Re: [PHP] How do I POST data with headers make the browser follow?

2005-10-10 Thread Mark Rees
 basically what I am working on is integrating a step in between the checkout
 and the payment gateway processing.

 The cardholder information is checked for enrolment in the first step, if
 the cardholder is enrolled he will need to authenticate himself by password
 (this is where the 2nd page comes in) if the authentication is successful
 he is forwarded to the 3rd page where the payment gateway processing takes
 place.

 It's like any other online payment integration I have done before but this
 time there is this extra step required due to Visa's and Mastercard's new
 security feature.

 I didn't see an issue with passing this information along since it's already
 used in the verification of the cardholder which also requires
 the card number.

 I do require the payment info again on page 3 to pass it along to the
 payment gateway, but didn't want to store it on my end for that.

 What I gather from Richard's answer earlier that the difference between
 $_POST, $_GET or $_COOKIE, $_SESSION is almost irrelevant, I might
 as well store the detail in a session to be able to use them on page
 3 it seems.

Are you storing people's credit card numbers locally - if so, why? It seems
like you are using them to identify users? (if that's what I am to infer from

 I didn't see an issue with passing this information along since it's already
 used in the verification of the cardholder which also requires the card
 number.

If you are, consider using email addresses instead.

If you need to check whether someone already has an account with you or
whatever, do it before you take their payment details and save yourself this
bother.

Or are you using 3d secure or similar, when the user has to enter their
password/security code on the payment provider's website? That means you
have to make 2 requests with the payment data, to different websites, is
that right? One way around this might be to ask for the security code anyway
at the first step, otherwise you are stuck with persisting the information
locally.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] How do I POST data with headers make the browser follow?

2005-10-10 Thread Richard Lynch
On Sat, October 8, 2005 1:58 am, Ragnar wrote:
 What I gather from Richard's answer earlier that the difference between
 $_POST, $_GET or $_COOKIE, $_SESSION is almost irrelevant, I might
 as well store the detail in a session to be able to use them on page
 3 it seems.

On a DEDICATED server, $_SESSION is probably not a horrible place to
do this, if you really really really have to...

On a SHARED server, $_SESSION is a HORRIBLE place to tuck this info --
Any other user on that server can troll through your session files for
cc#s.  BAD.

I still fail to understand why you're bouncing the user around so much
and turning something so simple into something so complicated.

-- 
Like Music?
http://l-i-e.com/artists.htm
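
The shared-server concern in the message above can be checked on a given host. This is an added example, not code from the thread: it reports session directories and session files whose permissions let other local accounts in. It assumes a Unix-like host and PHP 7 or later; the demo directories and the fake session file are constructed.

```php
<?php
// Added example: report whether PHP session files are exposed to other local
// accounts. Assumes a Unix-like host; the two demo directories are constructed.

/** session.save_path may be "N;/path" or "N;MODE;/path"; return the directory part. */
function session_dir(string $savePath): string
{
    $parts = explode(';', $savePath);
    $dir = (string) end($parts);
    return $dir !== '' ? $dir : sys_get_temp_dir(); // empty setting: PHP uses the temp dir
}

/** Return human-readable findings; an empty array means nothing was flagged. */
function audit_session_dir(string $dir): array
{
    if (!is_dir($dir)) {
        return ["$dir is not a directory"];
    }
    clearstatcache();
    $findings = [];
    $mode = fileperms($dir) & 0777;
    if ($mode & 0077) {
        $findings[] = sprintf('%s: mode %04o lets group/other accounts in', $dir, $mode);
    }
    foreach (glob($dir . '/sess_*') ?: [] as $file) {
        $fileMode = fileperms($file) & 0777;
        if ($fileMode & 0044) {
            $findings[] = sprintf('%s: mode %04o is readable by group/other', basename($file), $fileMode);
        }
    }
    return $findings;
}

/** Build a demo directory holding one fake session file with the given modes. */
function make_demo_dir(string $name, int $dirMode, int $fileMode): string
{
    $dir = sys_get_temp_dir() . '/' . $name . '_' . bin2hex(random_bytes(4));
    mkdir($dir);
    $file = $dir . '/sess_constructedsessionid';
    file_put_contents($file, 'cart|s:3:"abc";');
    chmod($file, $fileMode);
    chmod($dir, $dirMode);
    return $dir;
}

$demo = [
    'private' => make_demo_dir('sess_private', 0700, 0600),
    'shared'  => make_demo_dir('sess_shared', 0777, 0644),
];
foreach ($demo as $label => $dir) {
    echo $label, ': ', json_encode(audit_session_dir($dir)), "\n";
    unlink($dir . '/sess_constructedsessionid');
    rmdir($dir);
}

// The directory this PHP installation is actually configured to use.
$live = session_dir((string) ini_get('session.save_path'));
echo 'configured: ', $live, ' ', json_encode(audit_session_dir($live)), "\n";
```

Clean permissions do not help when every site on the host runs PHP under the same account, because each site's scripts can then read the others' session files regardless of mode bits.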




Re: [PHP] How do I POST data with headers make the browser follow?

2005-10-08 Thread Ragnar

Hi Richard,

just to stop everyone from getting a heart attack right this instant
what I am doing with cURL and the multiple pages attempt is not much
more scary than any other person leaves credit card info on form
script you come across.

The server that I am re-sending the data to is our own and I know what
I am sending and where, so it's not like I am toying around sending people's
credit card info to some dodgy location.

So what's happening is nothing other than people's data being re-sent
by the server that belongs to us to a known and trusted source.
Since the data comes in via the checkout form already it is not any less
secure than usual.

The main issue for me was that I did not want to store the credit card
details for the second step of the processing.

Anyway, to stop me lamenting and clear this up I am not passing credit card
info around any places that are not verified or trustworthy and was merely
looking for a way to pass this information along without having to store
them on my end before they go across to the payment gateway.

I'll have another look at what I could do differently in this case.
Usually I wouldn't have to deal with an issue like this as payment information
would go straight to the payment gateway (handled there, processed there,
stored there) but in this case there was an in-between step, which I didn't
know how to solve.

Thanks for the input.



 --- Original Message ---
 From: Richard Lynch [EMAIL PROTECTED]
 To: Ragnar [EMAIL PROTECTED]
 Cc: php-general@lists.php.net
 Subject: Re: [PHP] How do I POST data with headers make the browser follow?
 Date: Fri, 7 Oct 2005 15:56:09 -0500 (CDT)
 
 On Thu, October 6, 2005 4:52 am, Ragnar wrote:
 Everything you are trying to do with the cURL, multiple pages, and
 whatnot scares the bejesus out of me...
 
 Especially that you seem to be passing people's credit card numbers
 around in this manner. [shudder]
 




Re: [PHP] How do I POST data with headers make the browser follow?

2005-10-08 Thread Ragnar
Hi Mark, 

basically what I am working on is integrating a step in between the checkout
and the payment gateway processing.

The cardholder information is checked for enrolment in the first step, if
the cardholder is enrolled he will need to authenticate himself by password
(this is where the 2nd page comes in) if the authentication is successful
he is forwarded to the 3rd page where the payment gateway processing takes
place.

It's like any other online payment integration I have done before but this
time there is this extra step required due to Visa's and Mastercard's new
security feature.

I didn't see an issue with passing this information along since it's already
used in the verification of the cardholder which also requires
the card number.

I do require the payment info again on page 3 to pass it along to the
payment gateway, but didn't want to store it on my end for that.

What I gather from Richard's answer earlier that the difference between
$_POST, $_GET or $_COOKIE, $_SESSION is almost irrelevant, I might
as well store the detail in a session to be able to use them on page
3 it seems.








Re: [PHP] How do I POST data with headers make the browser follow?

2005-10-07 Thread Mark Rees
 The information that comes in from the first page is a credit card form
 with the standard values (CCnumber, Expiry Date, Cardholder name etc).

 On page 2 an XML request is done with a verification gateway (in this case to
 check for enrolment in 3D-Secure), the result for that I get back on the
 same page and no redirection needs to be done.

 However AFTER the enrolment check with the gateway I need to send the user
 along to the 3rd page, which is a URL that is provided by the verification
 process.
 So to get there, as I need to pass a heap of data to that 3rd page I can
 either use GET or POST, but since the amount of data is fairly big the only
 real option for this part seems POST.

 So it's not really about keeping the data persistent, it's more about the
 fact on how to push the user along correctly.

Is this what happens:

1. User enters payment data
2. XML check that payment data is OK
3. redirection to a page (on another site?), where for some reason the
payment data is required again (why?).

This sounds like a mixture of two ways of implementing online payments.
Forgive me if I'm telling you what you already know, but in general I
believe things work as follows:

1 The whole process from payment to verification takes place on the payment
provider's server
or
2.  the whole thing takes place on your server, with some inline (XML in
this case) communication with your payment provider to verify the card
details.

You seem to be doing a bit of both, or have I misunderstood?
Why do you need the payment details on the third page? If you don't actually
need them, then the security problem goes away, and you can use the session
object or whatever to persist the customer data.

Does this help?




Re: [PHP] How do I POST data with headers make the browser follow?

2005-10-07 Thread Richard Lynch
On Thu, October 6, 2005 4:52 am, Ragnar wrote:
Everything you are trying to do with the cURL, multiple pages, and
whatnot scares the bejesus out of me...

Especially that you seem to be passing people's credit card numbers
around in this manner. [shudder]

 I did see that there is a FOLLOWLOCATION option you can set in cURL when you
 do your request, and thought wicked, just what I needed only to find out
 that it's not working (probably because I understand what it does wrong).

Most definitely you mis-understood what it does.

Here's what it REALLY does:

Suppose when cURL loads up the URL you ask for, it gets this back:

HTTP 302 Resource moved
Location: http://example.com/new_location_for_it.htm

If you have FOLLOWLOCATION set to 1, then cURL is just gonna go ahead
and request the new Location: and get you the damn answer you asked
for.

If you have it set to 0, you only get back the output from the 302
page -- So you can figure out exactly what the server is doing,
bouncing you around from page to page, with all these silly Location:
headers, chewing up valuable HTTP connection resources, and basically
putting a big server burden on whatever you are trying to get to.

[Actually, if HTTP/1.1 is being used, and Keep-alive is working
properly on all fronts, the burden is not so huge...  But that's not a
given for most servers/software today.]

 Pretty pretty please if anyone knows a solution for the above, let me know.

So I don't have any answer for what you're trying to do, except to sit
down and re-think all the bouncing around of data you're doing, and
most importantly where/how the credit card numbers are being
stored/transmitted, even in such temporary things as RAM, which is
swapped to hard drive, which is susceptible to attack.

On most shared servers, putting credit card info in SESSION data is
Really Bad Idea (tm) as every other user on the shared system can
troll through your session data with little to no effort.

 Oh, and I'd also like to add that the information I am trying to get to the
 3rd page in the example is sensitive (Credit Card details etc.), so $_GET
 and $_COOKIE are out of the question.

This statement alone makes me think that you believe that $_POST is
somehow safer than $_GET and $_COOKIE.

Please purge that idea right out of your head this instant.

By the time you are on your PHP script, talking to some other server,
the data you send to/from that other server, via GET, POST, or COOKIE
is no more or less secure in any of the three.

POST data from the browser is only 1/1th more secure than
GET in that any idiot can see the Location URL and play with it, and
it takes a tenth of a clue to do Save As.. and muck with the INPUT
tags to change POST data...

As an exercise, please try this yourself:

Surf to some page that has a FORM on it.
Save As... to your hard drive.
Change the INPUT tags to whatever you think will cause interesting
results on that server.
Open that file in your browser and click on the Submit button.

-- 
Like Music?
http://l-i-e.com/artists.htm
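
The "Save As..." exercise in the message above is the reason a server cannot trust hidden INPUT values it rendered on an earlier page. This is an added example, not code from the thread: it signs the values with an HMAC on page 2 and rejects the POST on page 3 if any of them were edited. The field names (order_id, amount, currency, sig), the key and the sample values are hypothetical; it needs PHP 7 or later.

```php
<?php
// Added example: detect tampering of hidden form fields between page 2 and page 3.
// Field names, key and sample values are constructed for illustration.

const SIGNED_FIELDS = ['order_id', 'amount', 'currency'];

/** Canonical byte string over the signed fields, in a fixed order. */
function canonicalize(array $fields): string
{
    $parts = [];
    foreach (SIGNED_FIELDS as $name) {
        if (!isset($fields[$name]) || !is_string($fields[$name])) {
            throw new InvalidArgumentException("missing or non-string field: $name");
        }
        // Length-prefix each value so neighbouring values cannot be re-split.
        $parts[] = $name . ':' . strlen($fields[$name]) . ':' . $fields[$name];
    }
    return implode('|', $parts);
}

function sign_fields(array $fields, string $key): string
{
    return hash_hmac('sha256', canonicalize($fields), $key);
}

/** Page 2: render the hidden inputs plus their signature. */
function render_hidden_inputs(array $fields, string $key): string
{
    $fields['sig'] = sign_fields($fields, $key);
    $html = '';
    foreach ($fields as $name => $value) {
        $html .= sprintf(
            "<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

/** Page 3: accept the POST only if the signature matches what page 2 issued. */
function verify_post(array $post, string $key): bool
{
    if (!isset($post['sig']) || !is_string($post['sig'])) {
        return false;
    }
    try {
        $expected = sign_fields($post, $key);
    } catch (InvalidArgumentException $e) {
        return false;
    }
    return hash_equals($expected, $post['sig']); // constant-time comparison
}

$key = 'constructed-demo-key-load-the-real-one-from-server-config';
$issued = ['order_id' => 'A-1001', 'amount' => '49.90', 'currency' => 'EUR'];
echo render_hidden_inputs($issued, $key);

$honest = $issued + ['sig' => sign_fields($issued, $key)];
$edited = ['amount' => '0.01'] + $honest; // what a saved-and-edited form would send

var_dump(verify_post($honest, $key)); // unmodified submission
var_dump(verify_post($edited, $key)); // amount changed after signing
```

The signature only shows that the values are the ones the server issued; it does not hide them from the browser, so it is no reason to put card data into hidden fields.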




[PHP] How do I POST data with headers make the browser follow?

2005-10-06 Thread Ragnar

Hi guys/girls,

I have to apologize if this issue has been discussed in detail before but I
couldn't find anything obvious so far.

What I need/want to do is to :

1. Take POST data from a form (no problem)
2. Do whatever I need to on the target page (no problem)
3. Pass some other data on to a 3rd page as a POST
   request.
4. Get the browser to follow to said 3rd page.


All this is happening via SSL.

So basically what I am trying to do is to fake whatever happens
at a normal POST request that is handled by the browser.

Now point 4. in my example above is giving me a massive headache,
I have managed to pass data on to the 3rd page as POST quite comfortably
using cURL but the browser doesn't follow (ie. the URL in the address bar
remains unchanged).

I did see that there is a FOLLOWLOCATION option you can set in cURL when you
do your request, and thought wicked, just what I needed only to find out
that it's not working (probably because I understand what it does wrong).

Pretty pretty please if anyone knows a solution for the above, let me know. 

Oh, and I'd also like to add that the information I am trying to get to the
3rd page in the example is sensitive (Credit Card details etc.), so $_GET
and $_COOKIE are out of the question.

ANY help would be appreciated.

Kind regards,
Ben




Re: [PHP] How do I POST data with headers make the browser follow?

2005-10-06 Thread Brent Baisley
If the information is sensitive, why are you trying to fake a POST  
submission? A POST can be received from anywhere. SSL is just  
encrypting it, not verifying the client is the same. I would use  
session variables to store information you need to access from page  
to page. That way you can verify that you are talking to the same  
computer from the first two pages.




--
Brent Baisley
Systems Architect
Landover Associates, Inc.
Search  Advisory Services for Advanced Technology Environments
p: 212.759.6400/800.759.0577




Re: [PHP] How do I POST data with headers make the browser follow?

2005-10-06 Thread Mark Rees

 1. Take POST data from a form (no problem)
 2. Do whatever I need to on the target page (no problem)
 3. Pass some other data on to a 3rd page as a POST
    request.
 4. Get the browser to follow to said 3rd page.


 All this is happening via SSL.

What the other people said about HTTP. It's time to look at this from
another angle. Why do you need to process this data twice? What are you
trying to do?

Are you, perhaps, trying to make an online payment where you store the data
locally (page 2), then perform some kind of credit check (page 3)?

If so, would something like the following work?

Page 1 - form post to page 2
Page 2: process form inputs, write to DB or whatever, communicate with page
3 as necessary (possibly using curl) and finally send a redirection header
to the browser sending it to a success/failure page based on what page 3
told you




Re: [PHP] How do I POST data with headers make the browser follow?

2005-10-06 Thread Ragnar

The information that comes in from the first page is a credit card form
with the standard values (CCnumber, Expiry Date, Cardholder name etc).

On page 2 an XML request is done with a verification gateway (in this case to
check for enrolment in 3D-Secure), the result for that I get back on the
same page and no redirection needs to be done.

However AFTER the enrolment check with the gateway I need to send the user
along to the 3rd page, which is a URL that is provided by the verification
process. 
So to get there, as I need to pass a heap of data to that 3rd page I can
either use GET or POST, but since the amount of data is fairly big the only
real option for this part seems POST.

So it's not really about keeping the data persistent, it's more about the
fact on how to push the user along correctly. 

Hope that makes sense somehow.

Thanks for the reply.

