好authorize.net PHP庫

include("../../simdata.php"); 
... 
<!--form action="https://test.authorize.net/gateway/transact.dll" method="POST"--> 
<FORM action="https://secure.authorize.net/gateway/transact.dll" method="POST"> 
<? 
$x_description = "website.com"; 
$currency = ""; 
$tstamp = time(); 
// Seed random number for security and better randomness. 
srand(time()); 
$sequence = rand(1, 1000); 
$data = "$x_loginid^$sequence^$tstamp^$total^$currency"; 
#echo "data = $data\n"; 
#echo $x_tran_key; 
$fingerprint = bin2hex(mhash(MHASH_MD5, $data, $x_tran_key)); 
# php 5 only $fingerprint = hash_hmac("md5", $data, $x_tran_key); 
echo ("<input type='hidden' name='x_fp_sequence' value='" . $sequence . "'>\n"); 
echo ("<input type='hidden' name='x_fp_timestamp' value='" . $tstamp . "'>\n"); 
echo ("<input type='hidden' name='x_fp_hash' value='" . $fingerprint . "'>\n"); 
echo ("<input type=\"hidden\" name=\"x_description\" value=\"" . $x_description . "\">\n"); 
echo ("<input type=\"hidden\" name=\"x_login\" value=\"$x_loginid\">\n"); 
echo ("<input type=\"hidden\" name=\"x_amount\" value=\"$total\">\n"); 

?> 
<input type="hidden" name="x_first_name" value="<?=firstName($_SESSION['user']['name'])?>"> 
<input type="hidden" name="x_last_name" value="<?=lastName($_SESSION['user']['name'])?>"> 
<input type="hidden" name="x_company" value="<?=$_SESSION['user']['company']?>"> 
<input type="hidden" name="x_address" value="<?=$_SESSION['user']['address']?>"> 
<input type="hidden" name="x_city" value="<?=$_SESSION['user']['city']?>"> 
<input type="hidden" name="x_state" value="<?=$_SESSION['user']['state']?>"> 
<input type="hidden" name="x_zip" value="<?=$_SESSION['user']['zip']?>"> 
<input type="hidden" name="x_phone" value="<?=$_SESSION['user']['phone']?>"> 
<input type="hidden" name="x_email" value="<?=$_SESSION['user']['email']?>"> 
<input type="hidden" name="x_cust_id" value="<?=$_SESSION['user']['username']?>"> 
<INPUT TYPE="HIDDEN" name="x_logo_url" VALUE= "https://secure.authorize.net/mgraphics/logo_99999.gif"> 
<INPUT type="hidden" name="x_show_form" value="PAYMENT_FORM"> 
<!--INPUT type="hidden" name="x_test_request" value="TRUE"--> 

<!--input type="hidden" name="x_receipt_link_method" value="POST"> 
<input type="hidden" name="x_receipt_link_text" value="Click for listings"> 
<input type="hidden" name="x_receipt_link_url" value="http://website.com/confirmation.php"--> 

<input type="hidden" name="x_relay_response" value="TRUE"> 
<input type="hidden" name="x_relay_url" value="http://website.com/confirmation.php"> 
<input type="hidden" name="<?=session_name()?>" value="<?=session_id()?>"> 

<input type="hidden" name="" value=""> 
<input type="hidden" name="" value=""> 
<input type="hidden" name="" value=""> 
<? if ($total==0) { ?> 
    <a href="account.php">Your Account</a> 
<? } else { ?> 
    <INPUT type="submit" value="Accept Order"> 
<? } ?> 
</form>

這是我使用的confirmation.php

include("../../simdata.php"); 
#print_r($_POST); 

// verify transaction comes from authorize.net and save user details 
$responseCode = $_POST['x_response_code']; 
if ($responseCode == 1) { // approved 
    $md5 = $_POST['x_MD5_Hash']; 
    $transId = $_POST['x_trans_id']; 
    $amount = $_POST['x_amount']; 
    $myMD5 = strtoupper(md5("$x_tran_key$x_loginid$transId$amount")); 
    #echo $myMD5; 
    #print_r ($_POST); 
    #print_r ($_SESSION['user']); 

    if ($myMD5 == $md5) { // authenticated response from authorize.net 
     ... 
    } else { 
     $error = "Unauthenticated response."; 
    } 
} else if (isset($_POST['x_response_code'])) { // error 
    $error = $_POST['x_response_reason_text'].", #".$_POST['x_response_code'].'.'.$_POST['x_response_subcode']. 
     '.'.$_POST['x_response_reason_code']; 
}

來源

2009-08-03 09:48:05 Chloe

+2

只需注意$ x_tran_key不是Authorize.Net事務密鑰。這是在設置下在其帳戶上生成的MD5哈希。我一遍又一遍地運行你的代碼，直到我明白這個事實，才能運行它。 – Volomike 2013-03-17 00:18:42

+0

使用這種方法有沒有實際的安全處罰？這仍然是什麼攻擊？ – 2015-10-22 15:24:48

+0

當時我知道的比我多，我不會使用`rand`，而是使用`mcrypt_create_iv`。如果我今天這樣做了，我會使用他們的API。 – Chloe 2015-10-22 19:49:36