On Thu, May 17, 2007 at 09:45:18AM -0400, Kenneth Downs wrote:
> The last one left that I have is the sticky issue of a paypal IPN
> transaction coming in. I believe it applies generally to financial
> transactions. The user is sent by our application to the Paypal site.
> When they pay, paypal sends a POST with various information that we
> need. The user does not see this, it is behind the scenes. The POST
> request must run as an anonymous user because I have no state
> whatsoever. But the request must also commit financial data. This
> creates a vulnerability, at least in theory. There are fields contained
> in the transaction meant to allow confirmation and prevent fraud, but I
> just don't like that idea of running anonymously and committing
> financial data.
Just an additional comment to what others have said: have the incoming
connection from paypal just dump all the relevent data into an
unpriviledged table and have it send a NOTIFY. Then have a completely
seperate daemon, with the right priviledges, do any necessary
verification and update the real data. This at the very least gets you
out of handling transient connection failures, and seems more stable
all round...
Hope this helps,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.