
Passing values securely in PHP without using "hidden"

Hey all.

This is the problem and I’ll try to be as clear as possible. I am trying to incorporate a credit card acceptor/merchant account into a client’s website but the “developer’s guide” they offer for instituting the mechanism is leaving me lacking in one respect.

I’ll be dealing with Virtual Merchant and I will have to pass certain variables, e.g. all known variables not input — username, password, acct #, etc. through the php form used to collect customer information and to perform the transaction.

I have been unsuccessful in finding a good reference for doing something like this (probably because I don’t know what to search for). The bank’s developer guide suggests writing these values into server side code to truly keep them hidden/secure, but I am very new to this.

Any help/info would be greatly appreciated!!


20 Comments

@Justin (Oct 30, 2008) — Are you trying to pass data between two servers without having it be sent by the user? Well I guess what you could do is have the server side code send the request to the other server then get a session id or something that you can send the user before redirecting them to the next server. I don't know offhand, you could try a socket with post data and send it that way. But that is only a guess or at least that is what I would start searching for.

@NogDog (Oct 30, 2008) — The [url=http://php.net/curl]cURL functions[/url] are often used for this sort of thing (if, in fact, we are talking about server-to-server transactions).

@rothnd (author, Oct 30, 2008) — Well, the bank that is setting up/providing the merchant account provides all of the coding to implement the payment acceptance except for transmitting the client's login information to their site.

Basically, the php will contain the form with necessary payment information. When the user clicks to purchase a specific purchase, they will be redirected through the bank's pages (this is the easy part). However, for the transaction to go through, the client's login username and password (at the very least) must be transmitted along with this information. So the bank's developer's guide examples use hidden form values to transmit this specific information, but obviously, I need to figure out how to make this information invisible to the ordinary person (so someone cannot view the login information through "view source"). The developer's guide mentions using server side code to accomplish this but that's where I get lost as I don't know anything about server side coding (I'm assuming that this is a separate file containing just those hidden form values of login information so they're not directly accessible through the web??)

@NogDog (Oct 30, 2008) — A typical scheme would be to have the form submit to a script (presumably PHP in this case) on your site. Your script would then take the form data, do whatever validation you need/want to do first, and if OK, then take that data along with whatever other data the bank's server-side program wants, and send it to them via cURL, which ends up sending an HTTP transaction exactly like a browser would when it submits a form. The cURL code would then receive the HTTP response from the bank's script, and you would then have to parse it to determine if the transaction was accepted/rejected, then output the final results to the user.
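
The scheme described in the post above, sketched as an added example (not code from any poster or from the bank's guide). The gateway URL, the field names, the config path, the price list and the key=value response format are all hypothetical placeholders; the real ones come from the processor's developer guide.

```php
<?php
// Added example. Hypothetical throughout: config path, field names, price list
// and the key=value response format stand in for the processor's real ones.

// Merchant login lives in a file outside the web root; it is never sent to the browser.
function load_gateway_config(string $path): array {
    $cfg = require $path;  // file returns ['url' => ..., 'username' => ..., 'password' => ...]
    foreach (['url', 'username', 'password'] as $key) {
        if (empty($cfg[$key])) throw new RuntimeException("gateway config missing '$key'");
    }
    return $cfg;
}

// Validate customer input. The amount comes from a server-side price list,
// not from a form field the customer could edit.
function build_order(array $post, array $prices): array {
    $field = fn($k) => is_string($post[$k] ?? null) ? $post[$k] : '';
    $card  = preg_replace('/[ -]/', '', $field('card_number'));
    if (!isset($prices[$field('item')])) throw new InvalidArgumentException('unknown item');
    if (!preg_match('/^\d{13,19}\z/', $card)) throw new InvalidArgumentException('bad card number');
    if (!preg_match('/^(0[1-9]|1[0-2])\d{2}\z/', $field('exp_date'))) throw new InvalidArgumentException('bad expiry (MMYY)');
    return ['amount' => $prices[$field('item')], 'card_number' => $card, 'exp_date' => $field('exp_date')];
}

// Server-to-server POST over verified TLS; returns the parsed key=value response.
function send_to_gateway(array $cfg, array $order): array {
    $fields = $order + ['username' => $cfg['username'], 'password' => $cfg['password']];
    $ch = curl_init($cfg['url']);
    curl_setopt_array($ch, [
        CURLOPT_POST => true, CURLOPT_POSTFIELDS => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT => 30,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($body === false || $status !== 200) throw new RuntimeException('gateway request failed: ' . curl_error($ch) . " (HTTP $status)");
    $result = [];
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        $parts = explode('=', $line, 2);
        if (count($parts) === 2) $result[trim($parts[0])] = trim($parts[1]);
    }
    return $result;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $order  = build_order($_POST, ['widget' => '19.99']);  // constructed price list
        $result = send_to_gateway(load_gateway_config(__DIR__ . '/../private/gateway.php'), $order);
        echo ($result['result'] ?? '') === 'APPROVED' ? 'Payment accepted.' : 'Payment declined.';
    } catch (InvalidArgumentException $e) {
        echo 'Please check your entries: ' . htmlspecialchars($e->getMessage());
    } catch (RuntimeException $e) {
        error_log($e->getMessage());  // message holds the transport error only, no card data or credentials
        echo 'The payment could not be processed.';
    }
}
```

Because the browser only ever talks to this script, the merchant username and password appear in no HTML the customer receives, hidden field or otherwise.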

@rothnd (author, Oct 30, 2008) — Ok, if I'm understanding correctly (because I'm unfamiliar with the cURL function) you're referring to the "action" of the form. The form is actually optional with this setup. I can set the form up however I like or use the bank's ready-made. The action of the form will actually be their script. But, to get there the login information is needed to access their server. So that's what I'm trying to do is pass that login information (the rest of the info is/will be passed via POST/GET combination).

@NogDog (Oct 30, 2008) — If you are going to have the HTML form submit directly to the bank's server, then the only way you can get any required data to the bank is by having it in the form data. If it is not acceptable to have that data sent to the user's browser, then the only practical option I see is what I described above: having the form submit to a script on [i]your[/i] server, which then sends its own HTTP request (via cURL, sockets, whatever) to the bank's form-handler script and then captures and processes the result returned by that request.

@rothnd (author, Oct 30, 2008) — Yep, sounds right. Do you have any info/resources for learning how to do this? I'm guessing the initial form would post to my form (my server) and then get the extra info and post to the bank's form. Is this the general layout?

@rothnd (author, Oct 30, 2008) — Just had an idea...at the risk of sounding ignorant I'll post it anyway.

What if:

I have the initial form to gather the required user info.

This form has the action of my first script (on my server) which has embedded html to contain another form with only the two hidden elements that I need.

This second form has the action of the bank's script to process the payment.

Is this possible? If so, will this hide the two hidden elements that I need hidden (at the least from source view)?

Thanks for being my sounding board today. I really appreciate it!

@Justin (Oct 31, 2008) — That could work, but don't trust user input if you can. You can easily change hidden form elements. But if you don't mind using hidden elements, that is a decent method, but if you can use php to send it, that would be a better system.

@rothnd (author, Oct 31, 2008) — Hi Justin --

I appreciate the info. I'll have to give it a shot.

However, apologies if I wasn't clear, but these two values that I'm trying to send are static values that will be hard-coded (they will not change, I just need them in there to effectuate the payment -- the way it works apparently is that for the user to complete a transaction on the client's site, the client's account must open with the bank for the processing to occur -- this is what I am trying to pass in the hidden variables - the client's login info just to make the transaction -- that's why I want these two values hidden as much as possible also).

The other thing I wanted to ask was - what do you mean by "it's easy to change the hidden values"? From outside the site?

What I was thinking was --

main page:

form "buysomething" action "php1.php"

get the info

/form

my script:

html

form "hidedata" action "bankphp.php"

input hidden username

input hidden password

/form

/html

So -- do you think this could serve the purpose I'm looking for -- and -- do you think/know that this will not allow a view source on the "my script" page so the two hidden values stay hidden??

Thanks again. I greatly appreciate it!!!

@NogDog (Oct 31, 2008) — Any hacker worth the name can look at the HTML source, and then set up something (using PHP and the cURL extension, for example) to send his own spoofed form submission with whatever values he wants for the form post data. Therefore, if any such hidden fields (or even unhidden but non-editable ones) could cause a problem if someone changed their values, then you have potential security issues.

@svidgen (Oct 31, 2008) — Is there any chance you're using authorize.net? If so, I can provide you with some working code. If not, you might still be able to see an example of working code that does exactly what you're trying to do. Would you like me to post it?

@rothnd (author, Oct 31, 2008) — Yes! Please post! It would at least get me thinking if nothing else.

I won't be using authorize.net, the bank the client is going through is using Virtual Merchant. Not surprisingly, I've found better documentation for authorize.net but what are you gonna do?!lol.

But yes, I'd appreciate it!

@svidgen (Oct 31, 2008) — Alright, I'm attaching the relevant files.

[B][U]authorize.net.php[/U][/B]

This file is an include and contains the standard functions we used to initiate transactions between our server and authorize.net's.

[U][B]index.php[/B][/U]

This file does all the work for our party bookings. The irrelevant code has been snipped.

So, the client fills out the payment form shown in index.php, which posts to itself. When it senses that the payment form has been posted, it filters/checks the [I]_POST[/I] array, includes authorize.net.php, and calls [I]process_payment($_POST)[/I]. It then makes the necessary local database changes and reports to the client.

Keep in mind, the server you authenticate with (authorize.net in this case) is a financial institution, and while it's best not to send them bad authentication attempts, they're not likely going to [I]accidentally[/I] accept bad data. So, if your form-checking functions aren't perfect, it's not the end of the world. Honestly, I'm not even sure this version of the file has a filtering function for the POST data--it wasn't meant to go live until it did, but my client likes to have things live, even when they're not finished ...

You may also notice some values being pulled from a $_SETTINGS array. This is an array compiled by an include which pulls the values from a database table. The details of how this data is stored are not likely important to you. The important thing is that you get an idea of what they represent--ask me if it isn't obvious for any of them.

Also, I did a quick check for sensitive information in these files--to the best of my knowledge, all of our sensitive information is stored in the settings database. Though, if anyone finds anything that they think should be private, [B]please let me know[/B] so I can do something about that ...

Let me know if this helps.

Attachment: authorize.net.zip (4kB)

@rothnd (author, Nov 01, 2008) — Thanks for posting. I'm hoping you can sort of walk me through here to help in understanding.

Couple questions:

1. This one is more out of curiosity than anything...why is the form part of a subroutine? what is that accomplishing exactly?

2. The whole "posts to itself" thing is something I've never really understood. I see that it does and I'm guessing the line "require_once('../includes/auth.php');" is what is finishing the routine?

3. I see you use curl in the second script.. is this a requirement when dealing with https posts? What function is curl performing? And, an even more dumb question, is curl really something to download and have on the server as well (the website I found for it says "for download" but doesn't explain it very well)?

4. The authorize.net.php... is this your creation for it or was it the bank's recommendation for the form? Combo I'm assuming...

So authorize.net.php is doing most of the work. Is it actually posting to the bank's own script as well? Reason I ask is that I don't think I will have the bank's script, mine will just send the data to it (herein lies the problem with the login information).

So I'm thinking if I do something similar here it may work. I'd like your thoughts on this:

Create the payment form on its own (only thing in first script). If you can explain this part to me...have it post to itself and do the include of the second form.

Then the second script set all the variables/whatnot that have to be posted to the bank's script and have the login info coded within their own variables in this second script.???

Do you think this would solve that problem of hiding the login info?

@rothnd (author, Nov 01, 2008) — Another look..

So it appears that the global $_SETTINGS; contains all the sensitive info? So that's not a bad idea, where do you define it though? i.e. I assume this is itself an array that contains any and all info, but where did you define it to keep it hidden?

@svidgen (Nov 01, 2008) —

[QUOTE]1. This one is more out of curiosity than anything...why is the form part of a subroutine? what is that accomplishing exactly?[/QUOTE]

It allows me to more easily display it conditionally.

[QUOTE]2. The whole "posts to itself" thing is something I've never really understood. I see that it does and I'm guessing the line "require_once('../includes/auth.php');" is what is finishing the routine?[/QUOTE]

When I say "it posts to itself," I mean to say, index.php does different things based on the GET/POST variables. So, the form posts to index.php with a GET or POST variable (don't remember which) that indicates what to do next. [I]auth.php[/I] is actually an include that manages sessions and authentication--it's irrelevant to the task at hand.

[QUOTE]3. I see you use curl in the second script.. is this a requirement when dealing with https posts? What function is curl performing? And, an even more dumb question, is curl really something to download and have on the server as well (the website I found for it says "for download" but doesn't explain it very well)?[/QUOTE]

Curl is a package that manages HTTP[s] connections. You'll also see that the script attempts to use the [I]http_post_data()[/I] function first.

[QUOTE]4. The authorize.net.php... is this your creation for it or was it the bank's recommendation for the form? Combo I'm assuming...[/QUOTE]

I wrote the include based on sample lines from authorize.net.

[QUOTE]So authorize.net.php is doing most of the work. Is it actually posting to the bank's own script as well? Reason I ask is that I don't think I will have the bank's script, mine will just send the data to it (herein lies the problem with the login information).[/QUOTE]

Index.php includes authorize.net.php, which makes an HTTPS request to authorize.net's servers. This is just how I would expect any CC authorization service to work.

[QUOTE]So I'm thinking if I do something similar here it may work. I'd like your thoughts on this:

Create the payment form on its own (only thing in first script). If you can explain this part to me...have it post to itself and do the include of the second form.

Then the second script set all the variables/whatnot that have to be posted to the bank's script and have the login info coded within their own variables in this second script.???[/QUOTE]

You can write a static form and have it post to a server-side script that entails the relevant steps from index.php. Though, I would still recommend just including the form as a function--if the user enters bad data, you want to easily be able to show them the form again, preferably with their previous entries pre-filled (aside from sensitive CC info).

[QUOTE]So it appears that the global $_SETTINGS; contains all the sensitive info? So that's not a bad idea, where do you define it though? i.e. I assume this is itself an array that contains any and all info, but where did you define it to keep it hidden?[/QUOTE]

In all the files that need access to the settings, I include a file that reads the values in from a database and creates the $_SETTINGS array. Any functions that need access need to use the global keyword to gain access (scope issues).



Does that clear things up--I'm writing this with a bit of haste ... sorry.

@rothnd (author, Nov 01, 2008) — I guess the things that are still a little confusing are the "includes". I'm just trying to determine exactly how that works. Maybe you can check my thinking for me: I would think that you have another page on the server with your sensitive info, a page that defines the SETTINGS array. Then this page is only called through the "includes" function/line. Is this correct? Or, is an "includes" page a different thing altogether?

I do understand the reasons for the subroutine and it posting to itself. I like that functionality. It appears, based on what I see on that page, that the order of things doesn't matter much. It seems like you have error checking first, then the first attempt to make the transaction, followed by the actual form...is that correct?

@raheemm (Dec 09, 2008) — Hello Rothnd,

Were you able to figure out the solution to this? I am trying to do the same thing using Virtual Merchant. Thanks.

- Raheem

@rothnd (author, Dec 09, 2008) — Well, this hasn't been top priority on my list yet (client is delaying this for other things) but I'm working on something similar to what was explained above.