isaac_cm Posted April 17, 2007

Hello,

I know there are a lot of topics about encryption, but I can't find one that suits what I want. I have a checkout form where the buyer enters his/her details. This form includes hidden fields for the cart price, total, shipment, etc.

My big question here: how do I encrypt the form data so that when a slick user tries to do a "save as" on the checkout page, he sees only the encrypted data and can't modify any of the prices? If possible, please tell me how to do it with MD5. I don't want to use a third party like mcrypt because I am sure my host vendor won't allow it.

Thanks

boo_lolly Posted April 17, 2007

I'd use an SSL certificate.

utexas_pjm Posted April 17, 2007

SSL will encrypt the HTTP requests. This isn't the problem. You need to store pricing information on the server. Don't ever rely on anything coming from the client. Maybe you could store this information in a session?

Patrick

isaac_cm Posted April 17, 2007

SSL is an expensive solution. If the user saves the page, I want him to see encrypted data.

utexas_pjm Posted April 17, 2007

SSL, no matter the price, won't solve your problem. It is very bad practice to save state data in hidden fields, as they can easily be manipulated. You need to figure out a way to store that data on the server.

isaac_cm Posted April 17, 2007

I have to use hidden fields. Is there any other way?

Wuhtzu Posted April 17, 2007

There sure is...

First of all, you should use sessions to store information about the customer (e.g. $_SESSION['name'] = "Customers name", $_SESSION['cart'] = "the items") and always represent an item in the shop by its unique ID. So the customer buys items like 345, 678, 12, etc., and when it comes to calculating the price you can look up item no. 345 in the database and get the price...

Look at this tutorial: http://www.thewatchmakerproject.com/journal/276/building-a-simple-php-shopping-cart

isaac_cm Posted April 17, 2007

I did all that. The problem is I use PayPal as a gateway and I have to pass the total of the cart to PayPal as a hidden field. From my knowledge, someone could change that total and then resend it to PayPal; this way he can buy a product that costs 500$ for only 0.01$.

PayPal forces me to pass the info this way!!

utexas_pjm Posted April 17, 2007

There are other, more secure ways to POST variables than storing them client side as hidden fields. Google search "PHP Curl".

Best,

Patrick

isaac_cm Posted April 17, 2007

I will try curl, but is there another "simpler" way?

Thanks

isaac_cm Posted April 18, 2007

Hi again,

I found a solution for this and I can keep using hidden fields. Please, anybody, give me your opinion. I have to use hidden fields also because I use other third-party tools for my shopping cart.

//=========================== form code
<?php
// Sample values for the fields being protected
$id = 1;
$key = 123;
// Server-side secret; single quotes so PHP never tries to interpolate the "$"
$randKey = 'a$2**&kj1';
$token = sha1($id . $key . $randKey);
// do form stuff
echo "<input type='hidden' name='id' id='id' value='" . $id . "'>\n";
echo "<input type='hidden' name='key' id='key' value='" . $key . "'>\n";
echo "<input type='hidden' name='token' id='token' value='" . $token . "'>\n";
// end form stuff and page
?>

//======================= validate form
<?php
$randKey = 'a$2**&kj1';
$id = intval($_POST['id']);
$key = intval($_POST['key']);
// Treat a missing or non-string token as empty so the check below fails cleanly
$token = (isset($_POST['token']) && is_string($_POST['token'])) ? $_POST['token'] : '';
$formValueHash = sha1($id . $key . $randKey);
// hash_equals() compares in constant time and avoids the type juggling of "!="
if (!hash_equals($formValueHash, $token)) {
    echo "Error validating data";
    die();
}
// form token and re-created hash equals. Continue doing whatever you wanted
?>

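An added example, not part of the original thread or any poster's code: the hidden-field token idea from the last post, built with HMAC-SHA256 over an unambiguous encoding of the fields and checked with hash_equals(). FORM_SECRET, the field names and the helper functions are assumptions made for illustration, and it assumes the form posts back to your own server, which recomputes the token before trusting any value.

```php
<?php
// Added example (not from the thread). FORM_SECRET, canonical(), sign_fields()
// and verify_fields() are hypothetical names; sample data is constructed.

// Assumption: the real secret is a long random value kept in server-side config.
const FORM_SECRET = 'constructed-demo-secret';

// Sort keys and JSON-encode so field boundaries are unambiguous.
function canonical(array $fields): string
{
    ksort($fields);
    return json_encode(array_map('strval', $fields));
}

function sign_fields(array $fields): string
{
    return hash_hmac('sha256', canonical($fields), FORM_SECRET);
}

function verify_fields(array $fields, $token): bool
{
    // hash_equals() is constant-time and does no type juggling.
    return is_string($token) && hash_equals(sign_fields($fields), $token);
}

// Plain concatenation cannot tell (id=1, key=23) from (id=12, key=3):
// both hash the string "123" followed by the secret.
$naive = function (int $id, int $key): string {
    return sha1($id . $key . FORM_SECRET);
};
echo 'naive tokens collide: ', var_export($naive(1, 23) === $naive(12, 3), true), "\n";

// Server side: the amount comes from the cart or database, then is signed.
$fields = ['id' => 1, 'key' => 23, 'amount' => '500.00'];
$token  = sign_fields($fields);

// Constructed POST bodies: untouched, amount edited, id/key boundary shifted.
$posts = [
    'untouched' => ['id' => '1', 'key' => '23', 'amount' => '500.00'],
    'amount edited' => ['id' => '1', 'key' => '23', 'amount' => '0.01'],
    'boundary shifted' => ['id' => '12', 'key' => '3', 'amount' => '500.00'],
];
foreach ($posts as $label => $post) {
    echo $label, ': ', verify_fields($post, $token) ? 'accepted' : 'rejected', "\n";
}
```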