> So do I create a MD5 hash with the fields which are being submitted to
> verify.asp, and then match it up with the values returned?

verify.asp is only used with the automation interface? What are you trying to do?

> What is the general purpose of it?

The general purpose of the MD5 hash, in this case, is to verify that the payment notification is coming from e-gold itself, and not some spoofer/thief.

The way to create a MD5 hash is to take all the values that are sent to you, add in the shared secret which in this case is the AlternatePassphrase (not your login passphrase), separate them by a ":", and then run this string through a MD5 hashing function.

I'm a perl-monger, so I'll show how to do it in Perl.

#####################################################
# $AltPassphrase - MD5 hash of the AlternatePassphrase
#   (replace this with your hashed AlternatePassphrase)
# $handshake - the MD5 hash created locally
# $Form{xxx} - the values sent to you (supposedly) by the e-gold server
# $Form{"V2_HASH"} - the MD5 hash sent with the values
#####################################################
use Digest::Perl::MD5 'md5_hex';

$AltPassphrase="ABCDEF1234567890ABCDEF1234567890";

# the $handshake declaration should all be on 1 line
# with no separation in the string
# any unnecessary spaces will create a different MD5 hash
$handshake=uc(md5_hex qq!$Form{"PAYMENT_ID"}:$Form{"PAYEE_ACCOUNT"}:$Form{"PAYMENT_AMOUNT"}:$Form{"PAYMENT_UNITS"}:$Form{"PAYMENT_METAL_ID"}:$Form{"PAYMENT_BATCH_NUM"}:$Form{"PAYER_ACCOUNT"}:$AltPassphrase:$Form{"ACTUAL_PAYMENT_OUNCES"}:$Form{"USD_PER_OUNCE"}:$Form{"FEEWEIGHT"}:$Form{"TIMESTAMPGMT"}!);

chop($Form{"V2_HASH"});

if ($handshake eq $Form{"V2_HASH"}) {
    # Do stuff
}
#####################################################

If the MD5 hash you compute matches the MD5 hash sent to you, then you can be reasonably sure that it was in fact e-gold that sent it to you. You can be absolutely, positively sure that the sender knew your & e-gold's shared secret - the AlternatePassphrase.

Be very careful with both the (regular/login) passphrase and the AlternatePassphrase.
If you let the AlternatePassphrase loose, some unscrupulous people could send you fake payment notifications.

This is described in more detail in the SCI spec at:
http://www.e-gold.com/docs/e-gold_sci.html#_Toc517753361

Hope this helps.

Viking Coder
____________
http://www.two-cents-worth.com/?VikingCoder
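
The same check as an added Python example (not part of the original message and not e-gold's own code): it rebuilds the colon-separated string in the field order of the Perl code above, rejects notifications with missing fields, and compares the hashes in constant time. The sample field values are constructed, and stripping whitespace from V2_HASH is an assumption standing in for the Perl `chop`.

```python
import hashlib
import hmac

# Field order copied from the Perl $handshake string in the message above.
# SECRET_SLOT marks where the hashed AlternatePassphrase is spliced in.
SECRET_SLOT = "<hashed AlternatePassphrase>"
FIELD_ORDER = [
    "PAYMENT_ID", "PAYEE_ACCOUNT", "PAYMENT_AMOUNT", "PAYMENT_UNITS",
    "PAYMENT_METAL_ID", "PAYMENT_BATCH_NUM", "PAYER_ACCOUNT", SECRET_SLOT,
    "ACTUAL_PAYMENT_OUNCES", "USD_PER_OUNCE", "FEEWEIGHT", "TIMESTAMPGMT",
]

def expected_hash(form, alt_pass_hash):
    """Join the fields with ':' and return the uppercase hex MD5."""
    parts = [alt_pass_hash if name == SECRET_SLOT else form[name]
             for name in FIELD_ORDER]  # KeyError if a field is missing
    return hashlib.md5(":".join(parts).encode()).hexdigest().upper()

def verify_notification(form, alt_pass_hash):
    """True only if every field is present and V2_HASH matches."""
    try:
        want = expected_hash(form, alt_pass_hash)
    except KeyError:
        return False  # incomplete notification: never accept
    # Assumption: V2_HASH may carry trailing whitespace (the Perl code chops it).
    got = form.get("V2_HASH", "").strip().upper()
    # compare_digest does not reveal how many leading characters matched.
    return hmac.compare_digest(want.encode(), got.encode())

# Placeholder secret from the message; the field values below are constructed.
ALT_PASS_HASH = "ABCDEF1234567890ABCDEF1234567890"
SAMPLE = {
    "PAYMENT_ID": "ORDER-1001", "PAYEE_ACCOUNT": "100001",
    "PAYMENT_AMOUNT": "25.00", "PAYMENT_UNITS": "1",
    "PAYMENT_METAL_ID": "1", "PAYMENT_BATCH_NUM": "555001",
    "PAYER_ACCOUNT": "100002", "ACTUAL_PAYMENT_OUNCES": "0.09",
    "USD_PER_OUNCE": "277.50", "FEEWEIGHT": "0.0009",
    "TIMESTAMPGMT": "1000000000",
}
SAMPLE["V2_HASH"] = expected_hash(SAMPLE, ALT_PASS_HASH)

if __name__ == "__main__":
    print("genuine :", verify_notification(SAMPLE, ALT_PASS_HASH))
    forged = dict(SAMPLE, PAYMENT_AMOUNT="2500.00")
    print("tampered:", verify_notification(forged, ALT_PASS_HASH))
```
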