Friday, January 9, 2009

Handling AlertPay IPN Advanced Integration

I have recently run across a small problem with the AlertPay integration.

With AlertPay IPN integration, they provide you with some basic scripts where you can handle the query strings passed from an AlertPay transaction posted to your AlertUrl. With IPN, this is an awesome way of capturing any payments made on your website and handling them the way you want to in your database. Here's what happens with AlertPay IPN:

  1. Let's say we have a user Jake. Jake is a user of your website.

  2. Jake visits your website and shops around for something.

  3. Jake finds something that he likes.

  4. Jake adds this item to his shopping cart and proceeds to the checkout.

  5. Jake clicks on the "Pay Now" button.

  6. Jake is taken to the AlertPay website where he will fill in his payment information and send the payment to you.

  7. After the payment is sent, AlertPay redirects Jake back to your website.

  8. Now...The rest of this is handled behind the scenes and is not seen by the user.

  9. AlertPay processes the payment made by Jake.

  10. After AlertPay is done processing the payment, the payment information (amount, Jake's name, product bought, etc.) is sent to a URL on your website provided by you ( and configured in your account on AlertPay.

  11. The post from AlertPay is in the form of query strings which allows you to grab the querystrings programmatically and process the information in it the way you want to, making changes in your database for your records, as the website owner.

Now that we know how AlertPay IPN works, entertain this idea:

Let's say that Jake is not such an honest person and he wants your website to think that he has made a payment on the AlertPay website to you, which he hasn't. In order to do this, he reads up on the AlertPay documentation and figures out that all he has to do to fake your system out is to type in the AlertPay url ( and start attaching a bunch of querystrings that hold all of the information needed. INCLUDING HIS CORRECT ACCESS CODE provided by AlertPay when you set up IPN. Now, once he has done this, how do you know that the post to your AlertPay URL was made by Jake AND NOT By AlertPay? The answer is: You don't!!

What does this mean? Well, it means that if Jake wanted to, all he has to do is post a payment to your system at your AlertUrl that had all of the valid information in it and POOF! your website thinks that Jake has made a payment to you through the AlertPay website and your website is treating that fake post that Jake made as a valid product order!

Sucks, huh?

So, the big question is: How do we handle this? A good way of handling this is by filtering out the people who are allowed to even "hit" your AlertPay url. Let's say that your AlertPay url is: Right now, your configuration allows ANYONE to view that webpage, right? Well, in ASP.NET you disallow allow. You can allow it for ONLY the AlertPay website itself. In other words, the only way that a person can even see this url ( is by logging on from the AlertPay IP address!

How do we do that? The answer is, we get the IP address of and then we check to see who is hitting us. If they're the same IP address, then we know it's AlertPay! Here's a little class that I wrote to get the IP address of a particular website.

Imports System.Net
Imports System.Net.NetworkInformation

Public Class DNSTools
Public Shared Function GetIPAddressFromURL(ByVal URL As String) As String
Dim ip As IPHostEntry = Dns.GetHostEntry(URL)
Dim ipa() As IPAddress = ip.AddressList
Return ipa(0).ToString()
End Function
End Class

So, now, on the page load event of your AlerUrl.aspx page, you have something that calls this function


and you compare it to the requestor's IP address:


So, you'll have something like this in your Page_Load event:

If Not GetIPAddressFromURL("") = Request.UserHostAddress() Then
End If

I hope that helps. Let me know if you have any questions or comments.

No comments: