
Silent Post wrong md5 on capture

Hi everyone,

 

I'm trying to validate silent post data for a capture issued from the merchant account.

Initially, when the transaction was created, I sent auth_only, and in this case the md5 sent to the silent post URL is correct.

But when later I issue Capture from the merchant account the MD5 is not correct. Is there a different formula? 

In fact the md5 for the first transaction (auth_only) should be the same as in the second one (prior_auth_capture), as all the values used in the formula for both transactions are the same (md5_setting, api_login, transaction_id, amount) but it is not?!

 

Thank you

vesko
Member

Hi,

 

Any ideas why the MD5 hash is different in the two notifications? Because of this the message cannot be verified to be coming from Anet...

 

Any suggestions would be of great help.

vesko
Member

Here is an example dump of the posted info from Anet to the Silent Post URL:

 

 

======== transaction initiated from the site with - auth_only ==============

 

 

array (
  'x_response_code' => '1',
  'x_response_reason_code' => '1',
  'x_response_reason_text' => 'This transaction has been approved.',
  'x_avs_code' => 'Y',
  'x_auth_code' => '47J8P1',
  'x_trans_id' => '2156635920',
  'x_method' => 'CC',
  'x_card_type' => 'Visa',
  'x_account_number' => 'XXXX9168',
  'x_first_name' => 'test',
  'x_last_name' => 'name',
  'x_company' => '',
  'x_address' => '',
  'x_city' => 'test city',
  'x_state' => 'Alabama',
  'x_zip' => '12345',
  'x_country' => 'United States',
  'x_phone' => '',
  'x_fax' => '',
  'x_email' => 'test@test.test',
  'x_invoice_num' => '',
  'x_description' => '',
  'x_type' => 'auth_only',
  'x_cust_id' => '',
  'x_ship_to_first_name' => '',
  'x_ship_to_last_name' => '',
  'x_ship_to_company' => '',
  'x_ship_to_address' => '',
  'x_ship_to_city' => '',
  'x_ship_to_state' => '',
  'x_ship_to_zip' => '',
  'x_ship_to_country' => '',
  'x_amount' => '57.90',
  'x_tax' => '0.00',
  'x_duty' => '0.00',
  'x_freight' => '0.00',
  'x_tax_exempt' => 'FALSE',
  'x_po_num' => '1293554561bd5b3de5daa2c5f',
  'x_MD5_Hash' => 'FDDC50F891D1058B09E639AF526A4BF9',
  'x_cvv2_resp_code' => 'P',
  'x_cavv_response' => '2',
  'x_test_request' => 'false',
  'x_addresxs' => 'test address',
  'submit' => 'Checkout',
)
========== the transaction is captured from the merchant interface =========
array (
  'x_response_code' => '1',
  'x_response_reason_code' => '1',
  'x_response_reason_text' => 'This transaction has been approved.',
  'x_avs_code' => 'P',
  'x_auth_code' => '47J8P1',
  'x_trans_id' => '2156635920',
  'x_method' => 'CC',
  'x_card_type' => 'Visa',
  'x_account_number' => 'XXXX9168',
  'x_first_name' => '',
  'x_last_name' => '',
  'x_company' => '',
  'x_address' => '',
  'x_city' => '',
  'x_state' => '',
  'x_zip' => '12345',
  'x_country' => '',
  'x_phone' => '',
  'x_fax' => '',
  'x_email' => '',
  'x_invoice_num' => '',
  'x_description' => '',
  'x_type' => 'prior_auth_capture',
  'x_cust_id' => '',
  'x_ship_to_first_name' => '',
  'x_ship_to_last_name' => '',
  'x_ship_to_company' => '',
  'x_ship_to_address' => '',
  'x_ship_to_city' => '',
  'x_ship_to_state' => '',
  'x_ship_to_zip' => '',
  'x_ship_to_country' => '',
  'x_amount' => '57.90',
  'x_tax' => '0.00',
  'x_duty' => '0.00',
  'x_freight' => '0.00',
  'x_tax_exempt' => 'FALSE',
  'x_po_num' => '',
  'x_MD5_Hash' => '5F7ADB8BD8031D6CDCBDBD13EC6AAE6E',
  'x_cvv2_resp_code' => '',
  'x_cavv_response' => '',
  'x_test_request' => 'false',
)

=============================

 

The MD5_Hash generation logic is:

strtoupper(md5($md5_setting . $api_login_id . $transaction_id . $amount))

In both cases all these input variables are the same: $md5_setting and $api_login_id obviously don't change, the $transaction_id is the same and $amount is the same (at least as posted back). I simply can't find any reason why the second hash "5F7ADB8BD8031D6CDCBDBD13EC6AAE6E" is different from the first (and correct) one, "FDDC50F891D1058B09E639AF526A4BF9".

It seems Anet uses different md5_hash generation logic for actions initiated from the merchant interface. Any clues as to what it is?

 

 

 

 

 

vesko
Member

When you process a prior_auth_capture from the Merchant Interface it uses the User Login ID, instead of the API Login ID, to generate the hash value. This is why it's different.

 

 

Thank you,

 

Elaine

Elaine
Trusted Contributor

Thank you, Elaine.

 

Just to add it as a reference for the other readers:

The downloadable SDK for PHP does not contain a method/logic to verify these. So in order to verify these sorts of transactions, one can slightly edit the AuthorizeNetSIM class in the AuthorizeNetSim.php file to look like:

    // Check whether the received hash matches one OR the other MD5 hash.
    // hash_equals() replaces ==, which can type-juggle numeric-looking strings.
    public function isAuthorizeNet()
    {
        return count($this->_response_array) && $this->md5_hash
            && (hash_equals($this->generateHash(), $this->md5_hash)
                || hash_equals($this->generateHashMerchant(), $this->md5_hash));
    }

    // Hash built with the API Login ID.
    public function generateHash()
    {
        $amount = ($this->amount ? $this->amount : "0.00");
        return strtoupper(md5($this->md5_setting . $this->api_login_id . $this->transaction_id . $amount));
    }

    // The new method: hash built with the User Login ID.
    public function generateHashMerchant()
    {
        $amount = ($this->amount ? $this->amount : "0.00");
        return strtoupper(md5($this->md5_setting . $this->user_login_id . $this->transaction_id . $amount));
    }

 

 

Of course in the constructor you have to add as a parameter $user_login_id and assign it to $this->user_login_id.

 

Thank you

vesko
Member
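A standalone version of the check discussed in this thread, added here as an example (it is not part of the Authorize.Net SDK or of any post above): it tries both login IDs, compares in constant time, and reports which one produced the hash. The function name silentPostSigner and all credential values are assumptions constructed for the example.

```php
<?php
// Added example, not SDK code. Credentials and hashes below are constructed.

/**
 * Returns which login ID produced x_MD5_Hash: 'api_login' (API Login ID),
 * 'user_login' (User Login ID, used for Merchant Interface actions), or
 * null when the hash matches neither or a required field is missing.
 */
function silentPostSigner(array $post, string $md5Setting, string $apiLoginId, string $userLoginId): ?string
{
    foreach (['x_trans_id', 'x_amount', 'x_MD5_Hash'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return null;   // missing or array-valued field: reject
        }
    }
    $received = strtoupper(trim($post['x_MD5_Hash']));
    if (!preg_match('/^[0-9A-F]{32}$/', $received)) {
        return null;       // not a 32-digit hex MD5
    }
    $amount = $post['x_amount'] !== '' ? $post['x_amount'] : '0.00';
    foreach (['api_login' => $apiLoginId, 'user_login' => $userLoginId] as $label => $login) {
        $expected = strtoupper(md5($md5Setting . $login . $post['x_trans_id'] . $amount));
        // hash_equals() compares in constant time and never type-juggles like ==
        if (hash_equals($expected, $received)) {
            return $label;
        }
    }
    return null;
}

// Constructed credentials and posts (same x_trans_id and x_amount as the dump above).
$md5Setting = 'constructed-md5-setting';
$apiLogin   = 'constructedApiLogin';
$userLogin  = 'constructedUserLogin';
$hashFor = function (string $login) use ($md5Setting): string {
    return strtoupper(md5($md5Setting . $login . '2156635920' . '57.90'));
};
$base = ['x_trans_id' => '2156635920', 'x_amount' => '57.90'];
$samples = [
    'auth_only'          => $base + ['x_MD5_Hash' => $hashFor($apiLogin)],
    'prior_auth_capture' => $base + ['x_MD5_Hash' => $hashFor($userLogin)],
    'tampered amount'    => ['x_amount' => '0.01'] + $base + ['x_MD5_Hash' => $hashFor($apiLogin)],
];
foreach ($samples as $name => $post) {
    $signer = silentPostSigner($post, $md5Setting, $apiLogin, $userLogin);
    printf("%-20s %s\n", $name, $signer ?? 'REJECTED');
}
```

Logging the returned label alongside x_type makes it visible when a notification was produced by an action in the Merchant Interface.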

Hi,

 

I have tried using the silent post method with the SIM API.

And I have given the URL in the merchant account as

 

http://localhost/ServerIntegration/ServerIntegration/TestingValues.php

where I receive the values sent by the auth server.

The PHP file looks like:

 

<?php
require_once 'include/utils/utils.php';
global $log;

 

$log->fatal($_POST['x_subscription_id']);

$log->fatal($_POST['x_response_code']);

?>

 

Nothing is logged in my log file.

And I have tried verifying my code with a form submit locally and it works fine,

but I am unable to receive any value from the Silent Post method.

Kindly help.

 

 

Relay response requires a URL that can be accessed from the internet.

Relay Response Basics and Troubleshooting

No need to modify the core code:

You can do this in your silent URL code:

$authorizeNetLoginId = "YOUR AUTHORIZE.NET LOGIN ID";   // This is what you use to log in at the authorize.net site.

// If the request is coming directly from a customer action on the website,
// then use the customer's email address to create the MD5 hash.
if (trim($_POST['x_email']) != "")
    $authorizeNetLoginId = $_POST['x_email'];

// Now create your own MD5 hash value.
$my_MD5_hash = trim(strtoupper(md5("MY HASH" . $authorizeNetLoginId . $_POST['x_trans_id'] . $_POST['x_amount'])));

// Now compare with the x_MD5_Hash you received (hash_equals() avoids loose == comparison).
if (hash_equals($my_MD5_hash, (string) $_POST['x_MD5_Hash']))
{
    // Validated request
} else {
    // Invalid request
}

 

 

Hope this helps.