Posted by Michael Vilain on 03/01/07 17:59

In article <MXDFh.3524$jx3.345@newssvr25.news.prodigy.net>,
Paul Furman <paul-@-edgehill.net> wrote:

> Jerry Stuckle wrote:
>
> > Paul Furman wrote:
> >
> >> I'm setting up credit card payment through authorize.net and they have
> >> the option to send a POST string back to my site once complete. I'm
> >> not sure how to proceed. They don't have much to read about this,
> >> their tech support seemed to think I've got the general idea though &
> >> said I might have have my hosting server set up permissions to recieve
> >> POST data that way.
> >>
> >> Let me paste their explanation:
> >> -----------
> >> Gateway Response API
> >> This section describes the response returned by the gateway when a
> >> transaction is submitted for processing. The gateway response to a
> >> transaction submitted via SIM is either a Receipt Page that is
> >> displayed to the consumer or a POST string to a site designated by the
> >> merchant. The merchant can then parse the POST string, customize a
> >> response, and submit it back to the gateway. The gateway will then
> >> relay the response to the customer�s browser.
> >>
> >> x_response_code
> >> Indicates the result of the transaction:
> >> 1 = Approved
> >> 2 = Declined
> >> 3 = Error
> >>
> >> x_trans_id
> >> This number identifies the transaction in the system and can be used
> >> to submit a modification of this transaction at a later time, such as
> >> voiding, crediting or capturing the transaction.
> >>
> >> x_invoice_num
> >> This is the merchant's supplied invoice number
> >>
> >> etc...
> >> --------
> >>
> >> So best I figure I'm going to get a redirect to my server And I'm
> >> guessing I'd use something like this:
> >>
> >> if (isset($_REQUEST['x_response_code'])) {
> >> //then finalize the order, subtract from inventory
> >> // and generate a reciept
> >>
> >> And I'm not so comfortable with the idea of setting up a page on my
> >> site that lets any external server send POST data & retrieve
> >> customer's order details. I think I'm not understanding all this. I do
> >> need to know if their credit card was accepted to continue processing
> >> the order on my end though. I don't want to update the inventory &
> >> they end up getting their card rejected or give up.
> >
> >
> > Paul
> >
> > It's just a page they POST the information to, just like a browser.
> >
> > Set up the page you want them to access. The data they send will be in
> > the $_POST array.
>
> OK I got it working sort of... problem is, one more step that's optional
> for the customer... there is no automatic redirect, the customer has to
> click another button to go back to our site and finalize the transaction
> on our end. At that point, their credit card is already charged though.
> The alternative is to use the Relay method which sounds considerably
> more complicated, perhaps I'll just trust that they will click that last
> button... if I word it right.
>
> [Checkout] [Cancel]
> -type in CC number, seeded $amount, name address & 255 character
> description, etc.
> [Submit]
> -reciept page shows at authorize.net minus full list of what's ordered
> -email copy sent from them
> [Finalize Transaction]
> -returns to our site with confirmation status in POST where we then
> remove inventory and another email is sent out with the full order list.
>
> I'm guessing there is a security issue with my web site if it can
> recieve POST data from an external source like that, I haven't actually
> checked if it's coming through yet.

I used AIM (advanced Integration Method) with a perl cgi script to send
a page to the secure server through SSL. The returned status of the
actual call in perl is the POST result which I parsed. Then I return
the user to the page I want them to after displaying "Your card has been
charged. DO NOT use the BACK button or it will be charged again!"

I didn't investigate how to do this purely with php as my ISP didn't
offer php as a CGI language, only perl or shell. So, perl it was.

Of course, YMMV. Learning perl along with php (not that great a jump)
would look very good on a resume, btw...

--
DeeDee, don't press that button! DeeDee! NO! Dee...

[Back to original message]