[Zope] Newbie: PayPal and Zope

Rick St Jean rstjean@internet.look.ca
Sun, 17 Jun 2001 12:38:01 -0400


Doing something like this is really foolish. (sorry I don't mean to offend 
but Paypal is really insecure.  You can post
what ever values you want to the site then continue... They can take the 
form that you use to sends info to paypal,
change the cost value and submit that, and the system would not know the 
difference.  There are better options out
there offered by banks that are more secure.  I know that you will be able 
to find out who they are when they goto the
conference but it is a headache you might want to avoid.

If you do want to use Paypal or any of the 50 + processors with 30 + 
drivers, the company I work for has a fantastic product.
OPayC. http://www.opayc.com/ You drop in the code to connect to a driver, 
if you want a different driver you drop in a different
file that we provide. and bam ... new your new credit card processor is up 
and running.  Also if you want advice as to which
processors are secure we can help you with that too.

Rick

At 03:05 AM 6/17/01, you wrote:
>--On 06/15/01 16:18:14 -0500 Anthony Monta chiseled:
>
>>Hi. I'm trying to set up a website that registers people for a
>>conference.  I'd like to restrict access to the conference registry form
>>to people who  have already paid to a PayPal account (i.e., registered).
>>What's the most  effective way to do this?
>>
>>The solution I've come up with so far (I'm not a programmer by
>>profession)  is to have PayPal send customers who have paid to a dtml
>>script that sets a  cookie value and then redirects the customer to a
>>form viewable only if the  cookie has the correct value.
>
>You can also get http_referrer which will either be paypal or the last page.
>
>What I do is set the cookie *before* i send them to paypal, then I update 
>an object in the ZODB when they come back from paypal (checking the 
>HTTP_REFERRER). From then on I check the object in the ZODB to see if 
>they've paid, usually keyed on AUTHENTICATED_USER.
>
>This still allows someone to construct the right HTTP POST and make it 
>look as if they paid paypal.
>
>If you really need to prevent that, you should probably use a session 
>(from Core Session Tracking) that starts right before they get to paypal 
>and expires right after they get back. Stuff all the information into the 
>session tracking object, that way you know they're not making it up- the 
>information was never on their end.
>
>This way, the cookie that stores the session id will be unique to that 
>session, and no amount of premeditation will allow them to generate a 
>false page.
>
>Hope that helps,
>--
>emf
>"something witty"
>mindlace@imeme.net
>
>_______________________________________________
>Zope maillist  -  Zope@zope.org
>http://lists.zope.org/mailman/listinfo/zope
>**   No cross posts or HTML encoding!  **
>(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce
>http://lists.zope.org/mailman/listinfo/zope-dev )

##########################################################
#  Rick St Jean,
#  rstjean@internet.look.ca
#  President of Design Shark,
#  http://www.designshark.com/,  http://www.phpmailer.com/
#  Quick Contact:  http://www.designshark.com/messaging.ihtml
#  Tel: 905-684-2952
##########################################################