Cart Validation Error: code_present

in Help edited June 2012
I'm going insane trying to get the signing of links working. We want to protect from malicious users changing prices and things with their browser's "inspector", etc. For whatever reason, no matter what I try, I keep getting "Cart Validation Error: code_present". Nothing ever adds to the cart.

Here's a very basic example of my PHP code:
<?php
// function to digitally sign our "buy" links -- security !!
function get_verification($var_name, $var_value, $var_code) {
	global $foxycart_api_key;
	$encodingval = htmlspecialchars($var_code) . htmlspecialchars($var_name) . htmlspecialchars($var_value);
	return '||'.hash_hmac('sha256', $encodingval, $foxycart_api_key).($var_value == "--OPEN--" ? "||open" : "");
}

echo '<a class="foxybox" href="https://myclienturl.foxycart.com/cart?
name=Some+Item+Here
&price' . get_verification('price', '19.00', 'blahblah') . '">Add To Cart</a><br><br>';
?>

Any help is appreciated, as we're sorta stonewalled in development until we can ensure this feature is working for us.
Comments
  • sparkweb Member, Integration Developer, FoxyShop, Order Desk
    edited June 2012
    You have to do everything in the link, not just some of the values. You also have to pass in a code as well. So this:
    echo '<a class="foxybox" href="https://myclienturl.foxycart.com/cart?name=Some+Item+Here' . get_verification('name', 'Some Item Here', 'blahblah') . '&price=19.00' . get_verification('price', '19.00', 'blahblah') . '&code=blahblah' . get_verification('code', 'blahblah', 'blahblah') . '">Add To Cart</a><br><br>';
    

    So yeah - you have to sign the code field with itself - kind of silly, but there it is.

    EDIT: if you are on version 0.7.0+ you don't need the foxybox classname. It will pick it up automatically because of the beginning of the href attribute.
  • edited June 2012
    Awesome! One last question. Does the code (i.e., blahblah) actually matter? Do they all need to be the same? I'm not 100% sure what that is and what it's used for just yet.

    Also, just so I understand, the general rule of thumb is sign with exactly the same text (in PHP) as I have done in the query string, correct? They cannot/should not differ.

    EDIT: Looks like it's working, as long as I keep the code in place. I'm guessing that's the signature to do the hash.
  • sparkweb Member, Integration Developer, FoxyShop, Order Desk
    The code is a product code. Ideally it should be different per product - like a database ID or a SKU or something like that. But you are right - it doesn't really matter what it is.

    If you have any funny characters you can do:
    &name=' . urlencode('The funny name') . '
    

    To get it properly URL encoded.
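
Added example (not from the thread and not FoxyCart's own code): a PHP helper that signs every field in a cart link, the code field included, plus a pre-flight check that reports fields whose signature is missing or wrong. It reuses the HMAC from the question and assumes the `value||signature` link layout shown in the reply above; the function names, the key and the product values are made up for illustration.

```php
<?php
// Added example, not FoxyCart's code. Key and product values are constructed.
$foxycart_api_key = 'EXAMPLE-STORE-SECRET'; // placeholder, not a real key

// Same HMAC input as get_verification() in the question: code . name . value.
function sign_field(string $code, string $name, string $value, string $key): string {
    $msg = htmlspecialchars($code) . htmlspecialchars($name) . htmlspecialchars($value);
    return hash_hmac('sha256', $msg, $key);
}

// Build a link where every field, "code" included, is signed with the same code.
function signed_cart_link(string $base, array $fields, string $key): string {
    if (!isset($fields['code']) || $fields['code'] === '') {
        throw new InvalidArgumentException('a "code" field is required for signing');
    }
    $parts = [];
    foreach ($fields as $name => $value) {
        $sig = sign_field($fields['code'], $name, (string)$value, $key);
        // Layout assumed from the reply above: name=urlencoded-value||signature
        $parts[] = urlencode($name) . '=' . urlencode((string)$value) . '||' . $sig;
    }
    return $base . '?' . implode('&', $parts);
}

// Pre-flight check: names of fields whose signature is missing or wrong.
function unsigned_fields(string $link, string $key): array {
    $pairs = [];
    foreach (explode('&', (string)parse_url($link, PHP_URL_QUERY)) as $part) {
        [$name, $rest] = array_pad(explode('=', $part, 2), 2, '');
        [$value, $sig] = array_pad(explode('||', $rest, 2), 2, '');
        $pairs[urldecode($name)] = [urldecode($value), $sig];
    }
    if (!isset($pairs['code'])) {
        return ['code (missing)'];
    }
    $bad = [];
    foreach ($pairs as $name => [$value, $sig]) {
        if (!hash_equals(sign_field($pairs['code'][0], (string)$name, $value, $key), $sig)) {
            $bad[] = $name;
        }
    }
    return $bad;
}

$link = signed_cart_link('https://myclienturl.foxycart.com/cart',
    ['name' => 'Some Item Here', 'price' => '19.00', 'code' => 'blahblah'], $foxycart_api_key);
var_dump(unsigned_fields($link, $foxycart_api_key));                               // link as generated
var_dump(unsigned_fields(str_replace('19.00', '0.01', $link), $foxycart_api_key)); // price edited after signing
```
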
  • Everything seems to be working great. Can't thank you enough for chiming in when you did. Thanks!
  • OK, I've gotten your earlier example working on one of our sites, but there's another, more-complicated site that we actually want to use the full-page signing with output buffer. I've tried including the PHP code around the entire HTML output, as well as tried surrounding the PHP around everything within <body> </body> to no avail.

    https://github.com/FoxyCart/FoxyCart-Cart-Validation--PHP/wiki

    It looks like this hasn't been updated in over two years as well, so maybe it's not working anymore. Basically I'm looking at my links with this method, but nothing appears "hashed" like it did on the other website (which used the other method).

    The docs say this is still an acceptable way to do it, so maybe I'm just missing something important. So, to confirm, I'm getting the "Cart Validation Error: code_present" error while using full-page signing and changing placement of the top/bottom PHP code doesn't seem to actually hash our stuff.
  • Actually, I had sku=XXXXXX instead of code=XXXXXX. Changing this to code seems to have allowed the helper class to actually do its job, and all is resolved. Except this...

    Our client actually wants that to read "SKU: XXXXX" in the cart popup window. Is there any way to use "code" (so the helper class operates), but have it display as "SKU: XXXXXX" in what the user/visitor sees?
  • sparkweb Member, Integration Developer, FoxyShop, Order Desk
    Just add another field called SKU with the code in it, then use CSS to hide the "code" field in your cart and checkout. That would be the simplest. It will still show up in the email, but I think it's okay to have Code and SKU next to each other in the email.
  • Great idea. It may be weird, though, to have it show like this in the email receipt:
    CODE: 1234567-0123
    SKU: 1234567-0123
    
  • sparkweb Member, Integration Developer, FoxyShop, Order Desk
    Eh, I dunno. I tend to think that it's not that big of a deal. :)

    In version 1.0, you'll be able to customize that to remove the code completely from the email with the twig templating. Just a couple of weeks now.
  • If the client wants to upgrade to a differently-tiered paid plan, then yes. They may forbid me from doing this (yet). :D
  • fc_adam FoxyCart Team
    @bdcadvertising,

    You can simply update the language string for 'Code' in that store under 'language' in the FoxyCart administration. It's one of the first ones under 'Cart'.
  • Worked like a charm! Thanks for your help!!