "INSERT INTO whiteaccounts (account, cardid, datestamp, verification, active, blocked) VALUES (?, ?, ?, ?, '0', '0')");
                mysqli_stmt_bind_param($stmt, "ssss", $paypalaccount, $cardid, $datestamp, $code);
                mysqli_stmt_execute($stmt);

                mail($paypalaccount, $subject, $body, $headers);
                echo "<h2>VERIFICATION PROCESS: Activation-Link sent</h2>";
        }
} else {
        echo "<h2>ERROR</h2>";
        echo "ERROR: parameters not passed correctly!";
}



Top
 Profile  
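The return-page code in the post above makes a three-way decision for every returning PayPal payer: a blocked whitelist entry, a PayPal address that matches the customer's registered address or is already whitelisted for the card, or otherwise the activation form. The following is an added example, not the poster's code and not A2Billing's, that isolates that decision in one function, compares addresses case-insensitively, and takes the customer's registered e-mail from the card record rather than from the custemail query parameter the browser supplies. It departs from the post in one respect, stated here on purpose: a blocked row refuses the payment even if the row is not active, whereas the post only consults active rows. The pp_* names and the row arrays standing in for whiteaccounts rows are assumptions.

```php
<?php
// Added example (not the poster's code, not A2Billing): the three-way decision for a
// returning PayPal payer. pp_* names and the row layout are assumptions.

const PP_BLOCKED = 'blocked';   // operator has blocked this PayPal address
const PP_ALLOWED = 'allowed';   // pay immediately
const PP_VERIFY  = 'verify';    // show the "activate PayPal account" form

function pp_norm_email(string $e): string
{
    return strtolower(trim($e));   // PayPal may report different case than the customer typed
}

// $payerEmail: EMAIL from GetExpressCheckoutDetails, i.e. reported by PayPal
// $cardEmail : e-mail of the cc_card row, loaded server-side from the card id in the session
// $rows      : whiteaccounts rows for this card, each with account / active / blocked
function pp_gate_decision(string $payerEmail, string $cardEmail, array $rows): string
{
    $payer       = pp_norm_email($payerEmail);
    $whitelisted = false;
    foreach ($rows as $r) {
        if (pp_norm_email($r['account']) !== $payer) {
            continue;                        // entry for some other PayPal address
        }
        if ((int) $r['blocked'] === 1) {
            return PP_BLOCKED;               // a block wins even if the row is inactive
        }
        if ((int) $r['active'] === 1) {
            $whitelisted = true;             // verified earlier through the e-mailed code
        }
    }
    if ($whitelisted || $payer === pp_norm_email($cardEmail)) {
        return PP_ALLOWED;
    }
    return PP_VERIFY;                        // mismatch: send the activation link to the PayPal address
}

// --- constructed rows for one card ------------------------------------------
$cardEmail = 'alice@example.net';
$rows = array(
    array('account' => 'alice-shop@example.org', 'active' => 1, 'blocked' => 0),  // verified second address
    array('account' => 'mallory@example.com',    'active' => 0, 'blocked' => 1),  // blocked by the operator
);

var_dump(pp_gate_decision('Alice@Example.net',      $cardEmail, $rows)); // matches the card's own address
var_dump(pp_gate_decision('alice-shop@example.org', $cardEmail, $rows)); // whitelisted earlier
var_dump(pp_gate_decision('mallory@example.com',    $cardEmail, $rows)); // blocked entry
var_dump(pp_gate_decision('stranger@example.com',   $cardEmail, $rows)); // unknown address, needs activation
```

Loading $cardEmail from the card row keyed by the session's card id is what closes the gap: with the address coming from the request, anyone who can edit the URL can make the "matches the registered e-mail" branch true for any PayPal account they have taken over.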
 
 Post subject: Re: Fraud with paypal!!
PostPosted: Wed Apr 27, 2011 2:13 pm 
Offline

Joined: Mon Jul 19, 2010 4:56 pm
Posts: 52
areski wrote:
Hi,

This will be a nice addition.

If you are willing to make this available into A2Billing,
we will need you to provide a proper patch that work with the Trunk
and then open a ticket on track.

Yours,
/Areski


Was this patch ever incorporated into A2Billing?

If not, will it work with 1.9.3?


Top
 Profile  
 
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group