osCommerce

!!! HELP !!!!


Guest

This is *not* a PayPal weakness. PayPal's Instant Payment Notification provides a security measure that is easy to implement in standard PHP. It's even easier to utilize than the MD5 hash-style solution noted earlier since it does not rely on a shared secret and requires no configuration.

I am happy to assist the OSC PayPal module developers to optimize the PayPal integration.

Also, as has been noted, the "PayPal IPN" contribution implements IPN completely.

Patrick Breitenbach

The one issue I see with PayPal is that there is no built-in referrer check :cry: . In other words, unless you put in your own referrer check, someone could send a fake post to your ordering system pretending to be from PayPal. As pointed out in other posts, this should not affect items that need to be shipped, but virtual items or downloads would be vulnerable.

Except that IPN provides a mechanism to prevent that (a post-back to authenticate the txn).

I use PayPal quite a bit and I am a big fan of the service. :shock: I'm sure PayPal is extremely safe and users can't fake a transaction through PayPal. :D

It might be I'm not a Guru. :oops: however....

The point I was making was that I could send the same information to an ordering system as PayPal sends, from a different site. There would be no payment or transaction on PayPal; in fact nothing would be passed to PayPal. However, the ordering system would not know the post was not from PayPal unless there was a referrer check in the ordering system. This would not be a problem for non-virtual items, as no one will ship without payment, but for instant memberships, file download access and suchlike, it could cause problems. :cry: Not PayPal's fault, but I think it's a flaw in the process :!:

Except that IPN includes a simple method to authenticate the payment and prevent that from happening. PayPal has you post the txn back to PayPal and responds with a VERIFIED or INVALID.

Patrick Breitenbach
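
The post-back check described in the post above, sketched in PHP as an added example; it is not code from this thread, from osCommerce or the "PayPal IPN" contribution, or from PayPal. The function names, the `$order` layout and the injected `$postBack` callable are assumptions, while `cmd=_notify-validate`, the verification URL and the IPN variable names follow PayPal's IPN documentation.

```php
<?php
// Added illustration; helper names and the $order layout are assumptions.
const IPN_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';

// Post the message back to PayPal over verified TLS; return the reply body.
function paypal_post_back(string $body): string
{
    $ch = curl_init(IPN_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_USERAGENT      => 'ipn-verifier-example',
        CURLOPT_TIMEOUT        => 30,
    ]);
    $reply = curl_exec($ch);
    return is_string($reply) ? trim($reply) : '';
}

// Return true only if the notification may release the order.
function ipn_accept(string $rawBody, array $order, array $seenTxnIds, callable $postBack): bool
{
    // 1. Echo the body back unchanged, prefixed with cmd=_notify-validate.
    //    Anything other than VERIFIED (INVALID, empty, error) is rejected.
    if ($postBack('cmd=_notify-validate&' . $rawBody) !== 'VERIFIED') {
        return false;
    }
    // 2. A genuine message must also match this order and be new.
    parse_str($rawBody, $ipn);
    return ($ipn['payment_status'] ?? '') === 'Completed'
        && strcasecmp($ipn['receiver_email'] ?? '', $order['merchant_email']) === 0
        && ($ipn['mc_currency'] ?? '') === $order['currency']
        && ($ipn['mc_gross'] ?? '') === $order['total']
        && !in_array($ipn['txn_id'] ?? '', $seenTxnIds, true);
}

// Constructed sample body and stubbed PayPal replies so this runs offline.
// In a live handler: $raw = file_get_contents('php://input');
$raw   = 'payment_status=Completed&receiver_email=shop%40example.com'
       . '&mc_gross=19.95&mc_currency=USD&txn_id=SAMPLE-TXN-1';
$order = ['merchant_email' => 'shop@example.com', 'currency' => 'USD', 'total' => '19.95'];
$invalid  = fn(string $b): string => 'INVALID';
$verified = fn(string $b): string => 'VERIFIED';

var_dump(ipn_accept($raw, $order, [], $invalid));                  // post-back says INVALID
var_dump(ipn_accept($raw, $order, [], $verified));                 // verified and matches order
var_dump(ipn_accept($raw, $order, ['SAMPLE-TXN-1'], $verified));   // verified but txn_id already seen
```

In a live handler `$postBack` would be `'paypal_post_back'` and `$seenTxnIds` a lookup against the transaction IDs already stored with processed orders.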

Hooray! The penny has dropped, (<- UK for I see what you are saying!) My confusion was the title "Instant Payment Notification", I skipped through it as I thought it was another email.. DOH... :oops: ...

Thanks for your patience pbreit. I tested the IPN code and it works great. Apologies to PayPal, :lol: they have covered every option.

Cheers VT

This is all fine and dandy, however, it should be *strongly* suggested that *everyone* using the stock OSC PayPal payment module install the IPN contribution.

The stock OSC PayPal module does have a *major* security flaw, and it is possible for orders to go through the PayPal system *without* the customer paying.

Not a PayPal problem, but a problem with the stock OSC PayPal Payment Module.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either email or PM in my profile, and I'll be happy to help.

Works great on Ian's CRE5 out of the box.

I tried toying with it myself to see if I could fake an order and everything is working ok.

It even works if the user does not press the continue button to come back to the cart and decides to leave.
