1. ....do it (offline!) using bitaddress.org (see the "bulk" option).
+++++ will do.
2. Put the addresses (not the private keys) into a database on your web server. There should also be a column indicating whether or not the address has already been used. You probably also want a column indicating whether the payment has been received. I had a mysql table for all of this.
+++++ ok, i'll put the public addresses into a mongodb and add a couple fields for used and paid etc, maybe even a notes field, timestamp, etc.
3. Each time someone orders something, randomly choose an unused address. This can be done with some basic php/mysql interaction.
+++++ i'll do it in nodejs. i love your random idea here too!
4. Mark the address as used and display it to the buyer. This should be done over https so that it is not visible to third parties. This is the only time the address will be sent from you to the buyer.
+++++ yep, @franky1 is on to something there with the "" idea. how do we quickly show the qr and hopefully the "textual" address to the customer in a way that can't get snagged by google? there must be a form post first, which sends request to node or meteor or something, then that server side code generates the image server side with a random filename which then shows that image to the customer in a compiled file format such as jpeg or gif. a simple math problem instead of captchas would keep the bots out i think. hmmmf
5. Here's the final and most problematic step. You should check for when the payment is made (with n>=0 confirmations) and mark it as paid in the database at that point. Here's how *not* to do it: Call a third party site like blockchain.info. If you call a third party, then you've leaked the address. You could have bitcoind running on your server, but to watch an address you have to have the private key in the wallet. It's a terrible idea to have wallets with private keys on a web server (which is a real shame). You can encrypt the wallet with an extremely high entropy password and it's probably safe, but I wouldn't recommend it. I'll tell you what I did: I rented a separate server that only ran bitcoind (no apache), put the wallet in question with a very high entropy password on that server. I whitelisted that my webserver could ask about payments to certain addresses. (Well, what I did was a little more complicated, but I'm trying to give the idea.) You could also secretly just wait half an hour and then assume the payment was made. The buyer will probably assume you are waiting for confirmations. That's the technically easiest solution.
+++++ as bitaddress states on their bulk wallet page, the "bitcoin payment notification service" will be tough too since you are querying over the wire a specific address, essentially broadcasting that it's yours. i'd like to avoid bitcoind. a web service or blockchain style decentralized email address might just be the way to get automated notifications. this has got to be DUMB. a lot of my customers are mom and pop shop folks who know nothing about tech. but, if they know that they have to wait until they get the "notification" in some way, then they won't ship anything out till they know for sure it was paid for. this is a tough one indeed... hmmmf
PS: I just saw your latest reply. I like money.