Jason (Lead Developer)

Thanks for the heads up on this thread.

It is also possible to accomplish this with an s2Member Shortcode.

<a href="&#91;&#91;s2Member-PayPal-Button ... output="url" /&#93;&#93;">click here</a>

For documentation on the output="" shortcode attribute, please see:
Dashboard -› s2Member® -› PayPal® Buttons -› Shortcode Attributes (Explained)

Thanks for the follow-ups.

Was your test done through PayPal Pro form, or just express?

It was through a Pro Form, using the PayPal Express Checkout option. My successful test transaction is recorded on your site, inside this log file: /wp-content/plugins/s2member-logs/paypal-payflow-api.log. Just search for my name in that log file to locate the log related entries.

I can create a express button and it works fine. Although it does direct to the page /create afterwards which doesn’t exist (can I change that if I need to setup a backup payment?)

Using a “Button” only integration, s2Member will redirect the customer to your registration form after completing checkout at PayPal. If you have BuddyPress installed, your registration page is /create instead of /wp-login.php?action=register, because BuddyPress introduces it’s own registration system (which IS compatible with s2Member by the way).

NOTE: PayPal Buttons are not the same as Express Checkout. Buttons integrate with “PayPal Standard”, whereas Pro Forms integrate with “PayPal Pro”, in your case you’re integrating with “PayPal Pro (Payflow Edition)”.

s2Member makes a PayPal option available in it’s Pro Form integration with PayPal Pro. It’s that specific PayPal option (on a Pro Form), that uses PayPal Express Checkout.

One thing the technician mentioned was something about my $1 transaction being recorded as a $1, but then $0 gets sent to PayPal as a request, if that makes any sense..

The only thing comes to mind, is s2Member’s initial Set Express Checkout API call to PayPal, where we’re setting up a Billing Agreement, and we set AMT=0.00, as documented here: https://www.x.com/developers/paypal/documentation-tools/api/setexpresscheckout-api-operation-nvp

This is also documented in the PayPal Pro (Payflow Edition) API docs.

Thanks for the follow-up.

I am using a PayPal hosted button because the ones created by s2Member put in about 4 inches of blank space ahead of them and cannot be fixed. I have spent hours working on that to no avail. Using the PayPal hosted buttons is the only option I have gotten to work with my site. How is it that the PayPal button strips out code from the Return URL? Really, the button can do that?

Yes, this is the issue. No, a PayPal-hosted button DOES have some limitations.

Please see my response here for details about these limitations. Actually, just one.
http://www.s2member.com/forums/topic/shareasale-not-tracking-sales/#post-36675

Please let us know if problems persist. Thanks!

Thanks for your patience.

Yes, s2Member will handle IPNs sent from PayPal in response to a failed eCheck payment. If this is not working on your installation, let’s begin by taking a quick look at your IPN log files. Please submit those privately through this form: s2Member® » Private Contact Form

It’s common for an eCheck to pass s2Member initially, even if it’s in a PENDING state while you’re waiting to see if the check clears. s2Member will grant the customer immediate access and hope for the best. Short of making an online member wait 4-7 days before we grant them access, that’s all we can do :-) It works best on most sites.

In the event the eCheck fails to clear, the customer will lose access, and PayPal sends the customer a notification about their eCheck having failed to clear against the transaction on your site.

Again, if this is not working properly for you (i.e. customer access is NOT being terminated when you expect they would be), we’ll be happy to review your log files and provide you with an explanation, or a solution.

Unable to reproduce this in Firefox. I’ve tested in these browsers so far.

Chrome v 23.0.1271.97 m
Firefox v 17.0.1
Firefox v 18.0
IE 8
IE 9

Has anyone else (Eduan?), been able to reproduce this yet? If so, in what browser please, and which version? Also, specifically which Payment Button are you creating when this occurs? Have you been able to reproduce this in a clean installation of WordPress with no other plugins active; running the default theme?

Is your browser running any extensions / add-ons? Does disabling those correct the issue?

@ Chris Frishe

Thanks for reporting this important issue. I’m not aware of any limitations in this regard, so I would like to see this problem, as it occurs on your installation; so we can provide you with a resolution. Please submit a Dashboard login and FTP access privately using this form: s2Member® » Private Contact Form

Thanks for your patience.

I’ve just completed a review of this thread. Here are my findings.

1. Your ShareASale Tracking Code looks good to me.
2. It sounds like you’ve properly implemented this in the s2Member -> API Tracking -> Signup Tracking section.

Problems…

3. It looks like your Return-Page URL is missing a vital piece of information. You posted this:

http://immbn.com/?s2member_paypal_return=1&tx=4BB30522VR234030W&st=Completed&amt=1.00&cc=USD&cm=immbn%2ecom&item_number=&sig=c0L4mQ5nfzMx5yKllBJOkezFX%2fI2Ctx%2fCtluuBLwJwaFDJyS306%2bLxk5PDXaGCoBvJWuhAn%2bxXrwvDT75n9cEAIlAlEh9kJDh5BVl3OZa6DcHzJwadnrWylt9l%2f7yBo6PnDIW41wBVVqXa%2fzTjUyezxYa2oQygG3t2kZw%2fdZCoI%3d

This URL should include the s2member_paypal_return_tra variable, but it is missing.

4. As a result of the missing Return-Page variable (s2member_paypal_return_tra), your log file is missing an entry which states that s2Member has processed your Signup Tracking Codes. What you should have in the logs, is something like this.

5 => ‘Registration Cookies set on ( `web_accept|subscr_signup|subscr_payment` ) w/o update vars.’,
6 => ‘Transient Tracking Cookie set on ( `web_accept|subscr_signup|subscr_payment` ) w/o update vars.’,
>>> 7 => 'Storing Signup Tracking Codes into a Transient Queue. These will be processed on-site.',
8 => ‘Redirecting Customer to Registration Page. They need to Register now.’,

1. You’ve NOT used the s2Member Shortcode, and instead you’ve used the full PayPal Button Code in raw HTML, or a PayPal-hosted button? We recommend that you integrate with s2Member Shortcodes for the best compatibility across all features made possible by s2Member.

See: Dashboard -› s2Member® -› PayPal® Buttons -› Membership Level # Buttons

2. Your Shortcode is being modified by a custom hack file, or another plugin that is attempting to integrate with s2Member?

NOTE: If you’re attempting to build the PayPal Button via PHP code, we recommend using the do_shortcode() function provided by WordPress. Here is an example:

<?php echo do_shortcode('&#91;&#91;s2Member-PayPal-Button ... attributes go here of course... /&#93;&#93;'); ?>

Please let us know if problems persist. Thank you!

Thanks for the follow-up.

It uses $_SERVER[“REQUEST_URI”] in raw form to echo it out in HTML (into an field and into a link).

The value of $_SERVER variables can’t be trusted, as it can be tampered by the end user.

This is why the WP core uses the esc_url() function whenever WP needs to use REQUEST_URI.
You’re using esc_attr instead, which doesn’t seem to provide enough URL cleaning, and thus open this input for XSS

Just to clarify… s2Member is not using this variable $_SERVER["REQUEST_URI"] in raw form for display, we’re wrapping it with esc_attr(), which sanitizes this variable for display in any HTML attribute, by removing these potentially harmful characters. Thus, preventing the possibility of XSS where this data is concerned.

I understand your desire to follow WordPress standards to the letter on this, by using the specific esc_url() function. However, I’m not aware of any vulnerability arising from our use of esc_attr().

This is a multipurpose function that will sanitize ANY HTML attribute, regardless of what one might consider the value to be going into a sanitation routine for an attribute. The esc_url() function does provide some additional options for controlling invalid protocols, but in terms of XSS, it’s not doing anything more than esc_attr() already accomplishes. An attribute, is an attribute, and an attribute should always be cleaned before display, regardless of what data we might expect it to contain. The esc_attr() function prevents XSS.

All of that being said, I appreciate you bringing this up. We’ll certainly make an effort to fully conform with WordPress standards by applying esc_url() when working with $_SERVER['REQUEST_URI']. I’m adding this to our list now, so we can have this updated for the next maintenance release. For the sake of conformity, I agree this should be implemented if at all possible.

Please let us know if anything else comes up. We’ll be happy to review it with you.

Related issue at X.com PayPal forums. Posting this as a reference only.

The only concern I now have is that those user fields are needed on the mailchimp side as well, so we need to be sure the custom fields are updated before any calls to the mailchimp api. I presume things would happen in the right order, but do you know for sure if ws_plugin__s2member_during_configure_user_registration_front_side is called before ws_plugin__s2member_mailchimp_merge_array? In general, is there an easy way to know in what order these filters are applied?

The code sample and registration Hook I provided (ws_plugin__s2member_during_configure_user_registration_front_side) will accomplish that for you, as it DOES come before s2Member’s call to the MailChimp API. For future reference, it’s really a good idea to search the s2Member source code for the Hooks/Filters you’re using, and analyze the code itself. There are simply too many Hooks/Filters available, to try and document each of these and provide an execution order. Inspecting the code, even just briefly, should give you a better understanding in most cases. I recommend Advanced Find/Replace. Or if you have an editor like Dreamweaver, or something that provides a directory/file search, that would work for you.

PS – off topic: I can’t find the tag to put those filter names in ‘code hilite inline’ format as you did – the code tags always create a block for me – is there a trick? Tx!

We work with a slightly different set of tools than our customer’s do here. However, you can accomplish something similar using <tt>my inline code</tt>. You won’t get the syntax hiliting this way, but it’s better than nothing :-) In the future I’ll see if we can improve upon this for everyone. You can get syntax hiliting in code blocks, but our customers can’t do syntax hiliting inline yet.

~ Test with inline code sample using a tt tag. Customers can do this.

Thanks for the heads up on this thread.

I was unable to reproduce this. Can one of you please take a look at the screenshot below, or provide me with a list of specific instructions about how to reproduce this? Which browser and version also please.