0

I have searched a lot but didn't quite find what I am looking for. My scenario is, I am trying to add payment processing in my website. The gateway requires me to send POST data to a specific url (not part of my site). I don't want to use

<input type="hidden" name="secret_key" value="somevalue" />
<input type="hidden" name="auth_key" value="othervalue" />
<input type="hidden" name="charge_total" value="345" />

as this can be manipulated easily. My question is can I grab the data in a php page, process it and send the required data using POST to the payment url without exposing it to the client end. Just to be sure, I would like the user to be actually redirected to that page as well, like it would when you submit the form.

I don't want to use AJAX either, because that would mean exposing it to the client end.

Thanks.

EDIT: Just to elaborate, currently users fill in the form, including radio buttons and text fields (along with my hidden fields). The form is submitted to the payment gateway's hosted page, where they can confirm their choices and see the Merchant Name (me), which the payment gateway determines using the secret code. There, the users fill in their card details and proceed with payment and are shown the result of the transaction, which is sent back to my server in XML as well. Then they are redirected back to my website's success/failure page.

Now, I would like to fetch those user supplied form items, append my custom data, and then submit those values to the gateway hosted page, and continue the rest of the process. Any help is highly appreciated.

Thanks again.

5
  • Make a database of temp data that runs off the client's IP address. Commented Jul 6, 2014 at 16:16
  • Note that the IPG almost certainly doesn't support this scenario (it may, but in my experience they do NOT). When they expect data to be posted to them AND a user to be present, they tend to expect the user to actually provide the POST data (that is, they cannot be sent separately, since the IPG won't make an effort to consolidate the two requests). Commented Jul 6, 2014 at 16:21
  • 1
    This kind of thing is done server-to-server, you don't redirect the client to another server with all your top secret data. Commented Jul 6, 2014 at 16:22
  • But I plan to get the data from the user as the form is submitted to my server, then combine it with my credentials, and then send the complete data to the gateway in one request (and redirect the user as well so they can see the receipt generated as a result of the transaction). Commented Jul 6, 2014 at 16:24
  • Unless it's a Hosted Order Page, in which case you DO redirect them, but usually in that case the IPG requires you to hash/encrypt the values and send that hash along with the user. Commented Jul 6, 2014 at 16:25

2 Answers

3

Use cURL to send the POST from the server:

// set POST variables (raw values; http_build_query() does the URL-encoding)
$fields = array(
    'secret_key'   => 'somevalue',
    'auth_key'     => 'othervalue',
    'charge_total' => 345
);

// url-ify the data for the POST
$fields_string = http_build_query($fields);

// open connection
$ch = curl_init();

// set the url, POST method, POST data
curl_setopt($ch, CURLOPT_URL, 'https://www.yourgateway.com');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
// return the gateway's response as a string instead of printing it
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

// execute post
$result = curl_exec($ch);
if ($result === false) {
    error_log('cURL error: ' . curl_error($ch));
}

// close connection
curl_close($ch);

7 Comments

Will that actually take the user to the respective page, or just return the result on the same page?
Yanky, it's not a redirect; it sends the data from the server and has nothing to do with the browser response.
But the receipt is generated by the Payment gateway server, and I would like the user to see the success/failure of the transaction using Gateway hosted page.
You need to decide if you're going to redirect the user to the gateway and let them handle the entire transaction process or if you want to keep your customer on your site. Your gateway will send back a response to your cURL request, which you can then use to update your database and send a response back to the browser with that same success/fail messaging.
Let me explain the current scenario a bit more. Users fill form (which includes my hidden fields) that has action attribute to the payment gateway. On the gateway hosted page, items are shown along with the total amount and the Merchant (using the secret code). Users fill in their card info and are shown a receipt. The gateway then sends the xml data back to my server. So I need to redirect them without exposing my data.
2

See my update below.

I think you can use php/curl examples here: http://curl.haxx.se/libcurl/php/examples/, especially http://curl.haxx.se/libcurl/php/examples/simplepost.html

<?php
//
// A very simple PHP example that sends a HTTP POST to a remote site
//

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL,"http://www.example.com/tester.phtml");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,
            "postvar1=value1&postvar2=value2&postvar3=value3");

curl_exec ($ch);
curl_close ($ch); 
?>

It can be written as a function like this:

function sendPost($postURL, $post_string) {

    // initiate curl object
    $request = curl_init($postURL);

    // set to 0 to eliminate header info from response
    curl_setopt($request, CURLOPT_HEADER, 0);

    // Returns response data instead of TRUE(1)
    curl_setopt($request, CURLOPT_RETURNTRANSFER, 1);

    // use HTTP POST to send form data
    curl_setopt($request, CURLOPT_POSTFIELDS, $post_string);

    // execute curl post and store results in $post_response
    $post_response = curl_exec($request);

    // Checks for Errors if needed
    if (curl_errno($request) > 0)
    {
        $_SESSION['curl_error'] = curl_getinfo($request);
    }

    curl_close($request);

    return $post_response;

}

$postURL is the URL of your payment gateway.

$post_string holds your variables, in the format the payment gateway expects.

You can then parse $post_response and take its values to show the status to the user. Of course, you already know how to use var_dump or echo to see the values of $post_response.

4 Comments

About >> Let me explain the current scenario a bit more. Users fill form (which includes my hidden fields) that has action attribute to the payment gateway. On the gateway hosted page, items are shown along with the total amount and the Merchant (using the secret code). Users fill in their card info and are shown a receipt. The gateway then sends the xml data back to my server. So I need to redirect them without exposing my data. => You can let the user submit data to your server, then call cURL as I described. The gateway will send its page back to you. You will handle it and show the result to users.
I would rather have them visit the hosted page, as opposed to me processing the page myself. If that makes sense?
To do that, I think you can add this directive, which instructs cURL to load that URL: curl_setopt($request, CURLOPT_FOLLOWLOCATION, true); and the user will visit that page.
Will definitely check that one out. Will let you know, if it works out.
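
The hosted-order-page approach raised in the comments on the question (the merchant hashes the values and sends that hash along with the user), sketched as an added example that is not code from any poster or from a real gateway: the secret stays on the server, the browser carries only public fields plus an HMAC over them, and an edited charge_total no longer verifies. The signing scheme, the field names merchant_id, order_id and signature, and the gateway.example URL are assumptions; a real gateway defines its own.

```php
<?php
// Added example: the signing scheme and field names are hypothetical.
// A real gateway documents its own field order, separator and hash algorithm.
const SIGNING_SECRET = 'constructed-demo-secret'; // server-side only, never rendered

// Canonical string: fields sorted by name, one name=value pair per line.
function canonicalize(array $fields): string
{
    ksort($fields, SORT_STRING);
    $parts = [];
    foreach ($fields as $name => $value) {
        $parts[] = $name . '=' . $value;
    }
    return implode("\n", $parts);
}

function signFields(array $fields, string $secret): string
{
    return hash_hmac('sha256', canonicalize($fields), $secret);
}

// Constant-time check for fields that travelled through the browser.
function verifyFields(array $fields, string $signature, string $secret): bool
{
    return hash_equals(signFields($fields, $secret), $signature);
}

// Form the browser posts to the hosted page: public values plus the signature.
function renderHostedPageForm(string $gatewayUrl, array $fields, string $secret): string
{
    $fields['signature'] = signFields($fields, $secret);
    $html = '<form method="post" action="' . htmlspecialchars($gatewayUrl, ENT_QUOTES) . '">' . "\n";
    foreach ($fields as $name => $value) {
        $html .= sprintf(
            '<input type="hidden" name="%s" value="%s">' . "\n",
            htmlspecialchars($name, ENT_QUOTES),
            htmlspecialchars((string) $value, ENT_QUOTES)
        );
    }
    return $html . '<button type="submit">Continue to payment</button></form>' . "\n";
}

// Constructed sample order; the amount comes from the server-side order record.
$fields = ['merchant_id' => 'M-DEMO', 'order_id' => '1001', 'charge_total' => '345.00'];
echo renderHostedPageForm('https://gateway.example/pay', $fields, SIGNING_SECRET);
$sig = signFields($fields, SIGNING_SECRET);
$tampered = ['charge_total' => '1.00'] + $fields; // amount edited in the browser
var_dump(verifyFields($fields, $sig, SIGNING_SECRET));   // original fields
var_dump(verifyFields($tampered, $sig, SIGNING_SECRET)); // edited amount
```

The same verifyFields() check applies to the result the gateway sends back to the merchant server, provided the gateway signs that message with the shared secret.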
