make form fields using php

[123guy]

I am working on a registration system that sends data to a merchant to start a checkout page. the form submitted needs to include a userid and a passkey. I don't want to just use a hidden field to store these data as they are very sensitive info. I need to know if there is a way I can have these values as a php variable on a submission page, add these values to a submitted form, then submit this "new" form to the merchant. what is the best way to go about doing this???? any help is appreciated anytime I have tried searching for something like "create form fields using PHP" it returns on how to make a form field required using php.

[PaulRyan]

Are these values dynamic? Meaning, will they change depending on who submits the form?

[123guy]

no, it is a set id

[davidannis]

Why not submit the form to your own script that then uses curl to load the merchant page, including your special variables in the request?

[123guy]

I have heard of curl, but didn't know this was the purpose, could you send me a good place to get started?

[123guy]

ok, so I have found this

 

<?php
 
//create array of data to be posted
$post_data['ssl_merchant'] = 'xxx';
$post_data['ssl_user'] = 'xxxx';
$post_data['ssl'] = 'xxx';
$post_data['ssl_cardholder'] = $_SERVER["REMOTE_ADDR"];
$post_data['ssl_transaction'] = 'ccsale';
$post_data['ssl_show'] = 'true';
$post_data['ssl'] = $_POST['amount'];
$post_data['confirm'] = $_POST['confirm'];
 
//traverse array and prepare data for posting (key1=value1)
foreach ( $post_data as $key => $value) {
    $post_items[] = $key . '=' . $value;
}
 
//create the final string to be posted using implode()
$post_string = implode ('&', $post_items);
 
//create cURL connection
$curl_connection = 
  curl_init('xxx');
 
//set options
curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($curl_connection, CURLOPT_USERAGENT, 
  "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
 
//set data to be posted
curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post_string);
 
//perform our request
$result = curl_exec($curl_connection);
 
//show information regarding the request
print_r(curl_getinfo($curl_connection));
echo curl_errno($curl_connection) . '-' . 
                curl_error($curl_connection);
 
//close the connection
curl_close($curl_connection);
 
?>

 

I have it filled in with correct info, but I need to know how to redirect it to the page it submitted to.  I have never worked with cURL before.  Any help here is appreciated!!!!!

[davidannis]

The more that I look at this the harder it gets. The problem I see with curl, my original idea (sorry), is that it returns the response to the server, not the browser. There is a project on sourceforge called snoopy that might be able to do it (I've seen a few hints at it but don't know enough to be sure). Another alternative would be to intercept the submit with Javascript, add the fields you want via Ajax and then POST the data to the merchant website.

[123guy]

ok, so I have kinda rephrased my question, maybe it will make more sense, or give a better idea as to what I am trying to acheive.

 

 so I have been trying forever to figure out a way to submit a shopping cart to a checkout page. The checkout page I can't modify, so I have to somehow submit a total, an accountid, and an accountpin to the checkout page from the shopping cart. I am trying to figure out how to do this securely. The integration guide just says to use hidden fields to hold this info....I think to myself "HELL NO"(excuse the language). I don't want to reveal my accountid and pin to a user or robot if the source of the page is viewed. I need to know if I can use php(since it is server side) or something that can hide info to add some fields after the form is submitted, then POST these to the checkout page while being directed to the checkout page(ruling out using cURL). Can anyone help me with this? thanks for any help

[PaulRyan]

I personally agree with DavidDannis, load the form without those credentials in. Then load the credentials via AJAX to the form.

 

A view source will not show the fields with your account pin etc in, an Inspect Element would do that, but the sort of people using your site probably wouldn't think of using that or even viewing the source.

[123guy]

you would hope no one would do this, but it has actually already happened to me

[123guy]

is there a way to submit a form strictly with php, like "fake" fields made in php, then this "fake" php form submits????

[123guy]

how secure would a predefined password field be?

[SurvivorZ]

http://www.askapache.com/php/sending-post-form-data-php-curl.html demonstrates how to submit POST forms via PHP and curl. 

[123guy]

but cURL does not allow for it to actually go to the submitted page, it can't go to a redirected page, it needs the page it specifically posted to.

[mac_gyver]

what payment gateway are you trying to use? knowing what it is would get you help specific to it.

[mac_gyver]

as a continuation of the above reply - a payment gateway method that requires you to put your account number and pin into the submitted data isn't intended to directly involve the visitor. it would be used where you securely accept the payment information on your site and you are securely submitting the payment information to the payment gateway.

 

the only way that i can think of where you could redirect the visitor to the payment gateway after you have securely submitted your account number and pin would be if the payment gateway sent you back a transaction code and you caused the visitor to redirect to the payment gateway checkout page with that transaction code as part of the request.