Someone Placed A Fake Order - How?

[Guest Lisade]

I set up CubeCart 3.0.17 over the weekend. Very nice, easy and I love it, however...

Someone just placed an order with the details: Mr Test Test and fake shipping addresses, etc. The order appears to have gone through (I have PayPal IPN as the only payment method). No funds were deposited in my PayPal account, but I did get the order confirmation via email.

How could this have happened?

[Guest robj]

The order report is generated when the user clicks the submit button that redirects them to PayPal.

It's a real order, but the person is fake...

[Guest Lisade]

The order report is generated when the user clicks the submit button that redirects them to PayPal.

It's a real order, but the person is fake...

I see. Is there any way to get CubeCart to wait for the IPN to come back before submitting the order? I thought that was the point of IPN, you see.

Otherwise, I'm going to have to go check the paypal account everytime an order is submitted.

[vokf]

Its easily possible. The order status should be "Pending" which means Payment is Pending.

The store does not know that "Mr Test Test" is a fake name, or the shipping address is fake.

If PayPal IPN is correctly set-up, the status will change to Processing.

Test purchases are rare -but it is fairly common for customers to abandon the cart apon PayPal.

Customising the PayPal payment screen using your store logo and colours really helps (you'll need some cheap SSL image hosting ~$2/year if you have to pay).

You can also contact the customer (you have their details), and offer payment by bank transfer/cheque etc.

I suppose the alternative is for the store to not send any order notifications unless payment is received, but then you will not be able to try to claw back any orders.

Jason

[Guest Lisade]

Customising the PayPal payment screen using your store logo and colours really helps (you'll need some cheap SSL image hosting ~$2/year if you have to pay).

Actually, I've done that with my standard account. No payment required.

You can also contact the customer (you have their details), and offer payment by bank transfer/cheque etc.

I suppose the alternative is for the store to not send any order notifications unless payment is received, but then you will not be able to try to claw back any orders.

I would prefer that, actually. I'm not at all interested in contacting people begging them to buy something. I hope that doesn't sound dismissive, but taking a cheque or transfer would cost me more time and money than it's worth, to be honest.

I'm also considering implementing CubeCart for a customer that sells downloads only (currently using X-cart, which I hate) and I'm worried that it will end up being a nightmare of manual administration, as opposed to never doing more than transferring the money out of the PayPal account once a month.

So, how do I do that?

[Guest robj]

Otherwise, I'm going to have to go check the paypal account everytime an order is submitted.

You should receive a payment confirmation from PayPal when the order is placed.

I receive 2 emails to this effect.

1. Order Confirmation

2. PayPal payment confirmation.

These 2 emails will have the same order number attached making it easy to keep track. You shouldn't need to go into PayPal, except to transfer funds.

[Guest Lisade]

Otherwise, I'm going to have to go check the paypal account everytime an order is submitted.

You should receive a payment confirmation from PayPal when the order is placed.

I receive 2 emails to this effect.

1. Order Confirmation

2. PayPal payment confirmation.

These 2 emails will have the same order number attached making it easy to keep track. You shouldn't need to go into PayPal, except to transfer funds.

So, you're saying there's no way to prevent getting an order notification prior to the payment being made?

And how will this effect the ability to allow customers to download purchases without me having to go into the back end and change status manually?

I ask because I'm considering this for a client - I haven't actually set it up yet and would prefer not to if it's not going to work in the way I require it to.

[Guest robj]

Honestly, someone else will need to answer the virtual products question. I've never used this feature, but I'm under the impression they are automatically given a link to the download.

On the other hand, you can definitely turn off the first email you'll have to mod the php code, but you can do it. I can't seem to find the correct file now, but I'll let you know.

rob

[Guest Lisade]

Honestly, someone else will need to answer the virtual products question. I've never used this feature, but I'm under the impression they are automatically given a link to the download.

On the other hand, you can definitely turn off the first email you'll have to mod the php code, but you can do it. I can't seem to find the correct file now, but I'll let you know.

rob

Thanks. I'll wait for someone else to let me know how to do it. I'm not really that php savvy, so I do need code to cut and paste, to be honest, assuming anyone's done it before.

Just to clarify, I want to be notified about sales by email only after the payment has been made. I don't care about incomplete orders.

[Guest robj]

include\content\gateway.inc.php

is the file in question. If you comment out lines between:

	// notify shop owner of new order

	

	if($basket['mailSent']==0){

down to 

		$send = $mail->send(array($config['masterEmail']), $config['mailMethod']);

	}

this should remove the confirmation order, but then the only email you'll receive is from PayPal at the completion of payment.

Look at This Post. Is this really what you're looking for?

[Guest Lisade]

Thanks Stevie.

I understand your justification as you set about in that pinned pst thing, but I have been using (the admittedly nasty) x-cart for several years now and none of those scenarios have occurred to my knowledge. I get the email notification when payment has been made and I use the information there to generate an invoice that I attach to the package and it's been working fine for me.

Look at This Post. Is this really what you're looking for?

Er, yes. And it appears it's never been resolved. What a shame.

Would be nice if there was an option so we could sort out our fulfillment in the way that works best for us.

[Guest robj]

Don't know, but probably not. It makes much more sense the way it's currently setup.

Alas, I'll build a mod for this. Seems like there's enough people who need it.

[Guest Lisade]

Don't know, but probably not. It makes much more sense the way it's currently setup.

To you perhaps, but as I edited above, I have a good workflow that works for me and I would like to stick with it. With the exception of that one feature, I do like CubeCart better than X-Cart but would prefer it to work in a way that suits me, rather than in a way that suits the person who designed it.

;)

[Guest robj]

I understand completely. I wish CubeCart could do a lot of things that it can't (SEO, reports, web stats, multistore config, etc.). But the way they have this designed IS how most of the community wants it, or they wouldn't have changed it 2 years ago from what you described to the current workflow.

I have experience with 8 or 9 carts. And between osCommerce or ZenCart (which are more robust and feature rich) and CubeCart, I would choose CubeCart. They seem to know what people need in a ecommerce software package and deliver it very well.

There are a hundred official and non-official modifications out there. That's the perks of having a community behind a great cart.

I'll PM you when I'm done with the mod.

rob

[Guest Lisade]

I understand completely. I wish CubeCart could do a lot of things that it can't (SEO, reports, web stats, multistore config, etc.). But the way they have this designed IS how most of the community wants it, or they wouldn't have changed it 2 years ago from what you described to the current workflow.

Do you know if CubeCart 4 allows you to choose at which stage the admin email is sent out?

[Guest robj]

No idea. I just downloaded the trial, and am uploading it now.

[Guest prissanna]

Customising the PayPal payment screen using your store logo and colours really helps (you'll need some cheap SSL image hosting ~$2/year if you have to pay).

Actually, I've done that with my standard account. No payment required.

Can you tell me how you did this?

If PayPal IPN is correctly set-up, the status will change to Processing.

I must not have it set up right then. All of my orders, paid or not, say pending. Any suggestions?

[vokf]

To customise the paypal checkout screen is fairly easy and free.

The payment I mentioned was for SSL image hosting, not PayPal. If you have a SSL certificate on your site, or your hosting company offers a shared SSL services, you won't have to pay extra

Google for SSL image hosting, and you'll find a few companies that offer this.

Its about $2/year and this normally gives you 2 images. If you don't want/need a SSL cert on your site, $2 is cheap enough not to worry.

Log into paypay, click on Profile.

Then click on custom payment pages, then add. Paste the URL of your securely hosted image (https://. ...) and edit any colours to suit.

Click "preview" and ensure the page looks ok. Then set the new scheme as your default.

Jason

[Guest Lisade]

The payment I mentioned was for SSL image hosting, not PayPal. If you have a SSL certificate on your site, or your hosting company offers a shared SSL services, you won't have to pay extra

Why do you suggest SSL image hosting? I just used an image on my server. Just doublechecked by placing an order and it shows the entire page as secure.

[Guest chrisyt]

Same here - never used SSL for image hosting.

There must be a perk/ looks more professional or perhaps Paypal never used to host images from non secure servers and Vokf did not know things have changed?!

Most interested for a reply to this one.

Regards

[vokf]

Interesting...

Things have not changed though. You shouldn't really mix non-ssl and ssl data on a page.

Its not really a perk, the only issue is the browser reporting a security problem. Obviously you don't want this when people are about to hand over their PayPal passwords, or Credit Card details.

Inside PayPal, I've re-pointed my image URL to a non-SSL site.

Firefox 2.0.0.7 reports no problems when previewing

IE6 reports "This page contains both secure and non-secure items" I can't test IE6 at this moment, but I would expect that give the same warning (which is correct and pretty important imo)

Firefox does have a setting under:

tools->options->security->warning messages->settings

"Show a warning dialog when about to view a page with insecure items"

This is *unticked* by default.

I've ticked it now... and after a FF restart, there is still no alert.

The PayPal HTML code uses the image inside a Style section - its not in an <img> tag.

Not too sure if this is a FF bug. I'll try it on another PC later.

Short answer, you DO need SSL image hosting if your visitors are using IE and you don't want the security warning appearing on their screen.

Jason

[Guest robj]

The topic has changes and should really be in a new post.

Moderator, save us.

[vokf]

I've not seen someone complaining about off topic posts for years...

Thanks for bringing those memories back :P

[Guest prissanna]

I've set up my SSL in CubeCart (didn't have it done before I read this post) and now I can't get into my CC admin. My store shows up when I punch in the web addy, but my CC admin says page not found. Any ideas?