
vdubdriver

PHP POST data?


Hi,
I'm designing a web store and I want to use PayPal, but with my own shopping cart. I want it to be as secure as possible, so: is there any way to send POST data with PHP and not with HTML form code?

This is the code that PayPal says to use. But someone could save the HTML and just change what the cost was and then submit the form.
[code]
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="you@youremail.com">
<input type="hidden" name="item_name" value="Item Name">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="amount" value="0.00">
<input type="image" src="http://www.paypal.com/en_US/i/btn/x-click-but01.gif" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>
[/code]

That would still echo out the HTML code. The problem is that PayPal is on a different server, so there's no way you can foolproof your code. You have to make your script keep track of what the cost is, and when you get the money from PayPal, check to see if it matches. If not, then you would go from there, like contacting the customer or PayPal, something non-automated, seeing as how they are trying to scam you and all...

Couldn't he take that HTML code and do some of this?:

[code]
<script type="text/javascript">document.write('\u003c\u0066\u006f\u0072\u006d\u0020\u0061\u0063\u0074\u0069\u006f\u006e\u003d\u0022\u0068\u0074\u0074\u0070\u0073\u003a\u002f\u002f\u0077\u0077\u0077\u002e\u0070\u0061\u0079\u0070\u0061\u006c\u002e\u0063\u006f\u006d\u002f\u0063\u0067\u0069\u002d\u0062\u0069\u006e\u002f\u0077\u0065\u0062\u0073\u0063\u0072\u0022\u0020\u006d\u0065\u0074\u0068\u006f\u0064\u003d\u0022\u0070\u006f\u0073\u0074\u0022\u003e\u000a\u003c\u0069\u006e\u0070\u0075\u0074\u0020\u0074\u0079\u0070\u0065\u003d\u0022\u0068\u0069\u0064\u0064\u0065\u006e\u0022\u0020\u006e\u0061\u006d\u0065\u003d\u0022\u0063\u006d\u0064\u0022\u0020\u0076\u0061\u006c\u0075\u0065\u003d\u0022\u005f\u0078\u0063\u006c\u0069\u0063\u006b\u0022\u003e\u000a\u003c\u0069\u006e\u0070\u0075\u0074\u0020\u0074\u0079\u0070\u0065\u003d\u0022\u0068\u0069\u0064\u0064\u0065\u006e\u0022\u0020\u006e\u0061\u006d\u0065\u003d\u0022\u0062\u0075\u0073\u0069\u006e\u0065\u0073\u0073\u0022\u0020\u0076\u0061\u006c\u0075\u0065\u003d\u0022\u0079\u006f\u0075\u0040\u0079\u006f\u0075\u0072\u0065\u006d\u0061\u0069\u006c\u002e\u0063\u006f\u006d\u0022\u003e\u000a\u003c\u0069\u006e\u0070\u0075\u0074\u0020\u0074\u0079\u0070\u0065\u003d\u0022\u0068\u0069\u0064\u0064\u0065\u006e\u0022\u0020\u006e\u0061\u006d\u0065\u003d\u0022\u0069\u0074\u0065\u006d\u005f\u006e\u0061\u006d\u0065\u0022\u0020\u0076\u0061\u006c\u0075\u0065\u003d\u0022\u0049\u0074\u0065\u006d\u0020\u004e\u0061\u006d\u0065\u0022\u003e\u000a\u003c\u0069\u006e\u0070\u0075\u0074\u0020\u0074\u0079\u0070\u0065\u003d\u0022\u0068\u0069\u0064\u0064\u0065\u006e\u0022\u0020\u006e\u0061\u006d\u0065\u003d\u0022\u0063\u0075\u0072\u0072\u0065\u006e\u0063\u0079\u005f\u0063\u006f\u0064\u0065\u0022\u0020\u0076\u0061\u006c\u0075\u0065\u003d\u0022\u0055\u0053\u0044\u0022\u003e\u000a\u003c\u0069\u006e\u0070\u0075\u0074\u0020\u0074\u0079\u0070\u0065\u003d\u0022\u0068\u0069\u0064\u0064\u0065\u006e\u0022\u0020\u006e\u0061\u006d\u0065\u003d\u0022\u0061\u006d\u006f\u0075\u006e\u0074\u0022\u0020\u0076\u0061\u006c\u0075\u0065\u003d\u0022\u0030\u002e\u0030\u0030\u0022\u003e\u000a\u003c\u0069\u006e\u0070\u0075\u0074\u0020\u0074\u0079\u0070\u0065\u003d\u0022\u0069\u006d\u0061\u0067\u0065\u0022\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0077\u0077\u0077\u002e\u0070\u0061\u0079\u0070\u0061\u006c\u002e\u0063\u006f\u006d\u002f\u0065\u006e\u005f\u0055\u0053\u002f\u0069\u002f\u0062\u0074\u006e\u002f\u0078\u002d\u0063\u006c\u0069\u0063\u006b\u002d\u0062\u0075\u0074\u0030\u0031\u002e\u0067\u0069\u0066\u0022\u0020\u006e\u0061\u006d\u0065\u003d\u0022\u0073\u0075\u0062\u006d\u0069\u0074\u0022\u0020\u0061\u006c\u0074\u003d\u0022\u004d\u0061\u006b\u0065\u0020\u0070\u0061\u0079\u006d\u0065\u006e\u0074\u0073\u0020\u0077\u0069\u0074\u0068\u0020\u0050\u0061\u0079\u0050\u0061\u006c\u0020\u002d\u0020\u0069\u0074\u0027\u0073\u0020\u0066\u0061\u0073\u0074\u002c\u0020\u0066\u0072\u0065\u0065\u0020\u0061\u006e\u0064\u0020\u0073\u0065\u0063\u0075\u0072\u0065\u0021\u0022\u003e\u000a\u003c\u002f\u0066\u006f\u0072\u006d\u003e\u000a')</script>
[/code]
Does the same exact thing....
http://www.codehouse.com/webmaster_tools/html_encoder/

Are you really bent on using those hidden fields? It seems like it would be more secure to not have those; maybe try serializing an object/array somewhere (like a cookie/session) and unserializing it upon form submission?

[quote name='Buyocat' date='Jun 5 2006, 03:33 PM']
Are you really bent on using those hidden fields? It seems like it would be more secure to not have those; maybe try serializing an object/array somewhere (like a cookie/session) and unserializing it upon form submission?
[/quote]

Yea, that's what I was wondering, like: is there a way to submit variables to a page with PHP instead of HTML (the hidden fields)?

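How the session idea and the "submit with PHP instead of hidden fields" question fit together, as an added example that is not code from the thread or from PayPal: with PayPal's button checkout the customer's browser still has to carry the fields to paypal.com, so the fields cannot be hidden from the customer. What can be done is to make them harmless: the cart lives in the session, prices come from a server-side catalogue, the shop records an order with the expected amount before rendering the form, and the `invoice` and `notify_url` fields (standard PayPal button variables not shown in the thread's snippet) tie the later payment notification back to that record. The catalogue, the SQLite orders table, the hypothetical notify URL and the sample cart are all constructed for the example.

```php
<?php
// Added example, not from the thread: price the cart on the server, record the
// order, then build the PayPal form from the record instead of trusting fields.
declare(strict_types=1);

// Constructed catalogue: prices live here, never in the HTML sent to the customer.
const CATALOGUE = [
    'SKU-100' => ['name' => 'Widget', 'price_cents' => 1999],
    'SKU-200' => ['name' => 'Gadget', 'price_cents' => 550],
];

// Constructed orders table (in-memory SQLite for the demo). txn_id is UNIQUE so
// one PayPal transaction can never be matched to two orders.
function openOrdersDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE orders (
        invoice    TEXT PRIMARY KEY,
        amount     TEXT NOT NULL,
        currency   TEXT NOT NULL,
        status     TEXT NOT NULL DEFAULT 'pending',
        txn_id     TEXT UNIQUE,
        created_at INTEGER NOT NULL)");
    return $db;
}

// $cart is the session-held map of sku => quantity (e.g. $_SESSION['cart']).
// Integer cents avoid float rounding surprises when the amount is compared later.
function cartTotalCents(array $cart): int
{
    $total = 0;
    foreach ($cart as $sku => $qty) {
        $qty = (int)$qty;
        if (!array_key_exists($sku, CATALOGUE) || $qty < 1 || $qty > 99) {
            throw new InvalidArgumentException("bad cart line: $sku");
        }
        $total += CATALOGUE[$sku]['price_cents'] * $qty;
    }
    if ($total <= 0) {
        throw new InvalidArgumentException('empty cart');
    }
    return $total;
}

function centsToAmount(int $cents): string
{
    return sprintf('%d.%02d', intdiv($cents, 100), $cents % 100);
}

// Creates the order row first; the invoice id is random so it cannot be guessed.
function createOrder(PDO $db, array $cart, string $currency = 'USD'): array
{
    $invoice = bin2hex(random_bytes(16));
    $amount = centsToAmount(cartTotalCents($cart));
    $stmt = $db->prepare('INSERT INTO orders (invoice, amount, currency, created_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$invoice, $amount, $currency, time()]);
    return ['invoice' => $invoice, 'amount' => $amount, 'currency' => $currency];
}

// Renders the same kind of form the thread shows, but every value comes from the
// order record. Editing the saved HTML changes nothing the shop will believe.
function paypalForm(array $order, string $business, string $notifyUrl): string
{
    $fields = [
        'cmd'           => '_xclick',
        'business'      => $business,
        'item_name'     => 'Order ' . $order['invoice'],
        'invoice'       => $order['invoice'],
        'amount'        => $order['amount'],
        'currency_code' => $order['currency'],
        'notify_url'    => $notifyUrl,
    ];
    $html = '<form action="https://www.paypal.com/cgi-bin/webscr" method="post">' . "\n";
    foreach ($fields as $name => $value) {
        $html .= sprintf('<input type="hidden" name="%s" value="%s">' . "\n",
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8'));
    }
    return $html . '<input type="submit" value="Pay with PayPal">' . "\n</form>\n";
}

// Demo: in the store this runs when the customer clicks "checkout".
$db = openOrdersDb();
$cart = ['SKU-100' => 2, 'SKU-200' => 1];   // constructed; would come from $_SESSION['cart']
$order = createOrder($db, $cart);
echo paypalForm($order, 'you@youremail.com', 'https://shop.example/ipn.php');
```

The point is not that the customer cannot see or change the `amount` field (they still can); it is that the shop no longer derives anything from it. The order's real price is in the orders table, and the payment is only counted once PayPal's notification for that `invoice` is checked against that row.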
Yeah localhost.. that's a great solution.. until the user disables JavaScript. And oh yeah, you can easily decode that.

[quote name='Crayon Violent' date='Jun 5 2006, 08:13 PM']
Yeah localhost.. that's a great solution.. until the user disables JavaScript. And oh yeah, you can easily decode that.
[/quote]

The best way is to charge the user to use your website, then let them log in and take all possible details, ok.


If you also use the PayPal IPN program and update the current user's table as paid, with the time and date, you can match it against the PayPal IPN information.

As long as you have the time, date and user info and match it to that user, any other transactions will be free money.

Go to the PayPal forum and read, ok.

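The "keep track of the cost and check that it matches" advice earlier in the thread and the IPN suggestion just above, as one added example that is not code from the thread or from PayPal's own samples: an IPN listener that treats the notification as untrusted input, confirms it with PayPal, and then compares it with the order the shop recorded before checkout. It assumes an orders table with `invoice`, `amount`, `currency`, `status` and `txn_id` columns (constructed), that the `invoice` field was set on the button form, and that the postback endpoint is the one PayPal documents for IPN (check the current documentation before relying on it). The sample order and notifications are constructed.

```php
<?php
// Added example, not from the thread: verify a PayPal IPN message and decide
// whether an order may be marked paid. Nothing in the message is trusted until
// PayPal has confirmed it and every field has been checked against our record.
declare(strict_types=1);

// Assumed endpoint (from PayPal's IPN docs; verify against the current version).
const PAYPAL_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';

// Step 1: send the raw POST body back to PayPal prefixed with
// cmd=_notify-validate. PayPal answers "VERIFIED" only for a message it sent,
// so a request forged by the customer never gets past this point.
function paypalPostbackIsVerified(string $rawBody): bool
{
    $ch = curl_init(PAYPAL_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_HTTPHEADER     => ['User-Agent: PHP-IPN-Listener'],
    ]);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response === 'VERIFIED';
}

// Money as integer cents: "45.48" -> 4548; anything else is rejected outright.
function toCents(string $amount): ?int
{
    if (!preg_match('/^(\d+)\.(\d{2})$/', $amount, $m)) {
        return null;
    }
    return (int)$m[1] * 100 + (int)$m[2];
}

// Step 2: the decision, kept free of I/O so it can be exercised offline.
// Returns 'paid' or the reason the order must not be marked as paid.
function ipnDecision(array $ipn, ?array $order, string $business, bool $postbackVerified): string
{
    if (!$postbackVerified) {
        return 'postback not VERIFIED';
    }
    if ($order === null) {
        return 'unknown invoice';
    }
    if ($order['status'] !== 'pending') {
        return 'order already ' . $order['status'];   // same IPN delivered twice
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return 'payment_status is not Completed';     // Pending, Refunded, Reversed, ...
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $business) !== 0) {
        return 'receiver_email mismatch';             // paid, but into someone else's account
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        return 'currency mismatch';
    }
    $got = toCents((string)($ipn['mc_gross'] ?? ''));
    $expected = toCents($order['amount']);
    if ($got === null || $expected === null || $got !== $expected) {
        return 'amount mismatch: got ' . ($ipn['mc_gross'] ?? '?') . ', expected ' . $order['amount'];
    }
    return 'paid';
}

// Step 3: flip the order to paid exactly once. The WHERE clause makes a replayed
// IPN a no-op, and a UNIQUE index on txn_id stops one PayPal transaction from
// paying for two orders.
function markPaid(PDO $db, string $invoice, string $txnId): bool
{
    $stmt = $db->prepare("UPDATE orders SET status = 'paid', txn_id = ? WHERE invoice = ? AND status = 'pending'");
    $stmt->execute([$txnId, $invoice]);
    return $stmt->rowCount() === 1;
}

// In the real ipn.php (the notify_url): $raw = file_get_contents('php://input');
// parse_str($raw, $ipn); load the order row by $ipn['invoice']; run ipnDecision()
// with paypalPostbackIsVerified($raw); call markPaid() only on 'paid'; log every
// other result for manual follow-up; and always answer HTTP 200 so PayPal stops retrying.

// Offline demo with a constructed order and two constructed notifications.
$order = ['invoice' => 'abc123', 'amount' => '45.48', 'currency' => 'USD', 'status' => 'pending'];
$genuine = [
    'invoice' => 'abc123', 'txn_id' => 'TXN-1', 'payment_status' => 'Completed',
    'receiver_email' => 'you@youremail.com', 'mc_gross' => '45.48', 'mc_currency' => 'USD',
];
$tampered = ['mc_gross' => '0.00'] + $genuine;   // the saved-and-edited form from the thread
foreach ([[$genuine, true], [$tampered, true], [$genuine, false]] as [$ipn, $verified]) {
    echo ipnDecision($ipn, $order, 'you@youremail.com', $verified), "\n";
}
```

Two details are easy to get wrong: the postback must echo the body exactly as received (prefix only, no re-encoding or reordering), and the listener must compare `receiver_email` as well as the amount, otherwise a customer can pay the right amount into their own PayPal account and still produce a "VERIFIED" notification for your invoice.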