Web Hosting Talk : Web Hosting Main Forums : Ecommerce Hosting & Discussion : How do you SAFELY pass hidden variables through merchant account payment screens?

[mrsurrey]

Hi everyone,

Please can you tell me how you prevent malicious manipulation of variables being passed through payment pages?

I'm setting up a jobsboard and need to send hidden variables through the payment screen (including job title, body text etc). Then if the payment is sucessful the hidden variables will be used by a script in the 'thankyou page' to insert the job advert's details into the database.

My question is how do you stop people just sending variables directly to the 'thankyou page' (without paying) to cause malicious postings (eg. spam) or alternatively getting free postings.

Thanks for any thoughts you have!

Kind Regards,


Stewart

[cdgcommerce]

My suggestion is to have your order page submit to an internal CGI on your server... then parse out any invalid information and do your error-checking on it - and the do a "behind the scenes" POST of the information to the gateway server.

If you code in Perl, you can use LWP::UserAgent libraries and if you code in PHP, you could use CURL. (Other programming languages have their own equivalents.)

The other thing that you can do is set a referring URL check on either your script and/or on the gateway side if this is allowed. However, the cleanest and most secure option is usually to go ahead and check everything internally before submitting it behind the scenes to the gateway.

Hope that info is helpful!

[mrsurrey]

Hi,

Thanks for your help, very interesting.

I'm familiar with php so i should be able to implement a referring url check. The suggestions for an internal CGI are a bit beyond my capabilities though! - if i just use a referring url checker exactly how safe is this? is it just a negligible risk?

i'm wondering whether or not to spend a couple of weeks learning how to use internal CGI and CURL or just settle for the referring url checker.

Thanks!

Stewart