Authorization code in email notification to orders department
#1
I need to include the credit card (CC) authorization code in the email notifications that are sent to the orders department. Can anyone help me or point me in the right direction on how to do this?
Thanks, Jed X-Cart Pro 4.2.1
__________________
Jed Herzog Gold X-Cart 4.0.17 http://www.outliersolutions.com Portland Advertising Agency, Portland Web Design
#2
I think the code is in the $cart[details] (among other things).
__________________
Richard Williams Rogue Wave Limited Initial Inventory Imports Daily Inventory Updates Daily Inventory Reports Drop Ship Support Order Export to Shipper/Supplier Shopping Feeds That Work Programming for X-Cart richard@roguewavelimited.com http://www.roguewavelimited.com
#3
I think you are right, it may be $cart['advinfo']. However, the $cart variable/info does not seem to be "available" to this email tpl and I am not sure how to change that. The tpl mainly uses the $order variable but that does not include cc auth data.
Any suggestions? Thanks, Jed
__________________
Jed Herzog Gold X-Cart 4.0.17 http://www.outliersolutions.com Portland Advertising Agency, Portland Web Design
#4
Ok, to make this happen I plan on adding a section to skin1/mail/html/order_notification_admin.tpl. But this template would need the variable $order['extra']['advinfo'].

This variable is set in include/func/func.order.php in the function func_select_order() ~line 119. It is not available for this template because the area type is not right. Hence it does not satisfy this if() statement:

```php
if (defined('AREA_TYPE') && AREA_TYPE != 'C' && isset($order['extra']['advinfo']))
```

Any suggestions on what I should do? I could:

1) directly query the database and decrypt this information. But doing this type of php in a TPL is not ideal.

2) I could remove or modify this if() statement.

Removing the if statement is easiest but seems, at first, like a security risk. But how sensitive is this data to begin with? I do not store cc numbers and this if() statement does not return cc numbers, only authorization codes. Even if a malicious person figured out a way to access this exemption (which won't be straightforward) I don't think they could do anything harmful with the information. The data in this variable is something like:

```
--- Advanced info ---
Reason: Approved: AuthCode: 010101; PNRef: E19E3A285702
AVS info: International AVS result: N; AVS result: Street match: Match; Zip match: No Match
CAVV info: No Match
```

I appreciate any opinions

Jed
xcart 4.2.x
__________________
Jed Herzog Gold X-Cart 4.0.17 http://www.outliersolutions.com Portland Advertising Agency, Portland Web Design
#5
I could also make an additional query in func_process_order() where the admin notifications are triggered, ~line 1200.

Within the if() statement

```php
if ($config['Email_Note']['eml_order_p_notif_admin'] == 'Y'){
```

I could add:

```php
$orderForAdvInfo = func_query_first("select *, $o_date from $sql_tbl[orders] where $sql_tbl[orders].orderid='$orderid'");
```

And pass $orderForAdvInfo['extra']['advinfo']; to the tpl. I am still modifying the core code but this exception would be limited to when orders are processed and admin notifications are set. Just another idea
__________________
Jed Herzog Gold X-Cart 4.0.17 http://www.outliersolutions.com Portland Advertising Agency, Portland Web Design
#6
I ended up implementing my ideas in comment #5 but the code I had in that comment was not exactly right. If anyone cares I have my implementation below. I am still curious about your opinions on best practices and security.

In include/func/func.order.php, in function func_process_order(), at around line ~1200, I changed:

```php
if ($config['Email_Note']['eml_order_p_notif_admin'] == 'Y') {
    $to_customer = $config['default_admin_language'];
    func_send_mail($config["Company"]["orders_department"], "mail/order_notification_subj.tpl", "mail/order_notification_admin.tpl", $config["Company"]["orders_department"], true, true);
}
```

TO:

```php
if ($config['Email_Note']['eml_order_p_notif_admin'] == 'Y') {
    //query xcart for CC details
    $orderForAdvInfo = func_query("SELECT khash, value FROM $sql_tbl[order_extras] WHERE orderid = '$orderid'");
    if (!empty($orderForAdvInfo)) {
        // re-key the rows by khash so the advinfo entry can be read by name
        foreach($orderForAdvInfo as $v)
            $orderForAdvInfo[$v["khash"]] = $v["value"];
    }
    // advinfo is stored encrypted; decrypt it and pass it to the mail template
    $orderForAdvInfo = text_decrypt($orderForAdvInfo['advinfo']);
    $mail_smarty->assign("advOrder", $orderForAdvInfo);
    $to_customer = $config['default_admin_language'];
    func_send_mail($config["Company"]["orders_department"], "mail/order_notification_subj.tpl", "mail/order_notification_admin.tpl", $config["Company"]["orders_department"], true, true);
}
```

I then changed /skin1/mail/order_notification_admin.tpl and /skin1/mail/html/order_notification_admin.tpl from:

```
{include file="mail/order_invoice.tpl"}
```

To:

```
{include file="mail/order_invoice.tpl"}
Authorization Number is {$advOrder}
```

As far as security, implementing it in this way should only expose that variable while admin notifications are sent. Hence a minimal risk.

Thanks, Jed
__________________
Jed Herzog Gold X-Cart 4.0.17 http://www.outliersolutions.com Portland Advertising Agency, Portland Web Design
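Added example (not part of the original posts and not X-Cart code): the template change in post #6 emails the entire decrypted advinfo text, AVS and CAVV results included, under the label "Authorization Number". This sketch extracts only the AuthCode before it is assigned to the template, assuming the advinfo layout quoted in post #4; the function names and `$decryptedAdvinfo` are hypothetical.

```php
<?php
// Added example, not X-Cart code. Sample text is constructed, shaped like the
// decrypted advinfo value quoted in post #4.
$sampleAdvinfo = "--- Advanced info ---\n"
    . "Reason: Approved: AuthCode: 010101; PNRef: E19E3A285702\n"
    . "AVS info: International AVS result: N; AVS result: Street match: Match; Zip match: No Match\n"
    . "CAVV info: No Match\n";

// Constructed sample of a value that must not reach an HTML email as-is.
$sampleUnexpected = "Reason: Approved: AuthCode: <b>010101</b>; PNRef: E19E3A285702\n";

/**
 * Hypothetical helper: pull only AuthCode and PNRef out of the advinfo text.
 * Missing or malformed fields come back as null (fail closed).
 */
function example_extract_auth_fields($advinfo)
{
    $fields = array('authcode' => null, 'pnref' => null);
    if (!is_string($advinfo) || $advinfo === '') {
        return $fields; // no order_extras row, or text_decrypt() gave nothing usable
    }
    // Allow-list: short alphanumeric tokens only, so no markup or extra
    // gateway text can ride along into the notification.
    $patterns = array(
        'authcode' => '/\bAuthCode:\s*([A-Za-z0-9]{1,32})\b/',
        'pnref'    => '/\bPNRef:\s*([A-Za-z0-9]{1,32})\b/',
    );
    foreach ($patterns as $key => $pattern) {
        if (preg_match($pattern, $advinfo, $m)) {
            $fields[$key] = $m[1];
        }
    }
    return $fields;
}

// Value to hand to the template; 'n/a' when nothing trustworthy was found.
function example_auth_code_for_mail($advinfo)
{
    $fields = example_extract_auth_fields($advinfo);
    return $fields['authcode'] !== null ? $fields['authcode'] : 'n/a';
}

echo example_auth_code_for_mail($sampleAdvinfo), "\n";
echo example_auth_code_for_mail($sampleUnexpected), "\n";
echo example_auth_code_for_mail(false), "\n";

// In the post #6 change this would replace assigning the whole decrypted text:
// $mail_smarty->assign("advOrder", example_auth_code_for_mail($decryptedAdvinfo));
```

In the HTML template, Smarty's `{$advOrder|escape}` modifier adds a second layer in case a value other than the allow-listed token is ever assigned.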
#7
Hi Jed,
I'm wondering how I can add this Authorization Code in main/orders_list.tpl (Orders History - just below each order line or in an additional column). I appreciate your opinion. Thanks.
__________________
X-Cart Gold 4.3.1
X-Cart forums © 2001-2020