modules/uc_protx_vsp_direct/uc_protx_vsp_direct.module

<?php
// $Id: uc_protx_vsp_direct.module,v 1.1.2.10 2009/05/11 14:05:55 longwave Exp $

/**
 * @file
 * Protx VSP Direct payment gateway module for Ubercart.
 *
 * Developed by solarian (http://drupal.org/user/166738).
 * Incorporating suggestions from hanoii (http://drupal.org/user/23157).
 * Implementing v2.23 of the VSP Direct Protocol.
 * http://www.sagepay.com/documents/sagepayDirectProtocolandIntegrationGuideline.pdf
 *
 * Note: Originally the Protx interface was called the "Verified Payment System"
 * and was referred to by the acronym "VPS", but now it's called "Veri-Secure Payment"
 * and therefore has a different acronym, "VSP".
 * Data fields and URLs, however, still partly use the "VPS" acronym.
 *
 * This software is licenced under the GPLv2.
 *
 */

define('UC_PROTX_VSP_DIRECT_PROTOCOL_VERSION', '2.23');

function _uc_protx_vsp_direct_comments_to_protx($order_id) {
  $comments = uc_order_comments_load($order_id, TRUE);

  if (is_array($comments)) {
    foreach ( $comments  as $comment ) {
      $subpatterns = array();
      preg_match('/VendorTxCode: (.*)/', $comment->message, $subpatterns);
      if ( $subpatterns[1] ) {
        $protx['vendortxcode'] = $subpatterns[1];
      }
      $subpatterns = array();
      preg_match('/VPSTxId: (.*)/', $comment->message, $subpatterns);
      if ( $subpatterns[1] ) {
        $protx['vpstxid'] = $subpatterns[1];
      }

      $subpatterns = array();
      preg_match('/SecurityKey: (.*)/', $comment->message, $subpatterns);
      if ( $subpatterns[1] ) {
        $protx['securitykey'] = $subpatterns[1];
      }

      $subpatterns = array();
      $str = t('Transaction authenticated');
      preg_match("/$str/", $comment->message, $subpatterns);
      if ( $subpatterns[0] ) {
        $protx['authenticated'] = TRUE;
      }

      $subpatterns = array();
      $str = t('Transaction authorized');
      preg_match("/$str/", $comment->message, $subpatterns);
      if ( $subpatterns[0] ) {
        $protx['authorized'] = TRUE;
      }
    }
  }

  //print_r($protx);
  return $protx;
}

/*******************************************************************************
 * Hook Functions (Drupal)
 ******************************************************************************/

/**
 * Implementation of hook_menu().
 */
function uc_protx_vsp_direct_menu($may_cache) {
  $items = array();

  // add css
  if (!$may_cache) {
    drupal_add_css(drupal_get_path('module', 'uc_protx_vsp_direct') .'/uc_protx_vsp_direct.css', 'module', 'all', FALSE);
  }

  if ($may_cache) {
    $items[] = array(
      'path' => 'uc_protx_vsp_direct/3DSecure',
      'callback' => 'uc_protx_vsp_direct_3DSecure',
      'access' => TRUE,
      'type' => MENU_CALLBACK,
    );
    $items[] = array(
      'path' => 'uc_protx_vsp_direct/3DSecure_callback',
      'callback' => 'uc_protx_vsp_direct_3DSecure_callback',
      'access' => TRUE,
      'type' => MENU_CALLBACK,
    );
    $items[] = array(
      'path' => 'uc_protx_vsp_direct/3DSecure_waitingPage',
      'callback' => 'uc_protx_vsp_direct_3DSecure_waitingPage',
      'access' => TRUE,
      'type' => MENU_CALLBACK,
    );
    $items[] = array(
      'path' => 'uc_protx_vsp_direct/3DSecure_complete',
      'callback' => 'uc_protx_vsp_direct_3DSecure_complete',
      'access' => TRUE,
      'type' => MENU_CALLBACK,
    );
  }
  else {
    if (is_numeric(arg(3))) {
      $items[] = array(
        'path' => 'admin/store/orders/'. arg(3) .'/uc_protx_vsp_direct_auth',
        'title' => t('Protx authorization terminal: Order @order_id', array('@order_id' => arg(3))),
        'description' => t('Authorize apayment for order @order_id.', array('@order_id' => arg(3))),
        'callback' => 'uc_protx_vsp_direct_auth_page',
        'callback arguments' => array(arg(3)),
        'access' => user_access('authorize credit cards'),
        'type' => MENU_CALLBACK
      );
    }
  }

  return $items;
}


/**
 * Implementation of hook_form_alter().
 */
function uc_protx_vsp_direct_form_alter($form_id, &$form) { // This just adds the Protx logo.
  if ($form_id == 'uc_payment_gateways_form' && isset($form['uc_pg_protx_vsp_direct']['uc_pg_protx_vsp_direct_enabled']['#title'])) {
    $form['uc_pg_protx_vsp_direct']['uc_pg_protx_vsp_direct_enabled']['#title'] .= '<img src="'. base_path() . drupal_get_path('module', 'uc_protx_vsp_direct') .'/img/protxtrans150_75.gif" alt="" id="uc_protx_vsp_direct_protx" />';
  }
}

/*******************************************************************************
 * Hook Functions (Ubercart)
 ******************************************************************************/

function uc_protx_vsp_direct_payment_gateway() {

  $gateways[] = array(
    'id' => 'protx_vsp_direct',
    'title' => t('Protx VSP Direct'),
    'description' => t('Process credit card payments using Protx VSP Direct.'),
    'settings' => 'uc_protx_vsp_direct_settings_form',
    'credit' => 'uc_protx_vsp_direct_charge',
  );

  return $gateways;
}

/**
 * Implementation of hook_store_status().
 */
function uc_protx_vsp_direct_store_status() {
  // Throw up an error row if encryption has not been setup yet.
  $vendor = variable_get('uc_protx_vsp_direct_vendor', '');
  if ($vendor) {
    $statuses[] = array(
      'status' => 'ok',
      'title' => t('Protx Vendor mame'),
      'desc' => t('You have properly set a vendor name for protx: %vendor.', array('%vendor' => $vendor)),
    );
  }
  else {
    $statuses[] = array(
      'status' => 'error',
      'title' => t('Protx Vendor mame'),
      'desc' => t('Protx VSP Direct module has not been configured yet. Please configure its settings from the !settings, under the Protx VPS Direct collapsed box.', array('!settings' => l(t('Payment gateways section of Ubercart'), 'admin/store/settings/payment/edit/gateways'))),
    );
  }

  $server = variable_get('uc_protx_vsp_direct_server', 2);
  if ($server < 2) {
    $statuses[] = array(
      'status' => 'warning',
      'title' => t('Protx Server'),
      'desc' => t('Protx VSP Direct is not configured to use the Live server. No real transaction will be processed. You can change it in the !settings, under the Protx VPS Direct collapsed box. (Currently set to %server)', array('!settings' => l(t('Payment gateways section of Ubercart'), 'admin/store/settings/payment/edit/gateways'), '%server' => $server == 1 ? t('Test server') : t('VSP Simulator'))),
    );
  }
  else {
    $statuses[] = array(
      'status' => 'ok',
      'title' => t('Protx Server'),
      'desc' => t('Protx VSP Direct is configured to use the Live server. Transactions will be processed normally.'),
    );
  }

  return $statuses;
}

/*******************************************************************************
 * Callback Functions, Forms, and Tables
 ******************************************************************************/

/**
 * Callback for payment gateway settings.
 */
function uc_protx_vsp_direct_settings_form() {

  if (!extension_loaded('curl')) {
    drupal_set_message(t('The Protx VSP Direct payment gateway requires the cURL PHP extension to be loaded.'), 'error');
  }

  if (variable_get('uc_credit_validate_numbers', FALSE)) {
    drupal_set_message(t('Message from Protx_VSP_Direct module: Credit card number validation is broken in Ubercart 1.0.  You are advised to turn it off in "Payment Methods->Credit card settings"'), 'error');
  }

  $form['uc_protx_vsp_direct_vendor'] = array(
    '#type' => 'textfield',
    '#title' => t('Vendor Login Name'),
    '#default_value' => variable_get('uc_protx_vsp_direct_vendor', ''),
    '#description' => t(''),
    '#size' => 15,
    '#maxlength' => 15,
  );

  $form['uc_protx_vsp_direct_server'] = array(
    '#type' => 'radios',
    '#title' => t('Protx Server'),
    '#options' => array(t('VSP Simulator'), t('Test Server'), t('Live System')),
    '#default_value' => variable_get('uc_protx_vsp_direct_server', 2),
    '#description' => t(''),
  );

  $options = array();
  $options['PAYMENT'] = t('PAYMENT');
  $options['AUTHENTICATE'] = t('AUTHENTICATE');
  $form['uc_protx_vsp_direct_transaction'] = array(
    '#type' => 'radios',
    '#title' => t('Transaction type'),
    '#options' => $options,
    '#default_value' => variable_get('uc_protx_vsp_direct_transaction', 'PAYMENT'),
    '#description' => t('Select what type of transaction type should be used when sending the payment to the protx server. So far just PAYMENT and AUTHENTICATE are supported and DEFERRED is currently missing. In case of choosing AUTHENTICATE, authorization of the card should be done manually using the protx server.'),
  );

  $form['uc_protx_vsp_direct_iframe'] = array(
    '#type' => 'checkbox',
    '#title' => t('Use inline frames for 3D-Secure'),
    '#default_value' => variable_get('uc_protx_vsp_direct_iframe', 1),
    '#description' => t("<strong>For 3D-Secure transactions only.</strong>  Using an inline frame allows the transaction to appear as if it's all taking place at this store, but it's not W3C standards compliant if you're using the normal (for Drupal) XHTML Strict Document Type Declaration.  However, this is not really a problem in practice, or you can change your theme's DTD (e.g., to a Frameset DTD) if you prefer.  If this setting is turned off, it will be obvious to the user that he is being redirected to a different server to complete the transaction, rather like Protx VSP Form."),
  );

  $form['uc_protx_vsp_direct_send_extra'] = array(
    '#type' => 'checkbox',
    '#title' => t('Send additional transaction data'),
    '#default_value' => variable_get('uc_protx_vsp_direct_send_extra', 0),
    '#description' => t('Protx offer to store extra info such as the customer&rsquo;s personal info and delivery address, the contents of their order and their IP address.  Some of this information is used for fraud screening purposes.'),
  );

  $form['uc_protx_vsp_direct_info_cards'] = array(
    '#type' => 'markup',
    '#value' => theme('uc_protx_vsp_direct_cards'),
  );

  $form['#validate'] = array('uc_protx_vsp_direct_settings_validate' => Array());
  return $form;
}


function uc_protx_vsp_direct_settings_validate($form_values) {
  $field = 'uc_protx_vsp_direct_vendor';
  $vendor = strlen($form_values[$field]['#post'][$field]);
  if ($vendor==0 || $vendor>15) {
    form_set_error($field, t('Please enter a valid Vendor Login Name.'));
  }
}


/*******************************************************************************
 * Module and Helper Functions
 ******************************************************************************/
function uc_protx_vsp_direct_charge($order_id, $amount, $data) {

  if (!extension_loaded('curl')) {
    drupal_set_message(t('The Protx VSP Direct payment gateway requires the cURL PHP extension to be loaded.'), 'error');
  }

  global $user;
  $order = uc_order_load($order_id);
  $result = array(
    'success' => FALSE,
    'comment' => '', // For uc_payment_receipts if success == TRUE
    'message' => '', // For watchdog() if success == FALSE; sent to drupal_set_message() if not default payment gateway
    'uid' => $user->uid,
  );
  $data['Vendor'] = variable_get('uc_protx_vsp_direct_vendor', '');
  if ($data['Vendor']=='' || strlen($data['Vendor'])>15) {
    $result['message'] = t('Invalid Vendor Login Name.  Authorization Request could not be sent.');
    return $result;
  }

  // ----------------------------------------
  // Set HTTPS URL
  $url = uc_protx_vsp_direct_url('registration', variable_get('uc_protx_vsp_direct_server', 2));
  // ----------------------------------------

  // ----------------------------------------
  // Validate Card Type data from select list.
  // 'VISA', 'MC', 'DELTA', 'SOLO', 'MAESTRO', 'UKE', 'AMEX', 'DC' or 'JCB'
  $searches = array(
    '`.*?delta.*`i' => 'DELTA',// Visa Delta needs to take precedence in this list over ordinary Visa
    '`.*?electron.*`i' => 'UKE', // Visa Electron needs to take precedence in this list over ordinary Visa
    '`.*?visa.*`i' => 'VISA',
    '`.*?master[ ]*card.*`i' => 'MC',
    '`.*?solo.*`i' => 'SOLO',
    '`.*?(maestro|switch).*`i' => 'MAESTRO',
    '`.*?(amex|american[ ]*express).*`i' => 'AMEX',
    '`.*?diner.*`i' => 'DC',
    '`.*?jcb.*`i' => 'JCB',
  );

  $data['CardType'] = '';
  foreach ($searches as $pattern => $replace) {
    if (preg_match($pattern, $order->payment_details['cc_type'])) {
      $data['CardType'] = $replace;
      break;
    }
  }
  if ($data['CardType'] == '') {
    $result['message'] = t('Cannot find card type "%CardType".', array('%CardType' => $order->payment_details['cc_type']));
    return $result;
  }
  // ----------------------------------------


  // ----------------------------------------
  // Build the basic set of data for this transaction.
  $max = 0;
  foreach ($order->products as $product) {  // The 100-character description perhaps ought to consist of the most expensive item.
    if (  ($product->price * $product->qty) > $max  ) {
      $data['description'] = $product->title;
    }
    $max = max($max, $product->price);
  }
  if (count($order->products)>1) {
    $appendix .= ' [etc.] - '. count($order->products) .' products';
  }
  $data['description'] = substr($data['description'], 0, 100-strlen($appendix)) . $appendix;

  // We must do a basic sanity check on the card number because Credit Card module might not do any at all (as of Ubercart RC5).
  if (!ctype_digit($order->payment_details['cc_number'])) {
    $result['message'] = t('Invalid card number.');
    return $result;
  }

  $delivery_country = uc_get_country_data(array('country_id' => $order->delivery_country));
  $billing_country = uc_get_country_data(array('country_id' => $order->billing_country));

  $transaction = array(
    'VPSProtocol' => UC_PROTX_VSP_DIRECT_PROTOCOL_VERSION,
    'TxType' => variable_get('uc_protx_vsp_direct_transaction', 'PAYMENT'),
    'Vendor' => $data['Vendor'],
    'VendorTxCode' => md5(  time() . $user->uid . $order->order_id . rand()  ), // This must be unique to the vendor.
    'Amount' => sprintf('%01.2f', $amount),
    'Currency' => variable_get('uc_currency_code', 'GBP'), // This is a UK-based payment gateway, hence GBP default.
    'Description' => $data['description'],
    'CardHolder' => substr($order->payment_details['cc_owner'], 0, 50),
    'CardNumber' => $order->payment_details['cc_number'],
    'ExpiryDate' => sprintf('%02d', $order->payment_details['cc_exp_month']) . substr($order->payment_details['cc_exp_year'], -2),
    'CV2' => $order->payment_details['cc_cvv'],
    'CardType' => $data['CardType'],
    'BillingSurname' => substr($order->billing_last_name, 0, 20),
    'BillingFirstnames' => substr($order->billing_first_name, 0, 20),
    'BillingAddress1' => substr($order->billing_street1, 0, 100),
    'BillingAddress2' => substr($order->billing_street2, 0, 100),
    'BillingCity' => substr($order->billing_city, 0, 40),
    'BillingPostCode' => substr($order->billing_postal_code, 0, 10),
    'BillingCountry' => $billing_country[0]['country_iso_code_2'],
    'BillingPhone' => substr($order->billing_phone, 0, 20),
    'DeliverySurname' => substr($order->delivery_last_name, 0, 20),
    'DeliveryFirstnames' => substr($order->delivery_first_name, 0, 20),
    'DeliveryAddress1' => substr($order->delivery_street1, 0, 100),
    'DeliveryAddress2' => substr($order->delivery_street2, 0, 100),
    'DeliveryCity' => substr($order->delivery_city, 0, 40),
    'DeliveryPostCode' => substr($order->delivery_postal_code, 0, 10),
    'DeliveryCountry' => $delivery_country[0]['country_iso_code_2'],
    'DeliveryPhone' => substr($order->delivery_phone, 0, 20),
    'GiftAidPayment' => '0',
    'ApplyAVSCV2' => '0',
    'Apply3DSecure' => '0',
    'AccountType' => 'E',
  );
  // ----------------------------------------


  // ----------------------------------------
  // Extra fields which need to be patched into credit card module -- StartDate, IssueNumber.
  if (isset($order->payment_details['cc_start_month']) && isset($order->payment_details['cc_start_year'])) {
    $month = $order->payment_details['cc_start_month'];
    $year = $order->payment_details['cc_start_year'];
    if (is_numeric($month) && is_numeric($year) && $month>0 && $month<13 && strlen($year)==4) {
      $transaction = array_merge($transaction, array(  'StartDate' => sprintf('%02d', $month) . substr($year, -2)  ));
    }
  }

  if (isset($order->payment_details['cc_issue'])) {  // N.B. issue number must be stored as string, since '4' is different from '04'.
    $issue = $order->payment_details['cc_issue'];
    if (is_numeric($issue) && (strlen($issue)==1 || strlen($issue)==2)) {
      $transaction = array_merge($transaction, array(  'IssueNumber' => $order->payment_details['cc_issue']  ));
    }
  }
  // ----------------------------------------


  // ----------------------------------------
  // Collect extra information for Protx if this option is checked.
  if (variable_get('uc_protx_vsp_direct_send_extra', 0)) {

    $data['CustomerName'] = rtrim($order->delivery_first_name .' '. $order->delivery_last_name .', '. $order->delivery_company, ', ');
    if ($data['CustomerName'] == '') {
      $data['CustomerName'] = rtrim($order->billing_first_name .' '. $order->billing_last_name .', '. $order->billing_company, ', ');
    }

    // The Basket field is <=7,500 characters.
    // The first line is just the total of lines in the basket, followed by a colon.
    // The final line should be shipping, tax, etc., and any items that can't be included in under 7,500 chars.
    // The final line has no final colon
    $basket['strlen'] = 0;
    $basket['subtotal'] = 0;

    // The number of lines of items, inc. the extra one for shipping, tax and any items that don't fit in under 7,500 chars:
    $basket['lines'] = count($order->products) + 1;

    foreach ($order->products as $x => $product) {
      $item_total = $product->price * $product->qty;
      $basket['amounts'][] = $item_total;
      $basket['items'][] = str_replace(
        ':', ' - ', $product->title)
        .':'. $product->qty
        .':' // Net
        .':' // Tax
        .':'. sprintf('%01.2f', $product->price) // Gross
        .':'. sprintf('%01.2f', $item_total)
        .':'
      ;
      $basket['strlen'] += strlen(end($basket['items']));
      $basket['subtotal'] += $item_total;
    }

    $basket['finalLine']['amount'] = $amount - $basket['subtotal'];// At this stage this will probably just be tax & shipping.
    $basket['finalLine']['text'] = '[Other items, shipping and taxes]:::::';

    // The final line has no final colon, but we need one to complete the first line.
    while (  strlen($basket['lines'] .':') + $basket['strlen'] > (7500 - strlen($basket['finalLine']['text'] . $basket['finalLine']['amount']))  ) {
      $basket['strlen'] -= strlen(array_pop($basket['items']));
      $basket['lines']--;
      $basket['finalLine']['amount'] += array_pop($basket['amounts']);
    }

    $data['Basket'] = $basket['lines'] .':';
    foreach ($basket['items'] as $item) {
      $data['Basket'] .= $item;
    }
    $data['Basket'] .= $basket['finalLine']['text'] . $basket['finalLine']['amount'];


    if (getenv('HTTP_CLIENT_IP'))         {
      $data['ClientIPAddress'] = getenv('HTTP_CLIENT_IP');
    }
    elseif (getenv('HTTP_X_FORWARDED_FOR'))   {
      $data['ClientIPAddress'] = getenv('HTTP_X_FORWARDED_FOR');
    }
    elseif (getenv('HTTP_X_FORWARDED'))       {
      $data['ClientIPAddress'] = getenv('HTTP_X_FORWARDED');
    }
    elseif (getenv('HTTP_FORWARDED_FOR'))     {
      $data['ClientIPAddress'] = getenv('HTTP_FORWARDED_FOR');
    }
    elseif (getenv('HTTP_FORWARDED'))         {
      $data['ClientIPAddress'] = getenv('HTTP_FORWARDED');
    }
    else {
      $data['ClientIPAddress'] = $_SERVER['REMOTE_ADDR'];
    }

    $transaction = array_merge(
      $transaction,
      array(
        'CustomerName' => $data['CustomerName'],
        'ContactNumber' => $order->billing_phone,
        //'ContactFax' => $order->, // This value is not available as of Ubercart RC5.
        'CustomerEMail' => $order->primary_email,
        'Basket' => $data['Basket'],
        'ClientIPAddress' => $data['ClientIPAddress'],
      )
    );
  }
  // ----------------------------------------

  // ----------------------------------------
  // Put all this data into an HTTPS POST request
  $post = '';
  foreach ($transaction as $name => $value) {
    //$post .= urlencode(iconv('UTF-8', 'ISO-8859-1', $name)) . '=' . urlencode(iconv('UTF-8', 'ISO-8859-1', $value)) . '&';
    $post .= urlencode($name) .'='. urlencode($value) .'&';
  }
  $post = substr($post, 0, -1);

  list($response, $http_response_code, $curl_error) = uc_protx_vsp_direct_curl($url, $post);

  if ($curl_error!='') {
    $result['message'] = t('Message from PHP cURL: @curlError', array('@curlError' => $curl_error));
    return $result;
  }

  if ($http_response_code!=200) {
    $result['message'] = t('The request met with HTTP response code @code', array('@code' => $http_response_code));
    return $result;
  }
  // ----------------------------------------

  // store a comment with some protx useful data of the transaction being saved
  $comment = t(
    'Transaction sent.<br />VendorTxCode: @VendorTxCode',
    array(
      '@VendorTxCode' => $transaction['VendorTxCode'],
     )
  );
  uc_order_comment_save($order_id, $user->uid, $comment);

  // ----------------------------------------
  // Now make sense of the response.

  if ($response['Status']=='3DAUTH') {
    $_SESSION['3dsecure']['ACSURL'] = $response['ACSURL'];
    $_SESSION['3dsecure']['MD'] = $response['MD'];
    $_SESSION['3dsecure']['PAReq'] = $response['PAReq'];
    drupal_goto('uc_protx_vsp_direct/3DSecure');
  }
  else {
    uc_protx_vsp_direct_response($response, $result);
  }

  if ($result['success'] == TRUE) {
    uc_order_comment_save($order_id, $user->uid, $result['comment']);
  }

  return $result;
}

function uc_protx_vsp_direct_3DSecure() {

  if (empty($_SESSION['3dsecure']) || !isset($_SESSION['cart_order'])) {
    drupal_set_message(t('Credit card 3D-Secure authorization could not be completed.'), 'error');
    drupal_goto('cart/checkout');
  }

  $term_url = url('uc_protx_vsp_direct/3DSecure_callback', NULL, NULL, TRUE);

  // Note the different case of "PaReq" here in the HTML element name:
  if (variable_get('uc_protx_vsp_direct_iframe', 1)) {
    drupal_add_js("window.onload = function() { document.forms['uc_protx_vsp_direct_3dsecure'].submit(); }", 'inline');
    $output =
      '<form name="uc_protx_vsp_direct_3dsecure" method="post" action="'. $_SESSION['3dsecure']['ACSURL'] .'" target="Secure3D">
      <p>
      <input type="hidden" name="MD" value="'. $_SESSION['3dsecure']['MD'] .'" />
      <input type="hidden" name="PaReq" value="'. $_SESSION['3dsecure']['PAReq'] .'" />
      <input type="hidden" name="TermUrl" value="'. $term_url .'" />
      </p>
      <noscript>
      <p>
      <input type="submit" value="Click here to continue" />
      </p>
      </noscript>
      </form>
      <iframe name="Secure3D" id="Secure3D" src="'. url('uc_protx_vsp_direct/3DSecure_waitingPage') .'">
      </iframe>'
    ;
    return $output;
  }
  else {
    $output =
      '<?xml version="1.0" encoding="utf-8"?>
      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
      <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
      <head>
      <title>3D-Secure</title>
      <script type="text/javascript">window.onload = function() { document.forms[0].submit(); }</script>
      </head>
      <body>
      <form method="post" action="'. $_SESSION['3dsecure']['ACSURL'] .'">
      <p>
      <input type="hidden" name="MD" value="'. $_SESSION['3dsecure']['MD'] .'" />
      <input type="hidden" name="PaReq" value="'. $_SESSION['3dsecure']['PAReq'] .'" />
      <input type="hidden" name="TermUrl" value="'. $term_url .'" />
      </p>
      <noscript>
      <p>
      <input type="submit" value="Click here to continue" />
      </p>
      </noscript>
      </form>
      </body>
      </html>'
    ;
    echo $output;
    exit;
  }
}

function uc_protx_vsp_direct_3DSecure_callback() {

  // Note the different case of "PaReq" in the $_POST version:
  if (!isset($_POST['MD']) || !isset($_POST['PaRes']) || !isset($_SESSION['3dsecure']['MD'])
       || !isset($_SESSION['cart_order']) || $_POST['MD'] != $_SESSION['3dsecure']['MD']) {
    drupal_set_message(t('Credit card 3D-Secure authorization could not be completed.'), 'error');
    drupal_goto('cart/checkout');
  }

  $order = uc_order_load($_SESSION['cart_order']);
  if ($order === FALSE) {
    drupal_goto('cart/checkout');
  }
  $amount = $order->amount;

  $url = uc_protx_vsp_direct_url('3d-secure', variable_get('uc_protx_vsp_direct_server', 2));
  $post = 'MD='. $_POST['MD'] .'&PARes='. $_POST['PaRes'];
  list($response, $http_response_code, $curl_error) = uc_protx_vsp_direct_curl($url, $post);

  if ($curl_error!='') {
    watchdog('uc_protx_vsp_direct', t('Payment failed: Message from PHP cURL: @curlError', array('@curlError' => $curl_error)), WATCHDOG_ERROR);
    drupal_set_message(t('Credit card 3D-Secure authorization could not be completed.'), 'error');
    drupal_goto('cart/checkout');
  }

  if ($http_response_code!=200) {
  watchdog('uc_protx_vsp_direct', t('Payment failed: The 3D-Secure callback request met with HTTP response code @code', array('@code' => $http_response_code)), WATCHDOG_WARNING);
    return;
  }

  $result['success'] = FALSE;
  uc_protx_vsp_direct_response($response, $result);

  unset($_SESSION['3dsecure']);

  if ($result['success'] == TRUE) {
    uc_payment_enter($order->order_id, 'credit', $order->order_total, $order->uid, '', $result['comment']);
    uc_order_comment_save($order->order_id, $order->uid, $result['comment']);
    $_SESSION['do_complete'] = TRUE;
    $redirect = 'cart/checkout/complete';
  }
  else {
    watchdog('uc_protx_vsp_direct', t('Payment failed: @message', array('@message' => $result['message'])), WATCHDOG_WARNING);
    drupal_set_message(variable_get('uc_credit_fail_message', t('We were unable to process your credit card payment. Please verify your card details and try again.  If the problem persists, contact us to complete your order.')), 'error');
    $redirect = 'cart/checkout';
  }

  if (variable_get('uc_protx_vsp_direct_iframe', 1)) {
    $output =
      '<html><head><title></title></head><body onload="document.forms[0].submit();"><form name="uc_protx_vsp_direct_3dsecure" method="post" action="'. url($redirect) .'" target="_top"></body></html>
      <noscript>
      <input type="submit" value="Please click here to continue." />
      </noscript>
      </form>'
    ;
    echo $output;
    exit;
  }
  else {
  drupal_goto($redirect);
  }
}

function uc_protx_vsp_direct_curl($url, $post) {
  $ch = curl_init($url);
  curl_setopt_array(
    $ch,
    array(
      CURLOPT_HEADER => FALSE,
      // If Protx are sending a redirect this should really be handled manually
      CURLOPT_FOLLOWLOCATION => FALSE,
      CURLOPT_FRESH_CONNECT => TRUE,
      CURLOPT_POST => TRUE,
      CURLOPT_RETURNTRANSFER => TRUE,
      CURLOPT_SSL_VERIFYPEER => FALSE,
      CURLOPT_TRANSFERTEXT => TRUE,
      CURLOPT_VERBOSE => FALSE,
      CURLOPT_CONNECTTIMEOUT => 60,
      CURLOPT_SSL_VERIFYHOST => 2,
      CURLOPT_POSTFIELDS => $post,
    )
  );

  $raw_response = curl_exec($ch);
  $http_response_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
  $curl_error = curl_error($ch);

  $response_strings = explode("\r\n", $raw_response);

  foreach ($response_strings as $str) {
    list($name, $value) = explode('=', $str, 2); // This strange limit method is required because sometimes the '=' character is also part of the data.
    if ($name!='') $response[$name] = $value;
  }

  curl_close($ch);
  return array($response, $http_response_code, $curl_error);
}

function uc_protx_vsp_direct_url($method, $server) {

  $servers = array(
    // Ordinary method, or for first stage of 3D-Secure method
    'registration' => array(
      0 => 'https://test.sagepay.com/Simulator/VSPDirectGateway.asp',
      1 => 'https://test.sagepay.com/gateway/service/vspdirect-register.vsp',
      2 => 'https://live.sagepay.com/gateway/service/vspdirect-register.vsp',
    ),
    'authorize' => array(
      0 => 'https://test.sagepay.com/Simulator/VSPServerGateway.asp?Service=VendorAuthoriseTx',
      1 => 'https://test.sagepay.com/gateway/service/authorise.vsp',
      2 => 'https://live.sagepay.com/gateway/service/authorise.vsp',
    ),
    // 3D-Secure method, used only when $response['Status']=='3DAUTH'
    '3d-secure' => array( 
      0 => 'https://test.sagepay.com/Simulator/VSPDirectCallback.asp',
      1 => 'https://test.sagepay.com/gateway/service/direct3dcallback.vsp',
      2 => 'https://live.sagepay.com/gateway/service/direct3dcallback.vsp',
    ),
  );

  return $servers[$method][$server];
}

function uc_protx_vsp_direct_3DSecure_waitingPage() {
  echo '<html><head><title></title></head><body><p style="font-family: Verdana; color: #AAA; font-weight: bold">Please wait to be redirected to your card issuer for authorization...</p></body></html>';
}

function uc_protx_vsp_direct_response($response, &$result) {

  switch ($response['Status']) {

    case 'AUTHENTICATED':
    case 'OK':
      if ( $response['Status'] == 'AUTHENTICATED' ) {
        $str = t('Transaction authenticated');
      }
      else {
        $str = t('Transaction authorized');
      }
      $result['message'] = '';
      $result['comment'] = t(
        '@response_str.
        <br />VPSTxId: @VPSTxId
        <br />SecurityKey: @SecurityKey
        <br />TxAuthNo: @TxAuthNo
        <br />AVSCV2: @AVSCV2
        <br /><em>(AddressResult: @AddressResult | PostCodeResult: @PostCodeResult | CV2Result: @CV2Result)</em>
        <br />3D-Secure Status: @3DSecureStatus',
        array(
          '@VPSTxId'        => $response['VPSTxId'],
          '@SecurityKey'    => $response['SecurityKey'],
          '@TxAuthNo'       => $response['TxAuthNo'],
          '@AVSCV2'         => $response['AVSCV2'],
          '@AddressResult'  => $response['AddressResult'],
          '@PostCodeResult' => $response['PostCodeResult'],
          '@CV2Result'      => $response['CV2Result'],
          '@3DSecureStatus' => $response['3DSecureStatus'],
          '@response_str' => $str,
        )
      );

      if ($response['3DSecureStatus']=='OK') {
        $result['comment'] .= t('<br />CAVV: @CAVV', array('@CAVV' => $response['CAVV']));
      }

      $result['success'] = TRUE;
      break;

    case 'NOTAUTHED':
      $result['message'] = t('The transaction was not authorised by the acquiring bank.');
      break;

    case 'REJECTED':
      $result['message'] = t('The VSP System rejected the transaction because of the rules you have set on your Protx account.  The message was: %StatusDetail', array('%StatusDetail' => $response['StatusDetail']));
      break;

    case 'INVALID':
    case 'MALFORMED':
    case 'ERROR':
      $result['message'] = $response['StatusDetail'];
      break;

    case 'REGISTERED':
    default:
      // This should never happen.
      $result['message'] = t('Protx responded with a status code that indicates acceptance of the request, but which is not implemented by this module: @code @StatusDetail', array('@code' => $response['Status'], '@StatusDetail' => $response['StatusDetail']));
      break;
  }

}

/**
 * Implementation of hook_order_pane().
 */
function uc_protx_vsp_direct_order_pane() {
  $panes[] = array(
    'id' => 'uc_protx_vsp_direct',
    'callback' => 'uc_protx_vsp_direct_order_pane_callback',
    'title' => t('Protx'),
    'desc' => t('Display protx authorization button.'),
    'class' => 'pos-left',
    'weight' => 5,
    'show' => array('view'), //'edit', 'customer', 'invoice', 'customer'),
  );

  return $panes;
}

/**
 * Handle the Payment order pane.
 */
function uc_protx_vsp_direct_order_pane_callback($op, $arg1) {
  switch ($op) {
    case 'view':
      $order = $arg1;
      $protx = _uc_protx_vsp_direct_comments_to_protx($order->order_id);
      if ( $protx['authenticated'] && !$protx['authorized'] ) {
        $output = drupal_get_form('uc_protx_vsp_direct_order_pane_view_form', $order);
      }
      return $output;
  }
}

function uc_protx_vsp_direct_order_pane_view_form($order) {
  $form['order_id'] = array(
    '#type' => 'hidden',
    '#value' => $order->order_id,
  );

  $form['submit'] = array(
      '#type' => 'submit',
      '#value' => t('Authorize card'),
    );

  return $form;
}

function uc_protx_vsp_direct_order_pane_view_form_submit($form_id, $form_values) {
  return 'admin/store/orders/'. $form_values['order_id'] .'/uc_protx_vsp_direct_auth';
}

function uc_protx_vsp_direct_perm() {
  return array(
      'authorize credit cards',
    );
}

function uc_protx_vsp_direct_auth_page($order_id) {
  $comments = uc_order_comments_load($order_id, TRUE);
  $output .= tapir_get_table('op_admin_comments_view_table', $comments);
  $output .= drupal_get_form('uc_protx_vsp_direct_auth_form', $order_id);

  return $output;
}

function uc_protx_vsp_direct_auth_form($order_id) {
  $form['order_id'] = array(
    '#type' => 'value',
    '#value' => $order_id,
  );

  $form['submit'] = array(
      '#type' => 'submit',
      '#value' => t('Authorize card'),
    );

  return $form;
}

function uc_protx_vsp_direct_auth_form_submit($form_id, $form_values) {
  global $user;

  $order_id = $form_values['order_id'];
  $order = uc_order_load($order_id);
  $protx = _uc_protx_vsp_direct_comments_to_protx($order_id);

  $transaction = array(
      'VPSProtocol' => UC_PROTX_VSP_DIRECT_PROTOCOL_VERSION,
      'TxType' => 'AUTHORISE',
      'Vendor' => variable_get('uc_protx_vsp_direct_vendor', ''),
      'VendorTxCode' => md5(  time() . $user->uid . $order->order_id . rand()  ), // This must be unique to the vendor.
      'Amount' => sprintf('%01.2f', $order->order_total),
      'Currency' => variable_get('uc_currency_code', 'GBP'), // This is a UK-based payment gateway, hence GBP default.
      'Description' => t('Authorizing order @orderid.', array('@orderid' => $order_id)),
      // VPSTxId of the authenticate transaction against which the authorisation is required.
      'RelatedVPSTxId' => $protx['vpstxid'],
      // VendorTxCode of the authenticate transaction against which the authorisation is require
      'RelatedVendorTxCode' => $protx['vendortxcode'],
      // The SecurityKey of the authenticate transaction sent back by the VSP System when the transaction was registered.
      'RelatedSecurityKey' => $protx['securitykey'],
      // (optional) Using this flag you can fine tune the AVS/CV2 checks and rule set you’ve defined at a transaction level. This is useful in circumstances where direct and trusted customer contact has been established and you wish to override the default security checks.
      'ApplyAVSCV2' => '0',
    );

  // Put all this data into an HTTPS POST request
  $post = '';
  foreach ($transaction as $name => $value) {
    //$post .= urlencode(iconv('UTF-8', 'ISO-8859-1', $name)) . '=' . urlencode(iconv('UTF-8', 'ISO-8859-1', $value)) . '&';
    $post .= urlencode($name) .'='. urlencode($value) .'&';
  }
  $post = substr($post, 0, -1);

  $url = uc_protx_vsp_direct_url('authorize', variable_get('uc_protx_vsp_direct_server', 2));
  list($response, $http_response_code, $curl_error) = uc_protx_vsp_direct_curl($url, $post);

  if ($curl_error!='') {
    watchdog('uc_protx_vsp_direct', t('Message from PHP cURL: @curlError', array('@curlError' => $curl_error)), WATCHDOG_ERROR);
    drupal_set_message(t('Credit card authorization could not be completed.'), 'error');
    return 'admin/store/orders/'. $order_id .'/uc_protx_vsp_direct_auth';
  }

  if ($http_response_code!=200) {
    watchdog('uc_protx_vsp_direct', t('The request met with HTTP response code @code', array('@code' => $http_response_code)), WATCHDOG_ERROR);
    drupal_set_message(t('Credit card authorization could not be completed.'), 'error');
    return 'admin/store/orders/'. $order_id .'/uc_protx_vsp_direct_auth';
  }

  uc_protx_vsp_direct_response($response, $result);

  if ( $result['success'] ) {
    drupal_set_message(t('The transaction was succesfully authorised by the acquiring bank.'));
    uc_order_comment_save($order_id, $user->uid, $result['message']);
 }
 else {
    drupal_set_message($result['message'], 'error');
  }

  return 'admin/store/orders/'. $order_id .'/uc_protx_vsp_direct_auth';
}

/**
 * Outputs the cards used in the configuration fieldset
 * @return <string>
 */
function theme_uc_protx_vsp_direct_cards() {
  $img_path = base_path() . drupal_get_path('module', 'uc_protx_vsp_direct') .'/img';
  $img_path_cards = base_path() . drupal_get_path('module', 'uc_protx_vsp_direct') .'/img/protx_cards';

  $output = <<<CARDS
<div class="uc_protx_vsp_direct_cards">
<img src="$img_path_cards/mastercard normal.gif" alt="Mastercard" />
<img src="$img_path_cards/visa.gif" alt="Visa" />
<img src="$img_path_cards/delta.gif" alt="Visa Debit" />
<img src="$img_path_cards/electron.gif" alt="Electron" />
<img src="$img_path_cards/amexsmall.gif" alt="American Express" />
</div>
<div class="uc_protx_vsp_direct_cards">
<img src="$img_path_cards/maestro.gif" alt="Maestro" />
<img src="$img_path_cards/solo.gif" alt="Solo" />
<img src="$img_path_cards/dinersclublogo125_26.gif" alt="Diners" />
<img src="$img_path_cards/jcb.gif" alt="JCB" />
</div>
<div class="uc_protx_vsp_direct_cards">
<p>This gateway supports 3D-Secure:</p>
<img src="$img_path/vbv_logo24.gif" alt="Verified by Visa" />
<img src="$img_path/msc_logo24.gif" alt="Mastercard SecureCode" />
</div>
CARDS;

  return $output;
}