Topic: Accepting Bitcoins On My Website... (Read 1630 times)

vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
September 12, 2011, 10:41:10 PM
#13
I am successfully running Casascius Physical Bitcoins website and taking orders with a minimum of complexity.

I simply pre-generated a large number of bitcoin addresses using a passphrase and Casascius Bitcoin Utility.  Imported it in the database.  Each time I want to collect payment, I just spit out one address, and the first 8 characters of that address becomes their order number.

In my case, I have to manually ship the items anyway, so it's no big deal for me to go to Block Explorer and confirm the payment.  I also don't have to keep any real bitcoins on the web server.

If I needed to know right away, I'd probably just use the Bitcoin Notify service.  Hopefully somebody will create an open-source equivalent, so one merely need install bitcoind (without their wallet) and some middleware to perform the notifications.  (ideally, bitcoind should offer an RPC call that returns a list of all the valid spendable transactions given a list of bitcoin addresses).
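The address-pool scheme described in the post above, as an added example that is not the poster's own code: it assumes a SQLite table, and the sample addresses are constructed placeholders, not real Bitcoin addresses. It covers the two cases the description leaves open, an 8-character prefix that repeats and a pool that runs dry.

```python
import sqlite3

# Constructed placeholder strings standing in for pre-generated addresses;
# they are not real Bitcoin addresses. Only addresses are loaded, never keys.
SAMPLE_ADDRESSES = [
    "1AAAAAAAconstructedexample01",
    "1BBBBBBBconstructedexample02",
    "1AAAAAAAconstructedexample03",  # same first 8 characters as the first
]


def open_pool(addresses):
    """Create the pool table and import the pre-generated addresses."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # manual transactions
    db.execute(
        "CREATE TABLE pool (address TEXT PRIMARY KEY,"
        " order_no TEXT UNIQUE, customer TEXT)"  # order_no is NULL until issued
    )
    db.executemany("INSERT INTO pool(address) VALUES (?)", [(a,) for a in addresses])
    return db


def allocate(db, customer):
    """Issue one unused address; return (order_no, address)."""
    db.execute("BEGIN IMMEDIATE")  # take the write lock so two checkouts cannot race
    try:
        unused = db.execute(
            "SELECT address FROM pool WHERE order_no IS NULL ORDER BY rowid"
        ).fetchall()
        for (address,) in unused:
            order_no = address[:8]
            clash = db.execute(
                "SELECT 1 FROM pool WHERE order_no = ?", (order_no,)
            ).fetchone()
            if clash:
                continue  # prefix already used as an order number: skip it
            db.execute(
                "UPDATE pool SET order_no = ?, customer = ? WHERE address = ?",
                (order_no, customer, address),
            )
            db.execute("COMMIT")
            return order_no, address
        raise LookupError("address pool exhausted; import more addresses")
    except BaseException:
        if db.in_transaction:
            db.execute("ROLLBACK")
        raise
```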
sr. member
Activity: 261
Merit: 285
September 12, 2011, 10:37:44 PM
#12
And if there will be multiple services like this you can just subscribe to all of them, so the risk of one service being down and no payment notifications incoming will be reduced further.

Another reason to use multiple services might be to mitigate the ramifications of a notify service getting hacked (like bitcointalk.org and everyone else.)

Otherwise:

1) hacker gets access to a notification service
2) hacker figures out what merchants use that notification service
3) hacker adds items to shopping carts at those merchants and checks out
4) hacker uses notification service to send out false payment received notifications e.g. "6 confirmations of 50 BTC to your address xyz"
5) merchant ships goods to hacker thinking BTC have been collected

Offhand I can't think of a good (automated) way any of these notification services could guarantee the authenticity of their notifications if they were compromised. They can give you ways to make sure you're not being spoofed by a *different* IP, but I'm not sure there's a way to detect if the actual notification service has been taken over by evil-doers.
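The multi-service idea from the post above, as an added example that is not part of the original post or any real notification service's API: an order counts as paid only when a quorum of independent services report the same transaction. The service names, HMAC keys and JSON field names are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Assumptions (not from any real notification API): each service signs the raw
# callback body with HMAC-SHA256 under its own secret; names, keys and the JSON
# field names below are constructed for this example.
SERVICE_KEYS = {
    "notify-a": b"constructed-secret-a",
    "notify-b": b"constructed-secret-b",
    "notify-c": b"constructed-secret-c",
}
QUORUM = 2             # independent services that must agree
MIN_CONFIRMATIONS = 6  # the "6 confirmations" figure used in the thread


def sign(service, body):
    """What a service would attach to its callback (used here to build samples)."""
    return hmac.new(SERVICE_KEYS[service], body, hashlib.sha256).hexdigest()


def authentic(service, body, signature):
    """Reject callbacks from unknown senders or with a bad MAC (spoofing)."""
    key = SERVICE_KEYS.get(service)
    if key is None:
        return False
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def order_is_paid(order, callbacks):
    """callbacks: iterable of (service, raw_body, signature_hex)."""
    votes = {}  # txid -> set of distinct services that reported it
    for service, body, signature in callbacks:
        if not authentic(service, body, signature):
            continue
        try:
            msg = json.loads(body)
        except ValueError:
            continue
        if not isinstance(msg, dict) or not isinstance(msg.get("txid"), str):
            continue
        amount, confs = msg.get("amount_satoshi"), msg.get("confirmations")
        if (msg.get("address") == order["address"]
                and isinstance(amount, int) and amount >= order["amount_satoshi"]
                and isinstance(confs, int) and confs >= MIN_CONFIRMATIONS):
            votes.setdefault(msg["txid"], set()).add(service)
    # One compromised service holds a valid key but cannot reach the quorum alone.
    return any(len(services) >= QUORUM for services in votes.values())
```

The quorum only helps when the services are run independently of each other; the signature check covers third-party spoofing, not a takeover of the signing service itself.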
hero member
Activity: 488
Merit: 500
September 08, 2011, 05:31:52 AM
#11
BitcoinNotify is exactly what I had in mind (in some deep buried corner, it's true.) And it seems to me that this is the perfect way for a web site to accept bitcoins.

Agree. Yesterday I hacked up a Django module to utilize the BitcoinNotify service - it took only 2-3 hours until it worked fine, already including support for partial payments and proper tracking of bitcoin address usage.

I really really like this idea because it seems so obvious - No need to handle any external wallet, everything is under your control.

The only downside is that you still rely on an external service to manage your payments. But I think that there will be more services appearing offering this service and/or someone will create an open-source version of that service so anybody could host it. (If not, I will do it.)

What really impressed me is the speed. When you are willing to take the risk of not waiting for additional confirmations (e.g. for micropayment stuff) you get the notification callback just a few seconds after hitting "OK" in the bitcoin client :-)

And if there will be multiple services like this you can just subscribe to all of them, so the risk of one service being down and no payment notifications incoming will be reduced further.
sr. member
Activity: 286
Merit: 251
September 08, 2011, 03:02:33 AM
#10
BitcoinNotify is exactly what I had in mind (in some deep buried corner, it's true.) And it seems to me that this is the perfect way for a web site to accept bitcoins.

I don't have stuff working yet, but this looks like what I want to do and is significantly easier than "writing everything from scratch".
newbie
Activity: 58
Merit: 0
September 03, 2011, 10:12:38 AM
#9
One of the purposes here is NOT to have to trust 3rd parties with my cash flow.

@mintymark: You may want to have a look at BitcoinNotify. Accepting Bitcoin payments is as simple as handling HTTP requests.

  • payments go directly to your private wallet - trust no 3rd party
  • keep your wallet disconnected from the network so it can never be stolen by hackers
  • there is nothing to install on the server
  • there is no external API to call
  • customer never leaves your store (no 3rd party site involved)
  • receive HTTP updates of the BTC exchange rates

See how to accept Bitcoin payments in your store / application / business.

Feel free to pm me if you need any help.
hero member
Activity: 868
Merit: 1008
September 03, 2011, 08:05:41 AM
#8
mintymark, I think you're best off sticking with the c++ client for the time being.  If your hosting provider won't allow it, find another one.  I understand your desire to not have the full block chain, but to validate transactions yourself you'll need it...otherwise you'll have to rely on a third party to run the full client to validate transactions for you.  You might want to have a look at bitcoinjs.org...it is a little more pliable than the C++ client, but I think Stefan is still not recommending it for use in any kind of production environment (and he also strongly recommends only connecting to the network indirectly through the c++ client).
hero member
Activity: 568
Merit: 500
September 01, 2011, 01:10:09 PM
#7
It's a good question and something we went through every possibility with before settling on our own solution.

We didn't want to use a trading house's API, we wanted to manage and hold our own funds so we'd know our money was safe. We run CentOS, so we had to compile our own version of the bitcoin client. We've made that version available here if you need it: https://strikesapphire.com/bitcoind.0.3.22.bin.tar.gz

It's a slight hassle to set up, but it's secure. Basically, get that Bitcoin daemon running somewhere else, on a cheap dedicated server. Turn off mining so you don't piss off your hosting company. Then just write a little remote PHP script on the Bitcoin server that takes an argument and returns an address from the wallet. Lock that down with .htaccess. When someone on the webserver requests an address, you can just call the remote page with the proper password and read the result as text. Or you can get more sophisticated using cURL and having callback scripts, but in your case you might not have to. This does two good things: Firstly, it keeps the wallet off your webserver. Secondly, it keeps it on your own turf, which is where you probably want it.

If you look at the cost of a $100/month dedicated server versus what you're paying in transaction fees, it probably makes sense (it does for us), and anyway you can use that server for lots of other backend stuff if you like. It's always nice to have a dedicated around.
hero member
Activity: 737
Merit: 500
August 31, 2011, 06:57:20 PM
#6
Well http://www.bitcoinpayflow.com/ certainly does look interesting and I may well use this.

And I do hear what a couple of people have said about doing things the wrong way: fair comment. But are there other avenues to explore if I was going to do this on site myself ?

One of the purposes here is NOT to have to trust 3rd parties with my cash flow. 

If you want to do it yourself and not trust anyone, then you have to also not use a web hosting company (who you are trusting with your cash flow if they have access to your servers).  You would need to get hardware yourself and then have it colocated somewhere so that you are the only one with access to the servers.  At that point, you *could* install bitcoind on the servers yourself (since you are managing everything yourself).

But that is a massive hassle and is the reason why payment gateways are worth using.  It's not all that different than if you accept credit card transactions and use a credit card payment processor or gateway.  In fact it's better because you are only trusting the bitcoin payment processor for an hour and it takes much longer to receive funds from your credit card payment processor.
sr. member
Activity: 438
Merit: 291
August 31, 2011, 10:31:19 AM
#5

But you are only trusting them for one hour.

If they fail to deliver the cash you stop using them and the most you can lose is what was spent on your website in one hour (i.e. 0.01% of your annual turnover!).

If you REALLY want to do it all yourself that is fine, but it is VERY complex. It could be done with bitcoinj, which is a Java implementation of the protocol. But you would need a host to run it on and another host to run a trusted bitcoind daemon (I would split them so the bitcoinj host cannot be attacked from the internet but is hidden behind the bitcoind daemon.). And I would estimate 2-4 weeks to code and another few weeks of testing. You would also want an external party to check your code too.

In summary I would rather trust someone with 1 hour's turnover than myself not making a mistake in the code!
sr. member
Activity: 286
Merit: 251
August 31, 2011, 10:23:37 AM
#4
Well http://www.bitcoinpayflow.com/ certainly does look interesting and I may well use this.

And I do hear what a couple of people have said about doing things the wrong way: fair comment. But are there other avenues to explore if I was going to do this on site myself ?

One of the purposes here is NOT to have to trust 3rd parties with my cash flow. 


hero member
Activity: 737
Merit: 500
August 31, 2011, 10:08:18 AM
#3
sr. member
Activity: 438
Merit: 291
August 31, 2011, 09:50:04 AM
#2

I think you are going about it the wrong way.

Just use a service provider with a nice clean RESTful API and it is simple.

See:
https://en.bitcoin.it/wiki/Merchant_Howto

or specifically:
http://www.bitcoinpayflow.com/

looks easiest - you just HTTP/POST them the order details, you then get an address back.
You then display this to the user and ask them to send money to this address.

When the money is received at the address bitcoinpayflow will notify you (via an HTTP callback).

And then they send you the money after 6 confirmations.

So you only have 1 hour or so of credit risk with bitcoinpayflow.



sr. member
Activity: 286
Merit: 251
August 31, 2011, 09:17:43 AM
#1
I'd like to accept bitcoins on my website.

It ought to be easy but it isn't. And I think these problems are commonplace.

The first problem is that the bitcoin daemon will not install or compile on the rather limited facilities of my host. (It's FC4). I asked the hosting company if they would install it and they said quite clearly they would not allow this. I think this would be common with many hosting companies. I tried persuasion, but 6 weeks have gone past and I think I should try something else.

Actually I do not want the whole client at all. What I would like is the ability to monitor transactions and  generate addresses. This way the web site could say "payment received" and take appropriate action, and to generate an address for a purchase request or checkout. The latter seems easy, but how do I monitor the blockchain for a payment to a particular address?

One way to do it would be to use the block explorer. But this builds dependency on another web site, and also takes a long time (10 minutes). For small transactions I'd like to know at once that payment has been sent even if I do not wait for confirmations. I may want to display confirmations as well.

I have considered the perl client as a starting point but not got very far with that.

Grondilu et al have demonstrated bash scripts for generating addresses, which could be useful.

Can anyone point me in the direction of code that I could use as a starting point for this ?  (That is monitoring the pending blockchain.) 
