[thelist] OT: e-commerce PayPal - And another question on top of that :)

Keith cache at dowebscentral.com
Thu May 9 16:05:01 CDT 2002


At 09:14 AM Thursday 5/9/02, Galen wrote:


>Please pardon my lack of knowledge but would this be correct (not coded,
>stated in theory?) If the referrer is www.paypal.com/*whatever actual pay
>URL is*

Nope. Don't use a referrer, ever, to authenticate the source of a
transmission. HTTP_REFERER is very easy to fake. Instead, create a unique
ID for the transaction, store it, and send that ID with the payment to
PayPal; on return from PayPal, check the ID for validity. Or use PayPal's
"Instant Notification" script. With IN they send a unique ID with their
response; the script contacts PayPal server-to-server and asks it to verify
the ID; their server responds directly to your server that the ID is
verified, and you go on to process the results.


>I just watched a piece on TechTV about PayPal...  Basically the same things
>we have gone over here, be careful and be honest and realise that they are
>no longer a bank (if they ever were) and you should be all set barring
>disgruntled customers.


PayPal never was a bank. In a way they are reinventing basic banking
concepts in web terms, while the banking community hasn't done anything
more than bolt the web up to their 1960's banking concepts.

In fact, PayPal started out as a lark so some guy could tip the waiter at
the restaurant by sending his tip to the waiter's Palm Pilot. The next
thing they knew people were using it on eBay for auctions and they had to
redesign to handle that. PayPal has been playing catch-up with their users'
use of them all along. It's quite an interesting story of how need and
response play a never-ending game of tag. Every time PayPal thinks they
solved yesterday's need the users see new opportunity in how they solved
it and create new needs.


keith

cache at dowebscentral.com
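
The stored transaction ID check described in the message above, as an added example that is not part of the original post or any PayPal code. The names PendingPayments, handle_return, txn_id and amount_cents are hypothetical, and the return request is a constructed dict; the server-to-server verification step is not modelled.

```python
import secrets
import time


class PendingPayments:
    """Server-side record of transaction IDs sent out with a payment."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._pending = {}  # txn_id -> (order_id, amount_cents, issued_at)

    def issue(self, order_id, amount_cents, now=None):
        """Create an unguessable ID, store it, and return it for the pay form."""
        txn_id = secrets.token_urlsafe(32)
        issued = time.time() if now is None else now
        self._pending[txn_id] = (order_id, amount_cents, issued)
        return txn_id

    def redeem(self, txn_id, amount_cents, now=None):
        """Validate a returned ID. Returns the order ID, or None if rejected."""
        record = self._pending.get(txn_id)
        if record is None:
            return None                    # unknown, forged, or already used
        order_id, expected_amount, issued = record
        current = time.time() if now is None else now
        if current - issued > self.ttl:
            del self._pending[txn_id]      # expired: discard the record
            return None
        if amount_cents != expected_amount:
            return None                    # amount does not match what we stored
        del self._pending[txn_id]          # single use, so a replay fails
        return order_id


def handle_return(store, request, now=None):
    """Process a constructed 'return from payment site' request (a dict).

    The Referer header is deliberately never read: the client controls it.
    """
    params = request.get("params", {})
    try:
        amount = int(params.get("amount_cents", ""))
    except (TypeError, ValueError):
        return None
    return store.redeem(params.get("txn_id", ""), amount, now=now)
```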



