some1else

I'd agree...but they want the key in the email that gets sent by the cgi script, (I kinda agree w/ them that multiple emails is kinda...tacky), and more importantly into the database that that shopper cgi generates for them.  Also, if I CAN pull this off it will be quicker than building my own thing to do all this stuff, (email, database), that the shopper can do for me.  If I can't then maybe I'll take that road. (I'm going to put a sequential number generator somewhere that keygen will read to make keys unique.  That's gotta be a little divorced from the rest of the thing anyway, in case ppl in the office want to personally create a key they'll need access to that generator as well.  THAT isn't so hard, what I really don't understand is how to mask the POST input to the shopper CGI.)

I'm trying to use PHP to wrap the output of an HTML form before it goes into a precompiled C cgi script. Essentially, the company that I work for uses a purchased precompiled c program for their shopping cart.  This C program stores order information, and when an order is processed and approved, records the transaction and sends a template email to the customer with an invoice describing their purchase.  Since we're going to be selling a new software product soon, they've asked me to write a script into the website that will include License Keys to the product the customer has purchased along with all other data about the order.  The C program DOES have functionality for custom variables, but it they've all got to be neatly packaged and set up for the C code BEFORE the customer completes the order, and I don't want these values to be evident at that point, because a simple right click and View Source would expose the keys to a non-purchasing client. (I'm also going to mention in code a php file I'll call keyGen.php, which will have one method called gen that will read a string, (which I'll give from a cookie) and generate a key.  I realize that reading a cookie ain't a good way to do this, but I want to solve this problem first then I'll find a way around the cookie problem). So, what I'm thinking of doing is redirecting the Checkout button's form, which previously pointed to the C CGI script, to point to a PHP file, which I'll call Intercept.php, This php file will examine all the form's inputs, repackage them, then use putenv and passthru to call the C CGI with all the original form's variables as well as any new ones I want to create.  So essentially the code WAS <html> <form name=checkout method="post" action="/cgi-bin/shopper"> <input name="blah1"> <input name="blah2"> </form></html> and now I need <html> <form name=checkout method="post" action="intercept.php"> <input name="blah1"> <input name="blah2"> </form></html> and intercept.php as something like <?php     include "keyGen.php";     $keyVal = gen($_COOKIE['basket']);     $keyName = "PASSLicKey";     $toInclude = "http://www.notawebsite.com/cgi-bin/shopper";     $toArgue = $keyName."+".$keyVal;     if (sizeof($_POST) > 0) {         foreach ($_POST as $key => $value) {             if (strlen($toArgue) > 0) {         $toArgue .= "&";             }             $toArgue .= $key."+".$value;         }         putenv('REQUEST_METHOD=POST');         putenv('QUERY_STRING='.$toArgue);         passthru($toInclude);     }     else {         echo "<html><title>Error</title><body>An error has occured, form data corrupted or insufficent data supplied"</body></html>";     } ?> (This is a little bit of simplification but that is the basic functionality). I haven't been able to find many, (or any really), tutorials or details on wrapping a html form's output like this before sending it to its intended target.  Is this possible or is there something fundamentally undoable about what I'm trying to do here?  How secure do people think this would be?  Would simply running mozilla's internet debugger expose the POST variable and the key to somebody who isn't trying to purchase? Running this script doesn't produce any useful error messages or logs, but it doesn't produce a viable result either.  How does what I'm doing here look different to the C CGI than the data from the html form at the start?  I've read a lot about the need to protect CGI from malicous input, does the loop thru post then the pass to the shopper create any security holes that are not already there? (I realize that writing our own shopping cart might be a better solution, but time constraints and historical pressures mean that I need to make something work w/ the thing we got right now). Any help or information, (particularily examples of people passing html form data with php to another location, which I can't find) would be much appreciated.