I am working with a credit card processor script -- provided by the processor -- which takes in various credit card data and merchant account data, fetches a cURL, and parses the return XML for transaction status.
Code:
define("CURL_PROCESSING_URL", "https://ideposit.vbprograms.net/servlet/pg");
$params = "Merchant_User_Name=" . "vitale" .
"&Merchant_Password=" . "test" .
"&Tracking_Number=" . "00001" .
"&Credit_Card_Number=" . "4012888888881" .
"&Credit_Card_Exp_Date=" . "1205" .
"&Charge_Amount=" . "12.00" .
"&AVS_Street=" . "8320" .
"&AVS_Zip_Code=" . "85284" .
"&CV_Security_Code=" . "999" .
"&Credit_Card_Type=" . "MC_CARD_VISA" .
"&CardHolder_Name=" . "test Card Holder";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, CURL_PROCESSING_URL);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$returned = curl_exec($ch);
curl_close($ch);
$p = xml_parser_create();
xml_parse_into_struct($p, $returned, $vals, $index);
xml_parser_free($p);
Questions:
1) Does SSL_VERIFYPEER being set to false make it easier for the server to be spoofed and transaction data to be intercepted?
2) Is the cURL URL and associated POST values stored in server logs or transferred in plain text?
3) Is there a safer way or set of options for carrying this transaction out?
I would think in a production environment, you would want to use default value of CURLOPT_SSL_VERIFYPEER = true. This verifies that the SSL cert is valid. For testing or develpoment environments where perhaps the processor gives you a sandbox to work with that may have a self-signed cert or a cert that is expired or similar, you would probably be OK having this as false.
You are using SSL, so the data will not be sent in plain text. Without knowing what sort of error logging you have in place it is hard to say whether it would be stored on server logs.
cURL is totally fine for doing what you are trying to do assuming that you always use SSL and you are not logging sensitive data.
Related
I am trying to get output of this API using php. It's a Australia Post Freight calculator. I am not sure what is wrong with it, can some one please suggest. It will be really helpful.
// Set your API key: remember to change this to your live API key in production
$apiKey = API_KEY;
// Set the URL for the Domestic Parcel Size service
$urlPrefix = URL_PREFIX;
$parcelTypesURL = 'https://' . $urlPrefix . '/postage/parcel/domestic/size.json';
// Lookup domestic parcel types (different kinds of standard boxes etc)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $parcelTypesURL);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('AUTH-KEY: ' . $apiKey));
$rawBody = curl_exec($ch);
// Check the response: if the body is empty then an error occurred
if(!$rawBody){
die('Error: "' . curl_error($ch) . '" - Code: ' . curl_errno($ch));
}
// All good, lets parse the response into a JSON object
$parcelTypesJSON = json_decode($rawBody);
curl_init() is disabled for security reasons...
This means that the server has disabled that function.
If you have control of the server, then enable curl_init() in the php.ini.
More information here.
If you do not, try using file_get_contents(). more information here
I am trying to connect to the Marketo.com REST API using curl.
I can't get a response from the identity service. I only get an error message
"[curl] 6: Couldn't resolve host 'MY_CLIENT_ENDPOINT.mktorest.com'
,
but I can print the constructed url and paste it into a browser address bar and this will provide the expected response with the access_token element.
I can use curl in php and in a terminal to access my gmail account so curl is able to access an https service.
I have tried sending the parameters in the curl url as a get request and also by declaring them with curl's -F option as a post request
My application uses dchesterton/marketo-rest-api available on github, but I have also tried a simple php curl request just to get the access token.
private function getToken() {
$url = "$this->client_url/identity/oauth/token?grant_type=client_credentials&client_id=$this->client_id&client_secret=$this->client_secret";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$response = curl_exec($ch);
$errors = curl_error($ch);
curl_close($ch);
file_put_contents($this->logDir . 'access_token_response' . date('Y-m-d') . '.txt', $url . "\n" . $response . "\n", FILE_APPEND);
if ($errors) {
file_put_contents($this->logDir . 'access_token_errors' . date('Y-m-d') . '.txt', $errors . "\n", FILE_APPEND);
}
return $response['access_token'];
}
Again, this fails with the same error but produces a perfectly formed url that I can paste into the browser and get a valid response.
I have also tried this using post instead of get as I have for every other test mentioned, and these have been tried on my localhost and on a test server.
Can anyone explain to me why this would fail?
Does Marketo block curl on a per account basis?
I was trying to implement something similar but my code wasn't working. I'm not sure exactly what is failing but I tried your code and it seems to work perfectly after some slight modifications:
$curl = curl_init($url);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode($request_data));
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
$response = curl_exec($curl);
$errors = curl_error($curl);
curl_close($curl);
I hope this helps.
I'm trying to make a curl request to my laravel server, in that request I have to check whether the user of my laravel application is logged in or not. I use this code:
$transferAmount = 200;
//set POST variables
$url = URL::route('post-spend-partner');
$fields = array(
'transferAmount' => urlencode($transferAmount),
'cancelUrl' => urlencode(URL::route('get-return-page-example')),
'returnUrl' => urlencode(URL::route('get-return-page-example')),
);
// New Connection
$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 0);
curl_setopt($ch, CURLOPT_COOKIESESSION, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
curl_setopt($ch, CURLOPT_URL, $url);
curl_exec($ch);
curl_close($ch);
In the requested url I'm just checking if I'm logged in or not, but it always returns false:
public function postSpendPartner() {
echo "Authenticated? " . (Auth::check() ? 'Yes' : 'No');
}
I know for sure that I'm logged in, if I try the exact same thing with Ajax it completely works!
Does anyone know what I could try, to solve this problem?
Best regards!
Fabrice
Some facts: HTTP is stateless. Session IDs need to be passed to the server in order to continue the session. Session IDs are (most of the time) stored in cookies. Cookies are included in the request.
Using a cookiejar could indeed be one possible solution. The fact that it works using Ajax, and not by re-submitting the request from your server might be because of the session-verification mechanism on the server: Some session implementations lock session IDs to the initial IP address. If the contents of your cookiejar file check out, that might be the culprit.
That aside: re-submitting the request via Curl from your server is a severe codesmell to me. A proper solution would to implement something such as OAuth.
Try sending your cookies as a header with your curl request.
// ...
$cookie_header = "Cookie:";
$headers = [];
foreach($_COOKIE as $key => $val) {
// Do sanitize cookie values
$cookie_header .= " ".$key."=".$value.";";
}
$headers[] = $cookie_header;
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
// ...
You could filter out unnecessary cookie values from $cookie_header.
I'm trying to build a payment form that integrates with Firstdata's api. I need to post an XML string to their server. They also require a client side certificate and http authentication. My CURL set up currently looks like this:
function firstdata_send($config_param, $data) {
$config_default = array(
'test' => FALSE,
);
// settings in $config_param will overwrite settings in $config_default
$config = (object)array_merge($config_default, $config_param);
if($config->test) {
$url = 'https://ws.merchanttest.firstdataglobalgateway.com/fdggwsapi/services/order.wsdl';
}
else {
$url = 'https://ws.firstdataglobalgateway.com/fdggwsapi/services/order.wsdl';
}
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, "{$config->username}:{$config->password}");
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSLCERT, $config->pemfile);
curl_setopt($ch, CURLOPT_SSLKEY, $config->keyfile);
curl_setopt($ch, CURLOPT_SSLKEYPASSWD, $config->keypass);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, TRUE);
curl_setopt($ch, CURLOPT_VERBOSE, TRUE);
$result = curl_exec($ch);
$result .= curl_error($ch);
return $result;
}
Their server responds with HTTP/1.1 401 Unauthorized. But if I comment out the post options:
//curl_setopt($ch, CURLOPT_POST, TRUE);
//curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
I get HTTP/1.1 200 OK. Unless I'm completely misunderstanding whats going on it seems like using post somehow interferes with the auth headers. I don't know what I'm missing.
Solved:
Turns out the ssl certificates the test account had generated were bad. I had to call their tech support and they had to regenerate the certs 3 times before the system would accept them. Sorry for wasting your time. I should have called them first. If anybody is interested the tech support number I called was (888) 477-3611. I think NomikOS was closest to being correct so I'll mark his as the answer and up vote the rest of you. Thanks again.
Form what i see you need a certificate in pem format to use this service ....
A. Download the API https://www.firstdata.com/downloads/customerservice/30006_api_php.zip
B. You would see so many examples
Example Sales Info
include"lphp.php";
$mylphp=new lphp;
$myorder["host"] = "secure.linkpt.net";
$myorder["port"] = "1129";
$myorder["keyfile"] = "./YOURCERT.pem"; # Change this to the name and location of your certificate file
$myorder["configfile"] = "1234567"; # Change this to your store number
$myorder["ordertype"] = "SALE";
$myorder["result"] = "LIVE"; # For a test, set result to GOOD, DECLINE, or DUPLICATE
$myorder["cardnumber"] = "4111-1111-1111-1111";
$myorder["cardexpmonth"] = "01";
$myorder["cardexpyear"] = "05";
$myorder["chargetotal"] = "9.99";
$myorder["addrnum"] = "123"; # Required for AVS. If not provided, transactions will downgrade.
$myorder["zip"] = "12345"; # Required for AVS. If not provided, transactions will downgrade.
// $myorder["debugging"] = "true"; # for development only - not intended for production use
# Send transaction. Use one of two possible methods #
// $result = $mylphp->process($myorder); # use shared library model
$result = $mylphp->curl_process($myorder); # use curl methods
if ($result["r_approved"] != "APPROVED") // transaction failed, print the reason
{
print "Status: $result[r_approved]\n";
print "Error: $result[r_error]\n";
}
else
{ // success
print "Status: $result[r_approved]\n";
print "Code: $result[r_code]\n";
print "OID: $result[r_ordernum]\n\n";
}
Check you access credentials (username, password)
401 Unauthorized
The request requires user authentication. The response MUST include a
WWW-Authenticate header field (section 14.47) containing a challenge
applicable to the requested resource. The client MAY repeat the
request with a suitable Authorization header field (section 14.8). If
the request already included Authorization credentials, then the 401
response indicates that authorization has been refused for those
credentials. If the 401 response contains the same challenge as the
prior response, and the user agent has already attempted
authentication at least once, then the user SHOULD be presented the
entity that was given in the response, since that entity might include
relevant diagnostic information. HTTP access authentication is
explained in "HTTP Authentication: Basic and Digest Access
Authentication" [43].
source: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2
==
OBS: I recommend you this code to check for errors
// check for errors before close
$result = curl_exec($ch);
if ($result === false)
{
echo curl_error($ch);
}
curl_close($ch);
Just checked First Datas API is a SOAP based API...
The url to the wsdl only accepts GET because the wsdl is just the xml instruction set for sending soap calls.
PHP soapclient class
In PHP, I'm using curl to send a delete to the fb graph api - and yet I'm getting the following error;
{"error":{"type":"GraphMethodException","message":"Unsupported delete request."}}
The code I'm using is;
$ch = curl_init("https://graph.facebook.com/" . $status_id . "");
curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 120);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $query);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "DELETE");
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_CAINFO, NULL);
curl_setopt($ch, CURLOPT_CAPATH, NULL);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
$result = curl_exec($ch);
echo $result;
$query contains the access token.
Fixed!
You have to prepend the userid to the object ID when deleting:
DELETE https://graph.facebook.com/673509687_104812882909249?access_token={access_token}
where
673509687 is my userID and 104812882909249 is the objectID
For anyone still struggling with this, I found out what my issue was attempting to delete application requests that I had previously created using the PHP SDK, which was resulting in this error.
(#2) Invalid parameter: Body of an error/warning message. Title is: Invalid parameter
The problem was essentially with which access token was being used; user or application.
The specific scenario I was working on was where a user in my application has invited a friend Facebook (using an app request) but then wants to revoke that invite. In this case I want to delete the app request on Facebook that was previously created. However, at this point in time, the logged in user is not the recipient of the app request, but the sender.
Looking at the PHP SDK code, it automatically uses the user access token if it has one, over the application access token. In fact, there doesn't appear to be a way to explicitly get the application token from the SDK.
When attempting to delete the app request using the following...
$facebook->api('/'.$fb_request_id, 'DELETE');
...and letting the PHP SDK choose the user token, I received the (#2) Invalid parameter error message. However, if I manually construct the application access token (where the format is "$app_id|$app_secret" and pass it as an array key in a third parameter...
$facebook->api('/'.$fb_request_id, 'DELETE', array('access_token' => $app_access_token);
..then the call succeeds.
So, essentially you need to use the application access token to delete the app requests if the current user is not the recipient of the app request.
I hope this helps anyone else struggling with the same issue.
I modified your code slightly. (Should echo "true" if done correctly) Here's what is currently working for me.
Also note this does not erase events created via Facebook.That's why your receiving the permissions error. This only erases events created through your application... (application linked to $app_id, $app_secret)
//First authenticate a token
$app_id = "APP ID GOES HERE";
$app_secret = "SECRET APP ID GOES HERE";
$my_url = "WHATEVER THIS PAGES NAME IS GOES HERE";
//I'm not sure but I think REQUEST is still allowed....right? if not change it to GET/POST
$code = $_REQUEST["code"];
if(empty($code)) {
$auth_url = "http://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url)
. "&scope=create_event";
echo("<script>top.location.href='" . $auth_url . "'</script>");
}
$token_url = "https://graph.facebook.com/oauth/access_token?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url)
. "&client_secret=" . $app_secret
. "&code=" . $code;
$access_token = file_get_contents($token_url);
//Use TRUE and FALSE not 0 and 1's like you originally had it
//264853420218553 is the event id.
$ch = curl_init("https://graph.facebook.com/264853420218553?" . $access_token . "");
curl_setopt($ch, CURLOPT_VERBOSE, TRUE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_TIMEOUT, 120);
curl_setopt($ch, CURLOPT_POST, TRUE);
//curl_setopt($ch, CURLOPT_POSTFIELDS, $query);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "DELETE");
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, TRUE);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_CAINFO, NULL);
curl_setopt($ch, CURLOPT_CAPATH, NULL);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, FALSE);
$result = curl_exec($ch);
echo $result;?>
The only thing I can think to try is to
1) do a POST request with "method=delete" to see if that works
2) manually look at the produced HTTP request to see if something looks wrong -- then you can isolate the problem
It simply means that the HTTP delete method isn't supported for that specific object.
One option is to use Http POST and add method=delete to the parameter query. Make sure that your application has a publish_stream permission else you can never publish a feed.
Permissions are done by Facebook.
About this answer:
Fixed!
You have to prepend the userid to the object ID when deleting:
DELETE https://graph.facebook.com/673509687_104812882909249?access_token={access_token}
where 673509687 is my userID and 104812882909249 is the objectID
Unfortunately this will only work with a user-accesstoken and not when you try to delete an apprequest on the server (with the app-access-token) using for example the PHP language.
If you have a solution for deleting apprequests using the app-access-token then please describe it. Thanks for your help!