hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Mon Jun 04, 2007 3:43 pm

ok..got a mail from a client saying that members that buy a subscription weren't added to the database.
it grabs the money but doesn't add the member to the db.

the guy uses WS Subscription and when the author checked it all out to debug the problem.

it was fixed by commenting out the following :

// Invalid user agent
if($nsnst_const['user_agent']=="none" AND !stristr($_SERVER['PHP_SELF'], "backend.php") AND ($nsnst_const['remote_ip'] != $nsnst_const['server_ip'])) {
    echo abget_template("abuse_invalid2.tpl");
    die();
}


question now is...
how and why is this suddenly happening..
and would this be ok.
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9133
Location: Arizona

Posted: Thu Jun 07, 2007 7:07 am

<bump>
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Thu Jun 07, 2007 7:19 am

thanks for the bump monty....
i hoped for some feedback on this as sentinel was altered by the ws subscription author.
fkelly
Moderator


Joined: Aug 30, 2005
Posts: 3186
Location: near Albany NY

Posted: Thu Jun 07, 2007 7:50 am

It is hard for anyone to figure this out for you since we don't know what the ws subscription does or how that software works. I'm working on a paypal application that's based off the blocks from the nukescripts network. The general way the "thing" works is that your application sends data (a request) to Paypal with an item to purchase (or subscribe to) and Paypal lets the user charge it to a credit card or bank account, then it sends data back to your site and to a specific application on your site (something like ps_ipn.php) which then has the option to process it. This "IPN" program is probably where the database update is failing but you'd need to look at the code to know why. I have Sentinel installed on my site and the IPN program still works successfully.

In terms of the code change, it would be better if the exception could be limited to the specific Paypal item that Sentinel is "objecting" to. Without putting some echoes in, it's hard to tell. It looks like backend.php is given an exemption from the filter and perhaps the paypal program could be given an exemption too rather than commenting the whole block of code out.
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Thu Jun 07, 2007 7:57 am

agree fkelly, I only know ws subscription by name and that's it..
but I'm just the advising party in this..
personally I don't see any harm in excluding the mentioned code but question is..what's next..
kevinkap
Involved
Involved


Joined: Apr 22, 2006
Posts: 352

Posted: Thu Oct 11, 2007 7:31 pm

What file did he edit that in? I use the same script and it works sometimes and not sometimes.
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16986
Location: Kansas

Posted: Thu Oct 11, 2007 7:42 pm

No need to modify the file anymore. If you use RN(tm) then set this setting to true in rn_config.php. If you don't use RN(tm) then add this line to config.php.

$bypassNukeSentinelInvalidIPCheck = true;
kevinkap
Involved
Involved


Joined: Apr 22, 2006
Posts: 352

Posted: Thu Oct 11, 2007 7:59 pm

THANKS Raven
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16986
Location: Kansas

Posted: Thu Oct 11, 2007 8:57 pm

RavensScripts
thewitt
New Member
New Member


Joined: Dec 16, 2007
Posts: 3

Posted: Sun Dec 16, 2007 1:31 pm

The rn_config change didn't work for me.

I had to disable the Invalid User Agent check, not the Invalid IP Check.

Once I commented out the Invalid User Agent check, WS Subscription worked just fine.

Just thought you might like to know.

-t
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16986
Location: Kansas

Posted: Sun Dec 16, 2007 1:41 pm

thewitt1,

Thanks for letting us know of another anomaly. I think you should investigate this further as you are the first one that we know of that has had this issue with a different resolution. Invalid IP checks are more the norm and expected as new IPs are added by the minute/hour/etc. I would not really want people visiting me with an invalid User Agent. That very often means someone is snooping and could be looking for trouble.
gotcha
Regular
Regular


Joined: Mar 14, 2005
Posts: 91

Posted: Sun Dec 16, 2007 7:36 pm

The problem is, paypal doesn't send a user agent at all, so it is always seen as invalid. Any call to a paypal ipn file will be blocked if mainfile is called (which in turn calls sentinel). My digital shop script runs into this same problem so I have the users make edits to sentinel. Every time sentinel gets updated, the edits have to be made again, which is kind of a pain in the.... I vote for a constant that developers can use to shut it off for paypal IPN's so users aren't tempted to comment it out completely :)
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16986
Location: Kansas

Posted: Sun Dec 16, 2007 7:48 pm

I use various customized Paypal IPN scripts and I don't have and never have had any problem. So, it is dependent on how the IPN script is coded. That having been said, I see no reason not to have a configurable setting of some kind. Rather than tailor it specifically to IPN or any specific script/application it should probably be like the $bypassNukeSentinelInvalidIPCheck setting in RavenNuke(tm).
thewitt
New Member
New Member


Joined: Dec 16, 2007
Posts: 3

Posted: Sun Dec 16, 2007 8:02 pm

If this were a "switch" configuration variable, then wouldn't it be easy enough for the IPN script file to define the variable and turn off the invalid user test just while it's running? Would that compromise anything else?

-t
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16986
Location: Kansas

Posted: Sun Dec 16, 2007 8:17 pm

If you do that then every user would have to know that IPN scripts need that switch. That's going about it in the wrong order imo. You don't want to code scripts around NS. NS needs to be the controller. Also, to avoid code injection we not only set the switches in the config files, we also initialize them in mainfile.php.

Some of this is philosophical and can be coded different ways. You can do whatever you want as a user but for the masses we need to take a broader approach.
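The scoped exemption that fkelly and gotcha ask for, with the switch initialised in code as Raven describes, sketched as an added example (not part of any post, and not NukeSentinel or RavenNuke code). `resolve_switches`, `ua_check_blocks`, `uaExemptScripts` and the `ipn.php` file name are hypothetical; the `$const` keys follow the snippet in the first post.

```php
<?php
// Added illustration; not NukeSentinel or RavenNuke code. Array keys mirror the
// snippet in the first post; every function and switch name here is hypothetical.

// Switches get a hard-coded default first, then the site's config file may
// override them. Request data is never consulted, so a switch left out of the
// config cannot be supplied by a visitor.
function resolve_switches(array $config)
{
    $switches = array('uaExemptScripts' => array('backend.php'));
    if (isset($config['uaExemptScripts']) && is_array($config['uaExemptScripts'])) {
        $switches['uaExemptScripts'] = array_map('strtolower', $config['uaExemptScripts']);
    }
    return $switches;
}

// True when a request with no user agent must be rejected. $scriptName should
// be $_SERVER['SCRIPT_NAME']; PHP_SELF also carries any trailing PATH_INFO.
function ua_check_blocks(array $const, $scriptName, array $switches)
{
    if ($const['user_agent'] !== 'none') {
        return false;   // a user agent was sent
    }
    if ($const['remote_ip'] === $const['server_ip']) {
        return false;   // the server calling itself
    }
    return !in_array(strtolower(basename($scriptName)), $switches['uaExemptScripts'], true);
}

// Constructed site config: only the IPN endpoint is added to the exemptions.
$switches = resolve_switches(array('uaExemptScripts' => array('backend.php', 'ipn.php')));

// Constructed requests: script, user agent, remote IP (documentation ranges).
$requests = array(
    array('/modules/Shop/ipn.php', 'none',        '198.51.100.7'),  // IPN callback
    array('/index.php',            'none',        '198.51.100.7'),  // still filtered
    array('/index.php',            'Mozilla/5.0', '198.51.100.7'),
);
foreach ($requests as $r) {
    $const = array('user_agent' => $r[1], 'remote_ip' => $r[2], 'server_ip' => '203.0.113.10');
    $verdict = ua_check_blocks($const, $r[0], $switches) ? 'blocked' : 'allowed';
    printf("%-24s ua=%-12s %s\n", $r[0], $r[1], $verdict);
}
```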
thewitt
New Member
New Member


Joined: Dec 16, 2007
Posts: 3

Posted: Mon Dec 17, 2007 11:01 am

So when your working IPN scripts come back, what is the value of user agent? How is it you get past this check? Does your IPN script include mainfile.php?

-t
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16986
Location: Kansas

Posted: Mon Dec 17, 2007 11:40 am

T,

As soon as I have a spare minute or two I will look them over and get back to you. I'm kind of tied up at the moment.