authorizenet / sdk-php Goto Github PK

There is a weird issue that was not happening few days/weeks ago.

It keeps looking for phplog file, I've defined (as for the php-samples) my AUTHORIZENET_LOG_FILE but it looks like it's not being used.

Looking at the source or the error, here is where is being defined ANET_LOG_FILE with phplog.

Deleting/changing that line from that file solves the issue.
I've personally deleted that line and defined ANET_LOG_FILE when I set the credentials (instead of AUTHORIZENET_LOG_FILE), it works like a charm.

Line 14 of AuthorizeNetRequest.php

public $VERIFY_PEER = true; // Set to false if getting connection errors.

94 through 98

    if ($this->VERIFY_PEER) {
        curl_setopt($curl_request, CURLOPT_CAINFO, dirname(dirname(__FILE__)) . '/ssl/cert.pem');
    } else {
        curl_setopt($curl_request, CURLOPT_SSL_VERIFYPEER, false);
    }

This is bad advice, bad code, and will result in connection errors turning into MITM exploits via peerjacking. Fix the code and issue a USN.

This was initially reported in 2011 and is apparently still not fixed, http://www.unrest.ca/peerjacking

It appears that there is no functionality for createCustomerProfileFromTransactionRequest, available in the API but not here.

When querying CMI in sandbox mode (and probably also if no customers exist yet), I receive a PHP notice.

$request = new AuthorizeNetCIM;
$response = $request->getCustomerProfileIds();
$customers = $response->getCustomerProfileIds();

A PHP Error was encountered
Severity: Notice
Message: Undefined index: numericString
Filename: lib/AuthorizeNetCIM.php
Line Number: 491

The $this->xml->ids property is empty if there are no customers, and hence it can't access the "numericString" values.

Reported by tdietsche9 http://community.developer.authorize.net/t5/Integration-and-Testing/Card-Present-PHP-SDK-BUG/m-p/40220#M21872

Comparing the new and old AuthorizeNetCP.php files shows that only the
"undefined offset" errors were fixed. The "undefined property" error was NOT fixed.
It doesn't define a class property for _custom_fields (like AuthorizeNetAIM.php does).

I added this code after line 50 and it seems to prevent this php error:

/**
 * Only used if merchant wants to send custom fields.
 */
private $_custom_fields = array();

Also, the "error_message" property is only defined and returned if there IS an error.
It would be better if it always returned a value (empty string if trx is approved, otherwise an error message string). I fixed my script to only obtain the value of this response property if there was an error, not always.

Dear lord, I can be daft sometimes. Delete this post.

I m using Authorize.net SDK 1.8.3.3 , SDK 1.8.3.1 Also have same problem

Issue: LineItems in Transaction Request not adds "quantity" key value pair if quantity is '0'. Which causes error in response.

Line Items Trace:

array (size=2)
  0 => 
    object(AuthorizeNetLineItem)[71]
      public 'itemId' => string '1' (length=1)
      public 'name' => string 'xxxItem1' (length=14)
      public 'description' => string '' (length=0)
      public 'quantity' => string '0' (length=1)
      public 'unitPrice' => string '8.99' (length=4)
      public 'taxable' => string 'false' (length=5)
  1 => 
    object(AuthorizeNetLineItem)[68]
      public 'itemId' => string '2' (length=1)
      public 'name' => string 'xxxxItem2' (length=15)
      public 'description' => string '' (length=0)
      public 'quantity' => string '300' (length=3)
      public 'unitPrice' => string '9.99' (length=4)
      public 'taxable' => string 'false' (length=5)

Transaction Request trace:

 [transaction] => SimpleXMLElement Object
                (
                    [profileTransAuthCapture] => SimpleXMLElement Object
                        (
                            [amount] => 9.95
                            [lineItems] => Array
                                (
                                    [0] => SimpleXMLElement Object
                                        (
                                            [itemId] => 1
                                            [name] => xxxItem1
                                            [unitPrice] => 8.99
                                            [taxable] => false
                                        )

                                    [1] => SimpleXMLElement Object
                                        (
                                            [itemId] => 2
                                            [name] => xxxItem2
                                            [quantity] => 300
                                            [unitPrice] => 9.99
                                            [taxable] => false
                                        )

Response Trace:

<?xml version="1.0" encoding="utf-8"?><ErrorResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd"><messages><resultCode>Error</resultCode><message><code>E00003</code><text>The element 'lineItems' in namespace 'AnetApi/xml/v1/schema/AnetApiSchema.xsd' has invalid child element 'unitPrice' in namespace 'AnetApi/xml/v1/schema/AnetApiSchema.xsd'. List of possible elements expected: 'description, quantity' in namespace 'AnetApi/xml/v1/schema/AnetApiSchema.xsd'.</text></message></messages></ErrorResponse>

Note: Line Item must accept item with quantity as 0 where Line Item cost would be calculated as 0

Composer has unresolved MITM security issues, and is probably unsafe for use in a PCI environment.

Related issue, over two years old now, composer/composer#1074

CIM methods such as the "getPaymentProfile" return XML objects with no simple way to convert them into SDK objects for followup methods such as "updatePaymentProfile"

http://community.developer.authorize.net/t5/Integration-and-Testing/How-to-update-payment-profile-w-PHP/m-p/22603/highlight/false

The SDK places "customerPaymentProfileId" before the payment and billTo elements. This is invalid according to our API.

http://community.developer.authorize.net/t5/Integration-and-Testing/Invalid-child-element-in-PHP-CIM-SDK-when-updating-payment/td-p/24085

The new Akamai transaction URLs that are available now are:

• https://api2.authorize.net/xml/v1/request.api
• https://api2.authorize.net/soap/v1/Service.asmx
• https://secure2.authorize.net/gateway/transact.dll

This documentation is hardly detailed:
https://github.com/AuthorizeNet/sdk-php/blob/master/doc/CIM.markdown

How does one supply the CCV card number when creating a payment profile? How about a billing address?

Also, who does this?

$this->tax = (object)array();

Have you never heard of stdClass?
QV: http://php.net/manual/en/reserved.classes.php

Finally, why a generic object in this case? Too lazy to define an actual object with proper JavaDoc comments? And how about some validation? This SDK needs a lot of work.

Do the certificates need to be updated? I've been unable to connect with ssl the last 2 days (for sandbox). I went to test.authorize.net and downloaded the certs and it appears to be working with the downloaded ones.

If one needs to create a subscription for a credit-card registered to "Jim & Jane Plain", for example, this is problematic; invalid XML will be produced. The escaping should probably extend to every field that could conceivably have an ampersand, which would easily include company, address -- probably even country (though usually it's best to just escape everything for good measure).

For my purposes I only needed the name fields escaped (for now), so I patched my local copy of AuthorizeNetTypes.php, adding a method to AuthorizeNet_Subscription like this:

/**
 * Escape the given string for inclusion in XML.
 */
private function escape($s) {
    return htmlspecialchars($s, ENT_QUOTES | ENT_XML1);
}

Then I escape the values like this:

<firstName>{$this->escape($this->billToFirstName)}</firstName>
<lastName>{$this->escape($this->billToLastName)}</lastName>

Not found on packagist?

I'm running into a this fatal error:

Fatal error: Class 'Symfony\Component\Yaml\Yaml' not found in ...includes\gateways\authorize-sdk-php\vendor\jms\serializer\src\JMS\Serializer\Metadata\Driver\YamlDriver.php on line 35

I've run composer update and am not sure what the issue is...

getSubscriptionStatus reads "Status" with a capital "S", while it should read "status", see sdk-php//lib/AuthorizeNetARB.php

They're both being sent with the response and "Status" was always "active" on my tests, while "status" had the correct value.

If one uses a CIM request to charge a non-existent user, your gateway responds with a well-formed response:

<?xml version="1.0" encoding="utf-8"?><createCustomerProfileTransactionResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd"><messages><resultCode>Error</resultCode><message><code>E00040</code><text>Customer Profile ID or Customer Payment Profile ID not found.</text></message></messages></createCustomerProfileTransactionResponse>

HOWEVER, your code returns an AuthorizeNetAIM_Response object that says there was a connection problem. This problem would apparently be due to the fact that the getTransactionResponse function is trying to parse a non-existent XML element, directResponse:

    public function getTransactionResponse()
    {
        return new AuthorizeNetAIM_Response($this->_getElementContents("directResponse"), ",", "|", array());
    }

See https://github.com/AuthorizeNet/sdk-php/blob/master/lib/AuthorizeNetCIM.php#L459

Your code should be at least intelligent enough to recognize that it has in fact connected the gateway successfully and parse out the appropriate error message. Jeeze.

This project is incredibly inconsistent. For the AuthorizeNetAIM class, properties can be set magically or using the setField() function. On the response properties are accessed directly without getter functions.

On the AuthorizeNet_Subscription() class, properties are set directly without setters. On the AuthorizeNetARB_Response class, there are getter methods for all the properties.

Can you please unify and standardize this across all classes?

If I send this in for a subscription to a production account:

$subscription = new AuthorizeNet_Subscription;
$subscription->name = "Short subscription";
$subscription->intervalLength = "12";
$subscription->intervalUnit = "months";
$subscription->startDate = "2015-11-20";
$subscription->totalOccurrences = "9999";
$subscription->amount = 235;
$subscription->creditCardCardNumber = "5551766170335085";
$subscription->creditCardExpirationDate = "2018-03";
$subscription->creditCardCardCode = "897";
$subscription->billToFirstName = "Happy";
$subscription->billToLastName = "Gilmore";

The CC info is bogus, but it does validate as a proper card number.

This is my response:

AuthorizeNetARB_Response Object
(
    [xml] => SimpleXMLElement Object
        (
            [messages] => SimpleXMLElement Object
                (
                    [resultCode] => Ok
                    [message] => SimpleXMLElement Object
                        (
                            [code] => I00001
                            [text] => Successful.
                        )

                )

            [subscriptionId] => 26519381
        )

    [response] => OkI00001Successful.26519381
    [xpath_xml] => SimpleXMLElement Object
        (
            [messages] => SimpleXMLElement Object
                (
                    [resultCode] => Ok
                    [message] => SimpleXMLElement Object
                        (
                            [code] => I00001
                            [text] => Successful.
                        )

                )

            [subscriptionId] => 26519381
        )

)

From what I've gathered subscriptions are processed in batch at 2am or something, but is there no type of validation done on the information submitted prior to that batch processing?

I use this function ALL THE TIME, I also push everything to my server with git autodeploy webhook that does a composer install (Envoyer.io). I have to SSH into my server every time I deploy to add this function to AuthorizeNetCIM.php

/**
* @param $transId
* @return AuthorizeNetCIM_Response
*/
public function createCustomerProfileFromTransaction($transId)
{
$this->_constructXml("createCustomerProfileFromTransactionRequest");
$this->_xml->addChild("transId", $transId);
return $this->_sendRequest();
}

This is a problem I've encountered with the version 1.8.3.1 SDK using the Authorize.net sandbox server. I'm currently unable to test it on the live server.

This function in the AuthorizeNetCIM_Response class,

public function getValidationResponse()
{
  return new AuthorizeNetAIM_Response($this->_getElementContents("validationDirectResponse"), ",", "|", array());
}

is passing the AuthorizeNetAIM_Response constructor an $encap_char value of "|". However, the Authorize.net server isn't using an encapsulating character, so the AuthorizeNetAIM_Response fields fail to populate. Reverting the $encap_char value back to "", like it was in version 1.1.8, fixes the problem.

The related AuthorizeNetCIM_Response::getValidationResponses() function is still using a value of "" for $encap_char.

I've scoured the internet looking for PHP code examples that use this sdk to create a payment profile (createCustomerPaymentProfile) and have yet to find one that provides more than just customerType, cardNumber, and expirationDate. That's barely a fraction of the perhaps two dozen inputs described on page 24 of the CIM XML guide:
http://www.authorize.net/support/CIM_XML_guide.pdf

Given that this SDK uses irregular nested object structures and doesn't have any javadoc comments to elucidate what they are for (or to even standardize what methods and properties an instance of AuthorizeNetPaymentProfile->payment->creditCard might have), it would be most helpful if your project were to provide an example of how to create a payment profile while supplying this additional information.

Hi,

We are using CIM and are using Auth.net to handle storing all of our CC info.

We are also using the built in logging mechanisms in the SDK to troubleshoot any issues we have.

The problem is that when you make a createCustomerPaymentProfileRequest, one of the fields is the CC number so that is stored in plain text in the log file.

Is there anyway you could update the logging to mask the actual CC number and cvv code so we can continue to use the logging, but also not have access to the sensitive data?

AuthorizeNetResponse is looking for "x_email_address" instead of "x_email".

https://github.com/AuthorizeNet/sdk-php/blob/master/lib/AuthorizeNetAIM.php#L289

should be $bank_acct_name

I received "Important Authorize.Net Networking Change" email today:

http://app.payment.authorize.net/e/es.aspx?s=986383348&e=913189&elq=aeac1910433b4fd7af65680cda3d5e0e

But how do I send AIM transactions to "https://secure2.authorize.net/gateway/transact.dll" URL using the official SDK?

Thanks!

If you provide a log file name in the AUTHORIZENET_LOG_FILE, the log file will dutifully store the XML sent to Authorize.net, including the credit card number and the CVV value. If you're trying to adhere to PCI compliance rules, this is a violation, and a pretty egregious one at that since the data are stored unencrypted in the clear. It also violates the credit card vendors' rules against ever storing the CVV in any way.

My suggestion would be to obfuscate the card number with Xs and reveal only the last four digits of the card number. I would also obfuscate the entire CVV with Xs. A fancy version would make this an optional switch that is on by default, meaning I, the developer, have to set a flag explicitly to store these values in the clear.

Thanks,
Steve

As I understand it, the customerProfileID is something Auth.Net assigns.
But merchantCustomerID is something I assign at creation.

that means if I can only get a customer profile using profileID, I need to store that profileID on my side...

But... HOW can I fetch a profile based on merchantCustomerID instead so that I dont need to do that?

My whole system is not charging, Do you know if there is a know issue with this class?

We've recently run into the requirement of using CIM profiles through transactions. I believe the "old" AIM approach doesn't cover this so that's the primary motivation for my switch to the new model.

I have a few suggestions:

• Utilize constructors with null/default values
  • This lets me know what parameters are required
  • It turns multiple line set calls into a single line constructor
  • The "old model" utilized this on almost all types and it makes the transition much easier as statements become almost 1:1
• Expose internal properties as public, leaving getters and setters for sensitive information
  • payment->creditCard->cardNumber is easier to read than getPayment()->getCreditCard()->getCardNumber()
  • Exposing the internal types allows things like json_encode() to just work. I encode the entire response->xml object, trimming sensitive information for logging purposes (and to replay the conditions of the call).
• HttpClient gives a warning on file_put_contents if you don't have a log file set
  • I'm either required to set it or turn off error reporting and I'd rather do neither of those. I'd rather it just not matter if it couldn't log information I don't care to log.

Overall, I really do prefer this approach once I got through some of the transition. I feel it follows http://developer.authorize.net/api/reference/index.html much more closely. The few tweaks above should make the transition from the old model to the new much easier.

$an = new AuthorizeNetCIM();
$result = $an->getCustomerProfile(xxxxxx);    //xxxxxx is customer profile ID
var_dump($result->getCustomerPaymentProfileIds());

And I discovered there is no numericStrings when I am calling getCustomerProfile(xxxxxx) in the response. So either the response is different or the extraction of ids are wrong! (just for deep digging purpose)

getCustomerPaymentProfileIds is returning null all the time when this customer has multiple payment profile

sdk-php / lib / AuthorizeNetARB.php : Line 171

For an already canceled ARB subscription, and when querying the status of the subscription with getSubscriptionStatus, the element "Status" in the response is 'active' and the element "status" (small 's') is 'canceled'

 ...
  <status>canceled</status>
  <Status>active</Status>
</ARBGetSubscriptionStatusResponse>

See http://community.developer.authorize.net/t5/Community-Feedback/Authorize-NET-PHP-SDK-Bugs/m-p/39459#M237

@Package AuthorizeNet
@subpackage AuthorizeNetSIM

AuthorizeNetSIM.php#41

Need to update $map array with:

'invoice_number' => 'x_invoice_num',
'transaction_type' => 'x_type',
'zip_code' => 'x_zip',
'email_address' => 'x_email',
'ship_to_zip_code' => 'x_ship_to_zip',
'account_number' => 'x_account_number',

I get this error when I try and update the SDK to the latest version (happens on 1.8.5.1)

Problem 1

• Installation request for authorizenet/authorizenet 1.8.5 -> satisfiable by authorizenet/authorizenet[1.8.5].
• authorizenet/authorizenet 1.8.5 requires jms/serializer xsd2php-dev as 0.18.0 -> no matching package found.

Merge was from here: c43a425

PHP 5.3+ (>=5.3.10 recommended)

but goetas/xsd2php requires 5.4+

In tag 1.8.3 the composer.json file indicated a dependency on "jms/serializer": “*”. In subsequent versions, your composer file indicates a dependency on "jms/serializer": "xsd2php-dev as 0.18.0" but it does not seem like that version of serializer package is available?

https://packagist.org/packages/jms/serializer

authorizenet/authorizenet 1.8.5.1 requires jms/serializer xsd2php-dev as 0
.18.0 -> no matching package found.

While it is possible to save transactional data to a log file, this gets unwieldy to leave on for any length of time. Thus, I would like to save the transactional data to my database.

To do this, I need access to the _xml class variable which is protected. Can someone add a public getter method that retrieves the xml sent and the xml received, respectively?

Thanks,
Steve

Hello Team,

I am facing this issue and am not able to fix it. can you guys please suggest me why is it showing error. This code creates Customer profile ID, Payment Profile ID and saving address successfully but when i make transaction it give error. Please help me. Thanks

My Code:

   $customerProfile = new AuthorizeNetCustomer;
   $customerProfile->description = "Description of customer";
   $customerProfile->merchantCustomerId = $user->id;
   $customerProfile->email = $user->email;
   $address = new AuthorizeNetAddress;
   $address->firstName = "john";
   $address->lastName = "Doe";
   $address->phoneNumber = "555-555-5555";
   $customerProfile->shipToList[] = $address;

   $paymentProfile = new AuthorizeNetPaymentProfile;
   $paymentProfile->customerType = "individual";
   $paymentProfile->payment->creditCard->cardNumber = "4111111111111111";
   $paymentProfile->payment->creditCard->expirationDate = "2017-10";
   $customerProfile->paymentProfiles[] = $paymentProfile;

   $request = new AuthorizeNetCIM;
   $response = $request->createCustomerProfile($customerProfile);
   $new_customer_id = $response->xml->customerProfileId;
   $paymentProfileId = $response->xml->customerPaymentProfileIdList->numericString;
   $customerAddressId = $response->xml->customerShippingAddressIdList->numericString;

   $transaction = new AuthorizeNetTransaction;
   $transaction->amount = "9.79";
   $transaction->customerProfileId = $new_customer_id;
   $transaction->customerPaymentProfileId = $paymentProfileId;
   $transaction->customerShippingAddressId = $customerAddressId;

   $transaction->cardCode = "111";
   $response = $request->createCustomerProfileTransaction("AuthCapture", $transaction);
   print_r($response); 

Error -

[code] => E00003
[text] => Name cannot begin with the '0' character, hexadecimal value 0x30. Line 2, position 291.

Currently I can't find any documentation on how to get my authentication working.

I'm sure the functionality is there, but it isn't included in any of the docs.

We are currently testing PHP 7 Support using the current RC5 to try to get ahead of the curve. However when installing the Authorize.net PHP SDK with composer we're stuck:

authorizenet/authorizenet dev-master requires php ~5.3 -> your PHP version (7.0.0RC5) or "config.platform.php" value does not satisfy that requirement.

Could we get the PHP version changed in the composer.json file to something like >=5.3 instead of ~5.3? I'll make the PR is needed, that's no big deal. I don't see anything in the code base that would cause problems unless I've missed something.

@brianmc Please add a develop branch for me to pull my namespacing feature into without affecting the master branch.

Thanks!

Error is following :

swati@swati-pc:/opt/lampp/htdocs/sdk-php-master$ composer update
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

Problem 1
- The requested package authorizenet/authorizenet No version set (parsed as 1.0.0) could not be found.

Potential causes:

• A typo in the package name
• The package is not available in a stable-enough version according to your minimum-stability setting
  see https://groups.google.com/d/topic/composer-dev/_g3ASeIFlrc/discussion for more details.

Read https://getcomposer.org/doc/articles/troubleshooting.md for further common problems.

Just received an email about the new Akamai URLs.

• https://api2.authorize.net/xml/v1/request.api
• https://api2.authorize.net/soap/v1/Service.asmx
• https://secure2.authorize.net/gateway/transact.dll

Should we expect this change in the SDK anytime soon?

It appears to be a new issue while using $authnetcp->authorizeAndCapture().

I did a workaround for this:

if (!$response->transaction_id && $response->card_code_response)
{
$response->transaction_id = $response->card_code_response;
}

The article Production Certificate Upgrades begin May 27 2015 states that the certificate "Baltimore CyberTrust Root" is required, but the currently shipping version of the SDK (1.8.3.3 as of this writing) doesn't appear to include it in cert.pem https://github.com/AuthorizeNet/sdk-php/blob/1.8.3.3/lib/ssl/cert.pem

Shouldn't that certificate be there?

The autoload.php echo's a class not found message when it does not find a class

"
} else {
echo 'Class not loaded: ' . $className;
"

That's OK. However when used with a AJAX within a framework such as Wordpress or Joomla it corrupts the output with class not found messages. This output conflicts with the intended output of the class that instantiates the A.NET class. So, if the php program being called by a jQuery script via $.post and the php returns die(json_encode($output)); the return contains all the echo from the autoload, which are not relevant.

See http://community.developer.authorize.net/t5/Integration-and-Testing/Card-Present-PHP-SDK-BUG/m-p/39632#U39632

PHP's SimpleXML module doesn't have native support for inserting CDATA strings. The SDK instead does a replace for "" which fails in some versions of PHP that use the shorthand "".

http://community.developer.authorize.net/t5/Integration-and-Testing/Can-t-set-x-delim-char-or-x-enca-char-in-PHP-CIM-SDK-when/m-p/22403/highlight/false