- Next: How to debug a Windows Service written in C# or VB.NET
- Previous: How to detect .NET 2.0 vs. .NET 4.0 assemblies, and x86 vs. x64 vs. AnyCPU
- Subscribe to the RSS feed
"Wyatt Says..." is a collection of articles by Wyatt O'Day talking about wyDay products and the things we've learned along the way.
Wyatt Says...
Moneybookers is quickly becoming a viable competitor to PayPal. And because of this our LimeLM customers have been asking for a completely automated payment form example similar to how our PayPal example works. That is, the customer enters the number of licenses they want, they click “Buy now”, they enter their info on the PayPal page, then they click “Order”, and a few seconds later the customer is magically sent their shiny new product key.
With PayPal this whole process is simple — just use the PayPal IPN (instant payment notification). That is, you specify an URL for PayPal to talk to once the order is complete. From there you can validate the order and take any action you like (e.g. sending product keys).
Moneybookers has a similar process except there are hardly any examples showing how to use it properly. And the example code that is on the web is riddled with very serious security vulnerabilities (SQL injections, failing to validate the order comes from Moneybookers, etc., etc.).
This article will show you how to use the Moneybookers equivalent to PayPal’s IPN. That is, you’ll be able to automatically generate product keys once a customer orders your software using Moneybookers. The code I post will be for both C# (ASP.NET) and PHP. If you would rather download a fully built payment form that lets you user switch between payment methods (credit card, bank transfer, PayPal, or Moneybookers), then you can signup for LimeLM and download the LimeLM Web API Pack. Here’s a screenshot of what payment form example looks like:
Or, you can read on for the example that’s not specific to LimeLM.
Step 1. Signup for a Moneybookers test account
The first thing you need to do is get a test “merchant” account from Moneybookers. Unfortunately Moneybookers still doesn’t have a streamlined process for creating a test account, and their support staff is rather surly, so follow the instructions carefully:
- Sign up for a Moneybookers “Business account”. Do not use the same email you’ll be using for your real account.
- Sign up for a Moneybookers “Personal account”. Use a different email than the “Business account”. Do not use the same email you’ll be using for your real account.
- Contact Moneybookers and ask them to convert these 2 accounts to test accounts. It doesn’t need to be a long email. Just something simple like:
We need you to turn 2 accounts to test accounts:
“Buyer account”:
Email: buyer-email@example.com
Customer ID: 12456789“Merchant account”:
Email: merchant-email@example.com
Customer ID: 98765421
Step 2. Create a “secret word”
In your new merchant account you’ll need to create a “Secret Word” on the “Merchant tools” page:
Now that you’ve created your test Moneybookers accounts and set your secret word you’re ready to add the payment form to your website.
Step 3 (option 1). Use our pre-built payment form
If you’re using LimeLM you can use our pre-built payment form. Just configure a few settings, add the payment form to your site, and you’re ready to go. See the “Automate license generation with Skrill (a.k.a. Moneybookers)” article.
Step 3 (option 2). Create your own payment form
If you don’t want to use the pre-built payment example in the LimeLM API Pack, or you’re not using C#, VB.NET, or PHP, then you can still automate your orders with Moneybookers. The first step is to add the Moneybookers payment form to your website:
<form action="https://www.moneybookers.com/app/payment.pl" method="post"> <input type="hidden" name="pay_to_email" value="merchant-email@example.com"/> <input type="hidden" name="status_url" value="http://example.com/verify.cgi"/> <input type="hidden" name="language" value="EN"/> <input type="hidden" name="amount" value="Total amount (e.g. 39.60)"/> <input type="hidden" name="currency" value="Currency code (e.g. USD)"/> <input type="hidden" name="detail1_description" value="YourApp"/> <input type="hidden" name="detail1_text" value="License"/> <input type="submit" value="Pay!"/> </form>
Change the “status_url” field to point to your script that will verify and generate the product keys and change the “pay_to_email” field to the test “merchant email” you created earlier. Then configure the price, currency code, and product name.
Optionally set your logo
You can customize the Moneybookers payment screen with your own logo. The logo must be hosted on a secure site — that is, the link must start with https:// not http://. Also, the logo must be at most 200px wide and 50px tall. If you have a logo that meets those requirements then add a “logo_url” field to your form. For example:
<input type="hidden" name="logo_url" value="https://example.com/logo.png"/>
This is an example showing what the wyDay logo looks like on the Moneybookers checkout page:
Step 4. Verify the Moneybookers order
After a customer has completed their order through Moneybookers, Moneybookers will contact the script you provided in the “status_url” argument (e.g. “http://example.com/verify.cgi”). Moneybookers will POST the order information to your script and it’s up to you to verify that it’s a valid order and not just some hacker trying to get free product key from you.
Luckily Moneybookers gives the prescribed method for verifying orders in their gateway integration manual. Quoting from their manual:
A hidden text field called md5sig is included in the form submitted to the Merchant’s server. The value of this field is a 128 bit message digest, expressed as a string of thirty-two hexadecimal digits in UPPERCASE. The md5sig is constructed by performing an MD5 calculation on a string built up by concatenating the other fields returned to the status_url. Specifically the MD5 hash is a concatenation of the following fields:
- merchant_id
- transaction_id
- the uppercase MD5 value of the ASCII equivalent of the secret word submitted in the “Merchant Tools” section of the Merchant’s online Moneybookers account.
- mb_amount
- mb_currency
- status
PHP example code
In PHP this looks like (taken from paychecker.php):
// Validate the Moneybookers signature
$concatFields = $_POST['merchant_id']
.$_POST['transaction_id']
.strtoupper(md5('Paste your secret word here'))
.$_POST['mb_amount']
.$_POST['mb_currency']
.$_POST['status'];
$MBEmail = 'merchant-email@example.com';
// Ensure the signature is valid, the status code == 2,
// and that the money is going to you
if (strtoupper(md5($concatFields)) == $_POST['md5sig']
&& $_POST['status'] == 2
&& $_POST['pay_to_email'] == $MBEmail)
{
// Valid transaction.
//TODO: generate the product keys and
// send them to your customer.
}
else
{
// Invalid transaction. Bail out
exit;
}
C# (ASP.NET) example code
In C# (for ASP.NET) this involves a bit more work. First create a simple helper function that creates the uppercase MD5 hash of a string:
static string StringToMD5(string str)
{
MD5CryptoServiceProvider cryptHandler = new MD5CryptoServiceProvider();
byte[] ba = cryptHandler.ComputeHash(Encoding.UTF8.GetBytes(str));
StringBuilder hex = new StringBuilder(ba.Length * 2);
foreach (byte b in ba)
hex.AppendFormat("{0:X2}", b);
return hex.ToString();
}
Then, the validation code will look something like this:
// Validate the Moneybookers signature
string concatFields = Request.Form["merchant_id"]
+ Request.Form["transaction_id"]
+ StringToMD5("Paste your secret word here")
+ Request.Form["mb_amount"]
+ Request.Form["mb_currency"]
+ Request.Form["status"];
string MBEmail = "merchant-email@example.com";
// Ensure the signature is valid, the status code == 2,
// and that the money is going to you
if (Request.Form["md5sig"] == StringToMD5(concatFields)
&& Request.Form["status"] == "2"
&& Request.Form["pay_to_email"] == MBEmail)
{
// Valid transaction.
//TODO: generate the product keys and
// send them to your customer.
}
else
{
// Invalid transaction. Bail out
return;
}
Step 5. Further verification, generating product keys, etc.
There’s one further step of verification I didn’t talk about: making sure the customer paid the correct amount. That is, verifying the “mb_amount” field is correct. For instance you don’t want to send a user a product key if they only pay 1 penny instead of the full amount. Also, you can further extend the payment form and the verification code to handle quantity. But this is a bit beyond the scope of the article. If you want to see that in action then download the example payment form included in the LimeLM Web API Pack.
Once you’ve verified the order you can use the limelm.pkey.generate web API function to generate product keys and email them to your customer.
Step 6. Test the payment form
Now that you have everything configured you’re ready to test your Moneybookers payment. Run through the complete payment process to see everything works how you expect it to work.
Step 7. Create a real Moneybookers account, change the setting
After you’ve finished testing your payment process you’re ready to sign up for a real Moneybookers “Business account” and change the “pay_to_email” field to the email you used to create this account.
Download full example code
We have a fully built payment page for PHP and ASP.NET (for C# and VB.NET) included in the LimeLM Web API Pack (get it on your API page). If you haven’t already signed up for LimeLM then sign up now. All plans have a 30-day free trial. Or, if you’re just putting your toes in the water, there’s even a free plan that has no time limit and doesn’t require a credit card.
- Next: How to debug a Windows Service written in C# or VB.NET
- Previous: How to detect .NET 2.0 vs. .NET 4.0 assemblies, and x86 vs. x64 vs. AnyCPU
Subscribe to the 'Wyatt Says...' RSS Feed and keep up to date on on my articles on updaters, usability, open source C# components, and software licensing.
Hi,
I’ve been watching limelm for over a year and I’m seeing it being enhanced, great! Do you have a plan to add read-made PHP scripts for generating keys foir FastSpring when an order is placed? You now FastSpring is the best payment processor on earth (in terms of support).
Hey Edwin,
We’ll put together a ready-made FastSpring example for you. If you’re especially anxious to start using LimeLM you can copy & paste the code in the SendPKeys(…) function in the PaymentSettings.php file which is included in the LimeLM Web API pack. That SendPKeys() function shows you how to call the LimeLM web API and parse the result.
I’ll let you know when we’ve written the FastSpring integration example.
We now have a fully written example showing how to create product keys after a customer orders from your FastSpring order form. See Automate license generation with FastSpring.
Keep up the great work of providing us with useful information.
Hi Wyatt,
I cannot get the php script you offer to work with Moneybookers (saved and link to status_url both in .php & .cgi). After payment validation, I would like to make a redirection towards a special page (in case status success), or another one in case of failed transaction – instead of generating the keys.
But either the page exit, or block on nothing.
Would you have an idea why so?
thanks a lot!
Hey John,
The status_url isn’t visited by the user. It’s visited by Moneybookers. Moneybookers sends it information and the status_url script verifies the information and makes a decision (e.g. sends a license).
Hey Wyatt,
Greetings from Nashua! Glad to see a fellow NHite cooking up some quality software. I just picked up a licence for wyBuild today and am looking forward to integrating it with PhotoMonkee this weekend. (My LimeLM signup shouldn’t be too far away either…).
Cheers!
Thanks Rob! If you have any questions don’t be afraid to ask.
Can you please post a list of supported IDE’s platforms etc?
I need QT with MingW
and I want to use Fastspring
– can you help?
See Automate license generation with FastSpring.
We support Windows, Mac, and Linux, and all stable comilers. MingW is very unstable, and very buggy (you get what you pay for). I would advise using the gnu compilers on Linux/Mac and using Microsoft’s compilers on Windows.
Hi! Have a question about the data moneybookers sends back to status_url.
I have a very basic payment form – pay_to_email, Product, Amount, Currency and status_url, and it posts everything to payment.pl. So, the customer enters all the other data – his First and Last name, Address, City, Zip, Country, email – right at moneybookers side.
The question is – will moneybookers actually send me the customers details back to status_url, so I can physically ship the order? I mean I need not only transaction_id, mb_amount and email, but Name and Address as well. Is it possible to check that with test accounts?
Thanks a lot!
In order for Moneybookers to pass other fields back to your “status_url” script you have to pass the data along with a special “merchant_fields” value saying which values you want MoneyBookers to pass along.
This is covered in detail in the merchant manual I linked to in the post.
Hello, could you please show example of handling status_url ?
I’ve tried several ways and as you suggested in pervious posts above but still not working.
So, as others ask here how to pass status_url and return_url page in the way ensuring transaction has been processed and redirecting to final page for customer?
Nik
The post has an example. See the example signup form which specifies the “status_url”:
And the example snippet of code shows how to verify the order is valid. I’m not sure how I could make it any easier. Just read the post.
Define “not working”. Did you debug up to the step that’s not behaving as you expect? What have you tried? What do you expect? What is happening instead?
Hello again,
Thank your response, but there is some part os this script I am missing or some routine – as order form is resulting with ‘0’
I’ ve set form and php version,
please test if you can
http://www.e-ecommerc.net/site/mb-order-form.html
http://www.e-ecommerc.net/site/verify.php
I could also send you MoneyBookers test account info if you are willing to help this out
and manage to pass status_url and return_url page in the way ensuring
transaction has been processed?
Best Regards,
Nik P.
1853728_@_telenormail.rs
Verify.php
http://www.e-ecommerc.net/site/verify.txt
I’m sorry I don’t have time to debug your script. Just take apart the problem step-by-step: why is it returning 0? What do your PHP error logs say? Trying logging every step in the process. Etc., etc.
Hello would you please remove posts from Nik P
as it is not convenient to have links here
nor the subject is moderating,
Regards, Nik P
I am trying to implement in asp.net site , I have written Status_URL = “www.google.com” , I check that payment made successfully but Status_URL is not calling.
Am I missing something?
Yes, you are. You need to specify the location of your script that does the checking t ensure the order is valid. See “Step 4.” in the post.
Hi,
Can someone share the ASP classic code example.
Thanks
Use the ASP.NET example and adapt it to ASP. It’s not a whole lot of code.
i read all things which u have provided….
but there is vast different between original account and your snapshot of the merchant account….
hut……**ody***!
Hello,
thanks for job!
But how to pass purchase from my test account(with 0 funds) ?
Contact moneybookers and tell them to put more fake money in your test account.
Hello…
Thank you for this great tutorial…
Honestly i am not able to find the “merchant tools” page and the interface in the screen shot seems too different than than what i got.
Any recommendation?
thank you again :)
Every thing was working fine in my developmet server.But in my live server “Status_URL” not call after payment.Is there any issue in my server.
There might be. Look at your server logs.
But in my develop server “status_url”(http://victoria-tech.com:8145/aetosFrontService/pay/web-callback!skrill.action) not call after payment. but other people can visit this URL .why
Just added this to one of my websites, I am getting a error action too like Aaron. Any fix for this?
What’s the question? You can access the status url? Yeah, I know. That’s the entire point of verifying the order comes from Moneybookers (a.k.a skrill) and not from Joe Schmo trying to score a free license.
If you’re using our code you shouldn’t have any problem. If you have a specific question about a specific error then you need to give that information. My mind reading skills aren’t what they used to be.
Maybe you know why Skrill do not post transaction id along with return_url? In documentation it is clearly written that return_url will include transaction id while called.
No, ask Skrill.
Thanks for that!
Can you please tell me if you know of a variable in the Skrill response that is different when paying between real accounts, and between test accounts (too much of a hustle to make them again)?
I mean, like PayPal’s “test_ipn” variable, that is present when paying between test accounts, and absent when paying between real accounts. Is there some Skrill variable like that (instead of just being present or absent, it could also have a different value)?
I want to be able to tell programatically if the real merchant account has been converted to a test account (for obvious security concerns).
Aw, this was a very nice post. Taking a few minutes and actual effort to generate a great article… but what can I say… I procrastinate a lot and never manage to get anything done.
Very nice post……One thing I would like to ask is how to pass custom fields like userid……and does it need to be concetenated too for md5sig?
Hi,
from a security point of view, the hidden price field can be modified before placing the order. Therefore you probably need to check the price in your validation to ensure everyhting is correct.
Something like:
if (strtoupper(md5($concatFields)) == $_POST[‘md5sig’]
&& $_POST[‘status’] == 2
&& $_POST[‘pay_to_email’] == $MBEmail
&& (int)$_POST[‘amount’]) == Session::getCurrentAmount())
{
// Valid transaction.
…
What do you think about that?
Thanks for your feedback