s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 8th, 2011, 1:12 am
by JeffStarr
After upgrading to version 111206, s2vars were unpopulated, as recorded by the clickbank-ipn.log.

Transactions show complete/successful s2vars up until version 111206, and then they suddenly stop working. No other changes to the site or any plugins were made before, during, and shortly after the upgrade.

One of the noticeable effects of the missing variables is that registration emails are not sent out after purchase (but the purchase itself goes thru fine). The registration/password emails, however, are critical to successful transactions. So..

After triple-checking everything and pulling my remaining few hairs out, I had no other solution but to roll back to version 111105, and voilà - everything is once again working fine.

Moral of the story: evidence suggests some sort of issue or bug with the latest version of s2Member Pro (111206) and empty s2vars.

Until this is resolved, I have no choice but to avoid updates and stick with 111105, which is the latest working version of Pro I have available.

I hope this information is useful. It would be great to upgrade to the latest and greatest, but I don't have time to fiddle with this right now. I'll check back on this thread later this week and see if any news..

Until then, Thanks for a great plugin and all your efforts :)

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 9th, 2011, 2:42 am
by Cristián Lávaque
Thanks for the feedback, Jeff! I'm notifying Jason about this.

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 9th, 2011, 2:49 am
by Jason Caldwell
Thanks for reporting this important issue.
JeffStarr wrote:
After upgrading to version 111206, s2vars were unpopulated, as recorded by the clickbank-ipn.log.

Transactions show complete/successful s2vars up until version 111206, and then they suddenly stop working. No other changes to the site or any plugins were made before, during, and shortly after the upgrade.

Are you using the s2Member Shortcode for your ClickBank Buttons?
Or, are you using a link formulated on your own in some way?

Please note the following...

== Changelog v111206 ==
* (s2Member/s2Member Pro) **Security fix**. A security vulnerability related to unsigned URLs leading to checkout pages for ccBill®, ClickBank® and Google® Checkout, has been addressed in this release. For further details, please see [this thread](http://www.primothemes.com/forums/viewtopic.php?f=4&t=15232&p=41707#p41707).
All URLs leading to checkout at ClickBank MUST now be digitally signed by s2Member. Otherwise you will have empty s2Vars after checkout, and post-processing of the payment will fail, as it should. This change in s2Member v111206 was to tighten security in this regard, making it impossible for someone to manually change s2Vars before checkout. See: viewtopic.php?f=4&t=15232&p=41707#p41707

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 9th, 2011, 12:05 pm
by JeffStarr
Using the s2Member-generated shortcode for the Clickbank buttons.

Jason Caldwell wrote:
All URLs leading to checkout at ClickBank MUST now be digitally signed by s2Member.


Any tips or documentation on exactly how to do this? And why wasn't it done automatically upon upgrade? Or why wasn't info provided at that time?

I read thru the linked forum thread in your reply but did not see any info for how to fix the issue. In fact, I wasted most of my evening a couple of nights ago trying to find ANY information regarding this anywhere online. Nada. So I rolled back.

Increased security is the bomb fellas, but not if it breaks the software :shock:

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 10th, 2011, 2:56 am
by Cristián Lávaque
You're right Jeff. We should have added more documentation about the change from the beginning. Sorry about that change and how to update your site for it.

Anyone running an existing copy of s2Member with ccBill, ClickBank, or Google Checkout, who is NOT using the recommended Shortcodes provided by s2Member, will have problems getting transactions to come through successfully after upgrading to s2Member v111206.

What Jason explained above for ClickBank also applies to ccBill and Google Checkout transactions.

* s2Member's Button generators for these Payment Gateways no longer provide the full HTML Button Code as an option, because it introduces a security vulnerability. All URLs leading to checkout at ccBill, ClickBank and/or Google Checkout, must be produced by one of s2Member's Shortcodes. That way it's digitally signed by s2Member, and NOT vulnerable to attack.

For site owners that want to integrate Payment Buttons and/or Forms, you can do this inside a PHP template file.

Code:
<?php
$my_shortcode = '[s2Member-Pro-ClickBank-Button ..... /]';
echo do_shortcode($my_shortcode);
?>
http://codex.wordpress.org/Function_Ref ... _shortcode

It is also possible to do this with any existing URLs, but I recommend the Shortcode first though.

Code:
<?php
$my_existing_clickbank_url_with_s2_vars = 'http://....';
$my_signed_url = c_ws_plugin__s2member_utils_urls::add_s2member_sig($my_existing_clickbank_url_with_s2_vars);
?>
See also: viewtopic.php?f=40&t=12969&src_doc_v=111206#src_doc_add_s2member_sig%28%29

If you wanted to use the button in a page that's not served by the WordPress installation where s2Member is running, or even a plain HTML page in another site, here's how you'd do it:

Log out of the site, and use the Shortcode with Attribute output="url". Copy the link and use it on another site. This works just fine. Actually, you don't even need output="url", it just makes it simpler to understand. The alternative, output="anchor" ( i.e. the default ), would be fine too.

* Tip: be sure to do this while NOT logged-in, otherwise the URL returned by the Shortcode may have &s2_referencing=[existing User ID], which would be bad.

I hope that helps! Let us know if you have any questions. :)

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 10th, 2011, 3:06 am
by Jason Caldwell
Just to make note. s2Member v111206 does not break any existing Shortcodes. This issue being discussed here, only affects site owners who have previously integrated hard links of their own, in some custom way. If you've done that, please follow the advice laid out by Cristian.

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 10th, 2011, 4:08 am
by JeffStarr
This is some great info, Thanks guys.

So just to clarify, the s2Member Shortcodes that no longer work are those that are inserted directly into pages via the WP Admin. You know, the ones with the square brackets that are (were) generated by s2Member. Now, with the latest version (111206), the only Shortcodes that work are those that are included via WP theme template files using do_shortcode($my_shortcode).

If that sounds correct, then I think I've got the idea. And if so, where/how do I generate the shortcodes for the theme template files? Are they the same as the shortcodes used via the Admin, in terms of attributes? Can we just copy, paste, and include via do_shortcode($my_shortcode)? Or is something else required?

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 10th, 2011, 8:37 pm
by Cristián Lávaque
No, the shortcodes you used in your WP pages would not need any updating, they're the same.

The ones that need updating are those buttons that are being used as HTML, either in WP or elsewhere, because these are not being parsed by s2Member again and now adding the improvements of the new release.

The HTML buttons are old now and don't have the new format that s2Member expects, the shortcodes get parsed by s2Member and turned into the HTML s2Member expects for this to work.

Regarding the do_shortcode, right, you just enter the string of the shortcode into the do_shortcode function, e.g.:

Code:
<?php
// do_shortcode() returns the rendered markup, so echo it in the template.
echo do_shortcode('[s2Member-Pro-ClickBank-Button cbp="0" level="1" ccaps="" desc="Bronze Member / Description and pricing details here." custom="example.com" tp="0" tt="D" rp="1" rt="M" rr="1" image="default" output="anchor" /]');
?>


I hope this helps. :)

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 11th, 2011, 1:02 am
by JeffStarr
Cristián Lávaque wrote:
No, the shortcodes you used in your WP pages would not need any updating, they're the same


We are in fact using the s2Member shortcodes in our WP pages. That's the whole point of this comment thread. We are using the s2Member shortcodes. Before the 111206 update everything worked fine. After the 111206 update, the s2vars variables are empty, causing the Clickbank checkout process to fail. We have made no changes to anything along the way, so all evidence still suggests that there is an issue with the latest version of s2Member.

To summarize: using s2Member shortcodes in WP pages before 111206 update, everything worked great. No changes made to anything on the site. Then updated to 111206 and get empty s2vars and failed Clickbank transactions. Rolled back to previous version and everything works great again.

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 11th, 2011, 1:56 am
by Cristián Lávaque
I see. Thanks for making it clearer, sorry for not understanding earlier.

Could you post here the shortcode you're using?

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 11th, 2011, 2:14 am
by JeffStarr
Sure, here is one of them:

Code:
[s2Member-Pro-ClickBank-Button cbp="1" level="1" ccaps="-all" desc="Blah blah blah" custom="ourdomain.com" tp="0" tt="D" rp="1" rt="L" rr="0" image="clickbank-button.gif" output="anchor" /]

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 13th, 2011, 4:11 pm
by cashmunkey
I am lost here .. I did the shortcode output thing .. BUT it pulls my IP and everything .. so how do i get it to be blank to place on my fbtrainer.com/order.php ( which is not a WP page )

Also, how do we do the UPSELL and Order Form selection ? ... You're missing a ton of things here with the shortcode guys!

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 13th, 2011, 5:11 pm
by cashmunkey
Below is what I get when I try to get the external coding for a page not within WP ... Now this coding isn't going to work as we need to pull the values ... ??? HELP!!!!

Code:
http://9.fbtrainer.pay.clickbank.net/?s2_invoice=2&s2_p1=30+D&s2_p3=1+M&s2_desc=Facebook+Full+Business+Suite+Monthly+Exclusive+Membership&s2_custom=fbtrainer.com&s2_customer_ip=69.157.59.242&s2_subscr_id=s2-4ee7cd5dc54d0&s2_referencing=60&_s2member_sig=1323814237-977a8f96132ebd9dfc290ba78f2c0145

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 14th, 2011, 3:38 am
by Cristián Lávaque
JeffStarr wrote:
Sure, here is one of them:

Code:
[s2Member-Pro-ClickBank-Button cbp="1" level="1" ccaps="-all" desc="Blah blah blah" custom="ourdomain.com" tp="0" tt="D" rp="1" rt="L" rr="0" image="clickbank-button.gif" output="anchor" /]


Thanks Jeff. I ran some tests in my site and gave my findings to Jason, he should get back to me soon regarding this and I'll post an update here as soon as I have it. Thanks for your patience.

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 14th, 2011, 3:40 am
by Cristián Lávaque
cashmunkey, I didn't understand your first post, could you explain some more?

Regarding the second post, make sure you are logged out when you create the link.

Let me know if that helps. :)

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 15th, 2011, 9:31 pm
by Jason Caldwell
Investigating this now.

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 16th, 2011, 12:14 am
by Jason Caldwell
OK. We've located the issue. The bug reproduced by Cristian affects non-recurring products only. ClickBank is not passing through some s2 Vars, whenever they're empty. The s2_p1 and s2_p3 variables are not in the IPN data for non-recurring products, which is throwing off the digital signature that the latest version of s2Member uses as a security precaution. We're looking at a possible solution to this now. I will update this thread shortly.

50% Resolved
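
The failure described in the post above, as an added example that is not part of the thread and is not s2Member's code: a signature computed over every s2 variable stops verifying once the gateway drops the empty ones, while a signature that skips empty values survives the round trip and still rejects an edited variable. The key, the function names, the `_sig` parameter and the HMAC-SHA256 "time-hex" layout are all assumptions made for the illustration.

```php
<?php
// Added illustration; NOT s2Member's code. Key, names and signature layout are assumed.
const DEMO_KEY = 'constructed-demo-key';

// Sign the variables. With $skip_empty, empty values are left out of the
// signed string, so a gateway that drops them cannot change the result.
function demo_sign(array $vars, int $time, bool $skip_empty): string
{
    unset($vars['_sig']);
    if ($skip_empty) {
        $vars = array_filter($vars, fn($v) => $v !== '');
    }
    ksort($vars); // canonical order, independent of how the URL was built
    $mac = hash_hmac('sha256', $time . '?' . http_build_query($vars), DEMO_KEY);
    return $time . '-' . $mac;
}

// Recompute the signature from the received variables and compare.
function demo_verify(array $vars, bool $skip_empty): bool
{
    $sig = (string) ($vars['_sig'] ?? '');
    if (!preg_match('/^(\d+)-[0-9a-f]{64}$/', $sig, $m)) {
        return false; // unsigned or malformed
    }
    return hash_equals(demo_sign($vars, (int) $m[1], $skip_empty), $sig);
}

// Models the behaviour reported in the thread: empty variables are not passed back.
function demo_gateway_passthrough(array $vars): array
{
    return array_filter($vars, fn($v) => $v !== '');
}

// Constructed sample: a non-recurring product, so s2_p1 and s2_p3 are empty.
$sent = ['s2_invoice' => '2', 's2_p1' => '', 's2_p3' => '', 's2_custom' => 'example.com'];

foreach ([false, true] as $skip_empty) {
    $signed   = $sent + ['_sig' => demo_sign($sent, 1323800000, $skip_empty)];
    $returned = demo_gateway_passthrough($signed);
    $tampered = ['s2_invoice' => '1'] + $returned; // a variable edited after signing
    printf(
        "skip_empty=%s  returned: %s  tampered: %s\n",
        $skip_empty ? 'yes' : 'no',
        demo_verify($returned, $skip_empty) ? 'valid' : 'rejected',
        demo_verify($tampered, $skip_empty) ? 'valid' : 'rejected'
    );
}
```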

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: December 16th, 2011, 1:26 am
by Jason Caldwell
This issue has been corrected in the latest development copy of s2Member.
You can download the latest development copy here:
http://downloads.wordpress.org/plugin/s2member.zip
( coming soon in public release )

An upgrade of s2Member Pro is not required to fix the issue. Updating the s2Member Framework by downloading the latest development copy should correct the issue being discussed here.

90% Resolved ( awaiting confirmation )

Re: s2Member Pro 111206 Clickbank empty s2vars

PostPosted: January 27th, 2012, 3:59 am
by cashmunkey
Cristián or Jason ...

When will we be able to have an HTML link generated again? I can't seem to get the link to work to copy and paste it over on an external page.

Thanks guys.