pbreit
Posted March 25, 2003

This is *not* a PayPal weakness. PayPal's Instant Payment Notification provides a security measure that is easy to implement in standard PHP. It's even easier to utilize than the MD5 hash-style solution noted earlier since it does not rely on a shared secret and requires no configuration.

I am happy to assist the OSC PayPal module developers to optimize the PayPal integration.

Also, as has been noted, the "PayPal IPN" contribution implements IPN completely.

Patrick Breitenbach

Guest
Posted March 26, 2003

The one issue I see with PayPal is that there is no built-in referrer check :cry: . In other words, unless you put in your own referrer check, someone could send a fake post to your ordering system pretending to be from PayPal.

As pointed out in other posts, this should not affect items that need to be shipped, but virtual items or downloads would be vulnerable.

pbreit
Posted March 26, 2003

Except that IPN provides a mechanism to prevent that (a post-back to authenticate the txn).

Patrick Breitenbach

Guest
Posted March 26, 2003

> Except that IPN provides a mechanism to prevent that (a post-back to authenticate the txn).

I use PayPal quite a bit and I am a big fan of the service. :shock: I'm sure PayPal is extremely safe and users can't fake a transaction through PayPal. :D It might be I'm not a guru. :oops: However....

The point I was making was that I could send the same information to an ordering system as PayPal sends, from a different site. There would be no payment or transaction on PayPal, in fact nothing would be passed to PayPal; however, the ordering system would not know the post was not from PayPal unless there was a referrer check in the ordering system.

This would not be a problem for non-virtual items, as no one will ship without payment, but for instant memberships, file download access and suchlike, it could cause problems. :cry:

Not PayPal's fault, but I think it's a flaw in the process :!:

pbreit
Posted March 27, 2003

Except that IPN includes a simple method to authenticate the payment and prevent that from happening. PayPal has you post the txn back to PayPal and responds with a VERIFIED or INVALID.

Patrick Breitenbach

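The post-back check described in the post above, sketched in PHP as an added example that is not part of the thread or of the "PayPal IPN" contribution. The function names, the injected transport callable and the sample notifications are constructed for illustration, and the `cmd=_notify-validate` prefix is assumed from PayPal's IPN protocol rather than taken from the posts.

```php
<?php
// Added example: fail-closed IPN post-back check. All names are hypothetical.

// Send the notification body back unchanged, prefixed with the validate
// command (assumption: PayPal's IPN protocol), and accept only VERIFIED.
function ipn_is_verified(string $rawBody, callable $postToPayPal): bool {
    try {
        $reply = $postToPayPal('cmd=_notify-validate&' . $rawBody);
    } catch (Throwable $e) {
        return false; // transport failure: treat as unverified
    }
    return is_string($reply) && trim($reply) === 'VERIFIED';
}

// Release the order only after the post-back succeeds.
function handle_ipn(string $rawBody, callable $postToPayPal): string {
    if (!ipn_is_verified($rawBody, $postToPayPal)) {
        return 'rejected';
    }
    parse_str($rawBody, $fields);
    return 'fulfil order for txn ' . ($fields['txn_id'] ?? '?');
}

// Constructed stand-in for PayPal's side: it answers VERIFIED only for a
// notification it actually sent. In production this callable would make an
// HTTPS POST to PayPal instead.
$sent = ['txn_id=CONSTRUCTED123&payment_status=Completed&mc_gross=9.99'];
$fakePayPal = function (string $body) use ($sent): string {
    $original = substr($body, strlen('cmd=_notify-validate&'));
    return in_array($original, $sent, true) ? 'VERIFIED' : 'INVALID';
};

// Constructed inputs: one genuine notification, one POST made up by a third party.
$genuine = $sent[0];
$forged  = 'txn_id=FORGED999&payment_status=Completed&mc_gross=9.99';
$broken  = function (string $body): string {
    throw new RuntimeException('timeout');
};

echo handle_ipn($genuine, $fakePayPal), PHP_EOL; // genuine notification
echo handle_ipn($forged, $fakePayPal), PHP_EOL;  // forged POST from another site
echo handle_ipn($genuine, $broken), PHP_EOL;     // PayPal unreachable
```

The raw request body is posted back as received rather than rebuilt from parsed fields, so the bytes PayPal compares are the bytes it sent.
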
Guest
Posted March 27, 2003

Hooray! The penny has dropped (<- UK for "I see what you are saying"!)

My confusion was the title "Instant Payment Notification"; I skipped through it as I thought it was another email.. DOH... :oops: ...

Thanks for your patience, pbreit. I tested the IPN code and it works great.

Apologies to PayPal, :lol: they have covered every option.

Cheers
VT

wizardsandwars
Posted March 27, 2003

This is all fine and dandy; however, it should be *strongly* suggested that *everyone* using the stock OSC PayPal payment module install the IPN contribution.

The stock OSC PayPal module does have a *major* security flaw, and it is possible for orders to go through the PayPal system *without* the customer paying.

Not a PayPal problem, but a problem with the stock OSC PayPal Payment Module.

--------------------
NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit. If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.

gotflag
Posted March 27, 2003

And where would I download this new PayPal module? I'm a newbie. And which version of osc would you recommend, 2.1 or 2.2m1? I will only be using it for PayPal to start.

wizardsandwars
Posted March 27, 2003

1.) http://www.oscommerce.com/community/contributions
2.) MS1 :wink:

gotflag
Posted March 29, 2003

Has anyone actually successfully installed the PayPal IPN? So far, looking through the boards, all I see are problems with it. I just need to be able to take PayPal reliably.

maxrisc
Posted March 29, 2003

Works great on Ian's CRE5 out of the box. I tried toying with it myself to see if I could fake an order and everything is working ok. It even works if the user does not press the continue button to come back to the cart and decides to leave.

Archived
This topic is now archived and is closed to further replies.