Re: Question about using AJAX with Authorize.net
The response string is returned in the callback. Just .split(|) it to
get a javascript array. Then do whatever you need to in the response
callback.
script type=text/javascript
$.ajax({
type: POST,
url: authNetURL,
data: { ... }
}).done(function( data ) {
var parsedData = data.split(|);
console.log( Data Response:, data, Parsed Response,
parsedData);
if (parsedData[0] == 1)
alert(SUCCESS\nCode: + parsedData[0]);
else
alert(FAILURE\nCode: + parsedData[0] + \nReason:
+ parsedData[3]);
});
/script
This is what the string data looks like coming back:
3|2|33|Credit card number is
required.||P|0|||0.00|CC|auth_capture||7A27F022C6CA581165E16ED2D88F2135||
The meanings of the columns returned are in the Authorize.net docs and
can also be found starting at line 423 of this file, but remember CF
uses 1 based indexes while JS uses 0 based.
http://svn.riaforge.org/cfpayment/trunk/api/gateway/authorizenet/authorizenet.cfc
On 9/22/12 10:16 PM, Rick Faircloth wrote:
All that's quite beyond me, Jonah. Partly because
I don't make use of the createObject() methodology,
so I don't understand it very well. The other part, is, well,
I just don't understand how to apply everything in the docs.
I guess I'll just need to talk to Authorize.net on Monday
and see if they know what I need to make this work. I just
don't know how to handle the data they send back; a pipe-delimited
list of all transaction information.
I'm not sure what it's called. Using CFHTTP, all of that is contained
in cfhttp.fileContent. With that I know how to access the data in
the delimited string they return.
Using jQuery AJAX to submit my form, I'm not sure what variable
(like filecontent for cfhttp) it would come in so I can reference it.
Does that make sense?
Rick
~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352729
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: Question about using AJAX with Authorize.net
!= '' )
//{
$('#processing_image').hide();
//
$('#processing_text').hide();
//
$('#processing_success').fadeIn(250);
//
$('#response_code').empty().append(response); }
//else{
$('#response_code').empty().append(response); }
} // success function
}); // $.ajax
}); // click function
}); // document ready function
-Original Message-
From: .jonah [mailto:jonah@creori.com]
Sent: Sunday, September 23, 2012 2:42 AM
To: cf-talk
Subject: Re: Question about using AJAX with Authorize.net
The response string is returned in the callback. Just .split(|) it to
get a javascript array. Then do whatever you need to in the response
callback.
script type=text/javascript
$.ajax({
type: POST,
url: authNetURL,
data: { ... }
}).done(function( data ) {
var parsedData = data.split(|);
console.log( Data Response:, data, Parsed Response,
parsedData);
if (parsedData[0] == 1)
alert(SUCCESS\nCode: + parsedData[0]);
else
alert(FAILURE\nCode: + parsedData[0] + \nReason:
+ parsedData[3]);
});
/script
This is what the string data looks like coming back:
3|2|33|Credit card number is
required.||P|0|||0.00|CC|auth_capture||7A27F022C6CA5
81165E16ED2D88F2135||
The meanings of the columns returned are in the Authorize.net docs and
can also be found starting at line 423 of this file, but remember CF
uses 1 based indexes while JS uses 0 based.
http://svn.riaforge.org/cfpayment/trunk/api/gateway/authorizenet/authorizene
t.cfc
On 9/22/12 10:16 PM, Rick Faircloth wrote:
All that's quite beyond me, Jonah. Partly because
I don't make use of the createObject() methodology,
so I don't understand it very well. The other part, is, well,
I just don't understand how to apply everything in the docs.
I guess I'll just need to talk to Authorize.net on Monday
and see if they know what I need to make this work. I just
don't know how to handle the data they send back; a pipe-delimited
list of all transaction information.
I'm not sure what it's called. Using CFHTTP, all of that is contained
in cfhttp.fileContent. With that I know how to access the data in
the delimited string they return.
Using jQuery AJAX to submit my form, I'm not sure what variable
(like filecontent for cfhttp) it would come in so I can reference it.
Does that make sense?
Rick
~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352730
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Question about using AJAX with Authorize.net
I don't quite know how you're using that endpoint with AJAX.
If you click on that URL in firebug, you'll see you're not actually
getting a response at all.
Also, try your form in Chrome.
I get this in the console:
XMLHttpRequest cannot load
https://test.authorize.net/gateway/transact.dll. Origin http://my test
server is not allowed by Access-Control-Allow-Origin.
Where in the authorize.net docs does it talk about using this endpoint
in this way?
On 9/23/12 5:54 AM, Rick Faircloth wrote:
$(document).ready(function() {
$('#donation_form_submit').click(function() {
var x_login = '25F2wqnuFs';
var x_tran_key = '3B58p37d9PJxUUR9';
var x_relay_response= 'false';
var x_type = 'AUTH_CAPTURE';
var x_method= 'CC';
var x_description = 'Donation';
var x_card_num = $('#x_card_num').val();
var x_card_num =
x_card_num.replace(/\D/g,'');
var x_exp_date =
$('#p_cc_exp_month').val()+$('#p_cc_exp_year').val();
var x_amount=
$('input[name=x_amount]:checked').val();
var x_first_name= $('#x_first_name').val();
var x_last_name = $('#x_last_name').val();
var x_address = $('#x_address').val();
var x_city = $('#x_city').val();
var x_state = $('#x_state').val();
var x_zip = $('#x_zip').val();
var x_email = $('#x_email').val();
values = { x_login:x_login,
x_tran_key: x_tran_key,
x_relay_response: x_relay_response,
x_type: x_type,
x_method: x_method,
x_description: x_description,
x_card_num: x_card_num,
x_exp_date: x_exp_date,
x_amount: x_amount,
x_first_name: x_first_name,
x_last_name:x_last_name,
x_address: x_address,
x_city: x_city,
x_state:x_state,
x_zip: x_zip,
x_email:x_email
}
$.ajax ({ cache: false,
type: 'post',
url:
'https://test.authorize.net/gateway/transact.dll',
dataType: 'json',
data: values,
beforeSend: function() {
$('#processing_image').fadeIn(250);
$('#processing_text').fadeIn(250);
},
success:function(data) {
(this alert never works...) - alert('inside
success callback');
var parsedData =
data.split('|');
(nothing appears in the console log - console.log('Data
Response:', data, 'Parsed Response:', parsedData);
if (
parsedData[0] == 1 )
(this alert doesn't show) --- {
alert('SUCCESS\nCode: ' + parsedData[0])}
(this alert doesn't show) --- else{
alert('FAILURE\nCode: ' + parsedData[0] + '\nReason: ' + parsedData[3]) }
(this is the success code I've been trying -- //if (
response != '' )
//{
$('#processing_image').hide();
//
$('#processing_text').hide();
//
$('#processing_success').fadeIn(250);
//
$('#response_code').empty().append(response); }
//else{
$('#response_code').empty().append(response); }
} // success function
}); // $.ajax
}); // click
RE: Question about using AJAX with Authorize.net
When you say endpoint, you mean the success
section of the code? That's always the way I do AJAX
when I'm sending requests to component methods for processing.
Is there something about sending a post to another
server/domain that makes that unworkable?
not actually getting a response at all
Yes, I've noticed that from the start...nothing in Firebug
in the Response section in any browser.
The only thing I see different in Firebug in Chrome is under
headers RequestHeaders I've got these lines:
Content-Typeapplication/x-www-form-urlencoded
Accept application/json, text/javascript, */*; q=0.01
Is there a disconnect between the content-type (sent? received?)
and what will be accepted (by my code? by Auth.net's server?)
Does this tell you anything?
And you asked where in the Authorized.net docs have I seen this
endpoint... well, nowhere, but then, I haven't seen much of
anything except a ton of PHP code and an example of CF processing
using CFHTTP.
I noticed that cfpayment uses CFHTTP in part of the programming.
If I use CFHTTP to process the form, does that mean that I'm now
handling the form data on my server, requiring more stringent
PCI compliance that doing a straight AJAX post?
I'm sure there's just something I don't understand about what's
going on, especially since this is my first experience with a
payment gateway, as well as the first time I've ever used AJAX
to post to another domain/site.
So, is what I'm trying to do with my code even possible?
I'm getting correct processing on Authorize.net's end. They send
me the customer and merchant email receipts.
I just can't figure out how to get a response back to my AJAX
function.
Any more suggestions?
Rick
-Original Message-
From: .jonah [mailto:jonah@creori.com]
Sent: Sunday, September 23, 2012 3:51 PM
To: cf-talk
Subject: Re: Question about using AJAX with Authorize.net
I don't quite know how you're using that endpoint with AJAX.
If you click on that URL in firebug, you'll see you're not actually
getting a response at all.
Also, try your form in Chrome.
I get this in the console:
XMLHttpRequest cannot load
https://test.authorize.net/gateway/transact.dll. Origin http://my test
server is not allowed by Access-Control-Allow-Origin.
Where in the authorize.net docs does it talk about using this endpoint
in this way?
On 9/23/12 5:54 AM, Rick Faircloth wrote:
$(document).ready(function() {
$('#donation_form_submit').click(function() {
var x_login = '25F2wqnuFs';
var x_tran_key = '3B58p37d9PJxUUR9';
var x_relay_response= 'false';
var x_type = 'AUTH_CAPTURE';
var x_method= 'CC';
var x_description = 'Donation';
var x_card_num = $('#x_card_num').val();
var x_card_num =
x_card_num.replace(/\D/g,'');
var x_exp_date =
$('#p_cc_exp_month').val()+$('#p_cc_exp_year').val();
var x_amount=
$('input[name=x_amount]:checked').val();
var x_first_name=
$('#x_first_name').val();
var x_last_name = $('#x_last_name').val();
var x_address = $('#x_address').val();
var x_city = $('#x_city').val();
var x_state = $('#x_state').val();
var x_zip = $('#x_zip').val();
var x_email = $('#x_email').val();
values = { x_login:x_login,
x_tran_key: x_tran_key,
x_relay_response: x_relay_response,
x_type: x_type,
x_method: x_method,
x_description: x_description,
x_card_num: x_card_num,
x_exp_date: x_exp_date,
x_amount: x_amount,
x_first_name: x_first_name,
x_last_name:x_last_name,
x_address: x_address,
x_city: x_city,
x_state:x_state,
x_zip: x_zip,
x_email:x_email
}
$.ajax ({ cache: false,
type: 'post',
url:
'https://test.authorize.net/gateway
Re: Question about using AJAX with Authorize.net
I don't have time right now to delve into the details of coming up with
a new way to use Authorize.net and what you're trying to do isn't an
approved method of integration.
Their approach for what you're wanting to do is the Direct Post Method:
http://developer.authorize.net/api/dpm
Have you taken a look at its docs and examples?
Once you have that method working and you really want to try something
new you could try to migrate it to posting via AJAX instead of directly...
On 9/23/12 6:27 PM, Rick Faircloth wrote:
When you say endpoint, you mean the success
section of the code? That's always the way I do AJAX
when I'm sending requests to component methods for processing.
Is there something about sending a post to another
server/domain that makes that unworkable?
not actually getting a response at all
Yes, I've noticed that from the start...nothing in Firebug
in the Response section in any browser.
The only thing I see different in Firebug in Chrome is under
headers RequestHeaders I've got these lines:
Content-Typeapplication/x-www-form-urlencoded
Accept application/json, text/javascript, */*; q=0.01
Is there a disconnect between the content-type (sent? received?)
and what will be accepted (by my code? by Auth.net's server?)
Does this tell you anything?
And you asked where in the Authorized.net docs have I seen this
endpoint... well, nowhere, but then, I haven't seen much of
anything except a ton of PHP code and an example of CF processing
using CFHTTP.
I noticed that cfpayment uses CFHTTP in part of the programming.
If I use CFHTTP to process the form, does that mean that I'm now
handling the form data on my server, requiring more stringent
PCI compliance that doing a straight AJAX post?
I'm sure there's just something I don't understand about what's
going on, especially since this is my first experience with a
payment gateway, as well as the first time I've ever used AJAX
to post to another domain/site.
So, is what I'm trying to do with my code even possible?
I'm getting correct processing on Authorize.net's end. They send
me the customer and merchant email receipts.
I just can't figure out how to get a response back to my AJAX
function.
Any more suggestions?
Rick
-Original Message-
From: .jonah [mailto:jonah@creori.com]
Sent: Sunday, September 23, 2012 3:51 PM
To: cf-talk
Subject: Re: Question about using AJAX with Authorize.net
I don't quite know how you're using that endpoint with AJAX.
If you click on that URL in firebug, you'll see you're not actually
getting a response at all.
Also, try your form in Chrome.
I get this in the console:
XMLHttpRequest cannot load
https://test.authorize.net/gateway/transact.dll. Origin http://my test
server is not allowed by Access-Control-Allow-Origin.
Where in the authorize.net docs does it talk about using this endpoint
in this way?
On 9/23/12 5:54 AM, Rick Faircloth wrote:
$(document).ready(function() {
$('#donation_form_submit').click(function() {
var x_login = '25F2wqnuFs';
var x_tran_key = '3B58p37d9PJxUUR9';
var x_relay_response= 'false';
var x_type = 'AUTH_CAPTURE';
var x_method= 'CC';
var x_description = 'Donation';
var x_card_num = $('#x_card_num').val();
var x_card_num =
x_card_num.replace(/\D/g,'');
var x_exp_date =
$('#p_cc_exp_month').val()+$('#p_cc_exp_year').val();
var x_amount=
$('input[name=x_amount]:checked').val();
var x_first_name=
$('#x_first_name').val();
var x_last_name = $('#x_last_name').val();
var x_address = $('#x_address').val();
var x_city = $('#x_city').val();
var x_state = $('#x_state').val();
var x_zip = $('#x_zip').val();
var x_email = $('#x_email').val();
values = { x_login:x_login,
x_tran_key: x_tran_key,
x_relay_response: x_relay_response,
x_type: x_type,
x_method: x_method,
x_description: x_description,
x_card_num: x_card_num,
x_exp_date: x_exp_date,
x_amount: x_amount,
x_first_name
RE: Question about using AJAX with Authorize.net
Judah... (or anyone else...) I'm running successful transactions to Authorize.net from my form using AJAX to post that data to Authorize.net. I know the transactions are successful, because I'm getting Customer Receipts (to myself) and Merchant Receipts (again to myself). However, in the success part of my AJAX code, I don't know how to access the data/response that Authorize.net is sending back. My AJAX routine processes and submits the transaction info, then displays the Processing... message and the page sits there, because I don't know how to check for the This transaction has been approved. code. I'm not sure what variable/array to check. What variable should I test to make sure the transaction was successful in the AJAX callback? The only ColdFusion documentation I could find doesn't involve AJAX and just uses CFHTTP, which I want to avoid to simply PCI compliance. (However, I will be running server-side validation of the data, including credit card numbers, to make sure one's been entered and is in the correct format... does that mean I've now passed the data to my server and causes me to have to be as stringent about PCI compliance as if I were using CFHTTP to post to Authorize.net in the first place, instead of AJAX? Thanks for any feedback! Rick -Original Message- From: Rick Faircloth [mailto:r...@whitestonemedia.com] Sent: Tuesday, September 18, 2012 6:37 PM To: cf-talk Subject: RE: Question about using AJAX with Authorize.net Thanks for the perspective, Juday... My plan is to run client-side validation via Javascript when info is being entered into the form, then validate with CF in a cfc method once the form passes Javascript validation and return any errors that CF picks up. Usually, there aren't any CF errors if JS didn't find any in the form data, since I program CF to validate the same way the JS does. You mentioned the transaction key and password. I'll provide that data in the JS processing and assign the values there before submitting the data via AJAX. Would that be secure? Rick -Original Message- From: Judah McAuley [mailto:ju...@wiredotter.com] Sent: Tuesday, September 18, 2012 5:54 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net Ah, gotcha. The key there is definitely the merchant defined fields. They do not want you to send them personally defined information that they then post back to you (the x_ fields that you mentioned). I think you are on target with your ajax option. The other option is to post back to your server, capture the response in memory (just the Form collection), do a cfhttp post to Auth.net to do the transaction with the subset of information they need and then redirect to the receipt page (if successful) or back to the submission page if the transaction errors. This is what I've done in the past and it allows you to do the server side validation and any custom processing. The downside to this method is that it carries a higher PCI compliance because the CC details are transmitted to your server even if they are never stored anywhere other than memory. If you use Ajax calls directly from the client-side form, you can avoid some of the PCI compliance stuff because the information never hits your server. However, you would have to include the transaction key and password in your client-side form at that point which makes that information publicly available. Off the top of my head, the only thing I can think of that that would do is make it so that other people could charge credit cards and give you money from them but there may be other attack vectors that aren't obvious to me right away. If you bypassed client-side validation, maybe you could charge a negative number and refund money to the card? Probably not, but it would warrant investigation at the very least. I would also think that the fact that the client side would be doing the HTTP call would mean that you could set up a Hosts file entry for the Auth.net gateway and provide a reply on the client side that said it was successful and then your page would submit back to you assuming that the call was successful and therefore allow them to fake a transaction. I don't know if that is important in your situation or not, but fundamentally, I do no trust validation that is only performed on a machine I do not control. Cheers, Judah On Tue, Sep 18, 2012 at 2:25 PM, Rick Faircloth r...@whitestonemedia.com wrote: Thanks, everyone, for the comments... Judah, I'm using the Advanced Integration Method (AIM), since I'm hosting my own form. Here's what I'm referring to in the Authorize.net info about personally identifying information: From the Advanced Integration Method docs: -- Merchant-defined data fields are not intended to and must not be used to capture personally identifying information. Accordingly, the merchant is prohibited from capturing, obtaining
Re: Question about using AJAX with Authorize.net
you need to take ajax out of the loop and do a regular http post, and then look at the response that comes back, then you will see what variables they are sending you and you can then adjust your ajax code accordinly On Sat, Sep 22, 2012 at 10:22 PM, Rick Faircloth r...@whitestonemedia.comwrote: Judah... (or anyone else...) I'm running successful transactions to Authorize.net from my form using AJAX to post that data to Authorize.net. I know the transactions are successful, because I'm getting Customer Receipts (to myself) and Merchant Receipts (again to myself). However, in the success part of my AJAX code, I don't know how to access the data/response that Authorize.net is sending back. My AJAX routine processes and submits the transaction info, then displays the Processing... message and the page sits there, because I don't know how to check for the This transaction has been approved. code. I'm not sure what variable/array to check. What variable should I test to make sure the transaction was successful in the AJAX callback? The only ColdFusion documentation I could find doesn't involve AJAX and just uses CFHTTP, which I want to avoid to simply PCI compliance. (However, I will be running server-side validation of the data, including credit card numbers, to make sure one's been entered and is in the correct format... does that mean I've now passed the data to my server and causes me to have to be as stringent about PCI compliance as if I were using CFHTTP to post to Authorize.net in the first place, instead of AJAX? Thanks for any feedback! Rick -Original Message- From: Rick Faircloth [mailto:r...@whitestonemedia.com] Sent: Tuesday, September 18, 2012 6:37 PM To: cf-talk Subject: RE: Question about using AJAX with Authorize.net Thanks for the perspective, Juday... My plan is to run client-side validation via Javascript when info is being entered into the form, then validate with CF in a cfc method once the form passes Javascript validation and return any errors that CF picks up. Usually, there aren't any CF errors if JS didn't find any in the form data, since I program CF to validate the same way the JS does. You mentioned the transaction key and password. I'll provide that data in the JS processing and assign the values there before submitting the data via AJAX. Would that be secure? Rick -Original Message- From: Judah McAuley [mailto:ju...@wiredotter.com] Sent: Tuesday, September 18, 2012 5:54 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net Ah, gotcha. The key there is definitely the merchant defined fields. They do not want you to send them personally defined information that they then post back to you (the x_ fields that you mentioned). I think you are on target with your ajax option. The other option is to post back to your server, capture the response in memory (just the Form collection), do a cfhttp post to Auth.net to do the transaction with the subset of information they need and then redirect to the receipt page (if successful) or back to the submission page if the transaction errors. This is what I've done in the past and it allows you to do the server side validation and any custom processing. The downside to this method is that it carries a higher PCI compliance because the CC details are transmitted to your server even if they are never stored anywhere other than memory. If you use Ajax calls directly from the client-side form, you can avoid some of the PCI compliance stuff because the information never hits your server. However, you would have to include the transaction key and password in your client-side form at that point which makes that information publicly available. Off the top of my head, the only thing I can think of that that would do is make it so that other people could charge credit cards and give you money from them but there may be other attack vectors that aren't obvious to me right away. If you bypassed client-side validation, maybe you could charge a negative number and refund money to the card? Probably not, but it would warrant investigation at the very least. I would also think that the fact that the client side would be doing the HTTP call would mean that you could set up a Hosts file entry for the Auth.net gateway and provide a reply on the client side that said it was successful and then your page would submit back to you assuming that the call was successful and therefore allow them to fake a transaction. I don't know if that is important in your situation or not, but fundamentally, I do no trust validation that is only performed on a machine I do not control. Cheers, Judah On Tue, Sep 18, 2012 at 2:25 PM, Rick Faircloth r...@whitestonemedia.com wrote: Thanks, everyone, for the comments... Judah, I'm using the Advanced Integration Method (AIM), since I'm hosting my own form. Here's what I'm referring
RE: Question about using AJAX with Authorize.net
Looking at the sample CF code, which posts via CFHTTP, this is how the post response gets handled: - !--- Because coldfusion's ListToArray object ignores empty fields, we must put a space in all empty fields to make sure that they are not skipped --- cfset post_response=Replace(cfhttp.filecontent,||,| |, all) !--- the same command is run twice, because the first time it only adjusts every other empty field --- cfset post_response=Replace(post_response,||,| |, all) !--- now the ListToArray method can be used without skipping fields --- cfset response_array=ListToArray(post_response, |) !--- the results are output to the screen in the form of an html numbered list. --- cfoutput -- From that code, I get a list of all the data coming back, but I couldn't use the structure, filecontent to access any field of data. Maybe I should try filecontent[1] or something. I made the following changes, just to see if I could access the field data in the response: !--- [ ricks changes ] --- pThank you for your donation to USO Tampa Bay./p cfparam name=response_array[69] default=/ cfif len(trim(#response_array[69]#)) gt 0 pThis donation has been made in memory of #response_array[69]#./p /cfif And that works. response_array[69] is the first name of the person the donation is sent in honor of. I tried using filecontent as the structure containing all the responses, which is the first thing I see in the CF code above, cfhttp.filecontent. But that didn't work... is the filecontent part of that specific to a cfhttp post? I thought I'd mention this code before writing up a regular post to Authorize.net. Does this help figure out the structure the code is being returned in? Rick -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Saturday, September 22, 2012 5:40 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net you need to take ajax out of the loop and do a regular http post, and then look at the response that comes back, then you will see what variables they are sending you and you can then adjust your ajax code accordinly On Sat, Sep 22, 2012 at 10:22 PM, Rick Faircloth r...@whitestonemedia.comwrote: Judah... (or anyone else...) I'm running successful transactions to Authorize.net from my form using AJAX to post that data to Authorize.net. I know the transactions are successful, because I'm getting Customer Receipts (to myself) and Merchant Receipts (again to myself). However, in the success part of my AJAX code, I don't know how to access the data/response that Authorize.net is sending back. My AJAX routine processes and submits the transaction info, then displays the Processing... message and the page sits there, because I don't know how to check for the This transaction has been approved. code. I'm not sure what variable/array to check. What variable should I test to make sure the transaction was successful in the AJAX callback? The only ColdFusion documentation I could find doesn't involve AJAX and just uses CFHTTP, which I want to avoid to simply PCI compliance. (However, I will be running server-side validation of the data, including credit card numbers, to make sure one's been entered and is in the correct format... does that mean I've now passed the data to my server and causes me to have to be as stringent about PCI compliance as if I were using CFHTTP to post to Authorize.net in the first place, instead of AJAX? Thanks for any feedback! Rick -Original Message- From: Rick Faircloth [mailto:r...@whitestonemedia.com] Sent: Tuesday, September 18, 2012 6:37 PM To: cf-talk Subject: RE: Question about using AJAX with Authorize.net Thanks for the perspective, Juday... My plan is to run client-side validation via Javascript when info is being entered into the form, then validate with CF in a cfc method once the form passes Javascript validation and return any errors that CF picks up. Usually, there aren't any CF errors if JS didn't find any in the form data, since I program CF to validate the same way the JS does. You mentioned the transaction key and password. I'll provide that data in the JS processing and assign the values there before submitting the data via AJAX. Would that be secure? Rick -Original Message- From: Judah McAuley [mailto:ju...@wiredotter.com] Sent: Tuesday, September 18, 2012 5:54 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net Ah, gotcha. The key there is definitely the merchant defined fields. They do not want you to send them personally defined information that they then post back to you (the x_ fields that you mentioned). I think you
RE: Question about using AJAX with Authorize.net
After running a regular form post (no AJAX, no CFHTTP), I get back all my form values in a pipe-delimited string, along with Authorize.net's approval code and other transaction info they return. The submission is a success. I get the successful email notification, etc. However, I'm still not sure how to access the pieces of that string. What kind of variable is it, if any? Do I need to assign the string to a variable, then parse it? In the typical AJAX I run, I'm sending data to a component method, and I create a Struct and store variables I'm returning to the success callback in there, but access them in the AJAX code via response.WHATEVER. I've tried response, fileContent, etc., trying to figure out how to reference the string that Authorize.net returns. Any more clues anyone? Thanks! Rick -Original Message- From: Rick Faircloth [mailto:r...@whitestonemedia.com] Sent: Saturday, September 22, 2012 6:05 PM To: cf-talk Subject: RE: Question about using AJAX with Authorize.net Looking at the sample CF code, which posts via CFHTTP, this is how the post response gets handled: - !--- Because coldfusion's ListToArray object ignores empty fields, we must put a space in all empty fields to make sure that they are not skipped --- cfset post_response=Replace(cfhttp.filecontent,||,| |, all) !--- the same command is run twice, because the first time it only adjusts every other empty field --- cfset post_response=Replace(post_response,||,| |, all) !--- now the ListToArray method can be used without skipping fields --- cfset response_array=ListToArray(post_response, |) !--- the results are output to the screen in the form of an html numbered list. --- cfoutput -- From that code, I get a list of all the data coming back, but I couldn't use the structure, filecontent to access any field of data. Maybe I should try filecontent[1] or something. I made the following changes, just to see if I could access the field data in the response: !--- [ ricks changes ] --- pThank you for your donation to USO Tampa Bay./p cfparam name=response_array[69] default=/ cfif len(trim(#response_array[69]#)) gt 0 pThis donation has been made in memory of #response_array[69]#./p /cfif And that works. response_array[69] is the first name of the person the donation is sent in honor of. I tried using filecontent as the structure containing all the responses, which is the first thing I see in the CF code above, cfhttp.filecontent. But that didn't work... is the filecontent part of that specific to a cfhttp post? I thought I'd mention this code before writing up a regular post to Authorize.net. Does this help figure out the structure the code is being returned in? Rick -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Saturday, September 22, 2012 5:40 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net you need to take ajax out of the loop and do a regular http post, and then look at the response that comes back, then you will see what variables they are sending you and you can then adjust your ajax code accordinly On Sat, Sep 22, 2012 at 10:22 PM, Rick Faircloth r...@whitestonemedia.comwrote: Judah... (or anyone else...) I'm running successful transactions to Authorize.net from my form using AJAX to post that data to Authorize.net. I know the transactions are successful, because I'm getting Customer Receipts (to myself) and Merchant Receipts (again to myself). However, in the success part of my AJAX code, I don't know how to access the data/response that Authorize.net is sending back. My AJAX routine processes and submits the transaction info, then displays the Processing... message and the page sits there, because I don't know how to check for the This transaction has been approved. code. I'm not sure what variable/array to check. What variable should I test to make sure the transaction was successful in the AJAX callback? The only ColdFusion documentation I could find doesn't involve AJAX and just uses CFHTTP, which I want to avoid to simply PCI compliance. (However, I will be running server-side validation of the data, including credit card numbers, to make sure one's been entered and is in the correct format... does that mean I've now passed the data to my server and causes me to have to be as stringent about PCI compliance as if I were using CFHTTP to post to Authorize.net in the first place, instead of AJAX? Thanks for any feedback! Rick -Original Message- From: Rick Faircloth [mailto:r...@whitestonemedia.com] Sent: Tuesday, September 18, 2012 6:37 PM To: cf-talk Subject: RE: Question about using AJAX with Authorize.net
Re: Question about using AJAX with Authorize.net
Wait, you're doing this in CF? Just use the cfpayment library: http://cfpayment.riaforge.org/ or the the good parts of the authorizenet.cfc by itself. On 9/22/12 7:23 PM, Rick Faircloth wrote: After running a regular form post (no AJAX, no CFHTTP), I get back all my form values in a pipe-delimited string, along with Authorize.net's approval code and other transaction info they return. The submission is a success. I get the successful email notification, etc. However, I'm still not sure how to access the pieces of that string. What kind of variable is it, if any? Do I need to assign the string to a variable, then parse it? In the typical AJAX I run, I'm sending data to a component method, and I create a Struct and store variables I'm returning to the success callback in there, but access them in the AJAX code via response.WHATEVER. I've tried response, fileContent, etc., trying to figure out how to reference the string that Authorize.net returns. Any more clues anyone? Thanks! Rick -Original Message- From: Rick Faircloth [mailto:r...@whitestonemedia.com] Sent: Saturday, September 22, 2012 6:05 PM To: cf-talk Subject: RE: Question about using AJAX with Authorize.net Looking at the sample CF code, which posts via CFHTTP, this is how the post response gets handled: - !--- Because coldfusion's ListToArray object ignores empty fields, we must put a space in all empty fields to make sure that they are not skipped --- cfset post_response=Replace(cfhttp.filecontent,||,| |, all) !--- the same command is run twice, because the first time it only adjusts every other empty field --- cfset post_response=Replace(post_response,||,| |, all) !--- now the ListToArray method can be used without skipping fields --- cfset response_array=ListToArray(post_response, |) !--- the results are output to the screen in the form of an html numbered list. --- cfoutput -- From that code, I get a list of all the data coming back, but I couldn't use the structure, filecontent to access any field of data. Maybe I should try filecontent[1] or something. I made the following changes, just to see if I could access the field data in the response: !--- [ ricks changes ] --- pThank you for your donation to USO Tampa Bay./p cfparam name=response_array[69] default=/ cfif len(trim(#response_array[69]#)) gt 0 pThis donation has been made in memory of #response_array[69]#./p /cfif And that works. response_array[69] is the first name of the person the donation is sent in honor of. I tried using filecontent as the structure containing all the responses, which is the first thing I see in the CF code above, cfhttp.filecontent. But that didn't work... is the filecontent part of that specific to a cfhttp post? I thought I'd mention this code before writing up a regular post to Authorize.net. Does this help figure out the structure the code is being returned in? Rick -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Saturday, September 22, 2012 5:40 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net you need to take ajax out of the loop and do a regular http post, and then look at the response that comes back, then you will see what variables they are sending you and you can then adjust your ajax code accordinly On Sat, Sep 22, 2012 at 10:22 PM, Rick Faircloth r...@whitestonemedia.comwrote: Judah... (or anyone else...) I'm running successful transactions to Authorize.net from my form using AJAX to post that data to Authorize.net. I know the transactions are successful, because I'm getting Customer Receipts (to myself) and Merchant Receipts (again to myself). However, in the success part of my AJAX code, I don't know how to access the data/response that Authorize.net is sending back. My AJAX routine processes and submits the transaction info, then displays the Processing... message and the page sits there, because I don't know how to check for the This transaction has been approved. code. I'm not sure what variable/array to check. What variable should I test to make sure the transaction was successful in the AJAX callback? The only ColdFusion documentation I could find doesn't involve AJAX and just uses CFHTTP, which I want to avoid to simply PCI compliance. (However, I will be running server-side validation of the data, including credit card numbers, to make sure one's been entered and is in the correct format... does that mean I've now passed the data to my server and causes me to have to be as stringent about PCI compliance as if I were using CFHTTP to post to Authorize.net in the first place, instead of AJAX
RE: Question about using AJAX with Authorize.net
Thanks for the tip, Jonah... let me check it out. Rick -Original Message- From: .jonah [mailto:jonah@creori.com] Sent: Saturday, September 22, 2012 11:12 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net Wait, you're doing this in CF? Just use the cfpayment library: http://cfpayment.riaforge.org/ or the the good parts of the authorizenet.cfc by itself. On 9/22/12 7:23 PM, Rick Faircloth wrote: After running a regular form post (no AJAX, no CFHTTP), I get back all my form values in a pipe-delimited string, along with Authorize.net's approval code and other transaction info they return. The submission is a success. I get the successful email notification, etc. However, I'm still not sure how to access the pieces of that string. What kind of variable is it, if any? Do I need to assign the string to a variable, then parse it? In the typical AJAX I run, I'm sending data to a component method, and I create a Struct and store variables I'm returning to the success callback in there, but access them in the AJAX code via response.WHATEVER. I've tried response, fileContent, etc., trying to figure out how to reference the string that Authorize.net returns. Any more clues anyone? Thanks! Rick -Original Message- From: Rick Faircloth [mailto:r...@whitestonemedia.com] Sent: Saturday, September 22, 2012 6:05 PM To: cf-talk Subject: RE: Question about using AJAX with Authorize.net Looking at the sample CF code, which posts via CFHTTP, this is how the post response gets handled: - !--- Because coldfusion's ListToArray object ignores empty fields, we must put a space in all empty fields to make sure that they are not skipped --- cfset post_response=Replace(cfhttp.filecontent,||,| |, all) !--- the same command is run twice, because the first time it only adjusts every other empty field --- cfset post_response=Replace(post_response,||,| |, all) !--- now the ListToArray method can be used without skipping fields --- cfset response_array=ListToArray(post_response, |) !--- the results are output to the screen in the form of an html numbered list. --- cfoutput -- From that code, I get a list of all the data coming back, but I couldn't use the structure, filecontent to access any field of data. Maybe I should try filecontent[1] or something. I made the following changes, just to see if I could access the field data in the response: !--- [ ricks changes ] --- pThank you for your donation to USO Tampa Bay./p cfparam name=response_array[69] default=/ cfif len(trim(#response_array[69]#)) gt 0 pThis donation has been made in memory of #response_array[69]#./p /cfif And that works. response_array[69] is the first name of the person the donation is sent in honor of. I tried using filecontent as the structure containing all the responses, which is the first thing I see in the CF code above, cfhttp.filecontent. But that didn't work... is the filecontent part of that specific to a cfhttp post? I thought I'd mention this code before writing up a regular post to Authorize.net. Does this help figure out the structure the code is being returned in? Rick -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Saturday, September 22, 2012 5:40 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net you need to take ajax out of the loop and do a regular http post, and then look at the response that comes back, then you will see what variables they are sending you and you can then adjust your ajax code accordinly On Sat, Sep 22, 2012 at 10:22 PM, Rick Faircloth r...@whitestonemedia.comwrote: Judah... (or anyone else...) I'm running successful transactions to Authorize.net from my form using AJAX to post that data to Authorize.net. I know the transactions are successful, because I'm getting Customer Receipts (to myself) and Merchant Receipts (again to myself). However, in the success part of my AJAX code, I don't know how to access the data/response that Authorize.net is sending back. My AJAX routine processes and submits the transaction info, then displays the Processing... message and the page sits there, because I don't know how to check for the This transaction has been approved. code. I'm not sure what variable/array to check. What variable should I test to make sure the transaction was successful in the AJAX callback? The only ColdFusion documentation I could find doesn't involve AJAX and just uses CFHTTP, which I want to avoid to simply PCI compliance. (However, I will be running server-side validation of the data, including credit card numbers, to make sure one's been
RE: Question about using AJAX with Authorize.net
All that's quite beyond me, Jonah. Partly because I don't make use of the createObject() methodology, so I don't understand it very well. The other part, is, well, I just don't understand how to apply everything in the docs. I guess I'll just need to talk to Authorize.net on Monday and see if they know what I need to make this work. I just don't know how to handle the data they send back; a pipe-delimited list of all transaction information. I'm not sure what it's called. Using CFHTTP, all of that is contained in cfhttp.fileContent. With that I know how to access the data in the delimited string they return. Using jQuery AJAX to submit my form, I'm not sure what variable (like filecontent for cfhttp) it would come in so I can reference it. Does that make sense? Rick -Original Message- From: Rick Faircloth [mailto:r...@whitestonemedia.com] Sent: Sunday, September 23, 2012 12:35 AM To: cf-talk Subject: RE: Question about using AJAX with Authorize.net Thanks for the tip, Jonah... let me check it out. Rick -Original Message- From: .jonah [mailto:jonah@creori.com] Sent: Saturday, September 22, 2012 11:12 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net Wait, you're doing this in CF? Just use the cfpayment library: http://cfpayment.riaforge.org/ or the the good parts of the authorizenet.cfc by itself. On 9/22/12 7:23 PM, Rick Faircloth wrote: After running a regular form post (no AJAX, no CFHTTP), I get back all my form values in a pipe-delimited string, along with Authorize.net's approval code and other transaction info they return. The submission is a success. I get the successful email notification, etc. However, I'm still not sure how to access the pieces of that string. What kind of variable is it, if any? Do I need to assign the string to a variable, then parse it? In the typical AJAX I run, I'm sending data to a component method, and I create a Struct and store variables I'm returning to the success callback in there, but access them in the AJAX code via response.WHATEVER. I've tried response, fileContent, etc., trying to figure out how to reference the string that Authorize.net returns. Any more clues anyone? Thanks! Rick -Original Message- From: Rick Faircloth [mailto:r...@whitestonemedia.com] Sent: Saturday, September 22, 2012 6:05 PM To: cf-talk Subject: RE: Question about using AJAX with Authorize.net Looking at the sample CF code, which posts via CFHTTP, this is how the post response gets handled: - !--- Because coldfusion's ListToArray object ignores empty fields, we must put a space in all empty fields to make sure that they are not skipped --- cfset post_response=Replace(cfhttp.filecontent,||,| |, all) !--- the same command is run twice, because the first time it only adjusts every other empty field --- cfset post_response=Replace(post_response,||,| |, all) !--- now the ListToArray method can be used without skipping fields --- cfset response_array=ListToArray(post_response, |) !--- the results are output to the screen in the form of an html numbered list. --- cfoutput -- From that code, I get a list of all the data coming back, but I couldn't use the structure, filecontent to access any field of data. Maybe I should try filecontent[1] or something. I made the following changes, just to see if I could access the field data in the response: !--- [ ricks changes ] --- pThank you for your donation to USO Tampa Bay./p cfparam name=response_array[69] default=/ cfif len(trim(#response_array[69]#)) gt 0 pThis donation has been made in memory of #response_array[69]#./p /cfif And that works. response_array[69] is the first name of the person the donation is sent in honor of. I tried using filecontent as the structure containing all the responses, which is the first thing I see in the CF code above, cfhttp.filecontent. But that didn't work... is the filecontent part of that specific to a cfhttp post? I thought I'd mention this code before writing up a regular post to Authorize.net. Does this help figure out the structure the code is being returned in? Rick -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Saturday, September 22, 2012 5:40 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net you need to take ajax out of the loop and do a regular http post, and then look at the response that comes back, then you will see what variables they are sending you and you can then adjust your ajax code accordinly On Sat, Sep 22, 2012 at 10:22 PM, Rick Faircloth r...@whitestonemedia.comwrote: Judah... (or anyone else...) I'm running
Question about using AJAX with Authorize.net
I'm implementing my first donation form using Authorize.net. I've found in their fine-print that I cannot submit any personally identifiable information to their servers. We have a form which includes personally identifiable information for emailing thank-you's, etc. Therefore, I'm planning to implement an AJAX solution to intercept the formfield data that is applicable to the transaction and is required by Authorize.net and submit that via AJAX to a method in a cfc, which will send the pertinent data to Authorize.net. In the success section of the AJAX solution to Authorize.net, I'll implement a further submission of the rest of the form data (the personally identifiable information) to another method in a cfc, which will process that data for in-house (non-Authorize.net) use. (Or something similar to this process...) Any warnings, cautions, or gotcha's in this approach? Thanks for any feedback! Rick ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352656 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Question about using AJAX with Authorize.net
well it depends how you process. if you redirect to authorize.net and then come back to your site, then why not simply send your thank you email after they are redirected back to your site, this is how most folks do it. The ajax stuff seems a bit overkill. If your processing serverside, then you simply need to wait till you get the response back from your CFHTTP call. On Tue, Sep 18, 2012 at 6:40 PM, Rick Faircloth r...@whitestonemedia.comwrote: I'm implementing my first donation form using Authorize.net. I've found in their fine-print that I cannot submit any personally identifiable information to their servers. We have a form which includes personally identifiable information for emailing thank-you's, etc. Therefore, I'm planning to implement an AJAX solution to intercept the formfield data that is applicable to the transaction and is required by Authorize.net and submit that via AJAX to a method in a cfc, which will send the pertinent data to Authorize.net. In the success section of the AJAX solution to Authorize.net, I'll implement a further submission of the rest of the form data (the personally identifiable information) to another method in a cfc, which will process that data for in-house (non-Authorize.net) use. (Or something similar to this process...) Any warnings, cautions, or gotcha's in this approach? Thanks for any feedback! Rick ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352658 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: Question about using AJAX with Authorize.net
I work so much using AJAX I may not be able to see the forest for the trees. Without using AJAX and using its success callback function, how else will I send (my) thank you email after they are redirected back to (my) site ? My first thought is to use the AJAX success callback as the means by which I'll call another method to send a thank-you email, store info in the database (not cc info), etc. Is there a simpler way? Besides an AJAX submission and callback, how else will I continue processing info? Call another CFC method to further process form data from the re-direct page? And if the page that Authorize.net redirects to is a Thank-You page, then the form variables will have to be saved as session variables to further process the original form variables for emailing, database storage of info, etc correct? Rick -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Tuesday, September 18, 2012 1:48 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net well it depends how you process. if you redirect to authorize.net and then come back to your site, then why not simply send your thank you email after they are redirected back to your site, this is how most folks do it. The ajax stuff seems a bit overkill. If your processing serverside, then you simply need to wait till you get the response back from your CFHTTP call. On Tue, Sep 18, 2012 at 6:40 PM, Rick Faircloth r...@whitestonemedia.comwrote: I'm implementing my first donation form using Authorize.net. I've found in their fine-print that I cannot submit any personally identifiable information to their servers. We have a form which includes personally identifiable information for emailing thank-you's, etc. Therefore, I'm planning to implement an AJAX solution to intercept the formfield data that is applicable to the transaction and is required by Authorize.net and submit that via AJAX to a method in a cfc, which will send the pertinent data to Authorize.net. In the success section of the AJAX solution to Authorize.net, I'll implement a further submission of the rest of the form data (the personally identifiable information) to another method in a cfc, which will process that data for in-house (non-Authorize.net) use. (Or something similar to this process...) Any warnings, cautions, or gotcha's in this approach? Thanks for any feedback! Rick ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352659 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Question about using AJAX with Authorize.net
you send a unique transactionID along, which they then send back to you on the callback, which identifies the user, so you can send them the thank you email. You On Tue, Sep 18, 2012 at 7:11 PM, Rick Faircloth r...@whitestonemedia.comwrote: I work so much using AJAX I may not be able to see the forest for the trees. Without using AJAX and using its success callback function, how else will I send (my) thank you email after they are redirected back to (my) site ? My first thought is to use the AJAX success callback as the means by which I'll call another method to send a thank-you email, store info in the database (not cc info), etc. Is there a simpler way? Besides an AJAX submission and callback, how else will I continue processing info? Call another CFC method to further process form data from the re-direct page? And if the page that Authorize.net redirects to is a Thank-You page, then the form variables will have to be saved as session variables to further process the original form variables for emailing, database storage of info, etc correct? Rick -Original Message- From: Russ Michaels [mailto:r...@michaels.me.uk] Sent: Tuesday, September 18, 2012 1:48 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net well it depends how you process. if you redirect to authorize.net and then come back to your site, then why not simply send your thank you email after they are redirected back to your site, this is how most folks do it. The ajax stuff seems a bit overkill. If your processing serverside, then you simply need to wait till you get the response back from your CFHTTP call. On Tue, Sep 18, 2012 at 6:40 PM, Rick Faircloth r...@whitestonemedia.comwrote: I'm implementing my first donation form using Authorize.net. I've found in their fine-print that I cannot submit any personally identifiable information to their servers. We have a form which includes personally identifiable information for emailing thank-you's, etc. Therefore, I'm planning to implement an AJAX solution to intercept the formfield data that is applicable to the transaction and is required by Authorize.net and submit that via AJAX to a method in a cfc, which will send the pertinent data to Authorize.net. In the success section of the AJAX solution to Authorize.net, I'll implement a further submission of the rest of the form data (the personally identifiable information) to another method in a cfc, which will process that data for in-house (non-Authorize.net) use. (Or something similar to this process...) Any warnings, cautions, or gotcha's in this approach? Thanks for any feedback! Rick ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352660 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Question about using AJAX with Authorize.net
Hi Rick I use authorize.net and i can submit all sorts of personal information, name address email address etc. in the x_variable customer information. perhaps I am not sure what information you are suggesting However i do what Russ suggests, I submit the information for processing as a cfinclude in my submission form and when it is approved, use the approval to trigger my own emails from my server, both to the customer and to the fulfilment service. Rob Robert J. Voyle, Psy.D. Director, Clergy Leadership Institute For Coaching and Training in Appreciative Inquiry Author: Restoring Hope: Appreciative Strategies to Resolve Grief and Resentment http://www.appreciativeway.com/ 503-647-2378 or 503-647-2382 On 18 Sep 2012 at 13:40, Rick Faircloth wrote: I'm implementing my first donation form using Authorize.net. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352661 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Question about using AJAX with Authorize.net
You have to send Auth.net personally identifying information in order to use AVS (the address verification service), so I know they don't forbid that. Maybe it depends on the integration method you are using. Are you doing the simple integration method where you send the user to auth.net and then they come back or are you using a behind the scenes post to their api to do the auth? Judah On Tue, Sep 18, 2012 at 10:40 AM, Rick Faircloth r...@whitestonemedia.com wrote: I'm implementing my first donation form using Authorize.net. I've found in their fine-print that I cannot submit any personally identifiable information to their servers. We have a form which includes personally identifiable information for emailing thank-you's, etc. Therefore, I'm planning to implement an AJAX solution to intercept the formfield data that is applicable to the transaction and is required by Authorize.net and submit that via AJAX to a method in a cfc, which will send the pertinent data to Authorize.net. In the success section of the AJAX solution to Authorize.net, I'll implement a further submission of the rest of the form data (the personally identifiable information) to another method in a cfc, which will process that data for in-house (non-Authorize.net) use. (Or something similar to this process...) Any warnings, cautions, or gotcha's in this approach? Thanks for any feedback! Rick ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352662 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: Question about using AJAX with Authorize.net
Thanks, everyone, for the comments... Judah, I'm using the Advanced Integration Method (AIM), since I'm hosting my own form. Here's what I'm referring to in the Authorize.net info about personally identifying information: From the Advanced Integration Method docs: -- Merchant-defined data fields are not intended to and must not be used to capture personally identifying information. Accordingly, the merchant is prohibited from capturing, obtaining, and/or transmitting any personally identifying information in or by means of the merchant-defined data fields. Personally identifying information includes, but is not limited to, name, address, credit card number, social security number, driver's license number, state-issued identification number, passport number, and card verification numbers (CVV, CVC2, CVV2, CID, CVN). If Authorize.Net discovers that the merchant is capturing and/or transmitting personally identifying information by means of the merchant-defined data fields, whether or not intentionally, CyberSource will immediately suspend the merchant's account, which will result in a rejection of any and all transaction requests submitted by the merchant after the point of suspension. -- That seems clear to me, that in the AIM method, I can't use the merchant-defined x_ fields to capture any of the info mentioned above. My plan was just to send to them what they require for the processing and use the other fields from the form for the in-house emailing, thank-you's, in honor of, in memory of, etc., data. I don't think that kind of data can go through Authorize.net's server and back to me. Rick -Original Message- From: Judah McAuley [mailto:ju...@wiredotter.com] Sent: Tuesday, September 18, 2012 3:31 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net You have to send Auth.net personally identifying information in order to use AVS (the address verification service), so I know they don't forbid that. Maybe it depends on the integration method you are using. Are you doing the simple integration method where you send the user to auth.net and then they come back or are you using a behind the scenes post to their api to do the auth? Judah On Tue, Sep 18, 2012 at 10:40 AM, Rick Faircloth r...@whitestonemedia.com wrote: I'm implementing my first donation form using Authorize.net. I've found in their fine-print that I cannot submit any personally identifiable information to their servers. We have a form which includes personally identifiable information for emailing thank-you's, etc. Therefore, I'm planning to implement an AJAX solution to intercept the formfield data that is applicable to the transaction and is required by Authorize.net and submit that via AJAX to a method in a cfc, which will send the pertinent data to Authorize.net. In the success section of the AJAX solution to Authorize.net, I'll implement a further submission of the rest of the form data (the personally identifiable information) to another method in a cfc, which will process that data for in-house (non-Authorize.net) use. (Or something similar to this process...) Any warnings, cautions, or gotcha's in this approach? Thanks for any feedback! Rick ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352664 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: Question about using AJAX with Authorize.net
Ah, gotcha. The key there is definitely the merchant defined fields. They do not want you to send them personally defined information that they then post back to you (the x_ fields that you mentioned). I think you are on target with your ajax option. The other option is to post back to your server, capture the response in memory (just the Form collection), do a cfhttp post to Auth.net to do the transaction with the subset of information they need and then redirect to the receipt page (if successful) or back to the submission page if the transaction errors. This is what I've done in the past and it allows you to do the server side validation and any custom processing. The downside to this method is that it carries a higher PCI compliance because the CC details are transmitted to your server even if they are never stored anywhere other than memory. If you use Ajax calls directly from the client-side form, you can avoid some of the PCI compliance stuff because the information never hits your server. However, you would have to include the transaction key and password in your client-side form at that point which makes that information publicly available. Off the top of my head, the only thing I can think of that that would do is make it so that other people could charge credit cards and give you money from them but there may be other attack vectors that aren't obvious to me right away. If you bypassed client-side validation, maybe you could charge a negative number and refund money to the card? Probably not, but it would warrant investigation at the very least. I would also think that the fact that the client side would be doing the HTTP call would mean that you could set up a Hosts file entry for the Auth.net gateway and provide a reply on the client side that said it was successful and then your page would submit back to you assuming that the call was successful and therefore allow them to fake a transaction. I don't know if that is important in your situation or not, but fundamentally, I do no trust validation that is only performed on a machine I do not control. Cheers, Judah On Tue, Sep 18, 2012 at 2:25 PM, Rick Faircloth r...@whitestonemedia.com wrote: Thanks, everyone, for the comments... Judah, I'm using the Advanced Integration Method (AIM), since I'm hosting my own form. Here's what I'm referring to in the Authorize.net info about personally identifying information: From the Advanced Integration Method docs: -- Merchant-defined data fields are not intended to and must not be used to capture personally identifying information. Accordingly, the merchant is prohibited from capturing, obtaining, and/or transmitting any personally identifying information in or by means of the merchant-defined data fields. Personally identifying information includes, but is not limited to, name, address, credit card number, social security number, driver's license number, state-issued identification number, passport number, and card verification numbers (CVV, CVC2, CVV2, CID, CVN). If Authorize.Net discovers that the merchant is capturing and/or transmitting personally identifying information by means of the merchant-defined data fields, whether or not intentionally, CyberSource will immediately suspend the merchant's account, which will result in a rejection of any and all transaction requests submitted by the merchant after the point of suspension. -- That seems clear to me, that in the AIM method, I can't use the merchant-defined x_ fields to capture any of the info mentioned above. My plan was just to send to them what they require for the processing and use the other fields from the form for the in-house emailing, thank-you's, in honor of, in memory of, etc., data. I don't think that kind of data can go through Authorize.net's server and back to me. Rick -Original Message- From: Judah McAuley [mailto:ju...@wiredotter.com] Sent: Tuesday, September 18, 2012 3:31 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net You have to send Auth.net personally identifying information in order to use AVS (the address verification service), so I know they don't forbid that. Maybe it depends on the integration method you are using. Are you doing the simple integration method where you send the user to auth.net and then they come back or are you using a behind the scenes post to their api to do the auth? Judah On Tue, Sep 18, 2012 at 10:40 AM, Rick Faircloth r...@whitestonemedia.com wrote: I'm implementing my first donation form using Authorize.net. I've found in their fine-print that I cannot submit any personally identifiable information to their servers. We have a form which includes personally identifiable information for emailing thank-you's, etc. Therefore, I'm planning to implement
Re: Question about using AJAX with Authorize.net
Hi rick I take this to mean anything downstream of their portal, but surely anything upstream on your server and your form is yours. If you do have any concerns I would call authorize.Net tech support. I have found them to be very helpful. rob Robert J. Voyle, Psy.D. Director, Clergy Leadership Institute For Coaching and Training in Appreciative Inquiry Author: Restoring Hope: Appreciative Strategies to Resolve Grief and Resentment http://www.appreciativeway.com/ 503-647-2378 or 503-647-2382 On 18 Sep 2012 at 17:25, Rick Faircloth wrote: From the Advanced Integration Method docs: Merchant-defined data fields are not intended to and must not be used to capture personally identifying information. Accordingly, the merchant is prohibited from capturing, obtaining, and/or transmitting any personally identifying information in or by means of the merchant-defined data fields. Personally identifying information includes, but is not limited to, name, address, credit card number, social security number, driver's license number, state-issued identification number, passport number, and card verification numbers (CVV, CVC2, CVV2, CID, CVN). If Authorize.Net discovers that the merchant is capturing and/or transmitting personally identifying information by means of the merchant-defined data fields, whether or not intentionally, CyberSource will immediately suspend the merchant's account, which will result in a rejection of any and all transaction requests submitted by the merchant after the point of suspension. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352666 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: Question about using AJAX with Authorize.net
Thanks for the perspective, Juday... My plan is to run client-side validation via Javascript when info is being entered into the form, then validate with CF in a cfc method once the form passes Javascript validation and return any errors that CF picks up. Usually, there aren't any CF errors if JS didn't find any in the form data, since I program CF to validate the same way the JS does. You mentioned the transaction key and password. I'll provide that data in the JS processing and assign the values there before submitting the data via AJAX. Would that be secure? Rick -Original Message- From: Judah McAuley [mailto:ju...@wiredotter.com] Sent: Tuesday, September 18, 2012 5:54 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net Ah, gotcha. The key there is definitely the merchant defined fields. They do not want you to send them personally defined information that they then post back to you (the x_ fields that you mentioned). I think you are on target with your ajax option. The other option is to post back to your server, capture the response in memory (just the Form collection), do a cfhttp post to Auth.net to do the transaction with the subset of information they need and then redirect to the receipt page (if successful) or back to the submission page if the transaction errors. This is what I've done in the past and it allows you to do the server side validation and any custom processing. The downside to this method is that it carries a higher PCI compliance because the CC details are transmitted to your server even if they are never stored anywhere other than memory. If you use Ajax calls directly from the client-side form, you can avoid some of the PCI compliance stuff because the information never hits your server. However, you would have to include the transaction key and password in your client-side form at that point which makes that information publicly available. Off the top of my head, the only thing I can think of that that would do is make it so that other people could charge credit cards and give you money from them but there may be other attack vectors that aren't obvious to me right away. If you bypassed client-side validation, maybe you could charge a negative number and refund money to the card? Probably not, but it would warrant investigation at the very least. I would also think that the fact that the client side would be doing the HTTP call would mean that you could set up a Hosts file entry for the Auth.net gateway and provide a reply on the client side that said it was successful and then your page would submit back to you assuming that the call was successful and therefore allow them to fake a transaction. I don't know if that is important in your situation or not, but fundamentally, I do no trust validation that is only performed on a machine I do not control. Cheers, Judah On Tue, Sep 18, 2012 at 2:25 PM, Rick Faircloth r...@whitestonemedia.com wrote: Thanks, everyone, for the comments... Judah, I'm using the Advanced Integration Method (AIM), since I'm hosting my own form. Here's what I'm referring to in the Authorize.net info about personally identifying information: From the Advanced Integration Method docs: -- Merchant-defined data fields are not intended to and must not be used to capture personally identifying information. Accordingly, the merchant is prohibited from capturing, obtaining, and/or transmitting any personally identifying information in or by means of the merchant-defined data fields. Personally identifying information includes, but is not limited to, name, address, credit card number, social security number, driver's license number, state-issued identification number, passport number, and card verification numbers (CVV, CVC2, CVV2, CID, CVN). If Authorize.Net discovers that the merchant is capturing and/or transmitting personally identifying information by means of the merchant-defined data fields, whether or not intentionally, CyberSource will immediately suspend the merchant's account, which will result in a rejection of any and all transaction requests submitted by the merchant after the point of suspension. -- That seems clear to me, that in the AIM method, I can't use the merchant-defined x_ fields to capture any of the info mentioned above. My plan was just to send to them what they require for the processing and use the other fields from the form for the in-house emailing, thank-you's, in honor of, in memory of, etc., data. I don't think that kind of data can go through Authorize.net's server and back to me. Rick -Original Message- From: Judah McAuley [mailto:ju...@wiredotter.com] Sent: Tuesday, September 18, 2012 3:31 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net You have to send Auth.net
RE: Question about using AJAX with Authorize.net
Thanks, Rob... I'll do that once I have the application running fully in their sandbox testing area. Hopefully, they can pick up any flaws. This donation form is for a large organization and I would hate to cause any security problems and compromise the system or donors' info. Rick -Original Message- From: Rob Voyle [mailto:robvo...@voyle.com] Sent: Tuesday, September 18, 2012 6:35 PM To: cf-talk Subject: Re: Question about using AJAX with Authorize.net Hi rick I take this to mean anything downstream of their portal, but surely anything upstream on your server and your form is yours. If you do have any concerns I would call authorize.Net tech support. I have found them to be very helpful. rob Robert J. Voyle, Psy.D. Director, Clergy Leadership Institute For Coaching and Training in Appreciative Inquiry Author: Restoring Hope: Appreciative Strategies to Resolve Grief and Resentment http://www.appreciativeway.com/ 503-647-2378 or 503-647-2382 On 18 Sep 2012 at 17:25, Rick Faircloth wrote: From the Advanced Integration Method docs: Merchant-defined data fields are not intended to and must not be used to capture personally identifying information. Accordingly, the merchant is prohibited from capturing, obtaining, and/or transmitting any personally identifying information in or by means of the merchant-defined data fields. Personally identifying information includes, but is not limited to, name, address, credit card number, social security number, driver's license number, state-issued identification number, passport number, and card verification numbers (CVV, CVC2, CVV2, CID, CVN). If Authorize.Net discovers that the merchant is capturing and/or transmitting personally identifying information by means of the merchant-defined data fields, whether or not intentionally, CyberSource will immediately suspend the merchant's account, which will result in a rejection of any and all transaction requests submitted by the merchant after the point of suspension. ~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:352668 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
