Authorize.net gateway setup

Question

1. Hi I am setting up a payment form from authorize.net - I have been on the developer center for two days trying to figure out where I can find the documentation with a clear cut example of the api calls I need to make. I have looked at the PDF and other stuff on the site but there is nothing that gives the documentation with examples, I am looking for something that's documented like the FB api examples, which I can see the api calls, this is about the only one I have found http://developer.authorize.net/guides/DPM/wwhelp/wwhimpl/js/html/wwhelp.htm

2. Authorize.net uses a md5 hash for transaction responses - i know where to set the value in the merchant account but what values should i set? (e.g should I md5("some-random-words") and paste the value in the merchant account setting?)

This is my first payment gateway setup so please be patient with any unclear portions of this question. thanks

Answer 1

No worries, we were all new at this at one point.

Looking at your comment it would seem you don't need help with 1. above and for 2 I have some advice. The Hash Value that you enter on your account is really just a password.

You do definitely want to use the MD5 hash security feature where you can. It might seem complicated and the documentation doesn't help much un-confusing you, but don't underestimate what a couple of layers of security on your e-commerce site can do.

You really need to read all of the documentation I linked to in order to get the salient points. Especially this one:

Note that the MD5 Hash Value can be up to 20 characters long, including upper- and lower-case letters, numbers, spaces, and punctuation. More complex values will be more secure.

Turns out you can't enter a value over 20 characters long. But they won't validate your input when you submit, resulting in cut-off passwords if they're longer than 20 chars... and you'll never know because you think they accepted your 32 char secret.

Next, pay attention to the two types of hashing they do. In the documentation they give examples of both:

The MD5 Hash is created by combining several values.

For SIM, these values are used for creating the MD5 Hash, in this exact order:

1. The MD5 Hash Value, which is assigned by the merchant in the account's Settings.
2. The API Login ID (x_login).
3. The transaction ID number we assigned to the transaction (x_trans_id).
4. The amount of the charge (x_amount).

For Silent Post, these values are used for creating the MD5 Hash, in this exact order:

1. The MD5 Hash Value, which is assigned by the merchant in the account's Settings.
2. The transaction ID number we assigned to the transaction (x_trans_id).
3. The amount of the charge (x_amount).

The resulting string is then used to generate the MD5 hash.

Here is a PHP method I just wrote that will check your hashes for you. This will check both the API and Silent Post hashes supplied by auth.net. The data passed into it comes from the $_POST data they send to your listener.

$their_hash == x_MD5_Hash

$trans_id == x_trans_id

$amount == x_amount

private function _is_authnet($their_hash, $trans_id, $amount) {
    // Defined earlier in the class
    $login_id = AUTHORIZENET_API_LOGIN_ID;
    $private_value = AUTHORIZENET_SECRET;

    // Generate two hashes, one for API responses and one for
    // Silent Post messages
    $our_hash_api = md5($private_value . $trans_id . $amount);
    $our_hash_sp  = md5($private_value . $login_id . $trans_id . $amount);

    // Always make the hashes you're comparing uppercase for consistency
    $their_hash = strtoupper($their_hash);

    // Compare our two hashes
    if (strcmp(strtoupper($our_hash_api), $their_hash) === 0) {
        // Match
        return true;
    }
    else if (strcmp(strtoupper($our_hash_sp), $their_hash) === 0) {
        // Match
        return true;
    }

    // No match, it's likely a fake. Recommended to log
    // this event or send an alert of some kind.
    return false;
}

I know the answer is late in coming and you've most definitely moved on. But hopefully maybe one day this will help someone who ran into the same trouble I did.