5

I'm trying to integrate into SagePay using PHP and the Protocol documents. However I seem to be having a problem with the MD5 hash!

Everything up to the point where we receive the notification POST is fine. However when we go to verify the signature it doesn't match the one in the notification POST??? Yet I have followed the document to the letter and quadruple checked everything. As well as changing things outside the scope of the document thinking there might be a typo etc..???? Any help much appreciated!!!

A2: Acknowledged response on first POST.

3.00,OK,2014 : The Transaction was Registered Successfully.,{4483C552-6078-6D1C-E37C-294B89DB1DCA},O9WQNAKEHJ,<https://test.sagepay.com/gateway/service/cardselection?vpstxid={4483C552-6078-6D1C-E37C-294B89DB1DCA}>

A3: Notification POST to callback.

VPSProtocol,TxType,VendorTxCode,VPSTxId,Status,StatusDetail,TxAuthNo,AVSCV2,AddressResult,PostCodeResult,CV2Result,GiftAid,3DSecureStatus,CAVV,CardType,Last4Digits,VPSSignature,DeclineCode,ExpiryDate,BankAuthCode

3.00,DEFERRED,m-5367c2da33a72,{4483C552-6078-6D1C-E37C-294B89DB1DCA},OK,0000 : The Authorisation was Successful.,6953629,SECURITY CODE MATCH ONLY,NOTMATCHED,NOTMATCHED,MATCHED,0,OK,AAABARR5kwAAAAAAAAAAAAAAAAA=,VISA,0006,CB2EFFBC5A872B26DA0AA50F85DD1FEA,00,0115,999777

I build the string based on this:

    $string = $this->getSagePayTxID()
    .$this->getVendorTxCode()
    .$this->getSagePayStatus()
    .$this->getTxAuthNo()
    .SAGEPAY_VENDOR
    .$this->getAVSCV2()
    .$this->getSecurityKey()
    .$this->getAddressResult()
    .$this->getPostCodeResult()
    .$this->getCV2Result()
    .$this->getGiftAid()
    .$this->get3DSecureStatus()
    .$this->getCAVV()
    .$this->getCardType()
    .$this->getLast4Digits()
    .$this->getDeclineCode()
    .$this->getExpiryDate()
    .$this->getFraudResponse()
    .$this->getBankAuthCode();

    if($signature == strtoupper(md5($string)))
    {
        return TRUE;
    }
    else
    {
        return FALSE;    
    }

The string produced is this:

{4483C552-6078-6D1C-E37C-294B89DB1DCA}m-5367c2da33a72OK6953629atbristolltdSECURITY CODE MATCH ONLYO9WQNAKEHJNOTMATCHEDNOTMATCHEDMATCHED0OKAAABARR5kwAAAAAAAAAAAAAAAAA=VISA0006000115999777

Thanks for any help!!!

Mako77
  • 85
  • 8
  • Have you made sure that (1) the vendor name is in lower case and (2) that you are url decoding the data returned from SagePay, eg 'ALL+MATCH' should be included in the string as 'ALL MATCH' (3)any curly braces are removed before the string is hashed# – dav83 May 07 '14 at 14:12

2 Answers2

3

The string you build doesn't seem to match the documentation, which states:

MD5 signature of the concatenation of the values of: VPSTxId + VendorTxCode + Status + TxAuthNo + VendorName+ AVSCV2 + SecurityKey + AddressResult + PostCodeResult + CV2Result + GiftAid + 3DSecureStatus + CAVV + AddressStatus + PayerStatus + CardType + Last4Digits + DeclineCode + ExpiryDate + FraudResponse + BankAuthCode.

NOTE: MD5 value is returned in UPPER CASE.

Please ensure the VendorName is LOWER CASE prior to hashing. Use urldecode to reverse the urlencoding you received from Sagepay If a field is returned without a value this should not be be checked against the string

Compare the fields after CAVV with your fields. Yours seems to be missing the AddressStatus and PayerStatus.

Also, I don't think @dav83's number (3) in his comment is correct. In my code where it's working correctly, my VPSTxId does contain the curly braces (just like in your example).

Dan
  • 5,692
  • 3
  • 35
  • 66
  • AddressStatus and PayerStatus are only returned if using PayPal and the documentation states that if a field does not have any value it should not be included in validating the signature. I know I'm a little bit late to this, but experiencing a similar issue – jpmcc Sep 03 '15 at 11:40
2

This was in fact due to URL encoding in the end.

The 'html_entity_decode' was required for the VPSTxId. The POST needs to be urlencode and the response needs to be urldecode.

Mako77
  • 85
  • 8