CODEWITHSUNDEEP
paypalcoldfusionpaypal-ipncoldfusion-9
Martin Joiner
Martin Joiner

Reputation: 3657

FORM.payment_date is reserved name bug in Coldfusion causing PayPal IPN INVALID verification in CF9

Run the following experiments on your ColdFusion server/development environment:

1) Create the following, basic HTML form that submits to itself using the post method:

<form method="post">
    DATE: <input type="text" name="date" value="gfsgfdgfsd"><br>
    MARTIN: <input type="text" name="martin" value="beardy"><br>
    PAYMENT: <input type="text" name="payment" value="50 POUNDS"><br>
    PAYMENT_DATE: <input type="text" name="payment_date" value="06:05:13 Apr 09, 2014 PDT"><br>
    XEVI: <input type="text" name="xevi" value="cool"><br>
    <input type="submit" value="submit"><br>
</form>

<cfdump var="#FORM#" />

Now access the page and hit the Submit button. Notice you get the error Form entries are incomplete or invalid. Now remove the ' POUNDS' from the end of the PAYMENT field so the value only contains numeric values. Re-submit the form and notice the error goes away.

2) Now study the CF Dump of the FORM structure. Notice how PAYMENT_DATE is missing from the comma separated list under the FIELDNAMES element! Clearly it exists because it's visible as the penultimate element in the dump. So why is it not listed?

Note: This strange bug wasted 4 hours of my life while trying to integrate the PayPal IPN (Instant Payment Notification) notification verification/validation stage which requires you to post everything back to the PayPal server with the arguments in the same order they were when submitted to you. Because payment_date was missing is was returning as INVALID. I fixed it with a dirty hack that looks for mc_gross while looping over fieldnames and inserts payment_date manually. Eerrgh, I feel unclean!

Experiment 1 proves that FORM.PAYMENT is a reserved value that must be numeric.

Experiment 2 proves that FORM.PAYMENT_DATE is a reserved value that gets ignored when FORM.FIELDNAMES is populated.

Why?

Upvotes: 3

Views: 204

Answers (1)

ntunney
ntunney

Reputation: 96

In the form scope in ColdFusion anything ending in _date is reserved as per http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec173d0-7ffe.html for validation purposes.

I cannot replicate the issue you are having with 'payment' being an integer. As soon as I change the payment_date field to paymentdate it submits just fine.

Upvotes: 8

Related Questions