what it does here



#1 Jasmine2002


Posted 16 November 2002 - 01:36 AM

Hello everyone, I have a question.
From the paypal site the following script in vb is provided, but I'm wondering about the first section:
=========================
Dim str, OrderID, Txn_id, Payment_status
Dim objHttp

' read post from PayPal system and add 'cmd'
' (Request.Form without a key returns the raw, still URL-encoded form body)
str = Request.Form
OrderID = Request.Form("item_number")
Txn_id = Request.Form("txn_id")
Payment_status = Request.Form("payment_status")

' post back to PayPal system to validate
str = str & "&cmd=_notify-validate"
set objHttp = Server.CreateObject("Msxml2.ServerXMLHTTP")
objHttp.open "POST", "https://www.paypal.com/cgi-bin/webscr", false
' the post-back has to be sent as form data or PayPal cannot parse it
objHttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objHttp.Send str
=========================
My website's IPN reads the information received from paypal, and then sends back this information right away to verify it... but it's not checking this information against a database or something... SOOOO, let's say a user tampered with the submission form and changed the Trial rate from 10.00 to 1.00... it will just continue to do everything right??
Or could someone please tell me how I can secure this?

Thanks a lot!


<%@LANGUAGE="VBScript"%>
<%
Dim str, OrderID, Txn_id, Payment_status
Dim objHttp
Dim Item_name, Receiver_email, Item_number, Invoice, Payment_gross, Payer_email

' read post from PayPal system and add 'cmd'
' (Request.Form without a key returns the raw, still URL-encoded form body)
str = Request.Form
OrderID = Request.Form("item_number")
Txn_id = Request.Form("txn_id")
Payment_status = Request.Form("payment_status")

' post back to PayPal system to validate
str = str & "&cmd=_notify-validate"
set objHttp = Server.CreateObject("Msxml2.ServerXMLHTTP")
objHttp.open "POST", "https://www.paypal.com/cgi-bin/webscr", false
' the post-back has to be sent as form data or PayPal cannot parse it
objHttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objHttp.Send str

' assign posted variables to local variables
' note: additional IPN variables also available -- see IPN documentation
Item_name = Request.Form("item_name")
Receiver_email = Request.Form("receiver_email")
Item_number = Request.Form("item_number")
Invoice = Request.Form("invoice")
Payment_status = Request.Form("payment_status")
Payment_gross = Request.Form("payment_gross")
Txn_id = Request.Form("txn_id")
Payer_email = Request.Form("payer_email")

' Check notification validation
if (objHttp.status <> 200 ) then
    ' HTTP error handling: PayPal could not be reached, do not deliver
elseif (objHttp.responseText = "VERIFIED") then
    ' PayPal confirms it sent this notification; the checks below are still yours to do
    ' check that Payment_status=Completed
    ' check that Txn_id has not been previously processed
    ' check that Receiver_email is an email address in your PayPal account
    ' check that Payment_gross matches what you recorded for Invoice
    ' process payment
elseif (objHttp.responseText = "INVALID") then
    ' the notification did not come from PayPal: log for manual investigation
else
    ' error: unexpected reply
end if
set objHttp = nothing
%>


#2 DaveC


Posted 16 November 2002 - 10:34 AM

The script itself doesn't actually watch what is happening to the payment. The IPN process is a double verification that something happened.

What you need to do is to look at the values passed to you and compare them with what you believe you should receive for that notification...

so for example,

10.00 is sent to paypal. You have recorded that 10.00 against invoice number 1.

When the notification comes to you, it will give you the invoice number 1. You then look up what the value should be for invoice number 1 and compare it with what paypal has sent you. If the values do not match, you tell your DB to not give the secret code, inform yourself and inform the person that ordered.

The verification is down to you. Paypal can only give you what it has received. You should do your verification within the part marked...

elseif (objHttp.responseText = "VERIFIED") then
' check that Payment_status=Completed
' check that Txn_id has not been previously processed
' check that Receiver_email is an email address in your PayPal account
' process payment

If the verification is OK, then you deliver whatever should be delivered within the above part.

Hope this helps.

DaveC

Web development - http://www.revilloc.com
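The checks DaveC describes (the VERIFIED post-back reply, a Completed status, an unused txn_id, your own receiver_email, and the paid amount compared against what you recorded for that invoice) as an added Python model of the VERIFIED branch; this is not DaveC's code or the ASP sample, and the order store, the seller address and the IPN body are constructed sample data. The post-back itself is assumed to have already been done; only PayPal's reply text is passed in.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed sample store: what the site recorded when each invoice was
# created. A real site would keep this in its database.
EXPECTED_ORDERS = {"1": Decimal("10.00")}
# Assumed: the e-mail address of the merchant's own PayPal account.
RECEIVER_EMAIL = "seller@example.com"
# txn_ids already delivered, so a re-sent notification is not paid out twice.
PROCESSED_TXN_IDS = set()


def check_ipn(raw_form, postback_reply):
    """Return (ok, reason). raw_form is the IPN body PayPal posted to us;
    postback_reply is the text PayPal returned for the _notify-validate
    post-back (objHttp.responseText in the ASP sample)."""
    if postback_reply != "VERIFIED":
        return False, "post-back did not answer VERIFIED"
    fields = {k: v[0] for k, v in parse_qs(raw_form, keep_blank_values=True).items()}
    if fields.get("payment_status") != "Completed":
        return False, "payment_status is not Completed"
    if fields.get("receiver_email", "").lower() != RECEIVER_EMAIL:
        return False, "receiver_email is not our PayPal account"
    txn_id = fields.get("txn_id", "")
    if not txn_id or txn_id in PROCESSED_TXN_IDS:
        return False, "txn_id missing or already processed"
    invoice = fields.get("invoice", "")
    expected = EXPECTED_ORDERS.get(invoice)
    if expected is None:
        return False, "invoice not found in our records"
    try:
        paid = Decimal(fields.get("payment_gross", ""))
    except InvalidOperation:
        return False, "payment_gross is not a number"
    if paid != expected:
        # VERIFIED only means PayPal really received this amount; it says
        # nothing about whether it is the amount the invoice was for.
        return False, "paid %s but invoice %s is for %s" % (paid, invoice, expected)
    PROCESSED_TXN_IDS.add(txn_id)
    return True, "deliver order for invoice " + invoice


if __name__ == "__main__":
    # Constructed IPN body for the tampered case from the question: the
    # buyer changed 10.00 to 1.00, PayPal really took 1.00, so it is VERIFIED.
    ipn = ("item_number=1&invoice=1&txn_id=TXN1&payment_status=Completed"
           "&receiver_email=seller@example.com&payment_gross=1.00")
    print(check_ipn(ipn, "VERIFIED"))
```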
