It should not be a difficult solution at all. AuthorizeNet just needs the information but the HTML form does not. You simply put the Transaction code and the username in the .conf file and have the .cgi grab it from there after the form is submitted as it's building the transaction to AuthorizeNet. The .cgi already has to build the timestamp information at the last second, just build in that too. AuthorizeNet has a (too simple) perlscript on their page to show how to do it, or I can email you mine.

Bryan Britt
Beltane Web Services
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ICQ: 53037451
Bryan L. Britt 501-327-8558
Beltane Web Services, Conway, AR
http://www.beltane.com
~~~~~~~~~~Support Private Communications on the Internet~~~~~~~~~~

----------------------- Original Message -----------------------
On Wed, 30 Jun 2004 15:59:14 -0400, "Kim Phelan" <[EMAIL PROTECTED]> wrote:

> Hi everyone.
> Wanted to note to the list, that this request didn't go into
> the "ether" instead, we are working with Authorize to see
> if we can devise a better way to deal with the trans
> code.
>
> Combined with the conversion of SiteGalore's application
> to publish to HTML instead of javascript only, the Authorize
> answer is taking a little longer than I'd like.
> (but HTML is still on track for Tuesday)
>
> I know, excuses, excuses, but we are on it :)
>
> Kim
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Kim Phelan
> Sent: Monday, June 28, 2004 7:19 AM
> To: Mark Geisinger; [EMAIL PROTECTED]
> Subject: RE: Website Builder exposes Authorize.net login+key
>
>
> I agree if this can be avoided it should be
> I'll pass it along to the developers and get them to
> look into it ASAP.
>
> Thanks guys.
>
> Kim
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Mark Geisinger
> Sent: Monday, June 28, 2004 2:26 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Website Builder exposes Authorize.net login+key
>
>
> On Monday, June 28, 2004, 12:31:06 AM, you wrote:
> > Mark Geisinger wrote:
>
> >> Wondering if Website Builder might be useful for an entry level
> >> e-commerce site, and being curious how it's handling the payment
> >> gateways in JavaScript, I set up a trial account and had a look at
> >> the checkout page. Much to my surprise, I found that the Authorize.net
> >> login name and transaction key are in clear text in the generated
> >> page. The login name is in a hidden form field, and the transaction
> >> key is assigned to a variable in call_sub().
> >>
> >> Does anyone at Tucows think this is a really, really, bad idea?
> >
>
> > Is the "transaction key" that you speak of the same as the account
> > password?
>
> While they are two discrete values for Authorize.net, the answer to your
> question is yes. Absent a transaction key being established for a merchant
> account, the account password can be used in x_password.
>
> > It would take someone about five seconds to guess our account login, so
> > AFAIC embedding it in a generated page's source is somewhat stupid, but
> > harmless. Embedding the account password, on the other hand, would be
> > quite serious.
>
> > I'm looking at some code I wrote for the AuthorizeNet 3.1 gateway and
> > there are two form fields clearly named "x_login" and "x_password".
> > In this trial account, have you actually set it up to use your
> > AuthorizeNet account so that you can verify that this "transaction key" is
> > indeed your account password?
>
> Hu? There is no need to either use an actual account's credentials, or verify
> anything beyond the fact that the login name and transaction key is in the
> source in clear text. Here's the source with the login of "bubba" and the
> transaction key of "bubbafied".
>
> function call_sub(frm_obj)
> {
>     loginid = frm_obj.x_login.value;
>     sequence = frm_obj.x_fp_sequence.value;
>     frm_obj.x_fp_timestamp.value = tstamp;
>     tstamp = frm_obj.x_fp_timestamp.value;
>     amount = frm_obj.x_amount.value;
>     txnkey = "bubbafied";
>     currency = frm_obj.x_currency_code.value;
>     data = loginid + "^" + sequence + "^" + tstamp + "^" + amount + "^" + currency ;
>     var fingerprint = hex_hmac_md5 ( txnkey, data );
>     frm_obj.x_fp_hash.value = fingerprint;
>     frm_obj.x_invoice_num.value = frm_obj.x_fp_sequence.value + "" + parseInt( (Math.random()*10000) );
>     frm_obj.submit();
>     return true;
> }
>
> <input type='hidden' name='x_login' value='bubba' >
>
> --
> Best regards,
>
> Mark Geisinger
> [EMAIL PROTECTED]
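
The server-side approach described in the reply at the top of this thread, sketched as an added example (not code from the thread, from Tucows or from Authorize.net): the login and transaction key are read from a config file and the fingerprint is computed after the form is submitted, so the page sent to the browser carries neither. It is written for Node.js rather than as a Perl CGI; the key=value config layout, the `x_tran_key` config name and the form action path are assumptions.

```javascript
const crypto = require('node:crypto');

// Constructed sample .conf (layout and x_tran_key name are assumptions; dummy values from the thread).
const SAMPLE_CONF = '# gateway credentials\nx_login=bubba\nx_tran_key=bubbafied\n';

// Parse key=value lines; blank lines and # comments are skipped.
function parseConf(text) {
  const conf = {};
  for (const line of text.split('\n')) {
    const m = /^\s*([^#=\s]+)\s*=\s*(.*?)\s*$/.exec(line);
    if (m) conf[m[1]] = m[2];
  }
  return conf;
}

function hmacMd5Hex(key, data) {
  return crypto.createHmac('md5', key).update(data, 'utf8').digest('hex');
}

// Reject anything that is not a plain decimal amount and a three-letter currency code.
function validateOrder(order) {
  if (!/^\d{1,7}\.\d{2}$/.test(order.amount)) throw new Error('bad amount');
  if (!/^[A-Z]{3}$/.test(order.currency)) throw new Error('bad currency');
}

// Server side: build the gateway fields after the form has been submitted.
function buildGatewayFields(conf, order, nowSeconds, sequence) {
  if (!conf.x_login || !conf.x_tran_key) throw new Error('credentials missing from conf');
  validateOrder(order);
  const seq = String(sequence), tstamp = String(nowSeconds);
  // Same input string as the page's call_sub(): login^sequence^timestamp^amount^currency
  const data = [conf.x_login, seq, tstamp, order.amount, order.currency].join('^');
  return {
    x_login: conf.x_login, x_fp_sequence: seq, x_fp_timestamp: tstamp,
    x_amount: order.amount, x_currency_code: order.currency,
    x_fp_hash: hmacMd5Hex(conf.x_tran_key, data), // the key itself is never returned
  };
}

// Browser side: the generated checkout form holds no login, key or hash.
function renderCheckoutForm(order) {
  validateOrder(order);
  return [
    '<form method="post" action="/cgi-bin/checkout.cgi">', // hypothetical path
    `<input type="hidden" name="x_amount" value="${order.amount}">`,
    `<input type="hidden" name="x_currency_code" value="${order.currency}">`,
    '<input type="submit" value="Pay"></form>',
  ].join('\n');
}
```

In a deployed handler the amount would come from the server's own order record rather than from the posted form, since hidden fields can be edited by the client.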
