Re: How do you allow accented characters in a cfinput regex?
OK, I think I tried what you suggested--here is exactly what I did:
Added this to the page: cfprocessingdirective pageencoding=utf-8
Made the cfinput: cfinput type=text name=FName required=yes size=30
validate=regex pattern=[:alpha:] message=Please enter a valid First
Name
This now allows nearly anything in the field, including characters that are not
valid in names, such as $ or slash. It also leaves out the {2,50} length spec.
So it doesn't seem to do what I need.
~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352650
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
calling coldfusion page from SSIS package
Hi All - I have the following scenario 1) Coldfusion page is run as a scheduled job 2) After the above script is run, a SSIS package is run. I want to make sure that the Coldfusion job is successful before running the SSIS package. Is there a way to call the coldfusion job from SSIS package to syncrhonize both the jobs? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352651 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: calling coldfusion page from SSIS package
If it is the CF job that executes the SSIS package, surely the very fact that it running is proof that the cf job executed. On Tue, Sep 18, 2012 at 4:35 PM, fun and learning funandlrnn...@gmail.comwrote: Hi All - I have the following scenario 1) Coldfusion page is run as a scheduled job 2) After the above script is run, a SSIS package is run. I want to make sure that the Coldfusion job is successful before running the SSIS package. Is there a way to call the coldfusion job from SSIS package to syncrhonize both the jobs? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352652 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: calling coldfusion page from SSIS package
It would probably be easier to have your CF scheduled job either 1) log an entry in a database table with a success code and timestamp, or 2) write an entry to a text file that SSIS can read. Then update your SSIS package to check the table or text file for the success code before proceeding. HTH, -Carl ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352653 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: calling coldfusion page from SSIS package
If it is the CF job that executes the SSIS package, surely the very fact that it running is proof that the cf job executed. On Tue, Sep 18, 2012 at 4:35 PM, fun and learning funandlrnn...@gmail.comwrote: No it is not the cf job that executes the SSIS job. They are run independent of each other. I am trying to synchronize them. Thanks ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352654 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: calling coldfusion page from SSIS package
Why not have the CF job call the SSIS package? Hi All - I have the following scenario 1) Coldfusion page is run as a scheduled job 2) After the above script is run, a SSIS package is run. I want to make sure that the Coldfusion job is successful before running the SSIS package. Is there a way to call the coldfusion job from SSIS package to syncrhonize both the jobs? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352655 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Question about using AJAX with Authorize.net
I'm implementing my first donation form using Authorize.net. I've found in their fine-print that I cannot submit any personally identifiable information to their servers. We have a form which includes personally identifiable information for emailing thank-you's, etc. Therefore, I'm planning to implement an AJAX solution to intercept the formfield data that is applicable to the transaction and is required by Authorize.net and submit that via AJAX to a method in a cfc, which will send the pertinent data to Authorize.net. In the success section of the AJAX solution to Authorize.net, I'll implement a further submission of the rest of the form data (the personally identifiable information) to another method in a cfc, which will process that data for in-house (non-Authorize.net) use. (Or something similar to this process...) Any warnings, cautions, or gotcha's in this approach? Thanks for any feedback! Rick ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352656 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: calling coldfusion page from SSIS package
exactly, which is what I thought he said to begin with :-) On Tue, Sep 18, 2012 at 5:03 PM, Dave Jemison djemi...@vinesse.com wrote: Why not have the CF job call the SSIS package? Hi All - I have the following scenario 1) Coldfusion page is run as a scheduled job 2) After the above script is run, a SSIS package is run. I want to make sure that the Coldfusion job is successful before running the SSIS package. Is there a way to call the coldfusion job from SSIS package to syncrhonize both the jobs? ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352657 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Question about using AJAX with Authorize.net
well it depends how you process. if you redirect to authorize.net and then come back to your site, then why not simply send your thank you email after they are redirected back to your site, this is how most folks do it. The ajax stuff seems a bit overkill. If your processing serverside, then you simply need to wait till you get the response back from your CFHTTP call. On Tue, Sep 18, 2012 at 6:40 PM, Rick Faircloth r...@whitestonemedia.comwrote: I'm implementing my first donation form using Authorize.net. I've found in their fine-print that I cannot submit any personally identifiable information to their servers. We have a form which includes personally identifiable information for emailing thank-you's, etc. Therefore, I'm planning to implement an AJAX solution to intercept the formfield data that is applicable to the transaction and is required by Authorize.net and submit that via AJAX to a method in a cfc, which will send the pertinent data to Authorize.net. In the success section of the AJAX solution to Authorize.net, I'll implement a further submission of the rest of the form data (the personally identifiable information) to another method in a cfc, which will process that data for in-house (non-Authorize.net) use. (Or something similar to this process...) Any warnings, cautions, or gotcha's in this approach? Thanks for any feedback! Rick ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352658 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: Question about using AJAX with Authorize.net
I work so much using AJAX I may not be able to see the forest for the trees. Without using AJAX and using its success callback function, how else will I send (my) thank you email after they are redirected back to (my) site ? My first thought is to use the AJAX success callback as the means by which I'll call another method to send a thank-you email, store info in the database (not cc info), etc. Is there a simpler way? Besides an AJAX submission and callback, how else will I continue processing info? Call another CFC method to further process form data from the re-direct page? And if the page that Authorize.net redirects to is a Thank-You page, then the form variables will have to be saved as session variables to further process the original form variables for emailing, database storage of info, etc correct? Rick -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Tuesday, September 18, 2012 1:48 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net well it depends how you process. if you redirect to authorize.net and then come back to your site, then why not simply send your thank you email after they are redirected back to your site, this is how most folks do it. The ajax stuff seems a bit overkill. If your processing serverside, then you simply need to wait till you get the response back from your CFHTTP call. On Tue, Sep 18, 2012 at 6:40 PM, Rick Faircloth r...@whitestonemedia.comwrote: I'm implementing my first donation form using Authorize.net. I've found in their fine-print that I cannot submit any personally identifiable information to their servers. We have a form which includes personally identifiable information for emailing thank-you's, etc. Therefore, I'm planning to implement an AJAX solution to intercept the formfield data that is applicable to the transaction and is required by Authorize.net and submit that via AJAX to a method in a cfc, which will send the pertinent data to Authorize.net. In the success section of the AJAX solution to Authorize.net, I'll implement a further submission of the rest of the form data (the personally identifiable information) to another method in a cfc, which will process that data for in-house (non-Authorize.net) use. (Or something similar to this process...) Any warnings, cautions, or gotcha's in this approach? Thanks for any feedback! Rick ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352659 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Question about using AJAX with Authorize.net
you send a unique transactionID along, which they then send back to you on the callback, which identifies the user, so you can send them the thank you email. You On Tue, Sep 18, 2012 at 7:11 PM, Rick Faircloth r...@whitestonemedia.comwrote: I work so much using AJAX I may not be able to see the forest for the trees. Without using AJAX and using its success callback function, how else will I send (my) thank you email after they are redirected back to (my) site ? My first thought is to use the AJAX success callback as the means by which I'll call another method to send a thank-you email, store info in the database (not cc info), etc. Is there a simpler way? Besides an AJAX submission and callback, how else will I continue processing info? Call another CFC method to further process form data from the re-direct page? And if the page that Authorize.net redirects to is a Thank-You page, then the form variables will have to be saved as session variables to further process the original form variables for emailing, database storage of info, etc correct? Rick -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Tuesday, September 18, 2012 1:48 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net well it depends how you process. if you redirect to authorize.net and then come back to your site, then why not simply send your thank you email after they are redirected back to your site, this is how most folks do it. The ajax stuff seems a bit overkill. If your processing serverside, then you simply need to wait till you get the response back from your CFHTTP call. On Tue, Sep 18, 2012 at 6:40 PM, Rick Faircloth r...@whitestonemedia.comwrote: I'm implementing my first donation form using Authorize.net. I've found in their fine-print that I cannot submit any personally identifiable information to their servers. We have a form which includes personally identifiable information for emailing thank-you's, etc. Therefore, I'm planning to implement an AJAX solution to intercept the formfield data that is applicable to the transaction and is required by Authorize.net and submit that via AJAX to a method in a cfc, which will send the pertinent data to Authorize.net. In the success section of the AJAX solution to Authorize.net, I'll implement a further submission of the rest of the form data (the personally identifiable information) to another method in a cfc, which will process that data for in-house (non-Authorize.net) use. (Or something similar to this process...) Any warnings, cautions, or gotcha's in this approach? Thanks for any feedback! Rick ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352660 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Question about using AJAX with Authorize.net
Hi Rick I use authorize.net and i can submit all sorts of personal information, name address email address etc. in the x_variable customer information. perhaps I am not sure what information you are suggesting However i do what Russ suggests, I submit the information for processing as a cfinclude in my submission form and when it is approved, use the approval to trigger my own emails from my server, both to the customer and to the fulfilment service. Rob Robert J. Voyle, Psy.D. Director, Clergy Leadership Institute For Coaching and Training in Appreciative Inquiry Author: Restoring Hope: Appreciative Strategies to Resolve Grief and Resentment http://www.appreciativeway.com/ 503-647-2378 or 503-647-2382 On 18 Sep 2012 at 13:40, Rick Faircloth wrote: I'm implementing my first donation form using Authorize.net. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352661 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Question about using AJAX with Authorize.net
You have to send Auth.net personally identifying information in order to use AVS (the address verification service), so I know they don't forbid that. Maybe it depends on the integration method you are using. Are you doing the simple integration method where you send the user to auth.net and then they come back or are you using a behind the scenes post to their api to do the auth? Judah On Tue, Sep 18, 2012 at 10:40 AM, Rick Faircloth r...@whitestonemedia.com wrote: I'm implementing my first donation form using Authorize.net. I've found in their fine-print that I cannot submit any personally identifiable information to their servers. We have a form which includes personally identifiable information for emailing thank-you's, etc. Therefore, I'm planning to implement an AJAX solution to intercept the formfield data that is applicable to the transaction and is required by Authorize.net and submit that via AJAX to a method in a cfc, which will send the pertinent data to Authorize.net. In the success section of the AJAX solution to Authorize.net, I'll implement a further submission of the rest of the form data (the personally identifiable information) to another method in a cfc, which will process that data for in-house (non-Authorize.net) use. (Or something similar to this process...) Any warnings, cautions, or gotcha's in this approach? Thanks for any feedback! Rick ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352662 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
CFCs stop working after call to WebLogic [access denied (java.io.FilePermission]
Our app makes a call to a WebLogic server. Then whether the connection is made or not, all our CFCs stop working. Apps using CFM pages are okay. In 5-10 minutes the servers grinds to a halt as error messages flood in. Immediately following the T3 (WebLogic RMI) call to the WebLogic server, these errors for ColdFusion CFC components come in. There are no errors in CFM files. Error Type=coldfusion.runtime.CfErrorWrapper ERROR TEMPLATE:[directories]/pmn.cfm ERROR DIAGNOSTICS:access denied (java.io.FilePermission [directories]\sqlprev.cfc execute) null brThe error occurred on line -1. error.message = access denied (java.io.FilePermission[directories]\sqlprev.cfc execute) error.rootCause = java.security.AccessControlException: access denied (java.io.FilePermission [directories]\sqlprev.cfc execute) The errors continue until we restart ColdFusion/JRun, then all is okay ... until the next call to WebLogic. Any ideas? thanks, Chris ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352663 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: Question about using AJAX with Authorize.net
Thanks, everyone, for the comments... Judah, I'm using the Advanced Integration Method (AIM), since I'm hosting my own form. Here's what I'm referring to in the Authorize.net info about personally identifying information: From the Advanced Integration Method docs: -- Merchant-defined data fields are not intended to and must not be used to capture personally identifying information. Accordingly, the merchant is prohibited from capturing, obtaining, and/or transmitting any personally identifying information in or by means of the merchant-defined data fields. Personally identifying information includes, but is not limited to, name, address, credit card number, social security number, driver's license number, state-issued identification number, passport number, and card verification numbers (CVV, CVC2, CVV2, CID, CVN). If Authorize.Net discovers that the merchant is capturing and/or transmitting personally identifying information by means of the merchant-defined data fields, whether or not intentionally, CyberSource will immediately suspend the merchant's account, which will result in a rejection of any and all transaction requests submitted by the merchant after the point of suspension. -- That seems clear to me, that in the AIM method, I can't use the merchant-defined x_ fields to capture any of the info mentioned above. My plan was just to send to them what they require for the processing and use the other fields from the form for the in-house emailing, thank-you's, in honor of, in memory of, etc., data. I don't think that kind of data can go through Authorize.net's server and back to me. Rick -Original Message- From: Judah McAuley [mailto:ju...@wiredotter.com] Sent: Tuesday, September 18, 2012 3:31 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net You have to send Auth.net personally identifying information in order to use AVS (the address verification service), so I know they don't forbid that. Maybe it depends on the integration method you are using. Are you doing the simple integration method where you send the user to auth.net and then they come back or are you using a behind the scenes post to their api to do the auth? Judah On Tue, Sep 18, 2012 at 10:40 AM, Rick Faircloth r...@whitestonemedia.com wrote: I'm implementing my first donation form using Authorize.net. I've found in their fine-print that I cannot submit any personally identifiable information to their servers. We have a form which includes personally identifiable information for emailing thank-you's, etc. Therefore, I'm planning to implement an AJAX solution to intercept the formfield data that is applicable to the transaction and is required by Authorize.net and submit that via AJAX to a method in a cfc, which will send the pertinent data to Authorize.net. In the success section of the AJAX solution to Authorize.net, I'll implement a further submission of the rest of the form data (the personally identifiable information) to another method in a cfc, which will process that data for in-house (non-Authorize.net) use. (Or something similar to this process...) Any warnings, cautions, or gotcha's in this approach? Thanks for any feedback! Rick ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352664 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Question about using AJAX with Authorize.net
Ah, gotcha. The key there is definitely the merchant defined fields. They do not want you to send them personally defined information that they then post back to you (the x_ fields that you mentioned). I think you are on target with your ajax option. The other option is to post back to your server, capture the response in memory (just the Form collection), do a cfhttp post to Auth.net to do the transaction with the subset of information they need and then redirect to the receipt page (if successful) or back to the submission page if the transaction errors. This is what I've done in the past and it allows you to do the server side validation and any custom processing. The downside to this method is that it carries a higher PCI compliance because the CC details are transmitted to your server even if they are never stored anywhere other than memory. If you use Ajax calls directly from the client-side form, you can avoid some of the PCI compliance stuff because the information never hits your server. However, you would have to include the transaction key and password in your client-side form at that point which makes that information publicly available. Off the top of my head, the only thing I can think of that that would do is make it so that other people could charge credit cards and give you money from them but there may be other attack vectors that aren't obvious to me right away. If you bypassed client-side validation, maybe you could charge a negative number and refund money to the card? Probably not, but it would warrant investigation at the very least. I would also think that the fact that the client side would be doing the HTTP call would mean that you could set up a Hosts file entry for the Auth.net gateway and provide a reply on the client side that said it was successful and then your page would submit back to you assuming that the call was successful and therefore allow them to fake a transaction. I don't know if that is important in your situation or not, but fundamentally, I do no trust validation that is only performed on a machine I do not control. Cheers, Judah On Tue, Sep 18, 2012 at 2:25 PM, Rick Faircloth r...@whitestonemedia.com wrote: Thanks, everyone, for the comments... Judah, I'm using the Advanced Integration Method (AIM), since I'm hosting my own form. Here's what I'm referring to in the Authorize.net info about personally identifying information: From the Advanced Integration Method docs: -- Merchant-defined data fields are not intended to and must not be used to capture personally identifying information. Accordingly, the merchant is prohibited from capturing, obtaining, and/or transmitting any personally identifying information in or by means of the merchant-defined data fields. Personally identifying information includes, but is not limited to, name, address, credit card number, social security number, driver's license number, state-issued identification number, passport number, and card verification numbers (CVV, CVC2, CVV2, CID, CVN). If Authorize.Net discovers that the merchant is capturing and/or transmitting personally identifying information by means of the merchant-defined data fields, whether or not intentionally, CyberSource will immediately suspend the merchant's account, which will result in a rejection of any and all transaction requests submitted by the merchant after the point of suspension. -- That seems clear to me, that in the AIM method, I can't use the merchant-defined x_ fields to capture any of the info mentioned above. My plan was just to send to them what they require for the processing and use the other fields from the form for the in-house emailing, thank-you's, in honor of, in memory of, etc., data. I don't think that kind of data can go through Authorize.net's server and back to me. Rick -Original Message- From: Judah McAuley [mailto:ju...@wiredotter.com] Sent: Tuesday, September 18, 2012 3:31 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net You have to send Auth.net personally identifying information in order to use AVS (the address verification service), so I know they don't forbid that. Maybe it depends on the integration method you are using. Are you doing the simple integration method where you send the user to auth.net and then they come back or are you using a behind the scenes post to their api to do the auth? Judah On Tue, Sep 18, 2012 at 10:40 AM, Rick Faircloth r...@whitestonemedia.com wrote: I'm implementing my first donation form using Authorize.net. I've found in their fine-print that I cannot submit any personally identifiable information to their servers. We have a form which includes personally identifiable information for emailing thank-you's, etc. Therefore, I'm planning to implement an
Re: Question about using AJAX with Authorize.net
Hi rick I take this to mean anything downstream of their portal, but surely anything upstream on your server and your form is yours. If you do have any concerns I would call authorize.Net tech support. I have found them to be very helpful. rob Robert J. Voyle, Psy.D. Director, Clergy Leadership Institute For Coaching and Training in Appreciative Inquiry Author: Restoring Hope: Appreciative Strategies to Resolve Grief and Resentment http://www.appreciativeway.com/ 503-647-2378 or 503-647-2382 On 18 Sep 2012 at 17:25, Rick Faircloth wrote: From the Advanced Integration Method docs: Merchant-defined data fields are not intended to and must not be used to capture personally identifying information. Accordingly, the merchant is prohibited from capturing, obtaining, and/or transmitting any personally identifying information in or by means of the merchant-defined data fields. Personally identifying information includes, but is not limited to, name, address, credit card number, social security number, driver's license number, state-issued identification number, passport number, and card verification numbers (CVV, CVC2, CVV2, CID, CVN). If Authorize.Net discovers that the merchant is capturing and/or transmitting personally identifying information by means of the merchant-defined data fields, whether or not intentionally, CyberSource will immediately suspend the merchant's account, which will result in a rejection of any and all transaction requests submitted by the merchant after the point of suspension. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352666 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: Question about using AJAX with Authorize.net
Thanks for the perspective, Juday... My plan is to run client-side validation via Javascript when info is being entered into the form, then validate with CF in a cfc method once the form passes Javascript validation and return any errors that CF picks up. Usually, there aren't any CF errors if JS didn't find any in the form data, since I program CF to validate the same way the JS does. You mentioned the transaction key and password. I'll provide that data in the JS processing and assign the values there before submitting the data via AJAX. Would that be secure? Rick -Original Message- From: Judah McAuley [mailto:ju...@wiredotter.com] Sent: Tuesday, September 18, 2012 5:54 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net Ah, gotcha. The key there is definitely the merchant defined fields. They do not want you to send them personally defined information that they then post back to you (the x_ fields that you mentioned). I think you are on target with your ajax option. The other option is to post back to your server, capture the response in memory (just the Form collection), do a cfhttp post to Auth.net to do the transaction with the subset of information they need and then redirect to the receipt page (if successful) or back to the submission page if the transaction errors. This is what I've done in the past and it allows you to do the server side validation and any custom processing. The downside to this method is that it carries a higher PCI compliance because the CC details are transmitted to your server even if they are never stored anywhere other than memory. If you use Ajax calls directly from the client-side form, you can avoid some of the PCI compliance stuff because the information never hits your server. However, you would have to include the transaction key and password in your client-side form at that point which makes that information publicly available. Off the top of my head, the only thing I can think of that that would do is make it so that other people could charge credit cards and give you money from them but there may be other attack vectors that aren't obvious to me right away. If you bypassed client-side validation, maybe you could charge a negative number and refund money to the card? Probably not, but it would warrant investigation at the very least. I would also think that the fact that the client side would be doing the HTTP call would mean that you could set up a Hosts file entry for the Auth.net gateway and provide a reply on the client side that said it was successful and then your page would submit back to you assuming that the call was successful and therefore allow them to fake a transaction. I don't know if that is important in your situation or not, but fundamentally, I do no trust validation that is only performed on a machine I do not control. Cheers, Judah On Tue, Sep 18, 2012 at 2:25 PM, Rick Faircloth r...@whitestonemedia.com wrote: Thanks, everyone, for the comments... Judah, I'm using the Advanced Integration Method (AIM), since I'm hosting my own form. Here's what I'm referring to in the Authorize.net info about personally identifying information: From the Advanced Integration Method docs: -- Merchant-defined data fields are not intended to and must not be used to capture personally identifying information. Accordingly, the merchant is prohibited from capturing, obtaining, and/or transmitting any personally identifying information in or by means of the merchant-defined data fields. Personally identifying information includes, but is not limited to, name, address, credit card number, social security number, driver's license number, state-issued identification number, passport number, and card verification numbers (CVV, CVC2, CVV2, CID, CVN). If Authorize.Net discovers that the merchant is capturing and/or transmitting personally identifying information by means of the merchant-defined data fields, whether or not intentionally, CyberSource will immediately suspend the merchant's account, which will result in a rejection of any and all transaction requests submitted by the merchant after the point of suspension. -- That seems clear to me, that in the AIM method, I can't use the merchant-defined x_ fields to capture any of the info mentioned above. My plan was just to send to them what they require for the processing and use the other fields from the form for the in-house emailing, thank-you's, in honor of, in memory of, etc., data. I don't think that kind of data can go through Authorize.net's server and back to me. Rick -Original Message- From: Judah McAuley [mailto:ju...@wiredotter.com] Sent: Tuesday, September 18, 2012 3:31 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net You have to send Auth.net
RE: Question about using AJAX with Authorize.net
Thanks, Rob... I'll do that once I have the application running fully in their sandbox testing area. Hopefully, they can pick up any flaws. This donation form is for a large organization and I would hate to cause any security problems and compromise the system or donors' info. Rick -Original Message- From: Rob Voyle [mailto:robvo...@voyle.com] Sent: Tuesday, September 18, 2012 6:35 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net Hi rick I take this to mean anything downstream of their portal, but surely anything upstream on your server and your form is yours. If you do have any concerns I would call authorize.Net tech support. I have found them to be very helpful. rob Robert J. Voyle, Psy.D. Director, Clergy Leadership Institute For Coaching and Training in Appreciative Inquiry Author: Restoring Hope: Appreciative Strategies to Resolve Grief and Resentment http://www.appreciativeway.com/ 503-647-2378 or 503-647-2382 On 18 Sep 2012 at 17:25, Rick Faircloth wrote: From the Advanced Integration Method docs: Merchant-defined data fields are not intended to and must not be used to capture personally identifying information. Accordingly, the merchant is prohibited from capturing, obtaining, and/or transmitting any personally identifying information in or by means of the merchant-defined data fields. Personally identifying information includes, but is not limited to, name, address, credit card number, social security number, driver's license number, state-issued identification number, passport number, and card verification numbers (CVV, CVC2, CVV2, CID, CVN). If Authorize.Net discovers that the merchant is capturing and/or transmitting personally identifying information by means of the merchant-defined data fields, whether or not intentionally, CyberSource will immediately suspend the merchant's account, which will result in a rejection of any and all transaction requests submitted by the merchant after the point of suspension. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352668 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
