E-Junkie Forum

E-Junkie Forum http://www.e-junkie.com/bb/ E-Junkie Forum RSS en-us Copyright 2012, 19.5 Degrees. All rights reserved. webmaster@e-junkie.com webmaster@e-junkie.com Sun, 19 Jul 2009 13:48:14 GMT Fri, 10 Feb 2012 18:17:03 GMT 681 E-JUNKIE 5 E-Junkie Forum http://www.e-junkie.com/bb/ http://www.e-junkie.com/ej/logo.gif 290 104 Post #5 http://www.e-junkie.com/bb/topic/3054/pg/0#post10787 http://www.e-junkie.com/bb/topic/3054/pg/0#post10787 Sun, 19 Jul 2009 13:48:14 GMT
Also, it would be a nice idea to md5 the key code that gets sent. In some cases, if this gets sniffed it can be redeemed before the purchaser actually gets to redeem it themself!

1 further question.... PHP is not my strong point, so can you clarify for me please:

($_POST['handshake']!==md5("your@login.email".md5("your_e-junkie_password")))

Am I expecting:

email DOT password or
emailpassword
?

Thanks]]> E-junkie Discussions; instantxboxgold.com Post #4 http://www.e-junkie.com/bb/topic/3054/pg/0#post10787 http://www.e-junkie.com/bb/topic/3054/pg/0#post10787 Wed, 31 Dec 2008 20:54:19 GMT zvikicoRegarding VAT: I couldn't find the option to block it in my PayPal account. Can somebody point me in the right direction?

Inquire with PayPal help pages or support staff directly and let them know you are using a third-party cart that already adds VAT before going to a PayPal checkout. A search for VAT in their help pages didn't return any results, but I am thinking this may be related to their Sales Tax settings, so if you disable adding Sales Tax, that may disable VAT as well? Any information we have regarding PayPal would be secondhand, so better to get the final word straight from the source.

If there's a mismatch, I will not get an IPN and have to process it manually? Is there a way to send the IPN later? (my system is automated, so I have no way of entering payments manually)
BTW, from my experience, PayPal IPNs are sometimes fail to verify on legitimate transactions. What happens in such cases?

Honestly, the case of a mismatch is so rare that we only ever hear about it in a "what if" context like this, and in fact I cannot even recall ever handling any support inquiry regarding an actual mismatch in any real transaction context.

In the highly unlikely event of a mismatch, you can choose to block such transactions in your PayPal account, so checkout cannot complete in the first place, or if you choose to allow PayPal to process mismatched transactions, then we will not process the sale (including no IPN forwarding to your integration URL) but will only send you notification of the problem. You may wish to contact the buyer directly to explain the problem, perhaps refund their payment and have them try again.

Regarding the verification: How can I confirm the IPNs are coming from your server?
The MD5 handshake is constant as long as I don't change my username/password. This means that if somebody sniffed an IPN from your server to mine, he can easily spoof a message. Having a handshake which is an MD5 of other, not constant properties, public and obscure, (e.g. my password and the payer email) will greatly improve the security in this case.

Hm, you raise some interesting points there, ones which Development would be in a better position to consider and address, so I'll assign this to our Lead Developer's attention. I do like the idea in theory of having a "disposable single-use" MD5 handshake derived from one secret component (e.g. your password) and one dynamic component transmitted with the order data (e.g. buyer's email, or transaction ID, etc.)]]> E-junkie Discussions; E-junkieGuru Post #3 http://www.e-junkie.com/bb/topic/3054/pg/0#post10787 http://www.e-junkie.com/bb/topic/3054/pg/0#post10787 Wed, 31 Dec 2008 06:33:02 GMT
(I thought it would be better for you to answer in the forum so I took it here)

Regarding VAT: I couldn't find the option to block it in my PayPal account. Can somebody point me in the right direction?

If there's a mismatch, I will not get an IPN and have to process it manually? Is there a way to send the IPN later? (my system is automated, so I have no way of entering payments manually)
BTW, from my experience, PayPal IPNs are sometimes fail to verify on legitimate transactions. What happens in such cases?

Regarding the verification: How can I confirm the IPNs are coming from your server?
The MD5 handshake is constant as long as I don't change my username/password. This means that if somebody sniffed an IPN from your server to mine, he can easily spoof a message. Having a handshake which is an MD5 of other, not constant properties, public and obscure, (e.g. my password and the payer email) will greatly improve the security in this case.

Zviki]]> E-junkie Discussions; zvikico Post #2 http://www.e-junkie.com/bb/topic/3054/pg/0#post10787 http://www.e-junkie.com/bb/topic/3054/pg/0#post10787 Tue, 30 Dec 2008 23:26:49 GMT
The case of a mismatch in destination country provided in our cart vs. during Checkout varies according to payment processor; see each case described here:
http://www.e-junkie.com/ej/faq.shipping-destination-mismatch.htm

I think I already answered your IPN concern via email earlier, but for the benefit of others reading along, I will paste my answer again here:

We already validate the IPNs we receive from PayPal before forwarding the order data to your integration URL, so there is no chance our system would transmit data to your URL without having received a valid IPN (or equivalent payment confirmation from non-PayPal processors), and of course your integration URL would never be exposed to the public. If you suspect someone could guess your integration-submission URL and try to spoof our transmissions, you could do some verification of your own to confirm any POSTs to your URL are actually coming from our server, perhaps use the MD5-hashed handshake method suggested on our Integration help page (see Additional Variables section):
http://www.e-junkie.com/ej/help.integration.htm]]> E-junkie Discussions; E-junkieGuru Post #1 http://www.e-junkie.com/bb/topic/3054/pg/0#post10787 http://www.e-junkie.com/bb/topic/3054/pg/0#post10787 Tue, 30 Dec 2008 14:41:07 GMT
I'm selling my product using PayPal Website Payments Standard. I need to charge VAT from certain countries. I can define the VAT either in e-junkie or in PayPal.

I can see it is more user friendly to define the VAT in e-junkie, so the user will know the total sum before heading over to do the payment. I saw in earlier discussions that I need to remove the VAT from PayPal - is that correct?

My main question: I require PayPal to get an address from my customers (for VAT purposes, I don't do any shipping). Do you verify that the PayPal address information matches the country/zip entered in the shopping cart screen?

I was also concerned about the lack of IPN verification - my server dispenses license keys according to inbound IPNs. No verification means someone can easily spoof those IPNs. What do you do to avoid that?

Thanks,
Zviki]]> E-junkie Discussions; zvikico