Re: [PHP-DB] E-Commerce - Integrating Sessions With Charging Processes That rePOST
- Original Message -
From: Fotwun [EMAIL PROTECTED]
To: Jason Wong [EMAIL PROTECTED]; Fotwun [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, August 21, 2001 4:24 AM
Subject: RE: [PHP-DB] E-Commerce - Integrating Sessions With Charging Processes That rePOST

> How, code-wise, do I retrieve the session data from the session id? Also,
> another response below said HTTP_REFERER is not secure. So how do people
> who use this type of payment gateway secure the script it redirects to?
> All of the data it sends is form data, so once somebody knew what script
> it redirects to, and what form data it posts, it would be quite easy for
> them to authorize their own charges in my opinion.

Basically the info that the customer provides when clicking on the buy button needs to be processed by you (i.e. stored into a session) then passed, along with a return URL, on to the payment gateway. The return URL (say confirm.php) displays confirmation of whether or not the transaction succeeded.

I am assuming the following: You have a page which collects the customer info (say order.php). When they submit this, the info is processed by another page (say buy.php) which also passes the form info to the payment gateway.

order.php
=========
There is nothing special about this. All it needs is that the form action is set to buy.php.

buy.php
=======
## Store the form info into some session data ##
## NB. I tend to name my form elements like: form[name], form[address], form[phone] etc.
## This way it becomes very easy to process like so:

    session_register("form");

This will store form[name], form[address], form[phone] etc. into the session data.

The session-id can be gotten by:

    $session_ID = session_id();

Now all that remains is to POST the form data (form[name], form[address], form[phone] etc.) and return URL to the payment gateway.

Construct the return URL:

    ## this is just an example, alter to taste:
    $ret_URL = "http://www.mydomain.com/confirm.php?sid=$session_ID";

Now POST this along with form data to the payment gateway.

I haven't a clue how to do this, maybe use CURL library?

NB If the payment gateway accepts GETs then it's just a simple matter of tacking the form data and return URL onto the URL of the gateway and sending an HTTP redirect header. Something like:

    header("Location: http://payment.gateway.com/payment.cgi?name=$form[name]&address=$form[address]&phone=$form[phone]&returnURL=$ret_URL");

Hopefully after the gateway has done its stuff it will redirect back to your confirmation page.

confirm.php
===========
To retrieve the session-id just do:

    session_id($session_ID);

To get your session data:

    session_register("form");
    echo "Name: $form[name]";

NB all the above is untested :)

regards
--
Jason Wong
Gremlins Associates
www.gremlins.com.hk

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
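Added example, not part of the original thread and not any poster's code: one way to handle the forged-callback concern raised above is to accept the gateway's POST only when it carries a valid signature and matches an order already stored server-side. It assumes the gateway signs its callback with HMAC-SHA256 under a shared secret; the field names (order_id, amount, status, sig), the signing format and the in-memory $pending store are hypothetical stand-ins.

```php
<?php
// Added example. The signing scheme, field names and sample data are assumptions.
const GATEWAY_SECRET = 'constructed-shared-secret'; // placeholder; load from config

// Canonical string the (hypothetical) gateway signs: order id, amount, status.
function callback_signature(array $f, string $secret): string
{
    $msg = implode('|', [$f['order_id'], $f['amount'], $f['status']]);
    return hash_hmac('sha256', $msg, $secret);
}

// True only for an authentic, approved, matching and not-yet-used callback.
function verify_callback(array $post, array &$pending, string $secret): bool
{
    foreach (['order_id', 'amount', 'status', 'sig'] as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            return false;                       // missing or non-scalar field
        }
    }
    // 1. Authenticity: constant-time compare against our own HMAC.
    if (!hash_equals(callback_signature($post, $secret), $post['sig'])) {
        return false;
    }
    // 2. Correlation: the order must exist in server-side state.
    $id = $post['order_id'];
    if (!isset($pending[$id])) {
        return false;
    }
    // 3. Integrity of the business data: amount must equal what we stored.
    if ($post['amount'] !== $pending[$id]['amount'] || $post['status'] !== 'approved') {
        return false;
    }
    // 4. Single use: a replayed callback finds no pending order.
    unset($pending[$id]);
    return true;
}

// Constructed sample data: one pending order keyed by order id.
$pending = ['A1001' => ['amount' => '49.95', 'session_id' => 'constructed-session-id']];
$good = ['order_id' => 'A1001', 'amount' => '49.95', 'status' => 'approved'];
$good['sig'] = callback_signature($good, GATEWAY_SECRET);
$forged = ['sig' => str_repeat('0', 64)] + $good;  // same fields, wrong signature

var_dump(verify_callback($forged, $pending, GATEWAY_SECRET)); // forged POST
var_dump(verify_callback($good, $pending, GATEWAY_SECRET));   // genuine callback
var_dump(verify_callback($good, $pending, GATEWAY_SECRET));   // replay of it
```

In a real handler $post would be $_POST and $pending the orders table; the customer's session data is then loaded from the stored session_id, not from anything supplied in the request.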
Re: [PHP-DB] E-Commerce - Integrating Sessions With Charging Processes That rePOST
- Original Message -
From: Fotwun [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, August 20, 2001 1:40 PM
Subject: [PHP-DB] E-Commerce - Integrating Sessions With Charging Processes That rePOST

> Hi, I have basically seen and used two methods for integrating credit card
> gateways into PHP code. The first method is one that opens a socket to the
> gateway server and sends the data from within the code. The second is where
> FORM data is posted to a https URL with the URL it should send the response
> back to, with the confirmation code, etc.

[snip]

> Because the client's order ID that is generated will be stored as a session,
> I need a way to reference the order ID and confirmation code that is returned
> by the posted data from the gateway, against the session data to start
> inserting the data into the DB if it was a successful charge.

You can store the session-id in the return URL.

regards
--
Jason Wong
Gremlins Associates
www.gremlins.com.hk
RE: [PHP-DB] E-Commerce - Integrating Sessions With Charging Processes That rePOST
How, code-wise, do I retrieve the session data from the session id? Also, another response below said HTTP_REFERER is not secure. So how do people who use this type of payment gateway secure the script it redirects to? All of the data it sends is form data, so once somebody knew what script it redirects to, and what form data it posts, it would be quite easy for them to authorize their own charges in my opinion.

I think the more I think about this, the POST/REDIRECT type of gateway is pretty hooky. I would like someone's input who actually uses this type of gateway and how it is secured and how they maintain their sessions that correlate to that browser.

I think I just need to find a company with more reasonable rates that allow direct socket authorization. Any recommendations on that?

-Original Message-
From: Jason Wong [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 12:43 PM
To: Fotwun; [EMAIL PROTECTED]
Subject: Re: [PHP-DB] E-Commerce - Integrating Sessions With Charging Processes That rePOST

- Original Message -
From: Fotwun [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, August 20, 2001 1:40 PM
Subject: [PHP-DB] E-Commerce - Integrating Sessions With Charging Processes That rePOST

> Hi, I have basically seen and used two methods for integrating credit card
> gateways into PHP code. The first method is one that opens a socket to the
> gateway server and sends the data from within the code. The second is where
> FORM data is posted to a https URL with the URL it should send the response
> back to, with the confirmation code, etc.

[snip]

> Because the client's order ID that is generated will be stored as a session,
> I need a way to reference the order ID and confirmation code that is returned
> by the posted data from the gateway, against the session data to start
> inserting the data into the DB if it was a successful charge.

You can store the session-id in the return URL.

regards
--
Jason Wong
Gremlins Associates
www.gremlins.com.hk
[PHP-DB] E-Commerce - Integrating Sessions With Charging Processes That rePOST
Hi,

I have basically seen and used two methods for integrating credit card gateways into PHP code. The first method is one that opens a socket to the gateway server and sends the data from within the code. The second is where FORM data is posted to a https URL with the URL it should send the response back to, with the confirmation code, etc.

I traditionally use PG for situations of e-commerce, mainly because of transactions. I like the first method better, because I feel it is more secure, seamless, and less chance for errors to occur (either user induced, or other problems). I like being able to store all of the required data in sessions (rather than adding to the DB at each step) and then making all of the transactional queries at the end of the credit card charging process.

The problem I face is that all of the companies I've researched that allow direct socket integration seem to charge quite a bit more in general than those that use the POST/REDIRECT method of charging. So, if anyone knows of a reliable and affordable company that allows socket integration, that would solve the problem best.

However, because of budget issues, I may need to use one of these cheaper companies, who ultimately use the POST/REDIRECT method. My questions are how do you securely, reliably, and seamlessly integrate sessions within that type of gateway. Because once the form data is posted to the credit card gateway, it redirects (posts response data) back to the script of your choice. However, in my experience, the sessions are not restored/recognized until the browser is refreshed on the client side (through the use of JavaScript) to get the server to recognize the request as coming from your user, rather than as a post from the gateway. I don't want to have to deal with getting sloppy and adding additional refreshes/JavaScript if that's the only way to do it.

If I were to merely have the code generate a form based on hidden tags and have JavaScript auto-form submit, then I would be open to security problems, because I could no longer restrict the script the gateway responds to by an HTTP_REFERER.

Because the client's order ID that is generated will be stored as a session, I need a way to reference the order ID and confirmation code that is returned by the posted data from the gateway, against the session data to start inserting the data into the DB if it was a successful charge.

Any ideas...? Maybe there's a quick solution out there I am just overlooking. The solution would be easy if I wasn't inserting all of my data at the end of the process based on the session data. But this is how the code has to work, so what do you all think, how should I deal with this?

Thanks,
FT