Spaces in option names

I'm trying to add hmac verification to our site, using the "php automatic html" method. Everything was working except for product pages with options, and it took quite a while to figure out that spaces in the option names (select element name attributes) were breaking the encryption.

A few comments about this:

1. First, this is not beautiful. There are option names that need spaces. If the option name is "French Toast", leaving "French" off or "Toast" off is wrong, and so is either "FrenchToast" or "French%20Toast." There are a lot of other cases where precision and clarity matter, mine included. I know that you understand.

Perhaps you could come up with some kind of automatic replacement, such that "%20" (or perhaps some specific symbol like "|") is translated to a space at the moment that the item is added to the cart? (There's already some code there that manages the hmac verification, my best guess is that this would be nearly trivial to implement.)

It may be technically possible for end users to write scripts that "fix" it by rendering %20 as spaces in the cart, checkout page, receipt, and e-mail (I haven't looked into it...) but even if so, that's not really how I want to spend my day.

2. Please make this more obvious. The documentation about add-to-cart forms should indicate that product names can't have spaces in them (or at least that if they do, it will break encryption).

The docs about the encryption should point this out clearly as well. It currently says that the PHP/automatic method "makes it trivially easy to add to an existing site." That's not really true if every product with named options needs to have its option names changed, and it's certainly not true if you spend hours debugging the PHP to get to the point of understanding that the fine print about "passing the string to the hashing function with spaces or special characters included in the actual URL" applies in this case.

3. It took me hours to narrow down what the issue was. Seriously. How about adding some BIG FAT text to the foxycart.cart_validation.php script that plainly outputs a plain text error when it's not going to produce valid encoded output? (Its output is already invalid-- why not make it invalid but useful?) Or at least adding a note to its debugging output stream? I'm not the only person to come up against this kind of issue. Saving your users frustration is a net win for everyone.
Comments
  • fc_adam FoxyCart Team
    @oskay,

    I'm sorry to hear you've had a frustrating experience with the form encryption - hopefully we can help get you up and running.

    Thanks for bringing this to our attention. It is certainly a gap in our documentation as it's an aspect that we look to have missed.

    The particular issue in this case is that PHP will automatically replace the space in the form element name with an underscore - so while you may have entered a name of "French Toast", when the form is submitted it becomes "French_Toast". This then means that the encoding was based on a name of "French Toast" which won't match "French_Toast".

    As FoxyCart runs on PHP, it should definitely be something we document against. I'll also discuss with the team about handling that within the automatic script as well.

    For now - if you place an underscore instead of a space, that will work with the encryption correctly, and FoxyCart will automatically convert that underscore to a space for displaying.
  • oskay Member
    Whoa-- awesome -- Underscore totally works! Tell the world!
  • brett FoxyCart Team
    @oskay, do you happen to have some HTML that you could put on a pastie.org and whisper to me so we can take a look at improving the script to handle this automatically?
  • brett FoxyCart Team
    @oskay, we've updated the Github repo for the PHP link/form signing code:
    https://github.com/FoxyCart/FoxyCart-Cart-Validation--PHP
    Thanks again for bringing this to our attention.
  • oskay Member
    Thanks-- that looks like a very nice improvement. :)
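
The mismatch described in this thread, reproduced as an added example (not FoxyCart's code and not part of the original posts). The key, product code, and the "name||signature" layout with HMAC-SHA256 over code + name + value are assumptions made for illustration; `parse_str()` is used because it applies the same name rewriting PHP uses when it fills `$_POST`.

```php
<?php
// Constructed demo key; a real key would come from the store configuration.
const DEMO_KEY = 'constructed-demo-key';

// Assumed signing layout: HMAC-SHA256 over product code + field name + value.
function sign_field(string $code, string $name, string $value): string {
    return hash_hmac('sha256', $code . $name . $value, DEMO_KEY);
}

// Field name as it would appear in the signed form: "name||signature".
function signed_name(string $code, string $name, string $value): string {
    return $name . '||' . sign_field($code, $name, $value);
}

// Decode a urlencoded body; PHP rewrites spaces and dots in names to "_".
function receive(string $body): array {
    parse_str($body, $fields);
    return $fields;
}

// Recompute each signature from the name as received and compare in constant time.
function verify(string $code, array $fields): bool {
    foreach ($fields as $key => $value) {
        [$name, $sig] = array_pad(explode('||', (string) $key, 2), 2, '');
        if (!hash_equals(sign_field($code, $name, (string) $value), $sig)) {
            return false;
        }
    }
    return true;
}

// Signing-time guard: flag names PHP will rewrite (space and dot are the documented cases).
function will_be_mangled(string $name): bool {
    return preg_match('/[ .]/', $name) === 1;
}

foreach (['French Toast', 'French_Toast'] as $name) {
    // Simulate the browser submitting the signed field.
    $body = http_build_query([signed_name('sku-1', $name, 'large') => 'large']);
    $fields = receive($body);
    $received = explode('||', (string) array_key_first($fields))[0];
    printf("%-13s -> %-13s mangled=%s verified=%s\n", $name, $received,
        var_export(will_be_mangled($name), true),
        var_export(verify('sku-1', $fields), true));
}
```

A check like `will_be_mangled()` at signing time is one way to give the plain error message requested in point 3, before an unverifiable form reaches a customer.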