Solved

Programmatically POST data securely

Posted on 2014-02-25
Last Modified: 2014-03-04
My problem is related to a credit card processing service with a hosted form option but I will try to make my question more generic. In order to use the hosted form (credit card processing company hosts it, not me), I have to pass them three unique identifiers (IDs). Those IDs cannot be made public and so the company has told me to POST them programmatically. I have been given examples of cURL and HTTPwebRequest by their tech support. After pointing out cURL and an HTTPwebRequest would result in information being collected from their site and returned to mine leaving an end user still on my website, obviously not the desired effect if I am trying to use the company's hosted form, their tech support has stopped answering my questions.

Is there a way to POST data programmatically without it being readable (by readable I mean things such as JavaScript and/or hidden fields in a form) and end up on the page you are POST-ing to?
Question by:jaw0807
7 Comments
 
LVL 58

Expert Comment

by:Gary
ID: 39887659
Who is it you are using?
0
 
LVL 52

Expert Comment

by:Scott Fell, EE MVE
ID: 39887728
In ASP you are using xmlhttppost. I have an example here http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/ASP/Q_28062945.html#a38982313. In classic ASP you first have to build your post data as a string, then send it. Your response will most likely be in XML format as well and you will need to parse the response.

<%
If Request.Form("credit_card_no") <> "" Then
	MerchNO = "1234"
	MyPin = "abc"
	credit_card_no = Request.Form("credit_card_no")
	' keep adding fields
	theURL = "https://demo.myvirtualmerchant.com/VirtualMerchantDemo/process.do"

	' Now use xmlhttp post (http://support.microsoft.com/kb/290591) to send data. Any items you want hidden from people are in your variables and posted this way.

	' Build the URL-encoded body from the variable values, not the variable names
	DataToSend = "ssl_merchant_id=" & Server.URLEncode(MerchNO) & _
		"&ssl_pin=" & Server.URLEncode(MyPin) & _
		"&CC_NO=" & Server.URLEncode(credit_card_no)
	Dim xmlhttp
	Set xmlhttp = Server.CreateObject("MSXML2.ServerXMLHTTP")
	' Synchronous server-to-server POST; the browser never sees this request
	xmlhttp.Open "POST", theURL, False
	xmlhttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
	xmlhttp.send DataToSend
	Response.ContentType = "text/xml"
	Response.Write xmlhttp.responseXML.xml ' this is your response from the post but probably not used in your case
	Set xmlhttp = Nothing
End If
%>



If you are using PHP, many of the gateways will have PHP libraries to make this easier for you.
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39887729
Who are these people?!  Payment processing is a completely normal online transaction; it happens thousands of times per hour all over the internet.  Support representatives who stop answering your questions -- well, that is a giant red flag.  You're right to avoid them.

Please step back from the technical details and just tell us what you want to do.  Example: Are you selling products and you need to collect payment?  If we understand your business needs and your geopolitical situation we can almost certainly help you get a good footing.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39887732
The 'standard procedure' is for the user to fill out the form, send it to your site using HTTPS, and when you receive it, you use 'curl' to send the data and your api keys to the processor using HTTPS also.  You get the results back in the 'curl' procedure.  None of the 'secret' info is exposed that way.

Paypal's express checkout works pretty much the same way except that you have to kind of do everything twice.  The initial forms are on your site.  You pass the sale info along with the ID info to them using 'curl' thru HTTPS and when you get a positive response, then you send your customer to Paypal where they put up their payment form on their site.  When that's all done, they send the customer back to your site for confirmation.  It's a bit of a pain but I think the idea with Paypal is that it takes so many steps to do the transaction that it makes it impossible to 'hack' them with a single POST request.
0
 
LVL 52

Assisted Solution

by:Scott Fell, EE MVE
Scott Fell,  EE MVE earned 250 total points
ID: 39887755
It sounds like you are trying to use two different methods at the same time perhaps.  Using Authorize.net's example:

One option is to use their hosted form. The data never touches your server.  In this case, their server will post back to your server when the transaction is complete or fails but in a separate transaction. Or you would just get an email that the transaction processed.  When you say you have a hosted form, this is what I think of.
Simple
When they tell you there are several parameters you have to pass and not let it be made public, this is an advanced or direct post method where the form is hosted on your server, the customer enters data that passes through your server and the credit card and amount is sent to the gateway. The gateway sends back a code that will either be a yes or a code representing why it did not process.  With this type of transaction, you typically have an id number for the merchant, secret key, the credit card info, amount and a hash field (where you concatenate multiple fields together) and encrypt the hash field.  Some gateways are not requiring this anymore if you are sending over https.  
DirectPost
Which one of these methods are you using?
0
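One way to realise the hash field described in the direct post method above, shown as an added example that is not Scott Fell's code and not any gateway's documented scheme: the merchant server computes a keyed hash (HMAC-SHA256) over the fields the gateway must trust, so the secret key itself never appears in the form. The field names, the `^` separator, the 15-minute window and the placeholder values are assumptions.

```python
import hashlib
import hmac
import time

# Constructed placeholders; the field names are hypothetical, not a real gateway's.
MERCHANT_ID = "merchant-placeholder"
SECRET_KEY = b"secret-key-placeholder"  # stays on the merchant server
MAX_AGE_SECONDS = 900                   # assumed validity window for a form

def fingerprint(key, merchant_id, sequence, timestamp, amount):
    """HMAC-SHA256 over the fields the gateway must be able to trust."""
    message = "^".join([merchant_id, str(sequence), str(timestamp), amount])
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()

def build_form_fields(amount, sequence, now=None):
    """Values the merchant page can emit as hidden fields without exposing the key."""
    timestamp = int(time.time() if now is None else now)
    return {
        "merchant_id": MERCHANT_ID,
        "sequence": str(sequence),
        "timestamp": str(timestamp),
        "amount": amount,
        "hash": fingerprint(SECRET_KEY, MERCHANT_ID, sequence, timestamp, amount),
    }

def gateway_accepts(fields, key, now=None):
    """Gateway side: recompute the hash with its own copy of the key."""
    now = time.time() if now is None else now
    try:
        timestamp = int(fields["timestamp"])
        expected = fingerprint(key, fields["merchant_id"], fields["sequence"],
                               timestamp, fields["amount"])
        supplied = fields["hash"]
    except (KeyError, ValueError):
        return False  # missing or malformed field
    if abs(now - timestamp) > MAX_AGE_SECONDS:
        return False  # stale form: limits replay of a captured hash
    return hmac.compare_digest(expected, supplied)  # constant-time compare
```

A customer who edits the amount in the browser invalidates the hash, because the key needed to recompute it is not in the page.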
 

Accepted Solution

by:
jaw0807 earned 0 total points
ID: 39891995
Turns out the answer to my question was no. I was not receiving a response from the credit card processing company because my query was making its way up the tech support chain. There is no way to POST programmatically in a one-way direction; cURL, httpwebrequests (whether xml or not) and other such communication tools work in two directions, i.e. they receive a response. The end solution was to cURL the three unique identifiers, receiving back a web form to embed on my page with an action submitting it back to the credit card processing company. Very similar to Scott Fell's Direct Post example from Authorize.net. The credit card processing company just left that crucial piece of information out of their development guide.
0
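The flow in the accepted solution above, sketched as an added example (not the poster's or the processor's code): the three IDs travel only in a server-to-server POST, and the page sent to the browser contains just the returned form. The stub processor, field names, token and `processor.example` URL are assumptions made so the example runs offline; in production the request goes to the processor's HTTPS endpoint.

```python
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholders for the three private IDs (hypothetical names).
PRIVATE_IDS = {"id_one": "AAA-placeholder", "id_two": "BBB-placeholder",
               "id_three": "CCC-placeholder"}

class StubProcessor(BaseHTTPRequestHandler):
    """Local stand-in for the processor: checks the IDs, returns a form."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        sent = dict(urllib.parse.parse_qsl(self.rfile.read(length).decode()))
        if all(sent.get(k) == v for k, v in PRIVATE_IDS.items()):
            status, page = 200, (
                '<form method="post" action="https://processor.example/pay">'
                '<input type="hidden" name="token" value="one-time-token">'
                '<input name="card_number"><button>Pay</button></form>')
        else:
            status, page = 403, "rejected"
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(page.encode())

    def log_message(self, *args):
        pass  # keep the demo quiet

def fetch_payment_form(processor_url, private_ids):
    """Server-to-server POST of the IDs; returns the form HTML to embed."""
    body = urllib.parse.urlencode(private_ids).encode()
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(processor_url, data=body, timeout=5) as response:
        return response.read().decode()

def demo():
    """Run the exchange against the stub (plain HTTP on loopback only)."""
    server = HTTPServer(("127.0.0.1", 0), StubProcessor)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = "http://127.0.0.1:%d/" % server.server_port
        return fetch_payment_form(url, PRIVATE_IDS)
    finally:
        server.shutdown()
        server.server_close()
```

The HTML returned by `demo()` is what the merchant page embeds: its `action` points at the processor, and none of the private IDs appear in it.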
 

Author Closing Comment

by:jaw0807
ID: 39902808
Thanks for the help and responses to the question.
0
