Actually, VeriSign/Signio use the same method for merchant ID, except you don't need to pass the amount as a hidden variable, but you certainly can. However, when the merchant sets up the gateway parameters on the VeriSign end, they specify the URL that the form is accepted from. So, if you try to spoof the form and send it from an untrusted server, you are SOL. I assume these guys have a similar setup.

>At 04:10 PM 10/18/2000, you wrote:
>>on 10/18/00 1:09 PM, Anthony Baratta at Tony at IdeaSystems.com wrote:
>>
>> > http://www.rtware.net/weblink.html
>
>My point with the incredulous-ness of the service is that you are
>embedding your login name AND price using hidden fields in the form!!! SSL
>or not, this is NOT secure. Not by a long shot.
>
>I can't believe that this is even considered a viable solution. I'm the
>last person to ask about security (OK maybe not last, but I don't play a
>security expert on TV.) and this seems so full of holes that I'm
>dumbfounded - versus struck dumb like some people would prefer me. ;-)
>
>I'll slink away and say no more if you think I'm smoking crack.
>
>----
>Anthony Baratta
>President
>Keyboard Jockeys
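
An added example, not part of the original thread and not code from VeriSign or the service discussed: a merchant-side check that applies the form-URL restriction described in the reply and also compares the posted hidden amount with a price recorded server-side. The order IDs, field names and URL are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data: prices the merchant recorded server-side per order.
ORDER_PRICES = {"A1001": Decimal("49.95"), "A1002": Decimal("120.00")}
# Hypothetical form URL that the merchant registered with the gateway.
REGISTERED_FORM_URL = "https://shop.example/checkout.html"


def review_payment_post(form, referer):
    """Return a list of rejection reasons; an empty list means the post is accepted."""
    problems = []
    # The restriction described in the reply: accept the form only from the registered URL.
    if referer != REGISTERED_FORM_URL:
        problems.append("form not posted from registered URL")

    expected = ORDER_PRICES.get(form.get("order_id", ""))
    if expected is None:
        problems.append("unknown order")
        return problems

    # The hidden 'amount' field arrives from the browser, so it is compared
    # with the stored price instead of being used as the charge amount.
    try:
        posted = Decimal(form.get("amount", ""))
    except InvalidOperation:
        problems.append("amount is not a number")
        return problems
    if posted != expected:
        problems.append(f"amount {posted} does not match recorded price {expected}")
    return problems


if __name__ == "__main__":
    # Constructed posts: one untouched, one with an edited hidden amount.
    samples = [
        ({"order_id": "A1001", "amount": "49.95"}, REGISTERED_FORM_URL),
        ({"order_id": "A1001", "amount": "0.01"}, REGISTERED_FORM_URL),
    ]
    for form, referer in samples:
        print(form, "->", review_payment_post(form, referer) or "accepted")
```

The amount comparison does not depend on where the form was posted from, so it still applies when the URL check passes.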