Re: How do I stop people posting their own shopping carts?

Hi Ropu,

I read your suggestion on how to secure the cart for HTML
api
Integration. I have a question...Right now, I'm using using
one-way
posting to Google Checkout. my e-commerce store cannot
accept API
callbacks for some reason. so all my inventory and orders
are not
integrated at all in my store when someone checks out with
Google. My
question is will this private merchant data implementation
work in my
case or not? Thank you very much.

eb

On Apr 30, 10:32 am, Ropu <rovagn...gmail.com> wrote:
> Hi, i can give you a tip, but u must create ur own
security for HTML
>
> Use the merchant private data taghttp://code.google.com/apis/checkout/dev
eloper/index.html#tag_merchan...
>
> In that tag puta unique random string that identifies
ur cart and addit to
> some table in the DB, or if u want, sign the whole HTML
cart, and add the
> signature.
>
> then, when the cart comes back in the new order notif,
check if the unique
> string is stored in ur DB. Or recontruct (this would be
the dificult part,
> because a space will change the cart, and the correct
signature!!) the cart
> and check for the signature. For the second, u can use
as cart a concat of
> Name, description, quantity and price for each item as
a big whole string.
>
> hops this ideas helps,
>
> if i have some time, i'll try to do a php
implementation of them
>
> ropu
>
> On 4/30/07, Alan <googlecheck...greatdealsinstore.co.uk> wrote:
>
>
>
>
>
>
>
> > On Apr 26, 7:14 pm, Ropu <rovagn...gmail.com> wrote:
> > > Hi Alan,
>
> > > yes, this issue has been discussed
>
> > > but here is the
> > answerhttp://code.google.com/apis/checkout/dev
eloper/google_checkout_html_a...
>
> > <snip>
>
> > > hope this helps
>
> > So basically I have to use the XML API if I want
any kind of security?
> > OK, I guess if that's the way it is, I will do it.
Just seems such an
> > obviously open hole in the whole system that I was
hoping Google would
> > have closed it. I can see this being a prime
target for scammers
> > trying to pull a fast one. I wonder how carefully
users of the HTML
> > API will check their orders?
>
> > Thanks for the reply.
> > Alan
>
> --
> .-. --- .--. ..-
> R  o  p  u- Hide quoted text -
>
> - Show quoted text -


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the
Google Groups "API Integration Basics" group.
To post to this group, send email to
google-checkout-api-integrationgooglegroups.com
To unsubscribe from this group, send email to
google-checkout-api-integration-unsubscribegooglegroups.com
For more options, visit this group at http://groups.google.com/group/google-checko
ut-api-integration?hl=en
-~----------~----~----~----~------~----~------~--~---

In the method ropu described, unless you get the callback
and match the 
signature, there is no way you will be able to validate the
order.

----- Original Message ----- 
From: "eb" <salesebunlimited.com>
To: "Google Checkout Developers Forum - API Integration
Basics" 
<google-checkout-api-integrationgooglegroups.com>
Sent: Monday, April 30, 2007 1:10 PM
Subject: [google-checkout-api-integration] Re: How do I stop
people posting 
their own shopping carts?


>
> Hi Ropu,
>
> I read your suggestion on how to secure the cart for
HTML api
> Integration. I have a question...Right now, I'm using
using one-way
> posting to Google Checkout. my e-commerce store cannot
accept API
> callbacks for some reason. so all my inventory and
orders are not
> integrated at all in my store when someone checks out
with Google. My
> question is will this private merchant data
implementation work in my
> case or not? Thank you very much.
>
> eb
>
> On Apr 30, 10:32 am, Ropu <rovagn...gmail.com> wrote:
>> Hi, i can give you a tip, but u must create ur own
security for HTML
>>
>> Use the merchant private data 
>> taghttp://code.google.com/apis/checkout/dev
eloper/index.html#tag_merchan...
>>
>> In that tag puta unique random string that
identifies ur cart and addit 
>> to
>> some table in the DB, or if u want, sign the whole
HTML cart, and add the
>> signature.
>>
>> then, when the cart comes back in the new order
notif, check if the 
>> unique
>> string is stored in ur DB. Or recontruct (this
would be the dificult 
>> part,
>> because a space will change the cart, and the
correct signature!!) the 
>> cart
>> and check for the signature. For the second, u can
use as cart a concat 
>> of
>> Name, description, quantity and price for each item
as a big whole 
>> string.
>>
>> hops this ideas helps,
>>
>> if i have some time, i'll try to do a php
implementation of them
>>
>> ropu
>>
>> On 4/30/07, Alan <googlecheck...greatdealsinstore.co.uk> wrote:
>>
>>
>>
>>
>>
>>
>>
>> > On Apr 26, 7:14 pm, Ropu <rovagn...gmail.com> wrote:
>> > > Hi Alan,
>>
>> > > yes, this issue has been discussed
>>
>> > > but here is the
>> > answerhttp://code.google.com/apis/checkout/dev
eloper/google_checkout_html_a...
>>
>> > <snip>
>>
>> > > hope this helps
>>
>> > So basically I have to use the XML API if I
want any kind of security?
>> > OK, I guess if that's the way it is, I will do
it. Just seems such an
>> > obviously open hole in the whole system that I
was hoping Google would
>> > have closed it. I can see this being a prime
target for scammers
>> > trying to pull a fast one. I wonder how
carefully users of the HTML
>> > API will check their orders?
>>
>> > Thanks for the reply.
>> > Alan
>>
>> --
>> .-. --- .--. ..-
>> R  o  p  u- Hide quoted text -
>>
>> - Show quoted text -
>
>
> > 


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the
Google Groups "API Integration Basics" group.
To post to this group, send email to
google-checkout-api-integrationgooglegroups.com
To unsubscribe from this group, send email to
google-checkout-api-integration-unsubscribegooglegroups.com
For more options, visit this group at http://groups.google.com/group/google-checko
ut-api-integration?hl=en
-~----------~----~----~----~------~----~------~--~---