Krakken
asked on
Post form variables to a website in a php header and then redirect.
I am building some custom shopping cart software and am interfacing with PayPal. To submit checkout data to PayPal, a bunch of hidden form variables need to be included and submitted to their checkout processor which will then display the items and allow the customer to pay in full. The problem is, the variables are available in plain text and should the customer wish, they can download the page offline, modify the HTML and submit it (it works, I have tried it on other big commercial sites). While it's easy to manually verify the data on my end to ensure the amounts charged and the amounts paid match up, I would feel better if there were some way to submit these form variables internally without anything being shown to the user.
Coming from a C++ background, I assume this can be done with sockets and directly sending a "POST" request to the receiving CGI but I would be interested to know if there is an easier way to do this.
Thanks.
Sidenote: As a general rule with web forms, keep in mind: Any information coming from the user CANNOT be trusted and MUST be checked at the server.
ASKER
I think you have misunderstood.
I am already using my own, custom-built cart with HTTPS and Website Payments Standard (Pro offers me nothing more beneficial at the moment). I understand that I cannot trust the user and while there will be a manual verification, I still want to hide the form data that is submitted to PayPal from the user's eyes as it contains modifiable data.
Here is an example to better explain what I want:
- User at "checkout.php" where the basket is visible.
- User clicks "Make Payment via PayPal" which internally calls "pay.php" on MY server.
- "pay.php" takes all the IDs from items in the user's basket and reads in pricing information from the internal database.
- It then sends a POST request to PayPal's checkout server using PHP code. (here is the problem)
- It changes the page header and loads into the PayPal website.
So from that example, all the user sees is them clicking "Make Payment via PayPal" and PayPal loads up with all the checkout items verified and submitted.
I want this to be __transparent__ to the checkout process.
I know that in C++ (primary language) you can do this by opening a socket connection to the PayPal website and creating a POST query manually (as the browser would). I am asking if there is an easier way to do this in PHP.
@Krakken: The answer to your "easier way" question is "no" - so you're on firm ground in closing this out. An example of the Post-to-PayPal processing is in their online docs for the Instant Payment Notification, where you have to take the data they posted to you, and post it back to them in order to read the VERIFIED response. Best regards, ~Ray
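Added example, not part of the thread or of PayPal's sample code: a PHP sketch of the server-side check discussed above, combining the IPN postback Ray mentions with a comparison of the paid amount against prices read on the server. The endpoint, `cmd=_notify-validate` and the `mc_gross`, `mc_currency`, `payment_status` and `receiver_email` variables are taken from PayPal's IPN documentation rather than this page; the function names, SKUs, prices and merchant address are hypothetical.

```php
<?php
// Added example. SKUs, prices and the merchant address are constructed.

// Echo the raw IPN body back to PayPal; trust it only on a "VERIFIED" reply.
function paypal_confirms_ipn(string $rawBody): bool
{
    $ch = curl_init('https://ipnpb.paypal.com/cgi-bin/webscr');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,
    ]);
    return curl_exec($ch) === 'VERIFIED';
}

// Amount owed in cents, priced from server-side data only
// ($priceList stands in for the database lookup).
function order_total_cents(array $basket, array $priceList): int
{
    $total = 0;
    foreach ($basket as $itemId => $qty) {
        if (!isset($priceList[$itemId]) || !is_int($qty) || $qty < 1) {
            throw new InvalidArgumentException("bad basket line: $itemId");
        }
        $total += $priceList[$itemId] * $qty;
    }
    return $total;
}

// Compare what PayPal reports as paid with what the server says is owed.
function ipn_matches_order(array $ipn, int $owedCents, string $currency, string $merchant): bool
{
    $gross = $ipn['mc_gross'] ?? '';
    if (!is_string($gross) || !preg_match('/^\d+\.\d{2}$/', $gross)) {
        return false;
    }
    return ($ipn['payment_status'] ?? '') === 'Completed'
        && strcasecmp($ipn['receiver_email'] ?? '', $merchant) === 0
        && ($ipn['mc_currency'] ?? '') === $currency
        && (int) str_replace('.', '', $gross) === $owedCents;
}

// Offline run on constructed data; a live handler would first require
// paypal_confirms_ipn(file_get_contents('php://input')) to return true.
$owed = order_total_cents(['sku-101' => 1, 'sku-205' => 1], ['sku-101' => 1999, 'sku-205' => 499]);
parse_str('payment_status=Completed&receiver_email=shop%40example.test&mc_currency=USD&mc_gross=24.98', $paid);
var_dump(ipn_matches_order($paid, $owed, 'USD', 'shop@example.test'));
var_dump(ipn_matches_order(['mc_gross' => '0.01'] + $paid, $owed, 'USD', 'shop@example.test'));
```

An order is marked paid only when both the postback and the comparison succeed, so an edited form amount shows up as a mismatch instead of a fulfilled order.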