No worries, we were all new at this at one point.
Looking at your comment, it would seem you don't need help with 1. above, and for 2. I have some advice. The Hash Value that you enter on your account is really just a password.
You do definitely want to use the MD5 hash security feature where you can. It might seem complicated, and the documentation doesn't help much in un-confusing you, but don't underestimate what a couple of layers of security on your e-commerce site can do.
You really need to read all of the documentation I linked to in order to get the salient points. Especially this one:
Note that the MD5 Hash Value can be up to 20 characters long, including upper- and lower-case letters, numbers, spaces, and punctuation. More complex values will be more secure.
Turns out you can't enter a value over 20 characters long. But they won't validate your input when you submit, resulting in cut-off passwords if they're longer than 20 chars... and you'll never know, because you think they accepted your 32-char secret.
Next, pay attention to the two types of hashing they do. In the documentation they give examples of both:
The MD5 Hash is created by combining several values.
For SIM, these values are used for creating the MD5 Hash, in this exact order:
- The MD5 Hash Value, which is assigned by the merchant in the account's Settings.
- The API Login ID (x_login).
- The transaction ID number we assigned to the transaction (x_trans_id).
- The amount of the charge (x_amount).
For Silent Post, these values are used for creating the MD5 Hash, in this exact order:
- The MD5 Hash Value, which is assigned by the merchant in the account's Settings.
- The transaction ID number we assigned to the transaction (x_trans_id).
- The amount of the charge (x_amount).
The resulting string is then used to generate the MD5 hash.
Here is a PHP method I just wrote that will check your hashes for you. This will check both the API and Silent Post hashes supplied by auth.net. The data passed into it comes from the $_POST data they send to your listener.
    $their_hash == x_MD5_Hash
    $trans_id   == x_trans_id
    $amount     == x_amount
    private function _is_authnet($their_hash, $trans_id, $amount) {
        // Defined earlier in the class
        $login_id      = AUTHORIZENET_API_LOGIN_ID;
        $private_value = AUTHORIZENET_SECRET; // the MD5 Hash Value from the account settings

        // Generate two hashes, in the order the documentation specifies:
        // SIM (API responses) includes the API Login ID, Silent Post does not.
        $our_hash_sim = md5($private_value . $login_id . $trans_id . $amount);
        $our_hash_sp  = md5($private_value . $trans_id . $amount);

        // Always make the hashes you're comparing uppercase for consistency
        $their_hash = strtoupper($their_hash);

        // Compare our two hashes. hash_equals() is a constant-time comparison
        // (PHP >= 5.6); on older versions use strcmp(...) === 0 instead.
        if (hash_equals(strtoupper($our_hash_sim), $their_hash)) {
            // Match: SIM / API response
            return true;
        }
        else if (hash_equals(strtoupper($our_hash_sp), $their_hash)) {
            // Match: Silent Post
            return true;
        }

        // No match, it's likely a fake. Recommended to log
        // this event or send an alert of some kind.
        return false;
    }
I know the answer is late in coming and you've most definitely moved on. But hopefully maybe one day this will help someone who ran into the same trouble I did.
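The hash construction quoted above and the 20-character truncation the answer warns about, as an added example that is not part of the original answer or of Authorize.Net's own code. It recomputes both the SIM and the Silent Post hash, verifies a POST against them with a constant-time comparison, and shows why a hash value longer than 20 characters silently breaks verification. The login ID, hash value, transaction ID and amount are constructed sample data; `store_hash_value` is a hypothetical model of the settings page's truncation described above, not a call into any real API.

```python
"""Added example: verify Authorize.Net SIM / Silent Post MD5 hashes.

Assumes the listener receives the POST as a dict of strings and that the
gateway sends the hash as hex in x_MD5_Hash. All sample values below are
constructed for this example, not captured traffic.
"""
import hashlib
import hmac

# The account settings page keeps at most 20 characters of the MD5 Hash Value.
MAX_HASH_VALUE_LEN = 20


def store_hash_value(entered: str) -> str:
    """Hypothetical model of the merchant settings page: silently keep only
    the first 20 characters of whatever was typed (behaviour described in
    the answer above)."""
    return entered[:MAX_HASH_VALUE_LEN]


def sim_hash(hash_value: str, login_id: str, trans_id: str, amount: str) -> str:
    """SIM / API response: MD5(hash value + x_login + x_trans_id + x_amount)."""
    data = (hash_value + login_id + trans_id + amount).encode("utf-8")
    return hashlib.md5(data).hexdigest().upper()


def silent_post_hash(hash_value: str, trans_id: str, amount: str) -> str:
    """Silent Post: MD5(hash value + x_trans_id + x_amount); no login ID."""
    data = (hash_value + trans_id + amount).encode("utf-8")
    return hashlib.md5(data).hexdigest().upper()


def verify_post(post: dict, hash_value: str, login_id: str):
    """Return 'sim' or 'silent_post' for the scheme that matches, else None.

    x_amount is used exactly as the string received: reformatting it
    (e.g. "10.0" instead of "10.00") changes the concatenation and the hash.
    """
    their = post.get("x_MD5_Hash", "").strip().upper().encode("utf-8")
    trans_id = post.get("x_trans_id", "")
    amount = post.get("x_amount", "")
    candidates = {
        "sim": sim_hash(hash_value, login_id, trans_id, amount),
        "silent_post": silent_post_hash(hash_value, trans_id, amount),
    }
    for scheme, ours in candidates.items():
        # Constant-time compare, so timing does not leak how many hex
        # characters of a forged hash were right.
        if hmac.compare_digest(ours.encode("utf-8"), their):
            return scheme
    return None


def make_post(hash_value, login_id, trans_id, amount, scheme):
    """Build a constructed sample POST shaped like the gateway's callback
    (example data only)."""
    if scheme == "sim":
        digest = sim_hash(hash_value, login_id, trans_id, amount)
    else:
        digest = silent_post_hash(hash_value, trans_id, amount)
    return {"x_login": login_id, "x_trans_id": trans_id, "x_amount": amount,
            "x_response_code": "1", "x_MD5_Hash": digest}


# Constructed sample credentials (not real ones).
LOGIN_ID = "5KP3u95bQpv"
ENTERED_VALUE = "correct-horse-battery-staple-2012"   # 33 characters typed in
STORED_VALUE = store_hash_value(ENTERED_VALUE)         # the 20 the gateway kept


def truncation_demo():
    """The 20-char trap: the gateway hashes with the truncated value, so
    verifying with the full value you think you set fails, while the
    truncated value succeeds."""
    post = make_post(STORED_VALUE, LOGIN_ID, "2147483647", "10.00", "silent_post")
    return {
        "with_entered_value": verify_post(post, ENTERED_VALUE, LOGIN_ID),
        "with_stored_value": verify_post(post, STORED_VALUE, LOGIN_ID),
    }


if __name__ == "__main__":
    sim_post = make_post(STORED_VALUE, LOGIN_ID, "2147483647", "10.00", "sim")
    print("sim post:", verify_post(sim_post, STORED_VALUE, LOGIN_ID))
    sim_post["x_amount"] = "1000.00"   # tampered amount: hash no longer matches
    print("tampered:", verify_post(sim_post, STORED_VALUE, LOGIN_ID))
    print("truncation:", truncation_demo())
```

If your listener keeps accepting posts after you change the hash value, compare `len(...)` of what you typed against 20 before anything else; a mismatch there is the truncation problem, not a bug in the hash code.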