API: Add Invoice Payment - Invoice Status


f000


Hi,

I'm using the addinvoicepayment API for callbacks from my custom payment gateway.

I've got a problem with payments being entered multiple times - there's no way to check if that invoice is already paid, so any malicious user can repeatedly submit the callback URL from the payment gateway to get credit, because the callback from the gateway is just a plain HTTP request with GET params...

One solution would be to add a new parameter to the addinvoicepayment API call - something like "ifnotpaid" (mentioned in post http://forum.whmcs.com/showthread.php?t=7472#9) - or to add another API function like "Get Invoice Data" or simply "Get Invoice Status".

Thanks


I requested this a while ago, but eventually I just wrote a few functions that get invoice data for myself with direct database access into WHMCS's MySQL database. I'll see if I can paste anything that might help...

 

This function will return an array of all "Unpaid" invoices for a certain user ID. Use it to check that an invoice is "Unpaid" before accepting payment for it.

function whmcs_useridToUnpaidinvoiceidArray($whatUserId)	// returns an array of all unpaid invoice numbers
{
	global $db_host, $db_user, $db_pass, $db_name;
	$conne = new mysqli($db_host, $db_user, $db_pass, $db_name);	// mysql_* is removed in PHP 7; mysqli replaces it
	if ($conne->connect_error) {
		die('Error connecting to mysql');
	}

	// Prepared statement: the user ID is bound as an integer, never concatenated into the SQL
	$stmt = $conne->prepare("SELECT id FROM tblinvoices WHERE userid = ? AND status = 'Unpaid'");
	$stmt->bind_param('i', $whatUserId);
	$stmt->execute();
	$stmt->bind_result($invoiceId);

	$dome = array();	// start empty so a user with no unpaid invoices still gets an array back
	while ($stmt->fetch()) {
		$dome[] = $invoiceId;
	}

	$stmt->close();
	$conne->close();

	return $dome;
}

 

Using an invoice ID number from the previous function, you can use this function to get all the info about a certain invoice: it returns an array.

function whmcs_invoiceidToInvoiceDetailsArray($whatInvoiceId)	// returns the tblinvoices row as an associative array, or null if not found
{
	global $db_host, $db_user, $db_pass, $db_name;
	$conne = new mysqli($db_host, $db_user, $db_pass, $db_name);
	if ($conne->connect_error) {
		die('Error connecting to mysql');
	}

	// Prepared statement: the invoice ID is bound, not interpolated into the query string
	$stmt = $conne->prepare("SELECT * FROM tblinvoices WHERE id = ?");
	$stmt->bind_param('i', $whatInvoiceId);
	$stmt->execute();
	$result = $stmt->get_result();	// requires the mysqlnd driver (default in modern PHP)
	$dome = $result ? $result->fetch_assoc() : null;

	$stmt->close();
	$conne->close();

	return $dome;
}



Your payment gateway should encode the GET params into a hash to stop people custom-making them. Does it do that? Every time a payment gets taken, record the receipt number that your gateway gives you; if it's already been recorded, just give a message like "We've already processed that payment."

Edited by Klangaroo


Thanks Klangaroo, your solution is fine, but I don't want to use direct access to the WHMCS database... I would prefer a solution within the WHMCS API, which is a much cleaner way...

 


The HTTP request from the gateway is even signed with an OpenSSL checksum in a special GET param. The problem is that a malicious user can capture the request URL and resubmit it several times...

Edited by f000

Anyway, the easiest solution might be the right one:

The "addinvoicepayment" call has a transid param for the ID of the transaction from the payment gateway.

I think this has to be unique... The right response from the API should be something like "result=errortransid;message=transid is not unique!"


I never used that transid, let me know if it does what you're after.

 

I use the functions I posted earlier for building a customized list of invoices that need paying on my customer website, not for checking if an invoice that is being paid for has already been paid. I just record the gateway payment ID in a database and make sure it's unique every time it's submitted. We accept payments for WHMCS transactions and other service transactions as we're an ISP, so I had to make a global payment receipt database, not one that is internal to WHMCS.



Yes, as you say, the payment transaction ID from the gateway has to be unique...

Unfortunately the WHMCS API does not check this, so there can be multiple orders with the same Trans ID!

Is it a bug or a feature?

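As an added example (not code from this thread, from WHMCS, or from any real gateway), here is a replay-resistant callback handler in PHP that combines the three checks the thread arrives at: Klangaroo's hash over the GET params, his "record the receipt number and refuse duplicates" rule (the transid uniqueness f000 wants the API to enforce), and the first post's check that the invoice is still Unpaid before it is credited. Everything in it is an assumption for the demo: the gateway is taken to sign the callback with an HMAC-SHA256 over the sorted GET params in a "sig" param under a shared secret, and the invoices/payment_receipts tables live in an in-memory SQLite database through PDO so the script runs on its own. It does not touch the real tblinvoices table or call addinvoicepayment.

```php
<?php
// Added example, not WHMCS code. Assumed signing scheme: sig = HMAC-SHA256(secret,
// http_build_query(sorted params without "sig")). A real gateway's scheme differs.
declare(strict_types=1);

const GATEWAY_SECRET = 'example-shared-secret';   // assumed shared secret, constructed for the demo

function canonicalQuery(array $params): string
{
    unset($params['sig']);                        // the signature never covers itself
    ksort($params);                               // fixed order so both sides hash the same string
    return http_build_query($params);
}

function signParams(array $params, string $secret): string
{
    return hash_hmac('sha256', canonicalQuery($params), $secret);
}

function verifySignature(array $params, string $secret): bool
{
    if (!isset($params['sig']) || !is_string($params['sig'])) {
        return false;
    }
    // hash_equals compares in constant time; a plain == would leak timing information
    return hash_equals(signParams($params, $secret), $params['sig']);
}

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, total REAL NOT NULL, status TEXT NOT NULL)');
    // PRIMARY KEY on transid is the idempotency guard: a replayed callback fails the
    // INSERT instead of being credited a second time, even under concurrent delivery.
    $db->exec('CREATE TABLE payment_receipts (transid TEXT PRIMARY KEY, invoiceid INTEGER NOT NULL, amount REAL NOT NULL)');
    $db->exec("INSERT INTO invoices (id, total, status) VALUES (1001, 49.99, 'Unpaid')");   // constructed sample row
    return $db;
}

// Returns 'ok', 'badsig' (forged/tampered), 'replay' (transid already seen),
// 'notunpaid' (invoice not in Unpaid status) or 'amount' (amount mismatch).
function handleCallback(PDO $db, array $params, string $secret): string
{
    if (!verifySignature($params, $secret)) {
        return 'badsig';
    }
    $invoiceId = (int) ($params['invoiceid'] ?? 0);
    $transId   = (string) ($params['transid'] ?? '');
    $amount    = (float) ($params['amount'] ?? 0);
    if ($transId === '') {
        return 'replay';                          // no transaction ID at all: cannot prove it is new
    }

    $db->beginTransaction();
    try {
        // 1. Claim the transid first. The unique key rejects a captured-and-resubmitted URL.
        $ins = $db->prepare('INSERT INTO payment_receipts (transid, invoiceid, amount) VALUES (?, ?, ?)');
        try {
            $ins->execute([$transId, $invoiceId, $amount]);
        } catch (PDOException $e) {
            $db->rollBack();
            return 'replay';
        }
        // 2. Only an Unpaid invoice may be credited. Bound parameter, no string concatenation.
        $sel = $db->prepare('SELECT total, status FROM invoices WHERE id = ?');
        $sel->execute([$invoiceId]);
        $inv = $sel->fetch(PDO::FETCH_ASSOC);
        if ($inv === false || $inv['status'] !== 'Unpaid') {
            $db->rollBack();
            return 'notunpaid';
        }
        // 3. The signed amount must match what the invoice is for.
        if (abs((float) $inv['total'] - $amount) > 0.005) {
            $db->rollBack();
            return 'amount';
        }
        $upd = $db->prepare("UPDATE invoices SET status = 'Paid' WHERE id = ? AND status = 'Unpaid'");
        $upd->execute([$invoiceId]);
        $db->commit();
        return 'ok';
    } catch (Throwable $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        throw $e;
    }
}

// Demo: genuine delivery, the same URL replayed, a fresh transid for the paid invoice, a tampered copy.
$db = setupDb();
$params = ['invoiceid' => '1001', 'transid' => 'GW-7781', 'amount' => '49.99'];   // constructed callback
$params['sig'] = signParams($params, GATEWAY_SECRET);                              // what the gateway would attach

echo 'first delivery: ', handleCallback($db, $params, GATEWAY_SECRET), PHP_EOL;
echo 'replayed URL:   ', handleCallback($db, $params, GATEWAY_SECRET), PHP_EOL;

$second = ['invoiceid' => '1001', 'transid' => 'GW-7782', 'amount' => '49.99'];
$second['sig'] = signParams($second, GATEWAY_SECRET);
echo 'new transid:    ', handleCallback($db, $second, GATEWAY_SECRET), PHP_EOL;

$tampered = $params;
$tampered['invoiceid'] = '1002';                                                  // sig no longer matches
echo 'tampered:       ', handleCallback($db, $tampered, GATEWAY_SECRET), PHP_EOL;
```

The signature check alone is exactly what f000 says is not enough: a captured URL replays with a perfectly valid signature. The unique key on transid is the part that stops the replay, and inserting the receipt before crediting (rather than a SELECT-then-INSERT) means two simultaneous deliveries of the same callback cannot both slip past the check. The separate Unpaid check covers the other gap in the thread, a new transaction ID being submitted against an invoice that is already settled.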
