GoldMoney Online Merchant Interface






Implementation of GoldMoney OMI in C#/ASP.NET
Introduction
GoldMoney is a payment system in which customers and merchants exchange grams of gold (gg) within the GoldMoney system. This method of payment, although not widely used in the United States, offers some advantages over credit card systems: it does not have a charge-back system, so sales are final. Denominating purchases in gold grams eliminates the hassle of unsupported currencies, and the transaction costs are minimal.
In this article I will set out to explain how to implement the GoldMoney Online Merchant Interface (OMI) using ASP.NET and C#. The OMI interface allows you to automatically submit and receive notification of successful payments.
Using the code
The OMI interface implementation shown here has 3 parts:
- Collection of user information.
- Posting of data to GoldMoney for user purchase authorization.
- Receiving notification of successful payment.
Collect User Information
The first part is just a page, GMCollect.aspx, to collect user information such as name and email address. GoldMoney does not require any user information from the merchant; this is only to allow the merchant to fulfill the order. The purchase button on the collection page calls the redirection page with the item ID and any data that was collected on this page.
    private void btnPurchase_Click(object sender, System.EventArgs e)
    {
        // Create an entry in the DB and a new order
        int itemID = 1;
        int orderID = 100; // hardcoded for example but pull from DB

        // Pass to redirection page for posting.
        // Every user-supplied value is URL-encoded, including the email address.
        string url = string.Format(
            "GMRedirect.aspx?ITEM={0}&EMAIL={1}&FIRST={2}&LAST={3}&ORDERID={4}",
            itemID,
            HttpUtility.UrlEncode(TextEmailGold.Text),
            HttpUtility.UrlEncode(TextGoldFirstName.Text),
            HttpUtility.UrlEncode(TextGoldLastName.Text),
            orderID);
        Response.Redirect(url);
    }
Send Information to GoldMoney
The second part is the posting of data to the GoldMoney website. As many have found out when using ASP.NET, you cannot simply put a form button within the code-behind and expect it to work. What I've done here is take the easiest route and create a redirection page, GMRedirect.aspx. When GMRedirect.aspx is called it will post to the GoldMoney site.
The redirection page is responsible for taking the collected data along with the item's purchase price and putting it in the variables to be posted to the GoldMoney site.
    private void Page_Load(object sender, System.EventArgs e)
    {
        try
        {
            string memo = string.Empty;

            // Test Mode value for GoldMoney Requests
            // Uncomment to make a test purchase
            //SIMMODE.Value = "1";

            string tmp = Request.Params["ITEM"];
            if (null != tmp && tmp.Length > 0)
            {
                int id = int.Parse(tmp);
                int orderID = 0;
                tmp = Request.Params["ORDERID"];
                if (null != tmp && tmp.Length > 0)
                {
                    orderID = int.Parse(tmp);
                }
                OMI_MERCHANT_REF_NO.Value = orderID.ToString();

                // Look up Item information from DB
                // In this example it is hardcoded
                string itemName = "Widget";
                double itemCost = 42.42;
                double itemShipping = 1.00;

                // User will see this in Memo box on GoldMoney purchase page
                memo = "Payment for " + itemName;

                // Storage for additional merchant information
                // Item identification stored here in this example but could be anything.
                MERCHANT_FIELD_1.Value = id.ToString();
                OMI_CURRENCY_AMT.Value = string.Format("{0:0.00}", itemCost + itemShipping);
            }

            string emailStr = Request.Params["EMAIL"];
            if (null != emailStr)
            {
                MERCHANT_FIELD_EMAIL.Value = emailStr;
            }

            // Request.Params values are already URL-decoded by ASP.NET,
            // so they are used as-is (decoding again would corrupt '+' and '%').
            string firstName = Request.Params["FIRST"];
            if (null != firstName)
            {
                MERCHANT_FIELD_FIRSTNAME.Value = firstName;
            }

            string lastName = Request.Params["LAST"];
            if (null != lastName)
            {
                MERCHANT_FIELD_LASTNAME.Value = lastName;
            }

            OMI_MERCHANT_MEMO.Value = memo;
        }
        catch (Exception ex)
        {
            // Log and handle exception
        }
    }
GoldMoney Notifications
The third part is the magic automation. GoldMoney will post to this page, GMNotify.aspx, with all the parameters of a successful payment and the merchant variables you passed up to it. This example assumes that GoldMoney is posting to an SSL-secured page so the variables cannot be intercepted. The notification page validates that the message came from GoldMoney by checking a shared secret key between your website and GoldMoney. This secret key and the URL to this page are set in the OMI settings of your GoldMoney account. After validating the order, add whatever code you need to fulfill it.
    private void Page_Load(object sender, System.EventArgs e)
    {
        string _secretKey = "verybadsecretkey";
        string holdingNo = "12-34-56-A";
        try
        {
            // Check if valid transaction
            if (Request.Form["OMI_SECRET_KEY"].CompareTo(_secretKey) == 0)
            {
                if (Request.Form["MERCHANT_FIELD_EMAIL"].Length > 0)
                {
                    string email = Request.Form["MERCHANT_FIELD_EMAIL"];

                    // Verify that the payment was made to our holding number
                    if (Request.Form["OMI_MERCHANT_HLD_NO"].CompareTo(holdingNo) == 0)
                    {
                        int orderID = int.Parse(Request.Form["OMI_MERCHANT_REF_NO"]);
                        int itemID = int.Parse(Request.Form["MERCHANT_FIELD_1"]);
                        int currencyCode = int.Parse(Request.Form["OMI_CURRENCY_CODE"]);
                        double amount = double.Parse(Request.Form["OMI_CURRENCY_AMT"]);

                        // Validate orderID with amounts and itemID.
                        string firstName = Request.Form["MERCHANT_FIELD_FIRSTNAME"];
                        string lastName = Request.Form["MERCHANT_FIELD_LASTNAME"];

                        // Mail out receipt and fulfill order
                    }
                }
                else
                {
                    // No email to send receipt to; log it
                }
            }
            else
            {
                // Possible fraud: shared secret key with GoldMoney doesn't match.
            }
        }
        catch // (Exception ex)
        {
            // Something bad happened; log it.
        }
    }
Security Concerns
I abbreviated a number of security checks in this code for clarity. It should be noted that the transfer of data from GMCollect.aspx to GMRedirect.aspx can be intercepted and changed by the user. A safer method, such as session variables or hash checks, is recommended.
Another security issue is to validate that the order information and the price being sent from GoldMoney match. It might be possible, although unlikely, for the customer to adjust the price of the transaction from GoldMoney but retain the same order ID.
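One way to implement the two checks described above, as an added example that is not part of the original article's code: a keyed hash (HMAC-SHA256) over the parameters passed from GMCollect.aspx to GMRedirect.aspx, and an amount comparison for GMNotify.aspx. The class and method names, the idea of carrying the tag in an extra query parameter, and the demo key are assumptions; the expected amount 43.42 is the article's hardcoded item cost plus shipping.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added illustration; OmiChecks and its members are hypothetical names.
public static class OmiChecks
{
    // Length-prefix each field so ("ab","c") and ("a","bc") sign differently.
    static byte[] Canonical(string[] fields)
    {
        var sb = new StringBuilder();
        foreach (string f in fields)
            sb.Append((f ?? "").Length).Append(':').Append(f ?? "");
        return Encoding.UTF8.GetBytes(sb.ToString());
    }

    // GMCollect.aspx side: tag to append to the redirect URL (e.g. as SIG=...).
    public static string Sign(byte[] key, params string[] fields)
    {
        using (var h = new HMACSHA256(key))
            return BitConverter.ToString(h.ComputeHash(Canonical(fields))).Replace("-", "");
    }

    // Compare every character so timing does not reveal the first mismatch.
    public static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // GMRedirect.aspx side: recompute the tag before trusting any parameter.
    public static bool Verify(byte[] key, string sig, params string[] fields)
    { return FixedTimeEquals(Sign(key, fields), sig); }

    // GMNotify.aspx side: posted amount must equal what the order DB says.
    public static bool AmountMatches(string posted, decimal expected)
    {
        decimal amt;
        return decimal.TryParse(posted, NumberStyles.Number,
                   CultureInfo.InvariantCulture, out amt) && amt == expected;
    }

    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key"); // constructed value
        string sig = Sign(key, "1", "100", "ann@example.com", "Ann", "Lee");
        Console.WriteLine(Verify(key, sig, "1", "100", "ann@example.com", "Ann", "Lee"));
        Console.WriteLine(Verify(key, sig, "2", "100", "ann@example.com", "Ann", "Lee"));
        Console.WriteLine(AmountMatches("43.42", 43.42m));
        Console.WriteLine(AmountMatches("0.01", 43.42m));
    }
}
```

The same FixedTimeEquals helper can replace CompareTo when checking OMI_SECRET_KEY in GMNotify.aspx, and the expected amount should come from the stored order looked up by OMI_MERCHANT_REF_NO rather than from anything in the request.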
More Information
To set up a free GoldMoney account, visit GoldMoney.com. GoldMoney OMI implementation documentation is located here.
Disclaimer
This documentation and the accompanying files are provided "as is" with no expressed or implied warranty. No responsibility is accepted for possible damages or side effects in its functionality. The user must assume the entire risk of using this code. The author and Screaming Bee LLC accept no liability if it causes any damage to your computer, website, software, reputation or your love life. Use at your own risk.