Hello!
This is impossible to redirect a user to external site with post.
urllib and urllib2 can only help to fetch data, but not to redirect a
user.
So if you do not use ssl, you have to use hidden fields where you
should specify id and pin.
You can make payments much secure using hash algorithms. But your
payment provider must provide corresponding API.
I had near your problem in one project... And below is what have been
done.
First, a user fills in a form with general order information. Then,
this form is validated in my view. After that user is redirected to
order confirmation page on my site. Among submitted general order
information this page includes "Checkout" button and two hidden fields
(action url of the form is set to payment provider site). One hidden
field is all order info encoded with base64 function, and other field
is signature, which is a hash of secret key + order info. When the
user clicks "Checkout" he is sent to payment provider site. Then the
server decodes order info and checks signature. If that is ok, the
user fills payment info ... and so on...
This will protect from tampering data.
With regards,
Max.
(sorry if my English isn't very proper)
On May 29, 7:52 pm, M Godshall <michaelgodsh...@gmail.com> wrote:
> Based on everything that I've read on the subject the last few days,
> it sounds like it's impossible to redirect a user to an external url
> with POST data. If that's the case, I really need some help figuring
> out a secure solution to the following scenario:
>
> My client wants to use the secure payment form provided by their
> payment provider's website. Here's how the process should work:
>
> 1. User submits form with basic information (no personal data) on
> client site
> 2. Client site validates the data from the form
> 3. Add sensitive account credentials to data (id and pin so the
> payment provider can identify my client's account)
> 4. Send user to payment provider's secure https website with basic
> information and client account credentials
> 5. User fills out payment information on payment provider's website
>
> The documentation only shows examples of sending this data (client id
> and pin) as hidden fields in a form, posting directly to the
> provider's url, but they don't recommend that approach for production
> environments for obvious security reasons. Unfortunately, their
> documentation and tech support don't offer any secure alternatives, so
> hopefully the Django community will be able to offer better insight.
>
> I explored urllib/urllib2, but I couldn't figure out a way to direct
> the user to the payment providers secure web page along with the data
> mentioned above. I'm certainly not an expert with these tools, so if
> you're aware of a solution please point me in the right direction.
>
> As a point of reference, the following code will give you an idea of
> what I'm trying to accomplish:
>
> def select_payment(request):
> if request.method == 'POST':
> form = PaymentForm(request.POST)
> if form.is_valid():
> values = {...} #cleaned form data, add client id and pin
> data = urllib.urlencode(values)
> url = 'https://www.xxx.com'#payment providers website
>
> #Idea 1
> full_url = url + '?' + data
> return HttpResponseRedirect(full_url) #Successfully redirects
> with data, but exposes client data in url. Not good.
>
> #Idea 2
> response = urllib2.urlopen(url, data)
> the_page = response.read()
> return HttpResponse(the_page) #This actually shows the form from
> the payment provider's website with the data I sent, but it shows it
> in my client's url. Instead, I need to send the user to the payment
> provider's website with this data so they can fill out the form on a
> secure page. This seems like it should be possible since I can post
> data to the url and get a response this way.
>
> else:
> form = PaymentForm()
> return render_to_response('payments.html', {'form': form},
> context_instance=RequestContext(request))
>
> If I can't find a way to make this work, I'll have to setup an SSL
> certificate for my client and have them host the form, but I'd really
> like to avoid this if possible. A big thanks to everyone from the
> Django irc who has helped me with this already. Hopefully I'll find
> some closure soon.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to
django-users+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---
