> I'm writing a small CF application for a customer. The concept
> is quite simple. A visitor comes to the website and pays $10
> via an internet CC payments company. The payment of $10 allows
> the customer to view a movie.
>
> The implementation seems to have a flaw. The internet CC payment
> company provides a CGI which receives information via hidden
> input fields. The hidden fields contain details identifying
> who the payment is to be credited to, the amount and the
> URL to call if the transaction is completed successfully.
>
> I've been wondering how to prevent clever people from simply calling
> the successful transaction URL to view the movie, thereby
> bypassing the CC payment transaction.
>
> All of the ways I've thought of for preventing people directly
> calling the successful transaction URL have the problem that
> they are easy to work around.
>
> I'd appreciate people's input on the best approaches to
> overcoming the problem using CF.

There's only one approach that will work in this case - you have to do the CGI transaction yourself, server-side. Only collect the data you need from the client, and use CFHTTP or an alternative to perform the actual transaction.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
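
The server-side approach described in the reply above, as an added example that is not part of the original thread. The gateway URL, merchant id, form field names, the "APPROVED" response format and the template names (pay.cfm, payform.cfm, movie.cfm) are all assumptions made for illustration; a real payment provider defines its own.

```cfml
<!--- pay.cfm (hypothetical name): the form posts here, never to the gateway --->
<cfapplication name="movieStore" sessionmanagement="yes">

<!--- Payee and amount are fixed on the server, so no hidden field can alter them --->
<cfset gatewayUrl = "https://gateway.example.invalid/charge.cgi"> <!--- placeholder --->
<cfset merchantId = "MERCHANT-ID-PLACEHOLDER">
<cfset priceUsd   = "10.00">

<!--- Only the data the visitor must supply is collected from the client --->
<cfparam name="form.cardNumber" default="">
<cfparam name="form.cardExpiry" default="">
<cfif NOT Len(Trim(form.cardNumber)) OR NOT Len(Trim(form.cardExpiry))>
    <cflocation url="payform.cfm?error=missing" addtoken="no">
</cfif>

<!--- The server performs the CGI transaction itself --->
<cfhttp url="#gatewayUrl#" method="post" timeout="30" throwonerror="no">
    <cfhttpparam type="formfield" name="merchant" value="#merchantId#">
    <cfhttpparam type="formfield" name="amount"   value="#priceUsd#">
    <cfhttpparam type="formfield" name="card"     value="#form.cardNumber#">
    <cfhttpparam type="formfield" name="expiry"   value="#form.cardExpiry#">
</cfhttp>

<!--- Assumed response format: HTTP 200 with a body that starts with APPROVED --->
<cfif Left(cfhttp.statusCode, 3) EQ "200"
      AND Left(Trim(cfhttp.fileContent), 8) EQ "APPROVED">
    <!--- Entitlement is recorded server-side; there is no success URL to guess --->
    <cfset session.moviePaid = true>
    <cflocation url="movie.cfm" addtoken="no">
<cfelse>
    <cflocation url="payform.cfm?error=declined" addtoken="no">
</cfif>

<!--- movie.cfm (hypothetical name): a separate template, shown here for brevity --->
<cfapplication name="movieStore" sessionmanagement="yes">
<cfif NOT StructKeyExists(session, "moviePaid") OR NOT session.moviePaid>
    <!--- Requesting this URL directly without a recorded payment gets the form --->
    <cflocation url="payform.cfm" addtoken="no">
</cfif>
<!--- ...movie delivery goes here... --->
```

Because the browser never sees the merchant id, the amount or a "success" callback, calling movie.cfm directly only reaches the session check.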
