Hash - MD5 security check
This article describes how to calculate the hash value sent to ePay and how to check the hash value received from ePay.
Notice for payment modules
If you're using one of our payment modules (open source modules), please find your shop solution on this list, and click on it to see our online guide.
You can find more information about MD5 under Configuration in the respective guides.
Notice
Please set the MD5 security check to "On accepturl and by authorization" in the ePay administration under the menu Settings -> Payment system.
Sent to ePay
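The hash you send to (and receive from) ePay must be the MD5 hash of the values of all parameters, concatenated in the order they are sent, followed by the MD5 key. A parameter whose value is an array is hashed as the same JSON string that is sent to ePay.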
<?php
// Sample request data for the ePay payment window. Every value below is an
// illustrative placeholder and must be replaced with real order data.
//
// Key order is significant: the hash is built by walking
// $paymentWindowRequest in insertion order, and each nested array is
// JSON-encoded in its own key order. Reordering keys changes the hash.

// Merchant risk details; embedded under "merchantrisk" in the request below.
$merchantRisk = [
"shippingmethod" => "ShipToAnotherVerifiedAddress",
"deliverytimeframe" => "SameDayShipping",
"deliveryemail" => "john.doe@example.com",
"reorderitemsindicator" => "FirstTime",
"orderavailability" => "MerchandiseAvailable",
"preorderavailabilitydate" => "2016-04-30T00:00:00.000Z",
"giftcard" => [
"currency" => "SEK",
"amount" => 123,
"count" => 1,
],
];
// Cardholder account details; embedded under "accountinformation" below.
$accountInformation = [
"authentication" => [
"data" => "Example string",
"method" => "NoAuthentication",
"timestamp" => "2016-04-30T10:22:56.049Z",
],
"prior3dsauthentication" => [
"data" => "Example string",
"method" => "FrictionlessAuthenticationOccurredByAcs",
"reference" => "0a137f3d-9fcf-4040-b6c7-e596cb79d953",
"timestamp" => "2016-04-30T10:22:56.049Z",
],
"createdindicator" => "CreatedDuringTransaction",
"createddate" => "2016-04-30T10:22:56.049Z",
"changeddate" => "2016-04-30T10:22:56.049Z",
"nameidenticaltoshippingaddressname" => true,
"passwordchangeddate" => "2016-04-30T10:22:56.049Z",
"shippingaddressfirstusedindicator" => "ThisTransaction",
"shippingaddressfirstuseddate" => "2016-04-30T10:22:56.049Z",
"shippingaddressidenticaltobillingaddress" => true,
"transactionspast24hours" => 4,
"transactionspastyear" => 24,
"transactionsapprovedpastsixmonths" => 10,
"paymentaccountcreatedindicator" => "CreatedDuringTransaction",
"paymentaccountcreateddate" => "2016-04-30T10:22:56.049Z",
"provisionattemptspast24hours" => 3,
"suspiciousactivity" => false,
];
// Invoice data (customer, shipping address, order lines); embedded under
// "invoice" below. These fields are typically customer-supplied, so treat
// them as untrusted wherever they are written into HTML or JavaScript.
$invoice = [
"customer" => [
"reference" => "Reference",
"emailaddress" => "test@epay.dk",
"firstname" => "Jens",
"lastname" => "Jensen",
"attention" => "The att.",
"address" => "Testervej 1",
"zip" => "9000",
"city" => "Aalborg",
"country" => "Denmark",
"phone" => "+4598139040",
"state" => "81",
"homephonenumber" => "+4598139040",
"workphonenumber" => "+4598139040",
],
"shippingaddress" => [
"firstname" => "Jens",
"lastname" => "Jensen",
"attention" => "The Att.",
"address" => "Testervej 1",
"zip" => "9000",
"city" => "Aalborg",
"country" => "Denmark",
"phone" => "+4598139040",
"state" => "81",
],
"lines" => [
[
"id" => "6",
"description" => "MacBook",
"text" => "Product Details",
"quantity" => 1,
"price" => 8000,
"vat" => 25,
],
[
"id" => "shipping",
"description" => "Shipping",
"text" => "Product Details",
"quantity" => 1,
"price" => 800,
"vat" => 25,
],
],
];
// The request handed to the payment window. Scalar values are sent as-is;
// the three nested arrays are sent as JSON strings. The "hash" parameter is
// not part of this array; it is computed from it afterwards.
$paymentWindowRequest = [
"merchantnumber" => "YOUR MERCHANT ID HERE",
"amount" => "11000",
"currency" => "DKK",
"merchantrisk" => $merchantRisk,
"accountinformation" => $accountInformation,
"invoice" => $invoice,
];
?>
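<script type="text/javascript" src="https://ssl.ditonlinebetalingssystem.dk/integration/ewindow/paymentwindow.js" charset="UTF-8">
</script>
<script type="text/javascript">
paymentwindow = new PaymentWindow({
<?php
// Emit the PaymentWindow options and compute the request hash in one pass
// over $paymentWindowRequest (insertion order matters for the hash).
//
// Each value is turned into the exact string that will be sent ($sent) and
// that same string is what gets hashed, so the browser-side value and the
// hashed value cannot drift apart (previously the echoed JSON used
// JSON_UNESCAPED_UNICODE while the hashed JSON did not, and backslash
// escapes inside the quoted JS literal were re-interpreted by the browser).
//
// json_encode() with the JSON_HEX_* flags writes each string as a JavaScript
// string literal that is safe inside an inline <script>: quotes, <, > and &
// are emitted as \uXXXX escapes, so request data (names, addresses, ...)
// cannot break out of the literal or close the script element.
$jsFlags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
$hash = "";
foreach ($paymentWindowRequest as $key => $value) {
    if ($key) {
        // Nested structures travel as a single JSON string.
        $sent = is_array($value)
            ? json_encode($value, JSON_UNESCAPED_UNICODE)
            : (string) $value;
        echo json_encode((string) $key, $jsFlags) . ": " . json_encode($sent, $jsFlags) . ",\n";
        $hash .= $sent;
    }
}
// ePay's scheme: md5(concatenated values . key). "SecretMD5Key" is a
// placeholder; load the real key from server-side configuration and never
// write the key itself into the page. Only the digest is sent to the browser.
// Values are concatenated without separators, so the hash protects the
// combined string, not individual field boundaries.
$hash = md5($hash . "SecretMD5Key");
?>
'hash': "<?php echo $hash; ?>"
});
</script>
<input type="button" onclick="paymentwindow.open()" value="Go to payment"/>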
Received from ePay
The hash received from ePay is the MD5 hash of the values of all received GET parameters except the parameter hash, concatenated in the order they are received, followed by the MD5 key.
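<?php
// Verify the callback from ePay: recompute md5(all GET values except "hash",
// in the order received, followed by the MD5 key) and compare it with the
// "hash" parameter. Stops the request with "Hash is not valid" on mismatch.
$params = $_GET;
$receivedHash = isset($params["hash"]) ? $params["hash"] : null;
$var = "";
foreach ($params as $key => $value) {
    // Strict comparison: only the parameter literally named "hash" is left
    // out. A loose != can treat other keys (e.g. the integer key 0 on older
    // PHP versions) as equal to "hash" and silently drop them from the check.
    if ((string) $key === "hash") {
        continue;
    }
    // Array-style parameters (name[]=...) would be concatenated as the word
    // "Array"; they are not valid callback input, so fail the check outright.
    if (!is_string($value)) {
        $receivedHash = null;
        break;
    }
    $var .= $value;
}
// "SecretMD5Key" is a placeholder; load the real key from server-side
// configuration.
$genstamp = md5($var . "SecretMD5Key");
// hash_equals() compares the two digests byte for byte in constant time.
// The loose != operator compares numeric-looking strings (such as digests of
// the form "0e" followed only by digits) as numbers, so two different
// digests could be accepted as equal. A missing or non-string hash is
// rejected before the comparison.
if (!is_string($receivedHash) || !hash_equals($genstamp, $receivedHash)) {
    echo "Hash is not valid";
    exit();
} else {
    //Hash is OK
    // A valid hash shows the parameters were not altered in transit; still
    // compare them with the stored order before marking it as paid.
}
?>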