
I have a php-based page that collects payment via Braintree code. I have recently had to move the files to a new server. The code is the same code as it has always been. Unfortunately now when I try to use the page I am getting the below error message:

Error: 91564: Cannot use a paymentMethodNonce more than once.

I am not sure why all of a sudden this would be happening resulting in the charge not going through. Hoping someone may help me spot my error?

Here is my file:

<?php
  require('vendor/autoload.php');      // Composer autoloader; must be loaded before Braintree\Gateway is used
  include('inc/dbconn.inc.php');       // database connection credentials ($connect)
  require_once("braintree_init.php");  // creates $gateway
?>
 <head>
 <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.6.1/dist/css/bootstrap.min.css" integrity="sha384-zCbKRCUGaJDkqS1kPbPd7TveP5iyJE0EjAuZQTgFLD2ylzuqKfdKlfG/eSrtxUkn" crossorigin="anonymous">
 <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.1/jquery.min.js" integrity="sha512-aVKKRRi/Q/YV+4mjoKBsE4x3H+BkegoM/em46NNlCqNTmUYADjBbeNefNxYV7giUp0VxICtqdrbqU7iVaeZNXA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>
 <script src="https://code.jquery.com/ui/1.13.2/jquery-ui.js"></script>
 <script src="https://cdn.jsdelivr.net/npm/bootstrap@4.6.1/dist/js/bootstrap.min.js" integrity="sha384-VHvPCCyXqtD5DqJeNxl2dtTyhF78xXNXdkwX1CZeRusQfRKp+tA7hAShOK/B/fQ2" crossorigin="anonymous"></script>
 <script src="https://js.braintreegateway.com/web/dropin/1.33.7/js/dropin.js"></script>
 <link rel="stylesheet" href="//code.jquery.com/ui/1.13.2/themes/base/jquery-ui.css">
 <link rel="stylesheet" href="./css/formstyle.css" />
 </head>
 <body>
    <div class="row headerdiv noprint"><div class="col-md-12 text-center mt-4 mb-4"></div></div>
    <div class="container mt-4">
      <div class="row">
 <?php
   //submitted (empty() also avoids an undefined-index notice on a plain GET)
   if (!empty($_POST['firstname']))
   {
$firstname = mysqli_real_escape_string($connect, $_POST['firstname']);
$lastname = mysqli_real_escape_string($connect, $_POST['lastname']);
$emailaddr = mysqli_real_escape_string($connect, $_POST['emailaddr']);
$phone = mysqli_real_escape_string($connect, $_POST['phone']);
$streetaddress = mysqli_real_escape_string($connect, $_POST['streetaddress']);
$streetaddresstwo = mysqli_real_escape_string($connect, $_POST['streetaddresstwo']);
$city = mysqli_real_escape_string($connect, $_POST['city']);
$stateregion = mysqli_real_escape_string($connect, $_POST['stateregion']);
$zipcode = mysqli_real_escape_string($connect, $_POST['zipcode']);
$country = mysqli_real_escape_string($connect, $_POST['country']);
//$isgold = $_POST['isgold'];
$rightnowis = DATE('Y-m-d 00:00:00');
$displaydate = DATE('M d, Y');
//$itemage = $_POST['itemage'];
//the video file 
$videofile = $_POST['Videohidedata'];
$countryform = 'US';

if ($emailaddr != '')
{
    // $mail is assumed to be a mailer object (e.g. PHPMailer) created in one of the included files
    $mail->addAddress($emailaddr, "$firstname $lastname");
}
    
//insert into database query here

$last_id = mysqli_insert_id($connect);

//add items to claim item table since some claims could have multiple items
for ($a = 0; $a < count($_POST["penname"]); $a++)
{
    $penname = $_POST['penname'][$a];
    if($penname =='') { $penname='Unknown'; }
    $isentimental = $_POST['isentimental'][$a];
    $penage = $_POST['penage'][$a];
    $item_issue = $_POST['item_issue'][$a];

    //inert into claim items database
}

//$amttocharge = (20 * $a);
$amttocharge = 1; //hardcoded to charge only $1 for testing
// a paymentMethodNonce is single-use: every sale needs a freshly generated nonce from the Drop-in client
$nonce = $_POST['payment_method_nonce'] ?? '';

//process the actual payment
$result = $gateway->transaction()->sale([
    'amount' => $amttocharge,
    'paymentMethodNonce' => $nonce,
    'options' => [
        'submitForSettlement' => true
    ]
]);

if ($result->success || !is_null($result->transaction))
{
    $transaction = $result->transaction;
    $paymenttransactionid = $transaction->id;
    $lastfour = $transaction->creditCardDetails->last4;
    $cardtype = $transaction->creditCardDetails->cardType;
    $chargedamt = $transaction->amount;
    echo "yaya you were charged";
}
else
{
    $errorString = "";
    foreach ($result->errors->deepAll() as $error)
    {
        $errorString .= 'Error: ' . $error->code . ": " . $error->message . "\n";
    }
    // surface the failure instead of silently discarding the collected errors
    error_log($errorString);
    echo nl2br(htmlspecialchars($errorString));
}
?>

My braintree_init.php file just has the below code:

<?php
  session_start();
  //sandbox
  //$gateway = new Braintree\Gateway([
  //    'environment' => 'sandbox',
  //    'merchantId' => 'sdfsdfsdf',
  //    'publicKey' => 'ffff',
  //    'privateKey' => '123456'
  //]);

  $gateway = new Braintree\Gateway([
      'environment' => 'production',
      'merchantId' => 'coolbeans',
      'publicKey' => 'fakeinfo',
      'privateKey' => 'becauseyouknowwhy'
  ]);
  $baseUrl = stripslashes(dirname($_SERVER['SCRIPT_NAME']));
  $baseUrl = $baseUrl == '/' ? $baseUrl : $baseUrl . '/';
Jayreis
    The error indicates that the payment method nonce (which is a temporary token representing a payment method), has already been used and cannot be used again. Can you check that it is generated for each transaction? – esQmo_ Aug 31 '23 at 13:41
  • What esQmo wrote and also just by the script you present, there is nothing that checks for the error condition and any token can be passed via POST, so there is nothing that prevents/handles passing the same token again (e.g. a replay attack which such a token has to prevent, hence an only used once token). So either it's the input or somewhere you actually use the same token twice. Have you tried to diff the new and old configuration/file-tree? – hakre Aug 31 '23 at 13:49
  • I am echoing the payment nonce to the page and just submitted two charges in a row and saw that each charge submission had a different payment nonce and I don't see any other place where I have the payment nonce. – Jayreis Aug 31 '23 at 17:01
  • The most likely explanation in such cases is that the code you thought would only execute once, actually executes twice. Start by checking what requests are happening from the browser side, using the dev tool's network panel - does everything in there look like it should, or are there more POST requests to this script than there should be? – CBroe Sep 01 '23 at 09:53
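One way to make the sale handler idempotent on the server side, as an added example rather than code from the question or the Braintree SDK: `chargeOnce`, `fakeSale` and the `$store` array are assumptions, the gateway call is injected as a callable, and a constructed fake stands in for `$gateway->transaction()->sale()` so the script runs offline.

```php
<?php
// Added example, not the asker's code: refuse to hand the same paymentMethodNonce
// to the gateway twice, so a double-submitted form is logged as a duplicate and
// answered from cache instead of producing Braintree error 91564.
declare(strict_types=1);
// $store is any request-shared key/value store (DB table, APCu, Redis);
// a plain array stands in here. $sale wraps $gateway->transaction()->sale().
function chargeOnce(callable $sale, string $nonce, string $amount, array &$store): array
{
    if (!preg_match('/^[A-Za-z0-9_-]{8,}$/', $nonce)) {      // loose shape check (assumption)
        return ['ok' => false, 'reason' => 'missing or malformed nonce'];
    }
    $key = hash('sha256', $nonce);                 // keep the raw nonce out of the store
    if (isset($store[$key])) {                     // double click, refresh, browser retry
        error_log('duplicate submit, nonce ' . substr($key, 0, 12) . '... already processed');
        return $store[$key];
    }
    $store[$key] = ['ok' => false, 'reason' => 'in progress'];   // claim before calling out
    $result = $sale(['amount' => $amount, 'paymentMethodNonce' => $nonce,
                     'options' => ['submitForSettlement' => true]]);
    if ($result['success']) {
        $store[$key] = ['ok' => true, 'transactionId' => $result['transaction']['id']];
    } else {
        $codes = array_column($result['errors'], 'code');
        $store[$key] = ['ok' => false, 'reason' => in_array('91564', $codes, true)
            ? 'nonce already consumed' : 'gateway declined'];
    }
    return $store[$key];
}

// Constructed fake gateway: the first sale with a nonce succeeds, any reuse
// returns the 91564 validation error the way the real gateway does.
function fakeSale(): callable
{
    $seen = [];
    return function (array $params) use (&$seen): array {
        $n = $params['paymentMethodNonce'];
        if (isset($seen[$n])) {
            return ['success' => false, 'transaction' => null, 'errors' => [
                ['code' => '91564', 'message' => 'Cannot use a paymentMethodNonce more than once.']]];
        }
        $seen[$n] = true;
        return ['success' => true, 'transaction' => ['id' => 'txn_' . count($seen)], 'errors' => []];
    };
}
$sale = fakeSale();
$store = [];
var_dump(chargeOnce($sale, 'constructed-nonce-abc123', '1.00', $store)); // ok, txn_1
var_dump(chargeOnce($sale, 'constructed-nonce-abc123', '1.00', $store)); // cached ok, no gateway call
```

The duplicate is visible in the server error log, which complements the browser network-panel check suggested in the comments when hunting for a second POST.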

0 Answers