Re: Paypal and "going root"
Kenneth Downs <ken@secdat.com>
From: Kenneth Downs <ken@secdat.com>
To: Dave Page <dpage@postgresql.org>, pgsql general <pgsql-general@postgresql.org>
Date: 2007-05-18T12:23:07Z
Lists: pgsql-general
Dave Page wrote: > Kenneth Downs wrote: > >> The last one left that I have is the sticky issue of a paypal IPN >> transaction coming in. I believe it applies generally to financial >> transactions. The user is sent by our application to the Paypal site. >> When they pay, paypal sends a POST with various information that we >> need. The user does not see this, it is behind the scenes. The POST >> request must run as an anonymous user because I have no state >> whatsoever. But the request must also commit financial data. This >> creates a vulnerability, at least in theory. There are fields contained >> in the transaction meant to allow confirmation and prevent fraud, but I >> just don't like that idea of running anonymously and committing >> financial data. >> >> In this case it seems creating a stored procedure will not automatically >> help, as then we just execute the SP anonymously, and it strikes me as >> no different. >> >> Has anybody pondered this and come up with anything? >> >> > > In response to the incoming IPN you can create a connection back to the > paypal server to validate it. Iirc, you basically just send the entire > request back again and it returns 'VERIFIED'. > Ah yes, that's true, thanks for the wake-up on that one. -- Kenneth Downs Secure Data Software, Inc. www.secdat.com www.andromeda-project.org 631-689-7200 Fax: 631-689-0527 cell: 631-379-0010