I have implemented Global Pay HPP and it's working fine with normal transactions in sandbox. Now I want to enforce the security for billing address verification and I have updated the my HPP with below line
`
<!-- Begin AVS Field -->
<input type="hidden" name="BILLING_CODE" value="46205|Test">
<!-- End AVS Feild -->
`
As per Testing document here https://developer.authorize.net/hello_world/testing_guide.html
It should fail with ZIP Code: No Match But I am getting the Response as Matched.
Any idea what I am missing?
Related
I am trying to use an HTML number input field to validate a one-time code a user has. The one-time code is a Django model attribute under the user model, with the user object passed into the HTML template. Currently it is set up as such:
<input type="number" name="auth_code" value="" min="{{user.auth_code}}" max="{{user.auth_code}}" onchange="this.setCustomValidity('')" onkeypress="this.setCustomValidity('')" oninput="this.setCustomValidity('')" oninvalid="this.setCustomValidity('This authorization code is incorrect.')" required />
If the user's code is 100000, and I enter 100001, I get the oninvalid message (as expected). However, if I delete a digit (or the whole number), I get a message stating "The value must be user.authcode." Clearly I don't want this value shown.
If I set any message in the onchange or oninput field other than ('') (i.e. ('Enter a code.')), I can't validate any code (correct or incorrect). I run into the "This authorization code is incorrect." message even when validating 100000.
How can I get around this?
I have few checkboxes in my template whos value is the id of database row. I am using AJAX to post these values back and forth.
{% for item in sale_order_items %}
<tr>
<td class="text-center">
<input type="checkbox" name="saleorderitem" value="{{item.id}}">
</td>
</tr>
item.id for instance renders to 1. Now what if the user changes the value from 1 to 2 in browser using "inspect" and submits the form. what can I do at the frontend or django backend to prevent this and check if the user is submitting the same values as intended?
This depends on many different things but to take you back to the basics: When you create a function in order to bulletproof it out of any errors you use type and value checks.
I would think the best approach to this is to add some back-end checks. The form values returned would have to adhere a set of rule such as a value threshold. If the value returned is beyond that threshold then that would mean that something has changed in the HTML.
You add a check if it fails then the back-end would return an error. In collaboration with front-end you refresh the page and return an error message. It might be really terrible UX but an average end user would never change values using their inspector.
The other alternative is to use javascript to detect any kind of HTML/DOM mutations or changes which I would advice against. Having values to be checked against specific criteria (using the back-end) is best as it foolproofs info passed on to your server against any change.
I found a solution, in this scenario django session variable can be used to store data between requests. When I load the form, I set the session variable to the required values, then on form submission, I check the submitted values with the values in session variable. And it works.
At the moment i have htp.print and DBMS_output to show the me the end result of user input. however, htp.print shows the confirmed message on the web browser and my DBMS_output doesn't work for some reason. But what i'm looking for is the confirmation message which will pop up and show to the user. i have tried java script and for some reason that is not working either. below are the syntax.
-- button and input text field
HTP.FORMOPEN ('BANINST1.UAP.P_UNSUSPEND_SEARCH', 'post');
HTP.P ('<input type="text" method="post" name="bannerid" id="bannerid" placeholder="e.g. 000123456" maxlength="9"
autocomplete="off" required>');
HTP.FORMSUBMIT ('', 'Submit', cattributes => 'onclick="confirmMsg()"');
HTP.FORMCLOSE;
-- javascript confirmation message which is not working
htp.p ('<script type="text/javascript">
function confirmMsg() {
var field1 = document.getElementById("bannerid").value;
alert(field1+" has been unsuspended");
}
</script>');
Assuming you are looking for ways to generate log messages from the DB Backend, I see basically 2 ways to achieve this:
(1) Persist your messages to a table inside an autonomous transaction. A complete example can be found here.
(2) If you have access to the DB servers file system, you can also write messages to text files using the UTIL_FILE package.
After i knew how to secure upload image Bypassing forms input fields to upload unwanted files i would like to give another example of from with 2 filed, one of them are hidden.
SQL Table (id,name,jod,number)
CREATE TABLE `users` (
`id` bigint(20) unsigned NOT NULL auto_increment,
`name` varchar(255) default '0',
`job` varchar(255) default NULL,
`number` varchar(255) default NULL
) ENGINE=MyISAM DEFAULT CHARSET=utf8;
Form Code (support member will edit own informations)
<form action="send.php" method="post" name="send" id="send">
<input type="text" name="name" id="name" value="John"/>
<input type="text" name="job" id="job" value="Plumber"/>
<input type=hidden name="number" id="number" value="1234"/>
<input type="Submit" name="Submit" value="Submit"/>
</form>
Later there was an firefox extension that can bypassing different input to the server-side bypassing checking and might case a lot of damage so here it can stop the whole process and makes you able to edit the value of hidden table number to any such as value="1" causing update information for member have that value number 1.
That extension is working as following, It can fake input data before it passed to server side.
PHP Code Send.php
if(isset($_POST['send'])){
$name = mysql_real_escape_string($_POST[name]);
$job = mysql_real_escape_string($_POST[job]);
$number = mysql_real_escape_string($_POST[number]);
$sql= "update users SET name='$name',job='$job' WHERE number='$number'";
mysql_query($sql) or die("query failed: $sql".mysql_error());
echo "Update Done";
} else {
echo "Nothing to update";
}
The question
How then to protect this simple form from such input form ? ~ Thanks
this problems really hurts cause it made my website free to be hacked :)
If the user authorization is not an option in your cause, you could try the following techniques:
Set the hidden field with a hash of the number salted with some other information
Set the hidden field with the number encrypted (possible salt could increase security here also)
Of course it would add extra steps when sending the form HTML and validating the post information, but at least it would be much harder to the attacker fake a valid number on the post. Although it would not save you if the attacker knows the encrypted/hashed number of a different user unless the salted information withing the hidden field is used wisely.
You can't control what data people submit to your server.
You have to check, on the server, to see if the user is authorised to see the information or to make the change they are asking for.
For example:
able to edit the value of hidden table number to any such as value="1" causing update information for member have that value number 1.
The process would be something like:
Is anybody allowed to edit this field? If so, then OK.
Is the request coming from an authenticated user? If not, then return an error message and a login form
Is the request coming from the user with id=1? If so, then OK
If the request coming from a user who has admin permissions? If so, then OK
Return an error message.
If you have a form and any users to edit the values, this problem is going to be there. A better approach is to authenticate the users. Allow only the users who have logged in with an account to make the changes to their respective accounts.
Also, don't use mysql_query or anything like mysql_*, they are insecure and depreciated in php5.
A hidden field cannot be secured. It's 100% impossible to prevent malicious people from editing it.
The best you can possibly do is validate its data.
For the example field, the best you can do is make sure it's actually a number.
But that doesn't help any.
What you need to do is have the OLD data sent as hidden data. ALL of it. Complete with the old id.
Then you validate both the old and new data. Make sure there's no injected sql code in them. Having done this you would have
$name
$job
$id
$old_name
$old_job
all set. Then you can.
select * from users where name="$old_name" and job="$old_job
if you get back a row, then you can
update users set name="$name", job="$job$" where id=$id
Now, even if the user changes the ID, it won't do a thing, because the select will return 0 rows, ad the edit attempt will abort.
Now if someone happens to know all three fields for someone else's entry, they can still change it. The only way around that is force authentication, and have another database tying username/password pairs to IDs.
I have 2 queues and more to come... I want to have those queues externally activated using the external activator.
When I edit the EAService.config to activate queue#1 it works just fine.
When I edit the EAService.config to activate queue#2 it works just fine.
If I put both in the config only the one listed first gets activated.
Both queues are actually getting processed by the same exe... and example of what doesn't work is this...
<NotificationServiceList>
<NotificationService name="my_notif_svc1" id="100" enabled="true">
<Description>my notification service 1</Description>
<ConnectionString>
<Unencrypted>server=my_pc01;database=my_db;Application Name=External Activator;Integrated Security=true;</Unencrypted>
</ConnectionString>
</NotificationService>
<NotificationService name="my_notif_svc2" id="100" enabled="true">
<Description>my notification service 2</Description>
<ConnectionString>
<Unencrypted>server=my_pc01;database=my_db;Application Name=External Activator;Integrated Security=true;</Unencrypted>
</ConnectionString>
</NotificationService>
</NotificationServiceList>
<ApplicationServiceList>
<ApplicationService name="myMessageApp1" enabled="true">
<OnNotification>
<ServerName>my_pc01</ServerName>
<DatabaseName>my_db</DatabaseName>
<SchemaName>dbo</SchemaName>
<QueueName>my_user_queue1</QueueName>
</OnNotification>
<LaunchInfo>
<ImagePath>c:\test\myMessageReceiver.exe</ImagePath>
<CmdLineArgs>whatever cmd-line arguments you need to pass to your receiver application</CmdLineArgs>
<WorkDir>c:\test</WorkDir>
</LaunchInfo>
<Concurrency min="1" max="4" />
</ApplicationService>
<ApplicationService name="myMessageApp2" enabled="true">
<OnNotification>
<ServerName>my_pc01</ServerName>
<DatabaseName>my_db</DatabaseName>
<SchemaName>dbo</SchemaName>
<QueueName>my_user_queue2</QueueName>
</OnNotification>
<LaunchInfo>
<ImagePath>c:\test\myMessageReceiver.exe</ImagePath>
<CmdLineArgs>whatever cmd-line arguments you need to pass to your receiver application</CmdLineArgs>
<WorkDir>c:\test</WorkDir>
</LaunchInfo>
<Concurrency min="1" max="4" />
</ApplicationService>
</ApplicationServiceList>
additionally I don't understand what the id="100" is doing... I tried having same # and different #... ie 100 & 101 but it didn't make a difference. The activator service only works for the first one listed in the "ApplicationServiceList"
help!
I figured out my problem...
From the documentation
Systems can use external activation
for multiple Service Broker
application queues. There is a
many-to-one relationship between
application queues and activation
notification services. There is a
one-to-one relationship between the
Activation Notification service and
the External Activation service.
I was two notification services (my_notif_svc1 & my_notif_svc2) listed above. I switched my event notifications (create event notivation ... ) to utilize the same "TO SERVICE" and now it works.
So you have to utilize one "service" for external activator but you can create multiple Event Notifications for multiple queues which point to that service.
I still think the way I had it set up it should work but this definitely works...
I also ran into this same problem and it would be nice to have an official response from Microsoft as to why and if they will honor multiple notification services listed in SSBEA and not just the first one in the list. In the end we went with the same solution, and here is a helpful snippet to use to dynamically to get the Guid and setup the queue activation event to a SINGLE service (ServiceBrokerNotification.NotificationService).
DECLARE #sbn nvarchar(100) = 'servicebrokernotification'
DECLARE #sbnid nvarchar(60)
SELECT #sbnid = ''''+CAST(service_broker_guid AS nvarchar(60))+'''' FROM sys.databases WHERE name = #sbn
SELECT #sbnid
DECLARE #Str nvarchar(max)
DECLARE #createEventSql nvarchar(max)
Set #Str = 'CREATE EVENT NOTIFICATION NotificationEvent ON QUEUE [TargetQueue]
FOR QUEUE_ACTIVATION TO SERVICE ''NotificationService'' ,' + #sbnid;
Select #Str
EXECUTE (#Str)