
I am making a payment process/checkout system where a user is required to go through 3 separate pages (chooseplan.php -> payment-details.php -> confirm.php) before the checkout information is sent to paypal.

Already in the first page (chooseplan.php) a user is required to pick a pricing plan, and that is being posted to payment-details.php in a form, such as:

<input type='hidden' name='plan' value='enterprise'>

From the payment-details.php I am retrieving it by $_POST to do validation and later drop it in an input tag again, just to be able to post it in a form (again) to the last page: confirm.php.

I was wondering if there is another way of storing this variable, rather than constantly reposting it, validating and creating another input field on every page it goes through. I would prefer not to see the variable in the URL (GET). Also, without JavaScript or session.

  • Proper way is to store the Plans in DB, and then on first stage get them from DB and place it in the select box or whatever form element you are using. But you have to only send the id of your plan in the form. On second page, get ID, and then again pick the data from DB to display to user and hence on third page. You can't do it with the posting it to all other pages, you have to do it either by posting using form, or including it in url ($_GET). Commented Feb 4, 2014 at 11:52
  • Your idea is pretty vulnerable because if you post it into the html markup again, the user can modify it. In general you should never use things for calculations which come from the html. Maybe - just maybe - you could write it into a text file and store the value there, or you use a database for that case ... but I've never used something like that and can't think of a good way to do it. Commented Feb 4, 2014 at 11:52
  • no. Your options are cookies, session vars and storage Commented Feb 4, 2014 at 11:56
  • @altafhussain I never said I didn't have a database, you are missing the question. I am doing all the necessary vulnerability checks. Commented Feb 4, 2014 at 11:56
  • Session variables are better than cookies Commented Feb 4, 2014 at 11:56

2 Answers

1

You can use a cookie, although they are easily modified by the client (but so is form data).

setcookie("plan", "plan id?", (time() + 3600));  /* Expires in 1 hour. */

You can then retrieve the plan like so:

echo $_COOKIE["plan"];

3 Comments

  • That's exactly my dilemma, things can easily be modified by the user. Both cookies, get and form data. Even sessions are subject to hijacks. Is there absolutely no other way?
  • @DaveCameron Session hijacking is unlikely, and easy to protect against with https. Why don't you want to use sessions, which are the obvious answer to problems like this?
  • @DaveCameron it is your job to make sure a session will not be hijacked (e.g. through XSS). So I would go with session data and use a secure connection.
0

Sessions are the best way to go, but if you want to increase the security of the whole transaction, you can generate a token based on the data already selected, then keep that token on the session or a database.

Then you have two options. One is sending the token with the new form, including the hidden fields, and on the way back comparing the token with the one you already have: if it's different, then something happened and you abort; if it's the same, you generate the token again from the hidden data and compare it to the saved token, and if it's not the same, you abort. The second option is only sending the data, without the token, saving one step.

Of course all the steps to generate a secure token have to be taken.

On each page you will generate a new token based on the new information.

I hope I explained myself clearly enough with all the back and forth.
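A worked version of the token idea from this answer, added here as an illustration in PHP (it is not code from the question or from either answer). It assumes a server-side secret loaded from configuration (`CHECKOUT_SECRET` below is a placeholder) and an active session; the token is an HMAC over the hidden fields, so a client who edits `value='enterprise'` in the markup is rejected on the next page, which also addresses the first answer's point that hidden fields and cookies are easy to modify.

```php
<?php
declare(strict_types=1);
// Added example: sign the hidden checkout fields so tampering is detected on the next step.
// CHECKOUT_SECRET is a placeholder; load a random secret from server-side configuration.
const CHECKOUT_SECRET = 'replace-with-a-random-32-byte-secret-from-config';

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

/** Canonical string over the fields that must not change between pages. */
function checkout_payload(array $fields): string {
    ksort($fields);                        // field order must not affect the MAC
    return http_build_query($fields);      // e.g. "plan=enterprise&step=1"
}

/** Token = HMAC-SHA256(secret, canonical fields); a copy is kept server-side in the session. */
function issue_checkout_token(array $fields): string {
    $token = hash_hmac('sha256', checkout_payload($fields), CHECKOUT_SECRET);
    $_SESSION['checkout_token'] = $token;  // the answer's option of saving the token on the session
    return $token;
}

/** Recompute the MAC from the posted fields and compare in constant time. */
function verify_checkout_token(array $postedFields, string $postedToken): bool {
    $expected = hash_hmac('sha256', checkout_payload($postedFields), CHECKOUT_SECRET);
    if (!hash_equals($expected, $postedToken)) {
        return false;                      // a hidden field or the token itself was altered
    }
    // Also require the token to be the one issued to this session (blocks cross-session reuse).
    return isset($_SESSION['checkout_token']) && hash_equals($_SESSION['checkout_token'], $postedToken);
}

// chooseplan.php -> payment-details.php: emit the plan, the step number and the token as hidden fields.
// 'step' is included so a token issued for one page cannot be replayed at a later page.
$fields = ['plan' => 'enterprise', 'step' => '1'];
$token  = issue_checkout_token($fields);
foreach ($fields + ['token' => $token] as $name => $value) {
    printf("<input type='hidden' name='%s' value='%s'>\n",
        htmlspecialchars($name, ENT_QUOTES), htmlspecialchars($value, ENT_QUOTES));
}

// payment-details.php: verify before trusting $_POST['plan'] (constructed POST bodies below).
$honest   = ['plan' => 'enterprise', 'step' => '1', 'token' => $token];
$tampered = ['plan' => 'free',       'step' => '1', 'token' => $token]; // plan edited in the markup
var_dump(verify_checkout_token(array_diff_key($honest, ['token' => 0]), $honest['token']));
var_dump(verify_checkout_token(array_diff_key($tampered, ['token' => 0]), $tampered['token']));
```

The second verification fails because the HMAC no longer matches the edited plan; on confirm.php the same check runs again over the fields re-issued by payment-details.php.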
