Topic: Westpac ecom fail
thermite
Posts: 34
Location: Brisbane, Queensland
Do you realise if you are using a webadvantage payment gateway you can get the callback url and id values out of hidden fields to tell the website that you've successfully paid?

Complained to westpac they don't see it as a problem. :/
Mr Hardware
Posts: 3316
Location: Brisbane, Queensland
tell me more:
is this an advantage or disadvantage to yourself?
ie can you get free stuff
thermite
Posts: 35
Location: Brisbane, Queensland
depends how vigilant the vendor is as to whether they ship you anything, but either way it is sure to annoy westpac's customers, like me, who could potentially see a backend full of paid orders, but no money in the bank
Mr Hardware
Posts: 3317
Location: Brisbane, Queensland
this sounds like a mega score
there are many businesses around who would not check to see whether payment has actually been received.
Dan
Special text
Posts: 8506
Location: Brisbane, Queensland
this sounds like a mega score fraud
Fixed.
Le Cock
Posts: 4746
Location: Brisbane, Queensland
hmm this has me concerned because the money from webadvantage doesn't show up on your bank account until the next day. I don't really understand what you're saying though
thermite
Posts: 37
Location: Brisbane, Queensland
Well one of my clients who uses paypal, never logs in to his paypal to check payments, he just goes by the automated email sent to him. So you could send him a phony confirmation email with your 'from' set as the website/paypal (can't remember which) and he would probably send you the merchandise.
natslovR
Posts: 5808
Location: Sydney, New South Wales
westpac don't care yet because you haven't told one of the lazy news.com.au reporters about it.

find a dildo store using the gateway so they can push the sex angle, and it will be front page news in no time.
Jim
Posts: 8151
Location: Brisbane, Queensland
haha natslovr

thermite, what you've described in your last post - I don't see how that's a westpac issue. the 'from' address of emails is probably the most trivial thing in the entire online universe to forge and should never, ever be used as a means of verification.
thermite
Posts: 38
Location: Brisbane, Queensland
I don't see how that's a westpac issue.


It's not, it's an unrelated issue, but a relevant anecdote

last edited by thermite at 14:08:37 23/Jul/08
reso
I can't read
Posts: 4447
Location: Brisbane, Queensland
I think he was using the email spoofing as an anal gland, Jim
Jim
Posts: 8152
Location: Brisbane, Queensland
oh
maybe I am failing at teh comprehensions

thermite posted something, lecock said he didn't get what thermite was saying, so thermite replies "well.... etc"

so what's the actual issue, out of interest? I can't work it fully out from the original post
thermite
Posts: 42
Location: Brisbane, Queensland
When you go to purchase something from an eCommerce website, which uses the westpac 'web advantage' service to take the payment; instead of making the payment, you can view the source, get the 'confirmation' URL out of there along with some other parameters in the hidden form fields, go straight to that URL, and the ecommerce website will consider the transaction complete, and mark it as paid.
Westpac advises that the ecom administrators should check this against their actual bank records at the end of the day, but it is inconvenient, and takes the automaticness out of it.
mooby
Posts: 4128
Location: UK
EDIT:
get the 'confirmation' URL out of there along with some other parameters in the hidden form fields, go straight to that URL, and the ecommerce website will consider the transaction complete, and mark it as paid


I didn't see this. The below you hide the IPN url in your merchant account. And some give you the IPs that will be calling your page.

Most merchant / bureau accounts do this. google payments, paypal, nochex, hsbc.

It's not really an issue.

1. You put in your DB the amount and a transaction id.
2. You mark the DB as payment pending.
3. You pass the customer to the payment page.
4. On successful payment, the webpage calls your IPN (instant payment notification) page.
5. You check the values haven't been tampered with...


last edited by mooby at 19:10:39 23/Jul/08
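Added example (not part of any post in this thread, and not Westpac's API): a sketch of the merchant-side notification handler that mooby's steps 1-5 describe, hardened against the direct-to-confirmation-URL request thermite describes. It assumes the gateway attaches an HMAC computed with a secret shared out of band; the field names, the `sign` scheme and the sample order are all hypothetical.

```python
import hashlib
import hmac

# Hypothetical shared secret, agreed with the gateway out of band and never
# placed in a hidden form field or anywhere else the browser can read.
GATEWAY_SECRET = b"constructed-demo-secret"

# Steps 1-2: the order is stored server-side as pending before the redirect.
# Constructed sample order.
ORDERS = {"1001": {"amount_cents": 4995, "status": "pending"}}


def sign(order_id, amount_cents, txn_id, secret=GATEWAY_SECRET):
    """MAC the gateway would attach to its notification (assumed scheme)."""
    msg = f"{order_id}|{amount_cents}|{txn_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def handle_notification(params, orders=ORDERS):
    """Steps 4-5: mark an order paid only if the notification is authentic."""
    order = orders.get(params.get("order_id", ""))
    if order is None:
        return "unknown order"
    if order["status"] != "pending":
        return "already processed"      # replayed notification
    try:
        amount = int(params["amount_cents"])
        txn_id = params["txn_id"]
        supplied = params["sig"]
    except (KeyError, ValueError):
        return "malformed"
    expected = sign(params["order_id"], amount, txn_id)
    # Constant-time comparison; a request built only from values visible in
    # the page source cannot produce this MAC.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "bad signature"
    if amount != order["amount_cents"]:
        return "amount mismatch"        # trust the stored amount, not the request
    order.update(status="paid", txn_id=txn_id)
    return "paid"
```

The same handler shape applies if the gateway offers a server-to-server status query instead of a signature: replace the MAC check with that lookup and keep the pending-state and stored-amount checks.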
Jim
Posts: 8153
Location: Brisbane, Queensland
sounds like an implementation issue thermite, from what you're saying. shame on westpac though if they are instructing you to do it exactly that way.
thermite
Posts: 46
Location: Brisbane, Queensland
mooby, I'm not sure I understood that exactly. The values aren't tampered or anything, they're passed through the correct way. Actually they did suggest checking that the IP was the same as usual, but I do not think that is an ideal solution - could bite me in the ass one day, and they did not tell us this beforehand, so it wasn't until we were trying to do some fancy ajax on the IPN page that we realised this flaw, so most people using this service would not check the IP.