I'm trying to add hmac verification to our site, using the "php automatic html" method. Everything was working except for product pages with options, and it took quite a while to figure out that spaces in the option names (select element name attributes) were breaking the encryption.
A few comments about this:
1. First, this is not beautiful. There are option names that need spaces. If the option name is "French Toast", leaving "French" off or "Toast" off is wrong, and so is either "FrenchToast" or "French%20Toast." There are a lot of other cases where precision and clarity matter, mine included. I know that you understand.
Perhaps you could come up with some kind of automatic replacement, such that "%20" (or perhaps some specific symbol like "|") is translated to a space at the moment that the item is added to the cart? (There's already some code there that manages the hmac verification; my best guess is that this would be nearly trivial to implement.)
It may be technically possible for end users to write scripts that "fix" it by rendering %20 as spaces in the cart, checkout page, receipt, and e-mail (I haven't looked into it...) but even if so, that's not really how I want to spend my day.
2. Please make this more obvious. The documentation about add-to-cart forms should indicate that product names can't have spaces in them (or at least that if they do, it will break encryption).
The docs about the encryption should point this out clearly as well. It currently says that the PHP/automatic method "makes it trivially easy to add to an existing site." That's not really true if every product with named options needs to have its option names changed, and it's certainly not true if you spend hours debugging the PHP to get to the point of understanding that the fine print about "passing the string to the hashing function with spaces or special characters included in the actual URL" applies in this case.
3. It took me hours to narrow down what the issue was. Seriously. How about adding some BIG FAT text to the foxycart.cart_validation.php script that plainly outputs a plain text error when it's not going to produce valid encoded output? (Its output is already invalid-- why not make it invalid but useful?) Or at least adding a note to its debugging output stream? I'm not the only person to come up against this kind of issue. Saving your users frustration is a net win for everyone.
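An added illustration, not part of the original post and not FoxyCart's own code: it shows why an HMAC computed over an option name containing a space stops verifying when the other side hashes the percent-encoded form, and what a plain-text warning of the kind requested in point 3 could look like. The key, the `code . name . value` concatenation order and all function names are assumptions made for the example.

```php
<?php
// Constructed demo key; not a real store secret.
const DEMO_KEY = 'constructed-demo-key';

// Assumed signing scheme for illustration: HMAC-SHA256 over code . name . value.
function sign_field(string $code, string $name, string $value, string $key = DEMO_KEY): string
{
    return hash_hmac('sha256', $code . $name . $value, $key);
}

// Verifier side: recompute over the bytes it was given, compare in constant time.
function verify_field(string $code, string $name, string $value, string $sig, string $key = DEMO_KEY): bool
{
    return hash_equals(sign_field($code, $name, $value, $key), $sig);
}

// Pre-flight check: list every field name whose URL-encoded form differs from
// its raw form, so a mismatch is reported instead of silently mis-signed.
function risky_names(array $names): array
{
    $errors = [];
    foreach ($names as $name) {
        $encoded = rawurlencode($name);
        if ($encoded !== $name) {
            $errors[] = sprintf(
                'ERROR: field name "%s" encodes as "%s"; signer and verifier must hash the same form',
                $name,
                $encoded
            );
        }
    }
    return $errors;
}

// Signature is created over the human-readable option name.
$sig = sign_field('sku-1', 'French Toast', 'yes');

// Case 1: verifier hashes the identical bytes.
var_dump(verify_field('sku-1', 'French Toast', 'yes', $sig));
// Case 2: verifier hashes the percent-encoded name it saw in a URL.
var_dump(verify_field('sku-1', 'French%20Toast', 'yes', $sig));
// Case 3: verifier decodes the name before hashing.
var_dump(verify_field('sku-1', rawurldecode('French%20Toast'), 'yes', $sig));

// Names that would need attention before signing (constructed sample list).
print_r(risky_names(['size', 'French Toast']));
```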