I'm trying to use PHP to wrap the output of an HTML form before it goes
into a precompiled C cgi script.
Essentially, the company that I work for uses a purchased precompiled c
program for their shopping cart. This C program stores order
information, and when an order is processed and approved, records the
transaction and sends a template email to the customer with an invoice
describing their purchase. Since we're going to be selling a new
software product soon, they've asked me to write a script into the
website that will include License Keys to the product the customer has
purchased along with all other data about the order. The C program
DOES have functionality for custom variables, but it they've all got to
be neatly packaged and set up for the C code BEFORE the customer
completes the order, and I don't want these values to be evident at
that point, because a simple right click and View Source would expose
the keys to a non-purchasing client.
(I'm also going to mention in code a php file I'll call keyGen.php,
which will have one method called gen that will read a string, (which
I'll give from a cookie) and generate a key. I realize that reading a
cookie ain't a good way to do this, but I want to solve this problem
first then I'll find a way around the cookie problem).
So, what I'm thinking of doing is redirecting the Checkout button's
form, which previously pointed to the C CGI script, to point to a PHP
file, which I'll call Intercept.php, This php file will examine all the
form's inputs, repackage them, then use putenv and passthru to call the
C CGI with all the original form's variables as well as any new ones I
want to create. So essentially the code WAS
<html>
<form name=checkout method="post" action="/cgi-bin/shopper">
<input name="blah1">
<input name="blah2">
</form></html>
and now I need
<html>
<form name=checkout method="post" action="intercept.php">
<input name="blah1">
<input name="blah2">
</form></html>
and intercept.php as something like
<?php
include "keyGen.php";
$keyVal = gen($_COOKIE['basket']);
$keyName = "PASSLicKey";
$toInclude = "http://www.notawebsite.com/cgi-bin/shopper";
$toArgue = $keyName."+".$keyVal;
if (sizeof($_POST) 0) {
foreach ($_POST as $key =$value) {
if (strlen($toArgue) 0) {
$toArgue .= "&";
}
$toArgue .= $key."+".$value;
}
putenv('REQUEST_METHOD=POST');
putenv('QUERY_STRING='.$toArgue);
passthru($toInclude);
}
else {
echo "<html><title>Error</title><body>An error has occured,
form data corrupted or insufficent data supplied"</body></html>";
}
?>
(This is a little bit of simplification but that is the basic
functionality).
I haven't been able to find many, (or any really), tutorials or details
on wrapping a html form's output like this before sending it to its
intended target. Is this possible or is there something fundamentally
undoable about what I'm trying to do here? How secure do people think
this would be? Would simply running mozilla's internet debugger expose
the POST variable and the key to somebody who isn't trying to purchase?
Running this script doesn't produce any useful error messages or logs,
but it doesn't produce a viable result either. How does what I'm doing
here look different to the C CGI than the data from the html form at
the start? I've read a lot about the need to protect CGI from malicous
input, does the loop thru post then the pass to the shopper create any
security holes that are not already there?
(I realize that writing our own shopping cart might be a better
solution, but time constraints and historical pressures mean that I
need to make something work w/ the thing we got right now).
Any help or information, (particularily examples of people passing html
form data with php to another location, which I can't find) would be
much appreciated.
