| From: | Kenneth Downs <ken(at)secdat(dot)com> |
|---|---|
| To: | Dave Page <dpage(at)postgresql(dot)org>, pgsql general <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Paypal and "going root" |
| Date: | 2007-05-18 12:23:07 |
| Message-ID: | 464D9AAB.5030700@secdat.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Dave Page wrote:
> Kenneth Downs wrote:
>
>> The last one left that I have is the sticky issue of a paypal IPN
>> transaction coming in. I believe it applies generally to financial
>> transactions. The user is sent by our application to the Paypal site.
>> When they pay, paypal sends a POST with various information that we
>> need. The user does not see this, it is behind the scenes. The POST
>> request must run as an anonymous user because I have no state
>> whatsoever. But the request must also commit financial data. This
>> creates a vulnerability, at least in theory. There are fields contained
>> in the transaction meant to allow confirmation and prevent fraud, but I
>> just don't like that idea of running anonymously and committing
>> financial data.
>>
>> In this case it seems creating a stored procedure will not automatically
>> help, as then we just execute the SP anonymously, and it strikes me as
>> no different.
>>
>> Has anybody pondered this and come up with anything?
>>
>>
>
> In response to the incoming IPN you can create a connection back to the
> paypal server to validate it. Iirc, you basically just send the entire
> request back again and it returns 'VERIFIED'.
>
Ah yes, that's true, thanks for the wake-up on that one.
--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Kenneth Downs | 2007-05-18 12:30:08 | Re: Paypal and "going root" |
| Previous Message | Gerhard Wiesinger | 2007-05-18 11:55:30 | Tools for dumping pg_xlog, pg_clog, etc? |