PHP passing html form input to precompiled CGI.

[some1else]

I'm trying to use PHP to wrap the output of an HTML form before it goes
into a precompiled C cgi script.

Essentially, the company that I work for uses a purchased precompiled c
program for their shopping cart.  This C program stores order
information, and when an order is processed and approved, records the
transaction and sends a template email to the customer with an invoice
describing their purchase.  Since we're going to be selling a new
software product soon, they've asked me to write a script into the
website that will include License Keys to the product the customer has
purchased along with all other data about the order.  The C program
DOES have functionality for custom variables, but it they've all got to
be neatly packaged and set up for the C code BEFORE the customer
completes the order, and I don't want these values to be evident at
that point, because a simple right click and View Source would expose
the keys to a non-purchasing client.


(I'm also going to mention in code a php file I'll call keyGen.php,
which will have one method called gen that will read a string, (which
I'll give from a cookie) and generate a key.  I realize that reading a
cookie ain't a good way to do this, but I want to solve this problem
first then I'll find a way around the cookie problem).


So, what I'm thinking of doing is redirecting the Checkout button's
form, which previously pointed to the C CGI script, to point to a PHP
file, which I'll call Intercept.php, This php file will examine all the
form's inputs, repackage them, then use putenv and passthru to call the
C CGI with all the original form's variables as well as any new ones I
want to create.  So essentially the code WAS


<html>
<form name=checkout method="post" action="/cgi-bin/shopper">
<input name="blah1">
<input name="blah2">
</form></html>


and now I need


<html>
<form name=checkout method="post" action="intercept.php">
<input name="blah1">
<input name="blah2">
</form></html>


and intercept.php as something like


<?php
    include "keyGen.php";
    $keyVal = gen($_COOKIE['basket']);
    $keyName = "PASSLicKey";
    $toInclude = "http://www.notawebsite.com/cgi-bin/shopper";
    $toArgue = $keyName."+".$keyVal;


    if (sizeof($_POST) > 0) {
        foreach ($_POST as $key => $value) {
            if (strlen($toArgue) > 0) {
        $toArgue .= "&";
            }
            $toArgue .= $key."+".$value;
        }
        putenv('REQUEST_METHOD=POST');
        putenv('QUERY_STRING='.$toArgue);
        passthru($toInclude);
    }
    else {
        echo "<html><title>Error</title><body>An error has occured,
form data corrupted or insufficent data supplied"</body></html>";
    }
?>


(This is a little bit of simplification but that is the basic
functionality).


I haven't been able to find many, (or any really), tutorials or details
on wrapping a html form's output like this before sending it to its
intended target.  Is this possible or is there something fundamentally
undoable about what I'm trying to do here?  How secure do people think
this would be?  Would simply running mozilla's internet debugger expose
the POST variable and the key to somebody who isn't trying to purchase?
Running this script doesn't produce any useful error messages or logs,
but it doesn't produce a viable result either.  How does what I'm doing
here look different to the C CGI than the data from the html form at
the start?  I've read a lot about the need to protect CGI from malicous
input, does the loop thru post then the pass to the shopper create any
security holes that are not already there?


(I realize that writing our own shopping cart might be a better
solution, but time constraints and historical pressures mean that I
need to make something work w/ the thing we got right now).


Any help or information, (particularily examples of people passing html
form data with php to another location, which I can't find) would be
much appreciated.

[xyn]

wouldn't it be easier to set-up a database table and when a client
purchases the product a Key Is generated auto and saved into the
database table, Like so..
nnnnn-nnnn-nnnn-nnnn
N = random number.

then sending that code to the member via e-mail? couldn't expose the key
to anyone else and would be aunique Key per buyer?

[some1else]

I'd agree...but they want the key in the email that gets sent by the cgi script, (I kinda agree w/ them that multiple emails is kinda...tacky), and more importantly into the database that that shopper cgi generates for them.  Also, if I CAN pull this off it will be quicker than building my own thing to do all this stuff, (email, database), that the shopper can do for me.  If I can't then maybe I'll take that road.

(I'm going to put a sequential number generator somewhere that keygen will read to make keys unique.  That's gotta be a little divorced from the rest of the thing anyway, in case ppl in the office want to personally create a key they'll need access to that generator as well.  THAT isn't so hard, what I really don't understand is how to mask the POST input to the shopper CGI.)