hmac problems

dreh23dreh23 Member
in Help edited January 2012
I'm setting up a store for a customer and having difficulties understanding the hmac process.
It seems like I have a mismatch between the hash and the rest.
I'm trying to construct the link like this:

$titlehash = hash_hmac('sha256', $titleraw, $secret); // Hash of the "name" input
$pricehash = hash_hmac('sha256', $priceraw, $secret); // Hash of the "price" input
$codehash = hash_hmac('sha256', $coderaw, $secret); // Hash of the "id" input
$imagehash = hash_hmac('sha256', $imageraw, $secret); //Hash of Image URL
$cathash = hash_hmac('sha256', $catraw, $secret); //Hash of category

$output .='GO »';
Obviously there's something wrong - in the manual it says I have to encode "all" the values like this in the form but I'm using the "link method".
$encodingval = htmlspecialchars($var_code) . htmlspecialchars($var_name) . htmlspecialchars($var_value);
This is probably quite simple but I don't get it. My coding skills are poor.
Can someone give me a hint how I have to set up the sha256 encoding?
Thank you for your time
  • fc_adamfc_adam FoxyCart Team

    For each of your values you're hashing, you also need to provide the code variable for that product and the variable name.

    So for example, if your product's code was abc123, and you were hmac-ing the price variable with a value of 20.33, your hash_hmac should be passing the following as the middle parameter - "abc123price20.33". Notice how all three are combined together? At the moment, you're just passing single values by the looks of it - "$priceraw" - is that just the price, or does that also include the code and the variable name?

    Essentially, your $Xraw variables should be set like the code you included,
    htmlspecialchars($var_code) . htmlspecialchars($var_name) . htmlspecialchars($var_value)
  • Thank you @fc_adam,

    This string helped me to understand the concept: 'abc123price20.33' (I think :D). I have one last question is there a risk in breaking the system - figuring out the $secret if my ProductIDs just have simple numbers like 1 2 3 4 5 ....
    Meaning is there a chance to break the sha256 code. Is it better to use longer productIDs?

    For reference I'm posting my code here, maybe it is helpful for somebody else - but please remember
    this is UGLY. Probably using a function like in the wiki is the way to go. However it works.
    $secret = "myAPI key";

    /*$codeid 'name' $title*/
    $encodingval = htmlspecialchars($codeid) . htmlspecialchars('name') . htmlspecialchars($title);
    $encodingvalname = '||'.hash_hmac('sha256', $encodingval, $secret);

    /*$codeid 'code' $code*/
    $encodingval = htmlspecialchars($codeid) . htmlspecialchars('code') . htmlspecialchars($codeid);
    $encodingvalcode = '||'.hash_hmac('sha256', $encodingval, $secret);

    /*$codeid 'price' $price*/
    $encodingval = htmlspecialchars($codeid) . htmlspecialchars('price') . htmlspecialchars($price);
    $encodingvalprice = '||'.hash_hmac('sha256', $encodingval, $secret);

    /*$codeid 'category' 'physbooks'*/
    $encodingval = htmlspecialchars($codeid) . htmlspecialchars('category') . htmlspecialchars('physbooks');
    $encodingvalcat = '||'.hash_hmac('sha256', $encodingval, $secret);

    $output ='';

    $output .=('');
    $output .= ('');
    $output .= ('';
    $output .= ('';
    $output .= '');
    $output .= '';

    return $output;
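
Added example (not part of the original thread and not FoxyCart's code): the per-field signing fc_adam describes above, with a matching check that shows why the product code and variable name are part of the hashed string. The function names, the secret and the product values are constructed, and the check is a local re-computation, not FoxyCart's actual server-side logic.

```php
<?php
// Added example. All names and sample values here are constructed.

// MAC over code . name . value, each passed through htmlspecialchars()
// as in the thread, returned with the '||' prefix used in the post above.
function sign_field(string $code, string $name, string $value, string $secret): string
{
    $msg = htmlspecialchars($code) . htmlspecialchars($name) . htmlspecialchars($value);
    return '||' . hash_hmac('sha256', $msg, $secret);
}

// Recompute the MAC from the received triple and compare in constant time.
function verify_field(string $code, string $name, string $value,
                      string $suffix, string $secret): bool
{
    return hash_equals(sign_field($code, $name, $value, $secret), $suffix);
}

$secret  = 'constructed-demo-secret'; // placeholder, not a real API key
$product = ['code' => 'abc123', 'name' => 'Sample Book', 'price' => '20.33'];

// One signature per field, every one bound to the same product code.
$signed = [];
foreach ($product as $name => $value) {
    $signed[$name] = sign_field($product['code'], $name, $value, $secret);
}

// Present the price signature in four different contexts.
$sig = $signed['price'];
$checks = [
    'original price'                 => verify_field('abc123', 'price', '20.33', $sig, $secret),
    'edited price, old signature'    => verify_field('abc123', 'price', '0.01',  $sig, $secret),
    'same price, other product code' => verify_field('xyz789', 'price', '20.33', $sig, $secret),
    'same value, other field name'   => verify_field('abc123', 'name',  '20.33', $sig, $secret),
];

foreach ($checks as $label => $ok) {
    printf("%-32s %s\n", $label, $ok ? 'valid' : 'rejected');
}
```

Hashing only the raw value, as in the first post, drops the code and name from the MAC input, so the last two cases could no longer be told apart from the first.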
  • brettbrett FoxyCart Team
    @dreh23, just out of curiosity, is there a reason you're doing it manually rather than using the automatic functionality in the code here?

    You can use that on your entire HTML output and it'll sign it all, automatically. Should be a lot easier.
  • Hello, I figured I would piggyback on this thread. I'm having HMAC issues and I am using the automated system. As a disclaimer I am more a front-end programmer and tend to get a little lost in code like PHP. But I am very confused as how to properly implement this in the forms/links.

    I have been over and over the wiki documentation, I followed the short instructions on Github, uploaded the php file and updated my store files. But I'm getting a 'cart validation error: value_hash_present' for each input it sends. So I guess my questions are - with the automated system - what exactly do I include in my forms? I thought this method would automatically take all inputs and convert them to the secure strings without having to modify the existing code.

    Also, I had a related question. In the wiki you use example code with values including spaces in the names. Then you say to not use any spaces in the values bc that might cause issues. I'm just wondering why there are samples that conflict with the warnings?
  • fc_adamfc_adam FoxyCart Team
    Hi Randall,

    Could you post your page that you've included the HMAC script from Github on to a pastie or similar?

    If you want to keep it private, feel free to whisper it to me.
  • sparkwebsparkweb Member, Integration Developer, FoxyShop, Order Desk
    Hi Randall, if you can share your url (or whisper it to @brett) it will really help the Foxy guys troubleshoot the problem.
  • Hey, sorry about that. I was just about to edit my post and saw you already responded. The site store is this: (it is the "adult humor" page but there isn't really anything offensive)

    Should I still post the source on pastie? Sorry about that lack of info..
  • fc_adamfc_adam FoxyCart Team

    Try renaming your page to be a .php rather than .html and upload the page to your server.
  • Hi Adam, ya know I did actually think of that before.. just tried it and I still get the same error. (it's the same URL, just with .php if you wanted to see it) I feel like I'm missing some key component that I need to add. So when using the automated php system, the only things I need to modify are the secret and URL? (the secret is my api key, right?) and then add those script tags to each store page?

    I don't need to add anything to links/forms like in the individual link system?

    Thanks for helping me out
  • brettbrett FoxyCart Team
    Hi @Randall
    First off, you'll definitely need to use .php and not .html. You should get rid of the .html files, since those are leaking PHP source code, which isn't necessarily a problem with what you have currently but could be a major security issue if you were doing other things.

    As far as the code not actually working... I just tested your HTML in the "sample code" section of the admin and it signs fine, and @fc_adam tested it locally as well. So the issue isn't your HTML, which pretty much leaves the settings. Paste into this thread what you have as your URL, and copy/paste your API key again (don't share it here), making sure to eliminate any leading or trailing spaces, and making sure that what the admin shows after you reload the page is indeed what you have in your file.

    Based on the PHP output in your html page though, it looks like you have it right. The only places where there could be a problem are the settings.

    You know, thinking about it, we probably should make it output some debugging info in an HTML comment in the event it doesn't actually sign anything. That perhaps would be helpful in situations like this.
  • OK I deleted the old html files off the server. I recopied and double checked the key which is good, no white spaces, reloaded that admin page and it is the same. Uploaded those pages again, and I'm still getting that validation error.

    I can do without the hmac for now while the store is just starting out, but it would be good to have once traffic grows. Maybe I will strip it out for now.. I really do appreciate all the help on this subject, I'm just not very good at troubleshooting php.
  • brettbrett FoxyCart Team
    Huh. Let's try something new:
    protected static $debug = FALSE;
    Switch that to TRUE and let's test. That should give us a better idea of what's going on.
  • OK that is now updated
  • fc_adamfc_adam FoxyCart Team

    Could you confirm what setting you have for the store URL in the HMAC script?
  • protected static $cart_url = 'https://sweetteegraphics.foxycart.tld/cart';
  • fc_adamfc_adam FoxyCart Team
    Update that to the following:

    protected static $cart_url = '';
  • done
  • fc_adamfc_adam FoxyCart Team

    You can turn off the debug setting that @brett asked you to set, as it's working now :)
  • Awesome! Thank you thank you. Was it the .tld thing? Should I switch that back bc now it has a checkout error, but that was working fine before the hmac fiasco.
  • fc_adamfc_adam FoxyCart Team
    @Randall, that's right, the issue came down to the cart url not being right. We understand where the confusion came from, and we've actually updated the HMAC script on github to not list the .tld, but actually list .com.

    What checkout error are you seeing?
  • The cart loads fine, I'm seeing the correct info and when I click checkout it shows:

    We're sorry, but we can't seem to find your transaction. This could be the result of:

    An empty cart, due to clicking a checkout link without an item your cart.
    An expired session, due to leaving your cart open for too long without activity.
    Attempting to reload a transaction you already completed (which might otherwise result in a duplicate order).
    A misconfiguration in our store.
  • lukeluke FoxyCart Team
    @Randall: can you send us another store link? The one you posted earlier is 404'ing.
  • Sure, although I'm not sure why - that page should be the exact same.. here is a different page:

  • fc_adamfc_adam FoxyCart Team
    edited March 2012

    When I click checkout on the cart modal window, it takes me to your checkout correctly. That's a bit weird if you're not seeing that! We'll look into it and see if anything crops up

    [edit] Could you try clearing your browser's cookies for us please?
  • Yeah that must be it. I tried in another browser and it seemed to work fine. I will clear all cookies and test and test again.

    Thanks so much for all the help, foxycart is awesome! :)