Remote Order Form via API problems.

[KuJoe]

Ok, so I finally got my remote order form working although it is not playing nicely with my custom hooks, but that's for another thread.

 

I'm experiencing 2 issues:

 

1) The IP address being registered is that of the domain IP, how can I fix this?

 

2) All orders placed via the remote form are not checked by Maxmind for fraud, what do I need to add to my code in order to have that done?

 

Code:

<?php

$url = "http://www.jweb2.com/client/includes/api.php";
$apiusername = "username";
$apipassword = "password";

if ($_POST["action"]=="submit") {

# Get Values
$domain = trim(htmlentities($_POST["domain"]));
$firstname = trim(htmlentities($_POST["firstname"]));
$lastname = trim(htmlentities($_POST["lastname"]));
$companyname = trim(htmlentities($_POST["companyname"]));
$email = trim(htmlentities($_POST["email"]));
$address1 = trim(htmlentities($_POST["address1"]));
$address2 = trim(htmlentities($_POST["address2"]));
$city = trim(htmlentities($_POST["city"]));
$state = trim(htmlentities($_POST["state"]));
$postcode = trim(htmlentities($_POST["postcode"]));
$country = trim(htmlentities($_POST["country"]));
$phonenumber = trim(htmlentities($_POST["phonenumber"]));
$password = trim(htmlentities($_POST["password"]));
$password2 = trim(htmlentities($_POST["password2"]));
$username = trim(htmlentities($_POST["username"]));
$securityqans = trim(htmlentities($_POST["securityqans"]));
$tosagreement = $_POST["accepttos"];
$domaintype = trim(htmlentities($_POST["domaintype"]));
$paymentmethod = trim(htmlentities($_POST["paymentmethod"]));
$pid = trim(htmlentities($_POST["pid"]));
$billingcycle = trim(htmlentities($_POST["billingcycle"]));
$ipaddress = $HTTP_SERVER_VARS[REMOTE_ADDR];

# Error Checking
if (!$domain) {
$errors[] = "You did not enter a domain name.";
}
if (ereg('[^a-z0-9.-]', $domain)) {
$errors[] = "The domain you entered is not valid.";
}
if (!$firstname) {
$errors[] = "You did not enter your first name.";
}
if (!$lastname) {
$errors[] = "You did not enter your last name.";
}
if (!$email) {
$errors[] = "You did not enter your email address";
} elseif (!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,6})$", $email)) {
$errors[] = "The email address you entered is invalid.";
}
if (!$address1) {
$errors[] = "You did not enter the first line of your address.";
}
if (!$city) {
$errors[] = "You did not enter your city.";
}
if (!$state) {
$errors[] = "You did not enter your state.";
}
if (!$postcode) {
$errors[] = "You did not enter your postcode.";
}
if (!$country) {
$errors[] = "You did not enter your country.";
}
if (!$phonenumber) {
$errors[] = "You did not enter your phone number.";
}
if (!$password) {
$errors[] = "You must enter a password";
} elseif ($password!=$password2) {
$errors[] = "The password you entered did not match.";
}
if (!$securityqans) {
$errors[] = "You must provide an answer to your secret question.";
}
if (!$tosagreement) {
$errors[] = "You must agree to the terms of service.";
}
if (!$username) {
$errors[] = "You must enter a Forum Username.";
}

if (!$errors) {

# Submit Order

$postfields = array();
$postfields["username"] = $apiusername;
$postfields["password"] = md5($apipassword);
$postfields["action"] = "addclient";
$postfields["firstname"] = $firstname;
$postfields["lastname"] = $lastname;
$postfields["companyname"] = $companyname;
$postfields["email"] = $email;
$postfields["address1"] = $address1;
$postfields["address2"] = $address2;
$postfields["city"] = $city;
$postfields["state"] = $state;
$postfields["postcode"] = $postcode;
$postfields["country"] = $country;
$postfields["phonenumber"] = $phonenumber;
$postfields["password2"] = $password;
$postfields["securityqid"] = $securityqid;
$postfields["securityqans"] = $securityqans;
$postfields["customfields"] = base64_encode(serialize(array("1"=>$username)));
$postfields["ipaddress"] = $ipaddress;


$query_string = "";
foreach ($postfields AS $k=>$v) {
$query_string .= "$k=".urlencode($v)."&";
}

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 100);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $query_string);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
$data = curl_exec($ch);
if (curl_error($ch)) die("CURL Error: ".curl_error($ch));
curl_close($ch);

$data = explode(";",$data);
foreach ($data AS $temp) {
$temp = explode("=",$temp);
$results[$temp[0]] = $temp[1];
}

if ($results["result"]=="success") {
$clientid = $results["clientid"];
} else {
die("An error occured creating your user account. Please contact support. ({$results['message']})");
}

$postfields = array();
$postfields["username"] = $apiusername;
$postfields["password"] = md5($apipassword);
$postfields["action"] = "addorder";
$postfields["clientid"] = $clientid;
$postfields["pid"] = $pid;
$postfields["domain"] = $domain;
$postfields["domaintype"] = $domaintype;
$postfields["billingcycle"] = $billingcycle;
$postfields["paymentmethod"] = $paymentmethod;
$postfields["ipaddress"] = $ipaddress;

$query_string = "";
foreach ($postfields AS $k=>$v) {
$query_string .= "$k=".urlencode($v)."&";
}

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 100);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $query_string);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
$data = curl_exec($ch);
if (curl_error($ch)) die("CURL Error: ".curl_error($ch));
curl_close($ch);

$data = explode(";",$data);
foreach ($data AS $temp) {
$temp = explode("=",$temp);
$results[$temp[0]] = $temp[1];
}

if ($results["result"]=="success") {
header("Location: http://www.jweb2.com/client/dologin.php?username=$email&password=$password");
exit;
} else {
die("An error occured placing your order. Please contact support. ({$results['message']})");
}

}

}

?><html>
<head>
<title>Order Form</title>
</head>
<body>

<h1>Order Form</h1>

<?php
if ($errors) {
echo "<p>The following errors occured.</p><ul>";
foreach ($errors AS $error) {
echo "<li>$error</li>";
}
echo "</ul>";
}
?>

<form method="post" action="<?php echo $_SERVER["PHP_SELF"] ?>">
<input type="hidden" name="action" value="submit" />
<table>
<tr>
<td>First Name:</td><td><input type="text" name="firstname" size="30" value="<?php echo $firstname ?>" /></td>
<td>Last Name:</td><td><input type="text" name="lastname" size="30" value="<?php echo $lastname ?>" /></td>
</tr>
<tr>
<td>Address 1:</td><td><input type="text" name="address1" value="<?php echo $address1 ?>" size="30" /></td>
<td>Address 2:</td><td><input type="text" name="address2" value="<?php echo $address2 ?>" size="30" /></td>
</tr>
<tr>
<td>Company Name:</td><td><input type="text" name="companyname" value="<?php echo $companyname ?>" size="30" /></td>
<td>E-mail Address:</td><td><input type="text" name="email" value="<?php echo $email ?>" size="30" /></td>
</tr>
<tr>
<td>City:</td><td><input type="text" name="city" size="30" value="<?php echo $city ?>" /></td>
<td>State:</td><td><input type="text" name="state" size="30" value="<?php echo $state ?>" /></td>
</tr>
<tr>
<td>Zip Code:</td><td><input type="text" name="postcode" size="30" value="<?php echo $postcode ?>" /></td>
<td>Country:</td><td><select name="country"><option value="AU">Australia</option><option value="CA">Canada</option><option value="IE">Ireland</option><option value="GB">United Kingdom</option><option value="US" selected="selected">United States</option></select></td>
</tr>
<tr>
<td>Phone Number:</td><td><input type="text" name="phonenumber" size="30" value="<?php echo $phonenumber ?>" /></td>
<td>(Used by our automated anti-fraud system.)</td><td></td>
</tr>
<tr>
<td>Domain Name:</td><td><input type="text" name="domain" size="20" value="<?php echo $domain ?>" />.CXR.CC</td>
<td>(For example.cxr.cc type: <i>example</i>)</td><td></td>
</tr>
<tr>
<td>Forum Username:</td><td><input type="text" size="30" name="username" value=""></td>
<td>(Automatically Generated)</td><td></td>
</tr>
<tr>
<td>Password:</td><td><input type="password" name="password" size="30" /></td>
<td>Confirm Password</td><td><input type="password" name="password2" size="30" /></td>
</tr>
<tr>
<td>Security Question:</td><td><select name="securityqid">
<option value=2>Mother's maiden name?</option>
<option value=3>Name of first pet?</option>
<option value=4>Color of first car?</option>
<option value=5>Favorite color?</option>
</select></td>
<td>Security Answer:</td><td><input type="password" name="securityqans" size="30"></td>
</tr>
<tr>
<td colspan="4">
<input type="hidden" name="domaintype" value="selsubdomain" />
<input type="hidden" name="paymentmethod" value="paypal" />
<input type="hidden" name="pid" value="16" />
<input type="hidden" name="billingcycle" value="free" />
<input type="checkbox" name="accepttos" id="accepttos" />I have read and agree to the <a href="http://www.jweb2.com/tos.php" target="_blank">Terms of Service</a><br />
<strong>Please have your phone available because we use an automated telephone system to verify high-risk orders.</strong><br />
<strong>Your IP Address has been recorded (<?php echo $HTTP_SERVER_VARS[REMOTE_ADDR] ?>).
<p align="center"><input type="submit" value="Submit Order" /></p>
</td>
</tr>
</table>
</form>
</body>
</html>

[dsaunier]

"1) The IP address being registered is that of the domain IP, how can I fix this?"

Are you saying $ipaddress contains the IP of the server where you host this form and not that of the user submitting the form ? What does $_SERVER['REMOTE_ADDR']; give you ?

 

2) As for the API bevavior the way I understand it, it is a direct connection to your system, hence you're supposed to have checked all data and infos in it before storing it, hence I'd say the Maxmind API should be called from this custom PHP section before you submit the order to your own system ?

[jasonBV]

Sounds about right, I wasn't able to find anyway through the API to register the IP address of the order placed or do MaxMind unless I did it in separate code when I did my remote order form. So you're out of luck unless you want to do it yourself, seems the API only handles basic calls as of now.

 

Below is a list of suggestions that I thought would be nice if implemented.

 

Adding a new client:

-API lacks the ability to add the IP address of the user placing the order, all new orders show up as the IP address from the local box placing the order. Would be useful for records and fraud checks (see further below)/

 

Capture payment:

-Currently when placing an order, you have to first save the user's credit card information before running a capture payment using the invoice number. It would be great if there was the ability to also pass the CVV2 code into the payment capture without storing it, for the extra fraud protection.

 

-Would be great to add additional return information on why the card was declined, right now it seems to just give a basic success or error (api states nothing is returned at all, but that doesn't seem to be the case).

 

Fraud mechanism:

-Additional API calls to run a fraud check and append it to the other would also be nice, right now it's completely bypassed when adding a new client/order. Basically it would be great if there was a call to return the available fraud modules then run a fraud check based on the provided module which would return a score report and attach it to the order?

 

General Product Information API:

-When adding new orders, many products have custom fields or configurable options. Right now these have to be hard-coded or pulled from the WHMCS database through queries so the correct IDs can be used when placing an "addorder", there is no way to use the API to pull this information for different packages currently.

 

-Would also be helpful to be able to pull pricing information down, right now everything has to be pulled via sql query.

[kmm2908]

Yes jasonBV, the API is very limited and with very limited support. I have many questions still unanswered on the API over the last 6 months.

 

When the code is not available for reference the API needs to be much more comprehensive than it currently is in WHMCS.

 

Frankly, I've almost given up on WHMCS which is a great pity. I mostly now create my own php coding and just access the WHMCS database tables myself. Not ideal at all as I am working blind most of the time having to guess what WHMCS does when it registers a new order for example. What fields in which tables are updated? More details on this point in this thread: http://forum.whmcs.com/showthread.php?t=27443

 

Come on WHMCS, give us developers some more support please. Sell us a manual even or charge for access to the coding, or just answer our questions please.

 

Very frustrating to have such problems with such a great product.

 

Rant over

[Matt]

Hi,

 

The ability to specify the clients IP address in the AddOrder API call and CVV number in the CapturePayment call have been added for our next release V4.2.

 

What kind of response format are you looking for from a product information call?

 

Matt

[KuJoe]

Thanks for the replies all. I also noticed that the API does not play well with hooks. I have to remove all of my hooks in order for the remote order form to work correctly which means that the order form in WHMCS has to be disabled to prevent users from bypassing the tasks that the hooks should be doing.

[Matt]

That must be due to errors in your hooks coding rather than anything to do with the API. Maybe something your coding is doing with relative includes?

 

Matt