modperl_cybercash

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



Subject: CyberCash and mod_perl Experiences
From: "Ryan Adams" <radams@vitessi.com>
Date: Sun, 1 Oct 2000 16:47:29 -0400

Hello all,

I'm trying to integrate CyberCash with a shopping system
that we've developed in-house using mod_perl almost
exclusively.  I haven't been particularly impressed with the
way it installs.  We're on a Linux machine and it has a very
NT-centric design, in my opinion.

I have been able to get test scripts to run from the
command-line and through basic mod_cgi execution, but I
can't get consistent results when executing them via
mod_perl ContentHandlers.  In looking through their library
files, they are doing some IPC::Open2 calls to executables
and some other pretty ugly stuff that may or may not be
causing the problems.

Does anyone have experience doing this?  What approach did
you take?  Any good documentation?  I've read all the
CyberCash stuff, but it hasn't given me the kind of answers
I wanted.

===


Subject: Re: CyberCash and mod_perl Experiences
From: Yann Ramin <atrus@atrustrivalie.eu.org>
Date: Sun, 1 Oct 2000 15:06:08 -0700


On Sun, 01 Oct 2000, you (Ryan Adams) might of written:


> I'm trying to integrate CyberCash with a shopping system
> that we've developed in-house using mod_perl almost
> exclusively.  I haven't been particularly impressed with
> the way it installs.  We're on a Linux machine and it has
> a very NT-centric design, in my opinion.

> I have been able to get test scripts to run from the
> command-line and through basic mod_cgi execution, but I
> can't get consistent results when executing them via
> mod_perl ContentHandlers.  In looking through their
> library files, they are doing some IPC::Open2 calls to
> executables and some other pretty ugly stuff that may or
> may not be causing the problems.

> Does anyone have experience doing this?  What approach did
> you take?  Any good documentation?  I've read all the
> CyberCash stuff, but it hasn't given me the kind of
> answers I wanted.

I haven't dealt with CyerCash before, but have some ideas which I read from a 
somewhat useful book I got for free (Phillip and Alex's Guide to Web 
Publishing).

CyberCash is not reliable.  Perfectly valid credit cards fail auth at times, 
and the service has a tendancy to crap out.
What the book suggested to do was to have a backend which goes and queries 
new orders every x minutes and tries to auth them.  They are attempted three 
times, and after that rejected (and credit card numbers yanked from your DB, 
replaced with a CyberCash reference).  That way what the user sees is a 
perfectly working system, not knowing that things are dead behind that.

===

Subject: RE: CyberCash and mod_perl Experiences
From: "Ryan Adams" <radams@vitessi.com>
Date: Sun, 1 Oct 2000 18:26:15 -0400

I was thinking about Phillip's approach, actually, but the
technical details in his ACS system are all in Tcl for
AOLServer.  Also, I'm not really excited about the liability
involved in storing the credit card number in my database.

I decided to jump in and start hacking the CyberCash perl
libraries and they are full of junk.  They don't use "use
strict" and when I put it in all of them, it blew up.  They
don't use scoping in any kind of consistent way and seem to
have fundamental issues with perl syntax (They used $#Foo to
find the size of %Foo - can you do that?  I didn't think so,
and the interpreter didn't seem to either - wanted me to
declare @Foo...)

On a completely unrelated note, my picture is actually in
"P&A's Guide to Web Publishing".  I'm in the section about
the dating game.  I'm the model they used (not the
girl... ;) the guy in the suit.

===

Subject: Re: CyberCash and mod_perl Experiences
From: Vivek Khera <khera@kciLink.com>
Date: Sun, 1 Oct 2000 21:24:31 -0400 (EDT)

YR" == Yann Ramin <atrus@atrustrivalie.eu.org> writes:

YR> CyberCash is not reliable.  Perfectly valid credit cards fail auth
YR> at times, and the service has a tendancy to crap out.  What the
YR> book suggested to do was to have a backend which goes and queries

This has never been my experience with cybercash. We were one of their
first customers, and though things were hard to set up in those dark
days, their latest incarnation of the software is quite trivial to
install and use (once you figure out how to program it).  It involves
three Perl modules (pure perl, even) to be installed.  Then you just
"use" the appropriate one,  and call the right function.

===

Subject: Re: CyberCash and mod_perl Experiences
From: Vivek Khera <khera@kciLink.com>
Date: Mon, 2 Oct 2000 10:23:19 -0400 (EDT)

RA" == Ryan Adams <radams@vitessi.com> writes:

RA> I'm trying to integrate CyberCash with a shopping system that we've
RA> developed in-house using mod_perl almost exclusively.  I haven't been
RA> particularly impressed with the way it installs.  We're on a Linux machine
RA> and it has a very NT-centric design, in my opinion.

I never felt that way.  It consists entirely of installing 3 *.pm
files and a config file if I recall correctly.

RA> I have been able to get test scripts to run from the command-line
RA> and through basic mod_cgi execution, but I can't get consistent
RA> results when executing them via mod_perl ContentHandlers.  In

I used CyberCash from registry scripts without ever having any
problems.  We used the "authcapture" method.  It took a long time to
refine the error checking, but once done it was quite reliable.  We
only ever had failures when the credit card was bad or typed
incorrectly by the user.

RA> looking through their library files, they are doing some
RA> IPC::Open2 calls to executables and some other pretty ugly stuff
RA> that may or may not be causing the problems.

I don't recall them calling external routines, but it has been a
little while since I last checked.


RA> Does anyone have experience doing this?  What approach did you
RA> take?  Any good documentation?  I've read all the CyberCash stuff,
RA> but it hasn't given me the kind of answers I wanted.

No good documentation.  I can send you the snippet of my program that
did the CyberCash call(s) and checked return status.  Heck, I'll just
post it here.  Obviously, you'll have to fill in the details and
change the data structure that holds your order info to be what you
use, not what we use.



# CyberCash config file
my $cychConfigFile = '/path/to/merchant/mck-cgi/conf/merchant_conf';

use CCMckDirectLib3_2 qw(SendCC2_1Server);
use CCMckLib3_2 qw(InitConfig);


    if (&InitConfig($cychConfigFile)) {
      return "Failed to initialize CyberCash config.  Contact administrator!";
    }

    # fix up some values for CyberCash program

    $orderInfo->{card_exp} =~ s|(\d{1,2})/(\d\d)(\d\d)|$1/$3|; # remove century
    $orderInfo->{card_number} =~ s/\D//g; # remove non-digits (blanks)
    
    # now charge credit card
    my %result = &SendCC2_1Server('mauthcapture', 
                                  'Order-ID', "${oidprefix}${orderid}",
                                  'Amount', "usd $orderInfo->{total}",
                                  'Card-Number', $orderInfo->{card_number},
                                  'Card-Name', $orderInfo->{bill_name},
                                  'Card-Address', $orderInfo->{bill_addr1},
                                  'Card-City', $orderInfo->{bill_city},
                                  'Card-State', $orderInfo->{bill_state},
                                  'Card-Zip', $orderInfo->{bill_zip},
                                  'Card-Country', $orderInfo->{bill_country},
                                  'Card-Exp', $orderInfo->{card_exp});
    
    if ($result{"MStatus"} =~ m/^failure/i) {
      # mark order as "failed"  -- ignore error
      $statush->execute('failed',$orderInfo->{card_number},
                        "$result{MErrMsg} ($result{MErrLoc})",$orderid);
      
      if ($result{"MErrLoc"} =~ m/BANK|CCSP/i) {
        return "OID $orderid: Card Declined.";
      } else { # if ($result{"MErrLoc"} =~ /CLIENT|MPMT|CCSRVR|SMPS/i)
        return "OID $orderid ERROR: $result{MErrMsg} ($result{MErrLoc})";
      }
    }
    
    # catch non-successful, non failure-hard errors whatever they may be.
    if ($result{'MStatus'} ne "success") {
      # do not mark as failed, since this is usually transient error
      return "OID $orderid TRY AGAIN: $result{MErrMsg} ($result{MErrLoc})";
    }
    
    # mangle CC number so we don't use it again
    $orderInfo->{card_number} =~ s/^(\d{2})(\d+)(\d{4})$/$1\*$3/;

    $ccstatus = "Auth Code: $result{'auth-code'}";

# if you get this far, you have the money.

===

Subject: Re: CyberCash and mod_perl Experiences
From: Jonathan Leto <jonathan@leto.net>
Date: Mon, 2 Oct 2000 09:31:13 -0500

I have been using version 3.2.0.4, it definately leaves something to be 
desired. Insecure /tmp files, C-ish coding style, no good testing 
facilities, it goes on. One thing to note about the perfectly valid
cards failing randomly: one time for a few months one time of credit
card would fail no matter what ( forgot which ), because they had
a broken gateway. Also, they don't seem to notify of outages or anything
of that nature.  

===

Subject: RE: CyberCash and mod_perl Experiences
From: "Ryan Adams" <radams@vitessi.com>
Date: Mon, 2 Oct 2000 11:28:10 -0400

Thanks for the info and code.  That is essentially what I
was doing as well.  I was just getting a lot of errors.
Looking further into their code, they're misspelling a lot
of their own variable names and have some incorrect regex
syntax.

Lots of "Use of uninitialized value in concatenation...",
"Use of unitialized value in substitution..."  filling up my
httpd error log.

It may be that I'm doing some thing wrong, so I'll start
from scratch and see where I can get.  Some of my
frustration has to do with their goofy installation
locations.  They want me to put the .pm's under a cgi-bin
directory, which I don't have since all my dynamic pages run
from ContentHandlers.  I guess what I really wanted was a
library that installed like most other Perl Modules, that
didn't require outside binaries and other such things.
They're only making an http request to their own server with
a message that has been encrypted using DES3.  It just seems
like that could be done in a much easier way than they seem
to be doing it.  For example, they use Socket to do the
connection, when it seems like LWP would encapsulate it very
well.  Same thing with the external encryption binaries and
the Crypt modules.

And yet, I paid their setup fee, so I feel like I've paid
for their software to work the way I wanted and rewriting it
is effort I shouldn't have to make.  I feel like I'm dealing
with Microsoft.

Thanks everyone for listening to me rant.  I'll keep you
posted on what I come up with.  I'm toying with the idea of
writing an CyberCash module for the Business::OnlinePayment
interface.  Anyone have any idea where to start?

===





the rest of The Pile (a partial mailing list archive)

doom@kzsu.stanford.edu