AuthorizeNet / sample-code-php

This repository contains working code samples which demonstrate php integration with the Authorize.Net API
MIT License
175 stars 197 forks

Add check for transHashSHA2 when verifying a transaction #145

Open mintplugins opened 5 years ago

mintplugins commented 5 years ago

The transHashSHA2 should be checked here in order to confirm there wasn't a man-in-the-middle attack:

https://github.com/AuthorizeNet/sample-code-php/blob/master/PaymentTransactions/charge-credit-card.php#L97

Something like this:

// Hash returned by the gateway in the transaction response.
$authorize_hash = $tresponse->getTransHashSha2();
// String the gateway hashed: "^" . apiLoginId . "^" . transId . "^" . amount . "^"
$string = '^' . \SampleCodeConstants::MERCHANT_LOGIN_ID . '^' . $tresponse->getTransId(). '^' . $amount . '^';
// The Signature Key is hex-encoded; the HMAC key is its binary form.
$key = hex2bin( \SampleCodeConstants::MERCHANT_SIGNATURE_KEY );
$my_hash = strtoupper( hash_hmac( 'sha512', $string, $key ) );

// Constant-time comparison of the two hashes.
if( hash_equals ( $authorize_hash, $my_hash ) ) {

    echo " Successfully created transaction with Transaction ID: " . $tresponse->getTransId() . "\n";
    echo " Transaction Response Code: " . $tresponse->getResponseCode() . "\n";
    echo " Message Code: " . $tresponse->getMessages()[0]->getCode() . "\n";
    echo " Auth Code: " . $tresponse->getAuthCode() . "\n";
    echo " Description: " . $tresponse->getMessages()[0]->getDescription() . "\n";

}
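A standalone version of the same transHashSHA2 check, added here as an example and not code from the issue or from the sample-code-php repository. It uses constructed placeholder credentials and assumes the amount is the two-decimal string that was sent in the request; it also shows that a missing hash or a changed amount fails verification.

```php
<?php
// Added example, not part of the sample-code-php repository.
// Hashed string: "^" . apiLoginId . "^" . transId . "^" . amount . "^"
// Key: binary form of the hex-encoded merchant Signature Key; HMAC-SHA512, uppercase hex.

function expectedTransHashSha2(string $signatureKeyHex, string $loginId, string $transId, string $amount): string
{
    $key = hex2bin($signatureKeyHex);
    if ($key === false) {
        throw new InvalidArgumentException('Signature key must be a hex string');
    }
    $data = '^' . $loginId . '^' . $transId . '^' . $amount . '^';
    return strtoupper(hash_hmac('sha512', $data, $key));
}

function verifyTransHashSha2(string $signatureKeyHex, string $loginId, string $transId, string $amount, ?string $received): bool
{
    // An absent or empty hash is a failed check, not "nothing to verify".
    if ($received === null || $received === '') {
        return false;
    }
    $expected = expectedTransHashSha2($signatureKeyHex, $loginId, $transId, $amount);
    // Constant-time comparison; the gateway returns uppercase hex, so normalise case first.
    return hash_equals($expected, strtoupper($received));
}

// Constructed placeholder values (not real credentials).
$signatureKeyHex = str_repeat('0A', 64); // placeholder for the 128-hex-character Signature Key
$loginId = 'LOGIN_ID_PLACEHOLDER';
$transId = '1234567890';
$amount  = number_format(5.00, 2, '.', ''); // "5.00", as sent in the request

// Simulate the hash the gateway would return for this transaction.
$fromGateway = expectedTransHashSha2($signatureKeyHex, $loginId, $transId, $amount);

var_dump(verifyTransHashSha2($signatureKeyHex, $loginId, $transId, $amount, $fromGateway));
// A tampered amount no longer matches the returned hash.
var_dump(verifyTransHashSha2($signatureKeyHex, $loginId, $transId, '50.00', $fromGateway));
// A response with no hash must not be accepted.
var_dump(verifyTransHashSha2($signatureKeyHex, $loginId, $transId, $amount, null));
```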