[bop-devel] AuthorizeNet MD5 Check
Bill Moseley
moseley at hank.org
Tue Sep 25 13:44:26 PDT 2007
On Sun, Sep 23, 2007 at 05:44:43PM -0700, Ivan Kohler wrote:
> > http://rt.cpan.org/Public/Bug/Display.html?id=15210
>
> Yes, it would be nice to get that one taken care of. I'm not sure if
> either the "silently strip" or "throw error" solutions are really the
> right thing, and had the time to really think about what needs to be
> done here. If Authorize.Net can accept some sort of quoting or
> esacping, that would be ideal, but IIRC that's not possible. :/
The more I look at this problem the more lame Authorize.net (the
gateway) seems.
The problem is that Authorize.net doesn't escape x_encap_char in
responses? So if you submitted a name of 'William "Bill" Moseley'
that the response might include:
123,345,"some text","William "Bill" Moseley",123
and cause Text::CSV_XS to fail parsing? Amazing.
Even their sample code at:
http://developer.authorize.net/dscode/perl_aim.zip
has this comment:
###########################################################
# #
# Make absolutely sure that you use a delimiter that #
# will not show up in any legitimate name, billing #
# address, product descriptions, etc. #
# #
# For this reason, we prefer using the pipe character: #
# #
# | #
# #
# #
# If necessary, make sure you search for and replace #
# the delimiter character before you accept and process #
# user input -- so that parsing and evaluating the #
# returned string from Authorize.Net will not be #
# negatively affected. #
# #
###########################################################
x_delim_char => "|",
Looks like you should pick some odd character (tilde?) as the
delimiter and remove it from imput. And set the x_encap_char to the
empty string (although that might trigger it to use the default
setting in the Merchant Interface. Ugly to have to pick some
character that the end-user can't use. Poor implementation.
Authorize.net is scaring me.
--
Bill Moseley
moseley at hank.org
More information about the bop-devel
mailing list