Ecommerce

Credit card slamming is the practice of trying hundreds or thousands of card number and security code combinations to find the few in the batch that will actually work. I have discussed credit card slamming here and over at the ZenCart forums several times in the past.

The code snippet below can be used in modules/checkout_process.php to automatically log a user out after a set number of payment attempts (6 in the snippet below).

    // damonp add auto logoff after 6 attempts
    if (!isset($_SESSION['payment_attempt'])) $_SESSION['payment_attempt'] = 0;
    $_SESSION['payment_attempt']++;

    if ($_SESSION['payment_attempt'] > 6) { // change 6 to change how many attempts to allow before logout
        // log attempt or email report
        // the following information is useful
        // "Host:\t\t".$_SESSION['customers_host_address'].
        // "\nCustomer:\t".$_SESSION['customer_id'].
        // "\nTotal:\t\t".$_SESSION['cart']->total,
        // destroy session to log customer out
        zen_session_destroy();
        // redirect to timeout page or create new page to redirect to
        zen_redirect(zen_href_link(FILENAME_TIME_OUT, '', 'SSL'));
    }

Place it between these two pieces of code near the top of the file:

    // if the customer is not logged on, redirect them to the time out page
    if (!$_SESSION['customer_id']) {
        zen_redirect(zen_href_link(FILENAME_TIME_OUT));
    }

    // INSERT AUTO LOGOUT FUNCTIONALITY HERE

    // load selected payment module
    require(DIR_WS_CLASSES . 'payment.php');
    $payment_modules = new payment($_SESSION['payment']);
    // load the selected shipping module
    require(DIR_WS_CLASSES . 'shipping.php');
I found six attempts to work well on the sites I implemented it on. You do not want to adversely impact normal users, but you do want to make it harder on abusers so that they just go away.
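
The logging step that the snippet leaves as comments, written out as an added example (not the original author's code): it counts attempts the same way and writes the fields named in those comments to a log file, stripping control characters first. The function names, the log path and the sample session values are assumptions.

```php
<?php
// Added example. Function names, log path and sample values are assumptions.

/** Increment the per-session counter; returns true once the limit is exceeded. */
function payment_attempt_exceeded(array &$session, int $limit = 6): bool
{
    $session['payment_attempt'] = (int)($session['payment_attempt'] ?? 0) + 1;
    return $session['payment_attempt'] > $limit;
}

/** Build a one-line report from the fields the snippet's comments list. */
function build_attempt_report(array $session, float $cartTotal): string
{
    $fields = [
        'time'     => gmdate('Y-m-d\TH:i:s\Z'),
        'host'     => $session['customers_host_address'] ?? 'unknown',
        'customer' => $session['customer_id'] ?? 'unknown',
        'attempts' => $session['payment_attempt'] ?? 0,
        'total'    => number_format($cartTotal, 2, '.', ''),
    ];
    $parts = [];
    foreach ($fields as $key => $value) {
        // Strip control characters so a crafted value cannot forge log lines.
        $clean = preg_replace('/[\x00-\x1F\x7F]/', '', (string)$value);
        $parts[] = $key . '=' . $clean;
    }
    return implode(' ', $parts);
}

// Constructed sample session standing in for $_SESSION.
$session = [
    'customer_id'            => 1042,
    'customers_host_address' => 'host.example.net',
];
$logFile = sys_get_temp_dir() . '/payment_attempts.log'; // assumed location

for ($i = 1; $i <= 8; $i++) {
    if (payment_attempt_exceeded($session, 6)) {
        // message_type 3 appends the message to the given file.
        error_log(build_attempt_report($session, 199.95) . PHP_EOL, 3, $logFile);
        echo "attempt $i: limit exceeded, logged; log the customer out here\n";
        break;
    }
    echo "attempt $i: allowed\n";
}
```

In checkout_process.php the two functions would be given $_SESSION and $_SESSION['cart']->total, with zen_session_destroy() and the redirect following the log write.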

BE WARNED

Improper use of this code could prevent anyone from checking out. The two things that will save you when trying this out are:

  1. MAKE A BACKUP
  2. FULLY TEST BEFORE CALLING IT COMPLETE

Feedback from users prompted me to add an extra column to the report display… the master category. The master_category_id is listed in the products table and is generally the category the product was originally created in (unless changed later). The report won’t show every category a product is listed in if the product has been linked to multiple categories.

Download ZenCart Inventory Report

Thanks to Ron for the donation to help out with these feature additions.

Combating Card Fraud (or at least slow it down)

15 March 2007

I have a major client whose Authorize.net gateway account gets hit sometimes hundreds of times a day with charge attempts. Most are posted by an automated script from IPs coming out of Indonesia or Eastern Europe in an attempt to find a valid credit card number and security code. Fortunately, it hasn’t cost the client [...]

ZenCart Inventory Report – Updated

10 March 2007

Thanks to Ron for posting a bug back on the Zencart forums about my Zencart Inventory Report. Fixed… download… enjoy.

ZenCart Manufacturers System Errors

12 January 2007

In ZenCart versions immediately prior to 1.3.6, using many of the public side manufacturers functions may produce this error: "Warning: constant(): Couldn’t find constant in …/includes/init_includes/init_add_crumbs.php on line 45". The error is caused by a missing database column that was added in the official 1.3.6 release. If upgrade is not immediately possible the following SQL [...]

Interesting Ecommerce Comparison

9 January 2007

The “killingest” assumptions businesses make revolve around how their customers buy. Suppose you and 99 other people go into an electronics store and purchase the exact same item. That’s 100 sales. But you can probably guess those 100 sales didn’t unfold in the exact same way. No properly-trained sales person would ever use the exact [...]

ZenCart Inventory Report

29 November 2006

Here’s a simple admin report for ZenCart that will generate an inventory report with per product totals and a report total. The report may be paginated or generated over the whole catalog. The report was created by modifying the ZenCart default Products Viewed report. It was created from the ZenCart v1.2x source but has been [...]

MySQL Database Performance – ZenCart Sales Report

23 October 2006

One of my client’s ZenCart installs was loading the server down so much to generate sales reports with the Sales Report v1 contribution that the public side was noticeably less responsive for the couple of minutes it took to build the report. The site has been running for over three years and contains 9k orders, [...]

ZenCart Products ID Search

20 October 2006

The ZenCart admin does not allow searching for products by the products_id field. This is the field assigned internally to each product as it is entered by ZenCart itself. Using the Paypal Session Viewer (updated v2 here) to debug recent Paypal issues for a client only shows the products_id ordered, without any additional product information. [...]

ZenCart Godaddy and cURL

5 October 2006

I recently migrated a customer’s ZenCart site to a hosting account with Godaddy.com. The project went smoothly except for the Authorize.net gateway. Trying to process orders, the site timed out on the final order process page. Godaddy’s support site, some googling and debugging led to this working code to be added to the cURL routine [...]