Dave Page wrote:
Kenneth Downs wrote:
The last one left that I have is the sticky issue of a PayPal IPN
transaction coming in. I believe it applies generally to financial
transactions. The user is sent by our application to the Paypal site.
When they pay, PayPal sends a POST with various information that we
need. The user does not see this, it is behind the scenes. The POST
request must run as an anonymous user because I have no state
whatsoever. But the request must also commit financial data. This
creates a vulnerability, at least in theory. There are fields contained
in the transaction meant to allow confirmation and prevent fraud, but I
just don't like that idea of running anonymously and committing
financial data.
In this case it seems creating a stored procedure will not automatically
help, as then we just execute the SP anonymously, and it strikes me as
no different.
Has anybody pondered this and come up with anything?
In response to the incoming IPN you can create a connection back to the
PayPal server to validate it. IIRC, you basically just send the entire
request back again and it returns 'VERIFIED'.
Ah yes, that's true, thanks for the wake-up on that one.
--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010
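
The postback check described in this thread, as an added example that is not code from either poster: the handler echoes the raw IPN body back to PayPal and refuses to commit unless the answer is VERIFIED, then compares the anti-fraud fields with the order on record. The endpoint URL, the `cmd=_notify-validate` prefix and the field names follow PayPal's IPN documentation rather than the thread; `check_ipn`, `expected` and `seen_txn_ids` are hypothetical names.

```python
import urllib.parse
import urllib.request
from decimal import Decimal, InvalidOperation

# PayPal's live IPN postback endpoint (assumption of this example; not given in the thread).
PAYPAL_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"


def paypal_postback(body: bytes) -> str:
    """Send the validation request to PayPal over TLS and return its one-word answer."""
    req = urllib.request.Request(
        PAYPAL_VERIFY_URL, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("ascii", "replace").strip()


def check_ipn(raw_body: bytes, expected: dict, seen_txn_ids: set, postback=paypal_postback):
    """Return (ok, reason). Commit financial data only when ok is True."""
    # Echo the bytes exactly as received; re-encoding the fields can change them
    # and make PayPal answer INVALID for a genuine notification.
    verdict = postback(b"cmd=_notify-validate&" + raw_body)
    if verdict != "VERIFIED":
        return False, "postback answered %r" % verdict

    # Only now are the fields trusted enough to compare with our own order record.
    f = dict(urllib.parse.parse_qsl(raw_body.decode("latin-1"), keep_blank_values=True))
    if f.get("payment_status") != "Completed":
        return False, "payment not completed"
    if f.get("receiver_email", "").lower() != expected["receiver_email"].lower():
        return False, "paid to a different account"
    if f.get("mc_currency") != expected["currency"]:
        return False, "currency mismatch"
    try:
        paid = Decimal(f.get("mc_gross", ""))
    except InvalidOperation:
        return False, "unparseable amount"
    if paid != Decimal(expected["amount"]):
        return False, "amount mismatch"
    txn = f.get("txn_id", "")
    if not txn or txn in seen_txn_ids:  # a VERIFIED message can still be a replay
        return False, "missing or replayed txn_id"
    seen_txn_ids.add(txn)
    return True, "ok"
```

In a real deployment `seen_txn_ids` would be a unique-constrained column in the database, so that the replay check and the commit happen in one transaction.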