opening SSL, security, (authorize.net)

Did anyone have to create a script to process credit cards using the AIM 
method through the AuthorizeNet gateway? I'm a little bit lost. There are 
a few things I must do and have never done before:
[e.g. open a SSL connection between my hosting server and their gateway and 
then post the data (credit card number, name, etc..) using a script.]

I used HTML forms to post data but never a script. Also, what about the 
safety concern of the following scenario:
1. My site displays a form to gather credit card info
2. Then posts to my script
3. My script sends that data and the transaction key (password) to their 
file for processing.

Q: What if someone just looks up the source of my form and submits their own 
data to step 2? My script would still process everything and send it all to 
step 3?
I know I could create a digest through MD5 based on let's say 
amount+secret_word and pass it as hidden to the form. Then my script in step 
2 could verify if the data is valid or if someone tried to send their own 
stuff, but in that case what's the use of the transaction key as the 
security parameter?

Mariusz


0
mojelisty
7/14/2003 5:54:18 PM
perl.beginners

mario kulka wrote:
> Did anyone have to create a script to process credit cards using the AIM 
> method through the AuthorizeNet gateway? I'm a little bit lost. There 
> are a few things I must do and have never done before:
> [e.g. open a SSL connection between my hosting server and their gateway 
> and then post the data (credit card number, name, etc..) using a script.]
> 
> I used HTML forms to post data but never a script. Also, what about the 
> safety concern of the following scenario:
> 1. My site displays a form to gather credit card info
> 2. Then posts to my script
> 3. My script sends that data and the transaction key (password) to their 
> file for processing.
> 
> Q: What if someone just looks up the source of my form and submits their 
> own data to step 2? My script would still process everything and send 
> it all to step 3?
> I know I could create a digest through MD5 based on let's say 
> amount+secret_word and pass it as hidden to the form. Then my script in 
> step 2 could verify if the data is valid or if someone tried to send 
> their own stuff, but in that case what's the use of the transaction key 
> as the security parameter?
> 

Haven't used the service personally, but you might want to have a look at:

http://search.cpan.org/author/IVAN/Business-OnlinePayment-AuthorizeNet-3.12/AuthorizeNet.pm

Might help answer your questions and provide code that you then wouldn't 
need to write. Always nice when there is already a wheel...

http://danconia.org

0
wiggins
7/14/2003 11:56:38 PM
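
The hidden-field digest check described in the question, as an added example that is not part of either post: the script signs the fields the customer must not change when it renders the form, then recomputes the digest in step 2 before anything goes to the gateway. It uses HMAC-SHA256 from Digest::SHA in place of the plain MD5 of amount+secret_word mentioned in the question; the secret, field names and order values are constructed assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constructed secret for illustration; it lives only on the server.
my $SECRET = 'constructed-server-side-secret';

# Step 1: sign the server-issued fields when the form is rendered.
sub sign_order {
    my ($order_id, $amount) = @_;
    return hmac_sha256_hex(join('|', $order_id, $amount), $SECRET);
}

# Compare two hex strings without stopping at the first difference.
sub same_digest {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Step 2: validate the posted fields, recompute the digest and compare.
# The strict patterns also keep '|' out of the fields, so the join is unambiguous.
sub verify_order {
    my (%form) = @_;
    return 0 unless defined $form{amount}   && $form{amount}   =~ /\A\d+\.\d{2}\z/;
    return 0 unless defined $form{order_id} && $form{order_id} =~ /\A\w+\z/;
    return same_digest(sign_order($form{order_id}, $form{amount}), $form{sig});
}

# Constructed sample submissions.
my %genuine = (order_id => 'A1001', amount => '49.95');
$genuine{sig} = sign_order(@genuine{qw(order_id amount)});
my %tampered = (%genuine, amount => '0.01');   # amount edited, old sig reused

for my $case ([genuine => \%genuine], [tampered => \%tampered]) {
    my ($name, $form) = @$case;
    printf "%-8s %s\n", $name, verify_order(%$form) ? 'accept' : 'reject';
}
```

The digest covers only the fields the server issued; the transaction key stays in the script, which sends it to the gateway in step 3.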