Showing results for 
Search instead for 
Did you mean: 

Working php hash verification

**If you find this helpful please kudo this post. This has consumed a huge chunk of my day and you will help me build credibility for when I enroll in the certified developer program. **


Here is 100% tested, working php hash verification code for the php SDK. I believe this will also work with SIM/AIM, etc.


You need the following to have an apples to apples setup with what I used:


1: The most recent php SDK package from GitHub. I downloaded this today and installed. I believe it is a few days old.


2: If you have not generated a signature key from your production or sandbox merchant interface to use for testing, do so. You won’t get the hash in the response without it. Generate it and copy it for use in this script.


3: An API call script for some payment transaction that returns the hash. With the SDK I am getting this for voidTransaction, refundTransaction, capture, etc. I believe that any payment function that directly charges or affects a transaction will contain this. The Accept Hosted form API call obviously does not.


For requirement 1, the SIM/DPM, etc. users do not have this, if my understanding is correct. You should be able to use this as well, only substituting my method for extracting the transHashSha2 value from the response with however you accomplish this using your integration. You may also have to use different parameters in your delimited string, I would try this method first, but I have seen other developers posting attempts with more fields in the string than login, transId, and amount, and there is probably a good reason for this. 



Here is the code (p.s. do not follow the hyperlink to the C# byte array description and try to implement a php equivalent to the C# byte array script. This makes things 100X harder than they have to be, as I know well at this point. Without further delay…..)



$login = "copy and paste your merchant login id here";
$signatureKey ="copy and paste your signature key here";
$signatureKey = hex2bin($signatureKey);
$amount = $amount;

//$response stands for the response object returned by your API call
//e.g.  $response = refundTransaction($refTransId,$amount,$lastFour);

$transId = $response->getTransactionResponse()->getTransId();
$string = '^'.$login.'^'.$transId.'^'.$amount.'^';

$hash = $response->getTransactionResponse()->getTransHashSha2();
$digest = strtoupper(HASH_HMAC('sha512',$string,$signatureKey));

if(hash_equals ($digest,$hash)){

    //This if statement is the verification piece 
    //Put whatever you want your app to do with the transaction here
    //to test you can do something like echo "Hash verification validated";
    //or try this:
    //$dump = print_r($string,true);
    //$fp = file_put_contents( 'transhash.log', $dump );
    //and if your directory populates with a file named transhash.log you know 
    //verification succeeded



All Star


I have used it outside hash function by assigning in a variable.

I Put the code here so that number of lines does not exceeds same is present on



Where did you get those $_POST values from? Is that from the response? Or is that your request? When I run this I get $_POST values as an array with ^ characters added BEFORE you implode (the $hashFields array I am referring to). My SIM/DPM verification works as normal. For sure this will not work if your environment is anything like mine.  There are numerous working SIM/DPM code posted on the forum. I have 2 different methods that have been tested and worked for me and other users. 

never mind. That was some sort of noise in my script from my method. Your string is exactly right. Ir is not in your implode and hashfields where you are going wrong. 



look at the values that I got in reponse from $_POST -

My code was working before.

I have searched alot about the same and looks like my code is fine but it is not working.

Ia there any change from their side while generating hashcode with sha512?


@Renaissance  Can you provide me those 2 different sets of code?


Also see the solution to this thread. It has working and tested SIM/DPM code that is procedural like your script.  It is bizarre that this isn't working for you. Have you had a signature key change recently? 

@Renaissance Yes I changed the signature key recently. 

Basically created fresh for one client and this is not working since then and key looks ok.



There is your obvious issue. I would make a new signature key. Most likely the new one you created, you failed to copy all characters. Or if you have defined it in your PHP script, did you accidentally include any white space?