Member
Registered: 03-22-2017

How can I definitively ensure I'm not using WebLink?


I know this might sound like a dumb question. But how can I be sure I'm NOT using WebLink?

I've been helping a small business maintain their site for the last couple of months. I have access to all of their code, etc., but no access to the person who built it all out. They forwarded me an email saying WebLink is being discontinued and I need to fix the site to use the right API. All the documentation and code I've read seems to point to the AIM API being implemented properly (transactions are going through fine), but the email explicitly said we were using WebLink.

Below is the payment code from their site:

	function make_payment()
	{
		if ($this->get_total() > 0) {
			// Gateway defaults. Any key already set in $x keeps its value.
			$default['login']          = "API KEY";
			$default['tran_key']       = "TRANSACTION KEY"; // defined here, but never listed in $set_field below
			$default['email_customer'] = "false";
			$default['merchant_email'] = "CORRECT EMAIL";
			$default['version']        = "3.1";
			$default['customer_ip']    = $_SERVER['REMOTE_ADDR'];
			$default['delim_data']     = "true";
			$default['delim_char']     = ",";
			$default['encap_char']     = "";
			$default['type']           = "AUTH_CAPTURE";
			$default['relay_response'] = "TRUE";
			$default['test_request']   = FALSE;
			$default['method']         = "CC";

			$x = array();
			foreach ($default as $key => $val) {
				if (!isset($x[$key]) || $x[$key] == "") {
					$x[$key] = $val;
				}
			}

			// Customer and card data from the checkout form.
			$x['first_name']   = $this->billing_info['first_name'];
			$x['last_name']    = $this->billing_info['last_name'];
			$x['address']      = $this->billing_info['address'];
			$x['city']         = $this->billing_info['city'];
			$x['state']        = $this->billing_info['state'];
			$x['county']       = $this->billing_info['county'];
			$x['zip']          = $this->billing_info['zip'];
			$x['country']      = $this->billing_info['country'];
			$x['email']        = $this->billing_info['email']; // was $this->shipping_info['first_name'] (a bug); the 'email' key is assumed
			$x['phone']        = $this->shipping_info['phone'];
			$x['card_num']     = $this->billing_info['card_number'];
			$x['description']  = "**";
			$x['card_code']    = $this->billing_info['card_code'];
			$x['exp_date']     = $this->billing_info['exp_month'] . $this->billing_info['exp_year'];
			$x['amount']       = $this->get_total();
			$x['test_request'] = "FALSE";

			// Only these keys are serialized into the POST body, in this order.
			$set_field = array(
				"version", "login", "delim_data", "delim_char", "encap_char", "type",
				"test_request", "method", "amount", "first_name", "last_name", "card_num",
				"card_code", "exp_date", "address", "city", "state", "county", "zip", "country",
				"email_customer", "email", "phone", "merchant_email", "invoice_num",
				"description", "customer_ip", "relay_response",
			);

			// Keys listed above but never set in $x (e.g. "invoice_num") are skipped.
			$params = array();
			foreach ($set_field as $val) {
				if (isset($x[$val])) {
					$params[] = "x_{$val}=" . urlencode($x[$val]);
				}
			}
			$params = implode("&", $params);

			//$curl = curl_init("https://secure.authorize.net/gateway/transact.dll");
			$curl = curl_init("https://secure2.authorize.net/gateway/transact.dll");
			curl_setopt($curl, CURLOPT_HEADER, 0);           // no header block in the response
			curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);   // return the body instead of TRUE
			curl_setopt($curl, CURLOPT_POSTFIELDS, $params); // HTTP POST of the form data
			// The original set VERIFYHOST and VERIFYPEER to 0, which disables certificate
			// checking and exposes the card data to a man-in-the-middle. Verify the gateway.
			curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
			curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1);
			$response = curl_exec($curl);
			curl_close($curl);

			// AIM returns delimited fields; field 1 is the response code (1 = approved).
			$exp = explode(",", $response);
			$response = $exp[0];
			if ($response == "1") {
				// Success...
				return "1";
			}
			print_r($exp);
			return $response;
			//return "1";
		} else {
			return "1";
		}
	}
} // end of the enclosing class (not shown)


Registered: 12-05-2011

Re: How can I definitively ensure I'm not using WebLink?

Hello @j_mar

Could you please send me a private message with the merchant's gateway id and business name so we can review further?

Richard

All Star
Registered: 11-03-2016

Re: How can I definitively ensure I'm not using WebLink?

Hi @j_mar,

At what point in your code are you sending the "tran_key" to our server? It's not being added to the $set_field array in the code you posted, so from what I can tell, you're posting all of the transaction data without the transaction key.

What WebLink allowed you to do was put a form in the browser that had an "action" URL of our server. The customer would fill it in and click submit, sending the data right to our server. Our server would then respond with its own receipt page, or the merchant's receipt page using relay response.

Since every value in that form would be exposed in the HTML, we allowed form submissions like this to be done without the transaction key so that merchants wouldn't be exposing their transaction key to users.

Even though your post is coming from a server, not a browser, when it hits our side without a transaction key it looks to us like a WebLink transaction. We have to do away with WebLink for the reasons mentioned in that email, so that's why we're notifying everyone who has done a transaction this way in the recent past.

In your case, it's probably an easy fix. Unless I'm misreading the code, it's probably as easy as adding a line like this:

$set_field[] = "tran_key";

Once you make the change, let us know so we can check how things are showing up on our side. Send us your login ID (to aawright@authorize.net), and we'll check to see if it's still looking like WebLink on our side.

For the future, though, I'd like to suggest a couple of upgrade paths for you. Right now, it appears that you're just getting the card details from a form, having the form posted to your server, and constructing a transaction request to send to us. That requires compliance with essentially the most stringent parts of the PCI-DSS standards. If that's something the merchant is comfortable having to do, at least take a look at our new API and our PHP SDK.

However, if you want to reduce the level of PCI-DSS compliance required, I'd strongly suggest using our Accept Hosted payment forms, or our Accept.js script. Accept Hosted is a mobile-optimized, responsive payment form that's hosted on our site, freeing you from the parts of the PCI-DSS requirements that are related to having the card data posted to your server. Accept.js is a script that you can embed within your own payment form to turn the credit card data into a single-use token that can be used by your server instead of the card data.
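As an added example, not the site's code and not part of any reply above: the thread's diagnosis is that a server-side AIM post without x_tran_key is indistinguishable from a WebLink submission, so the check a practitioner wants is one that refuses to build the request body unless both credentials are in it. The PHP below does that, keeps certificate verification on for the gateway call, and parses the delimited response using the same delim/encap characters the request asked for. The function names, the sample card values and the sample response string are constructed for this illustration; the x_-prefixed field names and the response field positions are those of the AIM API.

```php
<?php
// Added example (not from the original post). Function names and sample values are assumptions.
declare(strict_types=1);

const AIM_ENDPOINT = 'https://secure2.authorize.net/gateway/transact.dll';

/**
 * Build the urlencoded AIM POST body. Every key becomes an x_-prefixed field.
 * Throws if a credential is missing: a body that reaches the gateway without
 * x_tran_key is exactly what gets classified as a WebLink transaction.
 */
function build_aim_body(array $fields): string
{
    foreach (['login', 'tran_key', 'type', 'amount', 'card_num', 'exp_date'] as $required) {
        if (!isset($fields[$required]) || $fields[$required] === '') {
            throw new InvalidArgumentException("AIM request is missing x_{$required}");
        }
    }
    $pairs = [];
    foreach ($fields as $name => $value) {
        $pairs['x_' . $name] = (string) $value;
    }
    return http_build_query($pairs); // urlencodes each value, joins with '&'
}

/** Check an already-built wire body for both credentials (what the gateway sees). */
function has_gateway_credentials(string $body): bool
{
    parse_str($body, $decoded);
    return isset($decoded['x_login'], $decoded['x_tran_key'])
        && $decoded['x_login'] !== '' && $decoded['x_tran_key'] !== '';
}

/**
 * POST the body with TLS certificate verification left on. Returns the raw
 * delimited response and throws on transport failure instead of returning ''.
 */
function send_aim_request(string $body, string $url = AIM_ENDPOINT): string
{
    $curl = curl_init($url);
    curl_setopt_array($curl, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => false,
        CURLOPT_SSL_VERIFYPEER => true, // never 0 on a call that carries card data
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $raw = curl_exec($curl);
    if ($raw === false) {
        $err = curl_error($curl);
        curl_close($curl);
        throw new RuntimeException("gateway request failed: {$err}");
    }
    curl_close($curl);
    return $raw;
}

/**
 * Split a delimited AIM response with the delim/encap characters sent in the
 * request. Field 1: response code (1 approved, 2 declined, 3 error, 4 held for
 * review); field 3: response reason code; field 4: reason text; field 7: transaction ID.
 * Using an encap character is what keeps a delimiter inside the reason text from
 * shifting every later field.
 */
function parse_aim_response(string $raw, string $delim = ',', string $encap = ''): array
{
    $fields = explode($delim, trim($raw));
    if ($encap !== '') {
        $fields = array_map(fn(string $f): string => trim($f, $encap), $fields);
    }
    if (count($fields) < 7) {
        throw new UnexpectedValueException('malformed AIM response: ' . $raw);
    }
    return [
        'approved'    => $fields[0] === '1',
        'code'        => $fields[0],
        'reason_code' => $fields[2],
        'reason_text' => $fields[3],
        'trans_id'    => $fields[6],
    ];
}

// --- usage with constructed values; no network call is made here ---
$body = build_aim_body([
    'login'      => 'API_LOGIN_ID',     // placeholder
    'tran_key'   => 'TRANSACTION_KEY',  // placeholder
    'version'    => '3.1',
    'delim_data' => 'TRUE',
    'delim_char' => '|',
    'encap_char' => '"',
    'type'       => 'AUTH_CAPTURE',
    'method'     => 'CC',
    'amount'     => '12.34',
    'card_num'   => '4111111111111111', // standard test card number
    'exp_date'   => '1229',
    'card_code'  => '123',
]);
var_dump(has_gateway_credentials($body)); // bool(true); the posted site code's body would give false

// Constructed sample of an approved response with delim '|' and encap '"':
$sample = '"1"|"1"|"1"|"This transaction has been approved."|"ABC123"|"Y"|"2149186848"|""|""|"12.34"';
print_r(parse_aim_response($sample, '|', '"'));
```

Running has_gateway_credentials() over the body the posted make_payment() builds returns false, because tran_key sits in $default but is never listed in $set_field; adding it, as the reply suggests, flips the result to true. The parser deliberately takes delim and encap as parameters so the same values that went into x_delim_char and x_encap_char are used to read the answer back.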