Hi,

I currently have a multi-step order form that I am working on.

I was told that inserting the $_SESSION values into hidden fields to send to the processor is not secure. so I was wondering how I can send them to a processor who works with HTTP posts without compromising data security.

I am currently sending it to Linkpoint's YourPay Connect Processor.

thanx in advanced for the help!

I don't have experience with this processor, but sending sessions in hidden form fields is usually "secure enough" (no guarantees). The receiving script should check that this session data in fact came from a form by using the superglobal arrays and came from the right referrer. I don't know of another way of passing along data.

You collect all your data via an insecure form on your own site and then want to post it to a secure form and you worry about security ?

The fact that your data is supplied via your site is unsecure, unless there is also an SSL key to be used with your form of course.

If the receiving end uses the HTTP protocol, it should be fin to post your data to it. And thus if you are too, then your security should be ok.

I am hosting the all those files with the form on a secure server...

do i have to do something special in the code to have it use the SSL key or is it automatically using it when the URL is loaded through https://?

Hi,

How to inserting $_SESSION value into hidden fields?
Thank you.

Originally posted by rody084
Hi,

I currently have a multi-step order form that I am working on.

I was told that inserting the $_SESSION values into hidden fields to send to the processor is not secure. so I was wondering how I can send them to a processor who works with HTTP posts without compromising data security.

I am currently sending it to Linkpoint's YourPay Connect Processor.

thanx in advanced for the help!

What i would do is insert session variables into a hidden field like so:

<input type=hidden value="<?php print($_SESSION['variable']); ?>">

Thanks everybody. :) :)
It work great. :)