
Rest-based Card Clearance


anevins


Hello,

I'm trying to use a rest-based card clearance service, but I don't know how to pass the information through the URL without using the form action attribute.

 

I need to have a URL looking like this:

index.php?p=checkout?service=cardAuth&msg_id=3864&num_md5=e2740266aab85558996a9a87fc561c0e&amount=24.99&currency=GBP&api_key=739a720ade31ad2a14b30aa7b3a6b20e

 

But at the moment, I have a URL looking like this:

index.php?cardAuth=&title=Mr&fname=Alderton&sname=Arkie&ctype=mastercard&cnumber=5105105105105100&smonth=01&syear=07&fmonth=01&fyear=10&checkout=Check+Out

 

There are a few more problems:

- I can't get the card number to md5

- I don't know how to retrieve a variable used in another file, which counts up the total amount due

 

Here's my PHP:

<h2>Please enter your details</h2>
<h3>All fields required</h3>
<div id="checkout">

<?php

if (isset($_GET['checkout'])){

$title = $_GET['title'];
$fname = $_GET['fname'];
$sname = $_GET['sname'];
$ctype = $_GET['ctype'];
$cnumber = md5($_GET['cnumber']);
$syear = $_GET['smonth'] . $_GET['syear'];
$fyear = $_GET['fmonth'] . $_GET['fyear'];
$service = $_GET['cardAuth'];
$amount = $_REQUEST[$total];
$msg = rand(1000,9999);
$api = 'd41d8cd98f00b204e9800998ecf8427e';


}

?>

<form method="get" action="index.php?p=checkout?<?php.'service='.$service.'msg_id='.$msg.'num_md5='.$cnumber.'amount='.$amount.'currency=GBP'.'api_key='.$api.?>">

<table>
<tr>
	<td><input type="hidden" name="cardAuth" value="<?php if (!empty($service)) echo $service; ?>" /></td>
</tr>
	<tr>	
		<td>
			Title:
		</td>
		<td>
			<select name="title" value="<?php if (!empty($title)) echo $title; ?>" >
				<option></option>
				<option>Mr</option>
				<option>Sir</option>
				<option>Ms</option>
				<option>Miss</option>
				<option>Mrs</option>
			</select>
		</td>
	</tr>
	<tr>
		<td>
			First Name:
		</td>
		<td>
			<input type="text" name="fname" value="<?php if (!empty($fname)) echo $fname; ?>"/>
		</td>
	</tr>
	<tr>
		<td>
			Surname:
		</td>
		<td>
			<input type="text" name="sname" value="<?php if (!empty($sname)) echo $sname; ?>"/>
		</td>
	</tr>	
	<tr>
		<td> </td>
	</tr>
	<tr>
		<td>
			Card Type:
		</td>
		<td>
			<select name="ctype" value="<?php if (!empty($ctype)) echo $ctype; ?>">
				<option>mastercard</option>
				<option>visa</option>
				<option>amex</option>
				<option>solo</option>
				<option>maestro</option>
				<option>jcb</option>
				<option>diners</option>
			</select>
		</td>
	</tr>
	<tr>
		<td>
			Card Number:
		</td>
		<td>
			<input type="text" name="cnumber" value="<?php if (!empty($cnumber)) echo $cnumber; ?>"/>
		</td>
	</tr>
	<tr>
		<td>
			Valid From:
		</td>
		<td>
			<select name="smonth" value="<?php if (!empty($smonth)) echo $smonth; ?>">
				<option>01</option>
				<option>02</option>
				<option>03</option>
				<option>04</option>
				<option>05</option>
				<option>06</option>
				<option>07</option>
				<option>08</option>
				<option>09</option>
				<option>10</option>
				<option>11</option>
				<option>12</option>					
			</select>
			<select name="syear" value="<?php if (!empty($syear)) echo $syear; ?>">
				<option>07</option>
				<option>08</option>
				<option>09</option>
				<option>10</option>
				<option>11</option>					
			</select>
		</td>
	</tr>
	<tr>
		<td>
			Expires End:
		</td>
		<td>
			<select name="fmonth" value="<?php if (!empty($fmonth)) echo $fmonth; ?>">
				<option>01</option>
				<option>02</option>
				<option>03</option>
				<option>04</option>
				<option>05</option>
				<option>06</option>
				<option>07</option>
				<option>08</option>
				<option>09</option>
				<option>10</option>
				<option>11</option>
				<option>12</option>					
			</select>
			<select name="fyear" value="<?php if (!empty($fyear)) echo $fyear; ?>">
				<option>10</option>
				<option>11</option>
				<option>12</option>
				<option>13</option>
				<option>14</option>					
			</select>
		</td>
	</tr>
	<tr>
		<td> </td>
	</tr>
	<tr>
		<td> </td>
		<td>
			<input type="submit" name="checkout" value="Check Out"/>
		</td>
	</tr>		
</table>

</form>
</div>


md5: (reference: http://php.net/manual/en/function.md5.php)

$myNewEncryptedValue = md5('value you want to pass as md5');
echo "My md5 hash: ". $myNewEncryptedValue;

 

 

As for that value of something in a different file, not exactly sure I know what you mean by that. All depends on how that value is stored, generated, or whatever.


In another file, I have the variable total which counts up the quantity and times it by the price.

 $total += $qty*$row['price'];

 

Can I store that in a session so I can use it over multiple pages?

If so, how do I store it in a session?


You can, but keep in mind Sessions and Cookies are just as vulnerable as _GET and _POST; they can be changed by a user should they really want to change it and know how.

 

Playing with money online is always a pain in the ass, because people will exploit any medium they can to get your items for free. So if you're going to store a global total, so to speak, via a cookie, I would also store another cookie that's an md5 hash of the total running price you want, then sha1 encrypt that md5 with a salted value of your choice so that way you can always verify it as correct. Because every place you're going to call the running price from, you're going to want to rerun the md5 with the sha1 formula you concoct and double check no one is manipulating the data, where if they are, throw out an error and handle it the way you see fit. Me personally, I go overboard on that concept, but playing with money is no joke either; you can lose a lot of it if someone plays you right. I usually md5 the dynamic variable, sha1 with one hardcoded value and then sha1 again with another hardcoded value. And sometimes I tie user information into that just to be doubly careful; better safe than sorry in my book when it comes to that.

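The tamper check described in the post above, as an added example that is not part of the original thread: it swaps the md5/sha1 chain for a single HMAC-SHA256 over the running total and a user id, compared with hash_equals. The key, function names, user ids and amounts are constructed for illustration.

```php
<?php
// Added example. The key and the sample values below are constructed for illustration.
const CART_HMAC_KEY = 'constructed-demo-key-load-the-real-one-from-server-config';

// Build the cookie value "<total>:<tag>"; the tag covers the user id and the total.
function sign_total(string $total, string $userId): string
{
    $tag = hash_hmac('sha256', $userId . '|' . $total, CART_HMAC_KEY);
    return $total . ':' . $tag;
}

// Return the total if the tag matches, or null if the value was altered.
function verify_total(string $cookieValue, string $userId): ?string
{
    $pos = strrpos($cookieValue, ':');
    if ($pos === false) {
        return null;
    }
    $total = substr($cookieValue, 0, $pos);
    $tag   = substr($cookieValue, $pos + 1);
    // Accept only a plain decimal amount such as 24.99.
    if (!preg_match('/^\d{1,7}\.\d{2}$/', $total)) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . '|' . $total, CART_HMAC_KEY);
    // hash_equals compares in constant time, so the check leaks no timing hint.
    return hash_equals($expected, $tag) ? $total : null;
}

// Constructed inputs: the value the server set, and the same value with the
// amount edited while the old tag is kept.
$cookie = sign_total('24.99', 'user-17');
$edited = '0.01' . substr($cookie, strlen('24.99'));

var_dump(verify_total($cookie, 'user-17')); // untouched value, same user
var_dump(verify_total($edited, 'user-17')); // amount changed after signing
var_dump(verify_total($cookie, 'user-18')); // valid value presented for another user
```

With PHP's default session handler the contents of $_SESSION are kept on the server and the browser holds only the session ID, so a tag like this matters for values that travel in a cookie or a URL.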

I needn't worry too much about security; this card clearance service is solely for academic purposes.

The testee will be entering user details from a set list of 18 different credit card accounts, which are dummy, not real.

