I was just reading http://www.e-junkie.com/ej/help.selling-codes.php and I really liked the way you had the registration codes set up. That is, until I looked at it further.
Based on the example, the handshake is always going to be the same. Therefore, very easy for someone to spoof.
Also, the idea of having the ejunkie login/password embedded in the php file makes me cringe (although, you could figure out the md5 of the pw and just use that). Would it be possible to make it a little more sophisticated? I was thinking along the lines of using a 'shared secret' key + hmac. The handshake would then be: hmac('shared secret', 'transaction id') If php is your thing, there is code here: http://www.php.net/sha1 This will prevent someone from just spoofing the handshake.
What are your thoughts about this? The current implementation is rather weak. Unless I'm missing something??
Thanks, I look forward to hearing back from you!