
Hash - MD5 security check

Hash - MD5 security check

This article describes how to calculate the hash value sent to Bambora and how to check the hash value received from Bambora.
Notice for payment modules

If you’re using one of our payment modules (open source modules), please find your shop solution on this list, and click on it to see our online guide. 

You can find more information about MD5 under ‘Configuration’ in the respective guides. 
Notice

Please set the MD5 security check to "On accepturl and by authorization" in the Bambora administration, under the menu Settings -> Payment system.

Sent to Bambora

The hash you send to (and receive from) Bambora must be the MD5 hash of the values of all parameters, concatenated in the order they are sent, followed by the MD5 key.
<?php
// Sample request data for the payment window. All values below are examples.
//
// The order of the entries matters: the hash is computed by walking
// $paymentWindowRequest in array order, so the fields must be emitted to the
// payment window in exactly the same order as they are hashed.

// Risk information about the order itself.
$merchantRisk = [
    'shippingmethod'           => 'ShipToAnotherVerifiedAddress',
    'deliverytimeframe'        => 'SameDayShipping',
    'deliveryemail'            => 'john.doe@example.com',
    'reorderitemsindicator'    => 'FirstTime',
    'orderavailability'        => 'MerchandiseAvailable',
    'preorderavailabilitydate' => '2016-04-30T00:00:00.000Z',
    'giftcard'                 => [
        'currency' => 'SEK',
        'amount'   => 123,
        'count'    => 1,
    ],
];

// Information about the customer's account and earlier authentications.
$accountInformation = [
    'authentication' => [
        'data'      => 'Example string',
        'method'    => 'NoAuthentication',
        'timestamp' => '2016-04-30T10:22:56.049Z',
    ],
    'prior3dsauthentication' => [
        'data'      => 'Example string',
        'method'    => 'FrictionlessAuthenticationOccurredByAcs',
        'reference' => '0a137f3d-9fcf-4040-b6c7-e596cb79d953',
        'timestamp' => '2016-04-30T10:22:56.049Z',
    ],
    'createdindicator'                         => 'CreatedDuringTransaction',
    'createddate'                              => '2016-04-30T10:22:56.049Z',
    'changeddate'                              => '2016-04-30T10:22:56.049Z',
    'nameidenticaltoshippingaddressname'       => true,
    'passwordchangeddate'                      => '2016-04-30T10:22:56.049Z',
    'shippingaddressfirstusedindicator'        => 'ThisTransaction',
    'shippingaddressfirstuseddate'             => '2016-04-30T10:22:56.049Z',
    'shippingaddressidenticaltobillingaddress' => true,
    'transactionspast24hours'                  => 4,
    'transactionspastyear'                     => 24,
    'transactionsapprovedpastsixmonths'        => 10,
    'paymentaccountcreatedindicator'           => 'CreatedDuringTransaction',
    'paymentaccountcreateddate'                => '2016-04-30T10:22:56.049Z',
    'provisionattemptspast24hours'             => 3,
    'suspiciousactivity'                       => false,
];

// Invoice: customer, shipping address and order lines.
$invoice = [
    'customer' => [
        'reference'       => 'Reference',
        'emailaddress'    => 'test@epay.dk',
        'firstname'       => 'Jens',
        'lastname'        => 'Jensen',
        'attention'       => 'The att.',
        'address'         => 'Testervej 1',
        'zip'             => '9000',
        'city'            => 'Aalborg',
        'country'         => 'Denmark',
        'phone'           => '+4598139040',
        'state'           => '81',
        'homephonenumber' => '+4598139040',
        'workphonenumber' => '+4598139040',
    ],
    'shippingaddress' => [
        'firstname' => 'Jens',
        'lastname'  => 'Jensen',
        'attention' => 'The Att.',
        'address'   => 'Testervej 1',
        'zip'       => '9000',
        'city'      => 'Aalborg',
        'country'   => 'Denmark',
        'phone'     => '+4598139040',
        'state'     => '81',
    ],
    'lines' => [
        [
            'id'          => '6',
            'description' => 'MacBook',
            'text'        => 'Product Details',
            'quantity'    => 1,
            'price'       => 8000,
            'vat'         => 25,
        ],
        [
            'id'          => 'shipping',
            'description' => 'Shipping',
            'text'        => 'Product Details',
            'quantity'    => 1,
            'price'       => 800,
            'vat'         => 25,
        ],
    ],
];

// The complete request: scalar fields first, then the three nested structures.
$paymentWindowRequest = [
    'merchantnumber'     => 'YOUR MERCHANT ID HERE',
    'amount'             => '11000',
    'currency'           => 'DKK',
    'merchantrisk'       => $merchantRisk,
    'accountinformation' => $accountInformation,
    'invoice'            => $invoice,
];
?>

<script type="text/javascript" src="https://ssl.ditonlinebetalingssystem.dk/integration/ewindow/paymentwindow.js"
        charset="UTF-8">
</script>

<script type="text/javascript">
    paymentwindow = new PaymentWindow({
        <?php
        $hash = "";
        foreach ($paymentWindowRequest as $key => $value) {
            if ($key) {
                if (is_array($value)) {
                    echo "'" . $key . "':'" . json_encode($value, JSON_UNESCAPED_UNICODE) . "' ,\n";
                    $hash .= json_encode($value);
                } else {
                    echo "'" . $key . "': \"" . $value . "\",\n";
                    $hash .= $value;
                }
            }
        }
        $hash = md5($hash . "SecretMD5Key");
        ?>
        'hash': "<?php echo $hash; ?>"
    });
</script>
<input type="button" onclick="paymentwindow.open()" value="Go to payment"/>

Received from Bambora

The hash received from Bambora is the MD5 hash of the values of all received GET parameters, except the parameter hash itself, concatenated in the order they are received and followed by the MD5 key.
<?php
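// Verify the MD5 check on a callback: recompute the hash over every received
// GET parameter except "hash" itself, in the order received, and compare it
// with the hash that came with the request.
$params = $_GET;
$var = "";

// A missing hash, or one sent as an array (hash[]=...), can never be valid.
$receivedHash = (isset($params["hash"]) && is_string($params["hash"])) ? $params["hash"] : "";
$wellFormed = ($receivedHash !== "");

foreach ($params as $key => $value)
{
    // Strict comparison: with a loose != an integer key such as 0 can compare
    // equal to "hash" on older PHP versions and be left out of the check.
    if ((string) $key === "hash")
    {
        continue;
    }

    // Array-valued parameters (a[]=...) have no defined place in the
    // concatenation; treat the request as invalid instead of hashing "Array".
    if (!is_string($value))
    {
        $wellFormed = false;
        break;
    }

    $var .= $value;
}

// "SecretMD5Key" is a placeholder for the merchant's MD5 key; keep the real
// key in server-side configuration.
$genstamp = md5($var . "SecretMD5Key");

// hash_equals() compares the two strings byte for byte in constant time. A
// loose != treats hex digests that look like numbers ("0e..." followed by
// digits only) as equal when both parse to zero, and leaks timing information.
if (!$wellFormed || !hash_equals($genstamp, $receivedHash))
{
    echo "Hash is not valid";
    exit();
}
else
{
    //Hash is OK
    // The check covers only the concatenated values, not the parameter names,
    // so still compare the received amount, currency and order reference with
    // your own order record before treating the order as paid.
}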
?>