Re: Paypal and "going root"

Kenneth Downs <ken@secdat.com>

From: Kenneth Downs <ken@secdat.com>
To: Dave Page <dpage@postgresql.org>, pgsql general <pgsql-general@postgresql.org>
Date: 2007-05-18T12:23:07Z
Lists: pgsql-general
Dave Page wrote:
> Kenneth Downs wrote:
>   
>> The last one left that I have is the sticky issue of a paypal IPN
>> transaction coming in.  I believe it applies generally to financial
>> transactions.  The user is sent by our application to the Paypal site. 
>> When they pay, paypal sends a POST with various information that we
>> need.  The user does not see this, it is behind the scenes.  The POST
>> request must run as an anonymous user because I have no state
>> whatsoever.  But the request must also commit financial data.  This
>> creates a vulnerability, at least in theory.  There are fields contained
>> in the transaction meant to allow confirmation and prevent fraud, but I
>> just don't like that idea of running anonymously and committing
>> financial data.
>>
>> In this case it seems creating a stored procedure will not automatically
>> help, as then we just execute the SP anonymously, and it strikes me as
>> no different.
>>
>> Has anybody pondered this and come up with anything?
>>
>>     
>
> In response to the incoming IPN you can create a connection back to the
> paypal server to validate it. Iirc, you basically just send the entire
> request back again and it returns 'VERIFIED'.
>   

Ah yes, that's true, thanks for the wake-up on that one.

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010