
Sending sensitive information to an HTTPS page

Hello everyone,
I am trying to emulate sort of a Payment Gateway.
A user makes an order and then when he checks out he gets transferred
to the HTTPS page to enter his details.

At the moment I am storing the order in a temporary cart DB Table and
as a reference I use the Customer's ID
so I have

TABLE
Order_Temp
customerId | orderDateTime | ItemID

Once the order gets stored I redirect them using
header('Location:https://'.$url);
Now I have to pass somehow in the HTTPS page the reference for the
order, so my $url looks like:
https://www.paymentgateway.com/check...customerId=123

The problem with that is that I expose the Customer Id, which can easily
be changed to anything else.

What alternatives do I have?
I thought using POST might be a solution, BUT is it safe? Can you
fake an id of a user when you post a form by injecting code? And how
easy is that?

I was thinking of storing in the Temp_Order table the session_id and
then passing it through the URL? Is that safe?

I just want to know if there is a standard practice of doing something
like that.

Thank you, and I really appreciate anyone's time that is spent reading
my post :)

Regards.

Mar 21 '07 #1
Aggelos wrote:
The problem with that is that I expose the Customer Id, which can easily
be changed to anything else.
Sign the ID number, and then check the signature at the other end. I posted
example code to do this a couple of months ago:

http://message-id.net/<2r************@ophelia.g5n.co.uk>

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!
Mar 21 '07 #2
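Toby's suggestion, worked through as an added example rather than his original posted code: the customer id and an expiry time are signed with an HMAC before they go into the redirect URL, and the HTTPS page refuses any reference whose signature does not verify. The signing key, the `ref` parameter name and the 15-minute lifetime are assumptions.

```php
<?php
// Added example (not Toby's posted code): sign the reference before
// putting it in the redirect URL, then verify the signature on the
// HTTPS page. The key is a placeholder; in practice both ends read it
// from server-side configuration and it never appears in the URL.
const SIGNING_KEY = 'replace-with-a-long-random-secret';  // placeholder
const TOKEN_TTL   = 900;   // seconds a signed reference stays valid

// Produces "customerId|expiry|signature". Signing the expiry along with
// the id means an old URL cannot be replayed indefinitely.
function sign_reference(int $customerId, ?int $now = null): string {
    $now = $now ?? time();
    $payload = $customerId . '|' . ($now + TOKEN_TTL);
    return $payload . '|' . hash_hmac('sha256', $payload, SIGNING_KEY);
}

// Verifies on the receiving side. Returns the customer id, or null if
// the reference is malformed, tampered with, or expired.
function verify_reference(string $token, ?int $now = null): ?int {
    $now = $now ?? time();
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$customerId, $expires, $sig] = $parts;
    if (!ctype_digit($customerId) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $customerId . '|' . $expires, SIGNING_KEY);
    // hash_equals compares in constant time, so response timing does
    // not leak how many leading bytes of a forged signature were right.
    if (!hash_equals($expected, $sig) || (int)$expires < $now) {
        return null;
    }
    return (int)$customerId;
}

// Sending side, in place of the plain customerId=123 redirect:
// header('Location: https://www.paymentgateway.com/checkout.php?ref='
//        . urlencode(sign_reference(123)));
// Receiving side (checkout.php):
// $id = verify_reference($_GET['ref'] ?? '');
// if ($id === null) { http_response_code(400); exit('bad reference'); }

// Stand-alone check: an edited id no longer verifies.
$good = sign_reference(123);
$tampered = '124' . substr($good, 3);
var_dump(verify_reference($good));
var_dump(verify_reference($tampered));
```

The id itself is still readable in the URL; what the signature buys is that nobody can change it to another customer's id without the key.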
Thank you... I cannot get to the link but I hope I'll find a way to
get to your post... is it in comp.lang.php?

On Mar 21, 3:44 pm, Toby A Inkster <usenet200...@tobyinkster.co.uk>
wrote:
Aggelos wrote:
The problem with that is that I expose the Customer Id, which can easily
be changed to anything else.

Sign the ID number, and then check the signature at the other end. I posted
example code to do this a couple of months ago:

http://message-id.net/<2r0v64-o98....@ophelia.g5n.co.uk>

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!

Mar 22 '07 #3
Aggelos wrote:
On Mar 21, 3:44 pm, Toby A Inkster <usenet200...@tobyinkster.co.uk>
wrote:
>Aggelos wrote:
>>The problem with that is that I expose the Customer Id, which can easily
be changed to anything else.
Sign the ID number, and then check the signature at the other end. I posted
example code to do this a couple of months ago:

http://message-id.net/<2r0v64-o98....@ophelia.g5n.co.uk>

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!


Thank you... I cannot get to the link but I hope I'll find a way to
get to your post... is it in comp.lang.php?
(Top posting fixed)

Toby's suggestion is a good one. He just got the '<' and '>' in the
wrong place. Try:

<http://message-id.net/2r************@ophelia.g5n.co.uk>

And please don't top post.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Mar 22 '07 #4
Jerry Stuckle wrote:
Toby's suggestion is a good one. He just got the '<' and '>' in the
wrong place. Try:

<http://message-id.net/2r************@ophelia.g5n.co.uk>
http://message-id.net/<2r************@ophelia.g5n.co.uk>
works fine. (I ought to know, as I own message-id.net.)

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!
Mar 22 '07 #5
Toby A Inkster wrote:
Jerry Stuckle wrote:
>Toby's suggestion is a good one. He just got the '<' and '>' in the
wrong place. Try:

<http://message-id.net/2r************@ophelia.g5n.co.uk>

http://message-id.net/<2r************@ophelia.g5n.co.uk>
works fine. (I ought to know, as I own message-id.net.)
Not for me it doesn't, Toby. Thunderbird tells Firefox to load it with
the extra chars.

Works fine as I had it.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Mar 22 '07 #6
On Mar 22, 10:42 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
Toby A Inkster wrote:
Jerry Stuckle wrote:
Toby's suggestion is a good one. He just got the '<' and '>' in the
wrong place. Try:
<http://message-id.net/2r0v64-o98....@ophelia.g5n.co.uk>
http://message-id.net/<2r0v64-o98....@ophelia.g5n.co.uk>
works fine. (I ought to know, as I own message-id.net.)

Not for me it doesn't, Toby. Thunderbird tells Firefox to load it with
the extra chars.

Works fine as I had it.
Yes it works like Jerry had it :p
Thanks both of you though.
I think that I am not going to use that solution though, as you can
still decode it if you know the algorithm... what I do is create a
random seed which I store in a DB with the id I want and then just
compare that seed again with the database to get the id whenever I
need it.

So before I send the user to the Secure site I create the random
string, then redirect to the url setting the
https://www.paymentgateway.com/checkout.php?customerId=$randomString
and in the checkout.php script I select the record from the DB with
that random string returning the original customerId. This way it is
never visible to the possible "malicious" User.

Thanks.

Mar 22 '07 #7
Aggelos wrote:
On Mar 22, 10:42 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>Toby A Inkster wrote:
>>Jerry Stuckle wrote:
Toby's suggestion is a good one. He just got the '<' and '>' in the
wrong place. Try:
<http://message-id.net/2r0v64-o98....@ophelia.g5n.co.uk>
http://message-id.net/<2r0v64-o98....@ophelia.g5n.co.uk>
works fine. (I ought to know, as I own message-id.net.)
Not for me it doesn't, Toby. Thunderbird tells Firefox to load it with
the extra chars.

Works fine as I had it.
Yes it works like Jerry had it :p
Thanks both of you though.
I think that I am not going to use that solution though, as you can
still decode it if you know the algorithm... what I do is create a
random seed which I store in a DB with the id I want and then just
compare that seed again with the database to get the id whenever I
need it.

So before I send the user to the Secure site I create the random
string, then redirect to the url setting the
https://www.paymentgateway.com/checkout.php?customerId=$randomString
and in the checkout.php script I select the record from the DB with
that random string returning the original customerId. This way it is
never visible to the possible "malicious" User.

Thanks.
Actually, it should be pretty safe if you make the seed long enough.

The only problem would be if someone could get access to your source
files and see the seed. But if they could do that, they could also see
any seed you use, along with the algorithm.

A sysadmin could do it, for instance. So could most hosting companies
(unless you have a colo). And if you can't trust your hosting company
you're in real trouble.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Mar 23 '07 #8
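The random-reference approach from the previous two posts, written out as an added example (not the poster's code): the URL carries only an opaque token drawn from the CSPRNG, and checkout.php looks the customer id up server-side. It runs stand-alone against an in-memory SQLite database through PDO (the pdo_sqlite extension is assumed); the table and column names, the single-use rule and the 15-minute expiry are assumptions.

```php
<?php
// Added example (not the poster's own code): an opaque, single-use
// reference stored server-side, as described above. It uses an
// in-memory SQLite database through PDO so it runs stand-alone; a real
// deployment would point the DSN at the shop's database. The table and
// column names are assumptions.
const REFERENCE_TTL = 900;   // seconds a reference stays valid

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE order_ref (
    token       TEXT PRIMARY KEY,
    customer_id INTEGER NOT NULL,
    expires_at  INTEGER NOT NULL,
    used        INTEGER NOT NULL DEFAULT 0)');

// Called before the redirect. 32 bytes from the CSPRNG (256 bits) is
// "long enough": the token cannot be guessed or enumerated, and it is
// the only value that appears in the URL.
function create_reference(PDO $db, int $customerId): string {
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO order_ref (token, customer_id, expires_at)
                          VALUES (:t, :c, :e)');
    $stmt->execute([':t' => $token, ':c' => $customerId,
                    ':e' => time() + REFERENCE_TTL]);
    return $token;
}

// Called from checkout.php. The prepared statement keeps the untrusted
// token out of the SQL text, the expiry limits how long a leaked URL is
// useful, and marking the row used stops the same URL being replayed.
function resolve_reference(PDO $db, string $token): ?int {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;   // not shaped like a token we issued
    }
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT customer_id FROM order_ref
                          WHERE token = :t AND used = 0 AND expires_at >= :now');
    $stmt->execute([':t' => $token, ':now' => time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        $db->rollBack();
        return null;
    }
    $db->prepare('UPDATE order_ref SET used = 1 WHERE token = :t')
       ->execute([':t' => $token]);
    $db->commit();
    return (int)$row['customer_id'];
}

// Sending side: header('Location: https://www.paymentgateway.com/'
//     . 'checkout.php?ref=' . create_reference($db, 123));
// Receiving side: $customerId = resolve_reference($db, $_GET['ref'] ?? '');
$ref = create_reference($db, 123);
var_dump(resolve_reference($db, $ref), resolve_reference($db, $ref));
```

Unlike a signed id, the token carries no information about the customer, so there is no "seed" in the source to protect beyond the database itself; the two calls at the end show the first lookup succeeding and the replay being refused.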
Jerry Stuckle wrote:
Not for me it doesn't, Toby. Thunderbird tells Firefox to load it with
the extra chars.
The "extra chars" (by which, I'm assuming you mean the angled brackets) are
*part* of the message ID. Note the Message-ID header of this message: it
starts with a '<' and ends with a '>'.

If you copy and paste the following URL into a browser (all of it,
including the angled brackets), you should see it works:

http://message-id.net/<2r************@ophelia.g5n.co.uk>

The following will also work

http://message-id.net/2r************@ophelia.g5n.co.uk

but only because the PHP code at message-id.net is smart enough to
transparently add on the angled brackets. However, in the case of
Message-IDs that don't contain an at-sign (and some older newsreaders
would produce articles that didn't), the second URL wouldn't work, as
Message-ID.net uses the presence of either an at-sign or angled brackets to
detect if the URL contains a Message-ID.

Compare:
http://message-id.net/<anews.Aucbarpa.111>
http://message-id.net/anews.Aucbarpa.111

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!
Mar 23 '07 #9
Toby A Inkster wrote:
Jerry Stuckle wrote:
>Not for me it doesn't, Toby. Thunderbird tells Firefox to load it with
the extra chars.

The "extra chars" (by which, I'm assuming you mean the angled brackets) are
*part* of the message ID. Note the Message-ID header of this message: it
starts with a '<' and ends with a '>'.

If you copy and paste the following URL into a browser (all of it,
including the angled brackets), you should see it works:

http://message-id.net/<2r************@ophelia.g5n.co.uk>

The following will also work

http://message-id.net/2r************@ophelia.g5n.co.uk

but only because the PHP code at message-id.net is smart enough to
transparently add on the angled brackets. However, in the case of
Message-IDs that don't contain an at-sign (and some older newsreaders
would produce articles that didn't), the second URL wouldn't work, as
Message-ID.net uses the presence of either an at-sign or angled brackets to
detect if the URL contains a Message-ID.

Compare:
http://message-id.net/<anews.Aucbarpa.111>
http://message-id.net/anews.Aucbarpa.111
Hi, Toby,

Ah, but '<...>' has a meaning in usenet and email clients to be a
non-wrapping line - so you can put very long URLs and not have the wrap.
And Thunderbird takes the '<' as a break. Effectively you have two pieces
here:

http://message-id.net/

and

2r************@ophelia.g5n.co.uk

clicking before the '<' just takes one to message-id.net with no
parameters. Clicking between the '<' and '>' tries to send a message to
2r************@ophelia.g5n.co.uk.

So while it works when pasted into a browser, it doesn't from at least
one popular newsreader client. IMHO, it's not a good idea to use '<'
and '>' in message id's because they have special meanings.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Mar 23 '07 #10
Jerry Stuckle wrote:
IMHO, it's not a good idea to use '<' and '>' in message id's because
they have special meanings.
Yet, they have been mandated as part of Usenet Message-IDs since RFC 1036
came out twenty years ago.

http://www.ietf.org/rfc/rfc1036.txt

| 2.1.5. Message-ID
|
[...]
| Message-ID's have the syntax:
| <string not containing blank or ">">
[...]
| The angle brackets are considered part of the Message-ID. Thus, in
| references to the Message-ID, such as the ihave/sendme and cancel
| control messages, the angle brackets are included.
[...]

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!
Mar 23 '07 #11
Toby A Inkster wrote:
Jerry Stuckle wrote:
>IMHO, it's not a good idea to use '<' and '>' in message id's because
they have special meanings.

Yet, they have been mandated as part of Usenet Message-IDs since RFC 1036
came out twenty years ago.

http://www.ietf.org/rfc/rfc1036.txt

| 2.1.5. Message-ID
|
[...]
| Message-ID's have the syntax:
| <string not containing blank or ">">
[...]
| The angle brackets are considered part of the Message-ID. Thus, in
| references to the Message-ID, such as the ihave/sendme and cancel
| control messages, the angle brackets are included.
[...]
Toby,

That's true when viewing the message via usenet. However, your link
views it through the http protocol - and that's a different story.

'<' and '>' are not valid characters in a link and must be escaped to
their hex equivalents (%3c and %3e, respectively).

http://message-id.net/%3************...a.g5n.co.uk%3e

would be the correct link.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Mar 23 '07 #12
Toby A Inkster wrote:
Jerry Stuckle wrote:
>IMHO, it's not a good idea to use '<' and '>' in message id's because
they have special meanings.

Yet, they have been mandated as part of Usenet Message-IDs since RFC 1036
came out twenty years ago.

http://www.ietf.org/rfc/rfc1036.txt

| 2.1.5. Message-ID
|
[...]
| Message-ID's have the syntax:
| <string not containing blank or ">">
[...]
| The angle brackets are considered part of the Message-ID. Thus, in
| references to the Message-ID, such as the ihave/sendme and cancel
| control messages, the angle brackets are included.
[...]
BTW - the applicable rfc is 2396: http://rfc.net/rfc2396.html.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Mar 23 '07 #13