I am working on a project that incorporates real money into peoples accounts. Th

Question

I am working on a project that incorporates real money into peoples accounts. Their accounts are stored in a MySQL database and inside it there is a column called "BALANCE".

When the users send money through PayPal, the PayPal api will do a callback to my server which will credit that users Balance with whatever they sent through PayPal.

The problem is, I plan on making the altering users balance part only accessible by my application. The way the balance is updated is by the URL just setting the method as a GET and setting the amount to whatever and it credits the balance.

I do not want people to just be able to visit that callback URL and keep updating their balance fraudulently.

What security would I be able to put in place that will only let legitimate balance changes occur?

Sorry if I didn't explain this too well. If anyone has questions, I'll try and explain it better. Thanks.

Explanation / Answer

I'll second Lucas's view that you should probably find someone more experienced than you to do this (you should find someone more experienced than me as well). That said, I'll attempt to answer your question.

The PayPal API should provide a transaction ID or some other unique value. Record that in your transaction log (you do have one, don't you?); if you see that value in a later transaction, you know the transaction isn't valid. Record the invalid transaction in your audit log (you've got one of those as well, right?) and ignore it.

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.