
Hide URL header redirect parameters using session

I have the following PHP code:

<?php

    // Card data and identifiers arrive from the HTML form via $_POST.
    $token_cipherText = $_POST['tokenex_cipherText'];
    $token = generateToken($token_cipherText);   // was generateToken($tokenex_cipherText): undefined variable
    $merchantid = "example";
    $Password = "example1";
    $remoteIP = '11.22.95.5';
    $customerReferenceNo = $_POST['customerReferenceNo'];
    $amount = $_POST['amount'];
    $currencyCode = '356';

    $expiryMonth = $_POST['expiry_month'];
    $expiryYear = $_POST['expiry_year'];
    $securityCode = $_POST['cvv'];
    $cardHolderName = $_POST['name_on_card'];
    $cardType = $_POST['selectedRadioValue'];

    // Map the form's radio values to the gateway's payment-mode codes.
    if ($cardType == 'radio1') {
        $cardType = 'CC';
    }
    if ($cardType == 'radio2') {
        $cardType = 'DB';
    }

    // Map the form's card-brand names to the gateway's provider codes.
    $cardProvider = $_POST['ccType'];
    if ($cardProvider == 'visa_electron') {
        $cardProvider = 'visa';
    }
    if ($cardProvider == 'mastercard') {
        $cardProvider = 'mc';
    }
    if ($cardProvider == 'maestro') {
        $cardProvider = 'maest';
    }
    if ($cardProvider == 'sbi_maestro') {
        $cardProvider = 'sbime';
    }
    $cardProvider = strtoupper($cardProvider);

    $name = $cardHolderName;
    $mobileNo = $_POST['mobileNo'];
    $Email = $_POST['email'];
    $merchant_id = $_POST['merchant_id'];

    // NOTE: the mysql_* extension is removed as of PHP 7, and these queries interpolate
    // raw $_POST values directly, which leaves them open to SQL injection; prepared
    // statements (mysqli or PDO) are the fix for both problems.
    $sql = mysql_query("select * from card_token where token='$token'");
    $numrows = mysql_num_rows($sql);
    if ($numrows == 0) {
        $sql = mysql_query("insert into card_token value('','$token','$merchant_id',now())");
    }

    $sql = mysql_query("update payment_tools_transactions set token_id='$token', cardHolderName='$cardHolderName', cust_Email='$Email', mobileNo='$mobileNo', trans_type='$cardType', cardProvider='$cardProvider', trans_amount='$amount' where trans_refNo='$customerReferenceNo'");

    // Checksum over merchantId|amount|customerReferenceNo. The amount is taken straight
    // from the client, so the checksum only proves that the client's value was relayed.
    $checksum = $merchantid . "|" . $_POST['amount'] . "|" . $customerReferenceNo;
    $checksum = hash('sha256', $checksum);
    $data = 'tokenNo=' . $token . '&securityCode=' . $securityCode . '&cardExpiryMonth=' . $expiryMonth . '&cardExpiryYear=' . $expiryYear . '&cardHolderName=' . $cardHolderName . '&transactionAmount=' . $amount . '&paymentMode=' . $cardType . '&currencyCode=' . $currencyCode . '&customerReferenceNo=' . $customerReferenceNo . '&cardProvider=' . $cardProvider . '&name=' . $name . '&mobileNo=' . $mobileNo . '&email=' . $Email . '&password=' . $Password . '&amount=' . $_POST['amount'] . '&remoteIP=' . $remoteIP . '&checkSum=' . $checksum;

    // encryptText_3des() is a helper defined elsewhere; the key is hard-coded in the script.
    $encryption_key = "CE5D964";
    $desEncryptedData = encryptText_3des($data, $encryption_key);
    $desEncryptedData = urlencode($desEncryptedData);

    $url = 'https://payment.paykml.com/PGCCDCToken/TokenPayment.jsp?merchantId=' . $merchantid . '&data=' . $desEncryptedData;   // URL for CC authentication
    header("Location: $url");
    exit;   // stop the script once the redirect has been issued

An HTML form posts some values into this PHP script, the above code is executed, and using header("location:$url"); these parameters are redirected to $url='https://payment.paykml.com/PGCCDCToken/TokenPayment.jsp?merchantId='.$merchantid.'&data='.$desEncryptedData;

But the problem I'm facing is that the redirect URL is exposed, like https://payment.paykml.com/PGCCDCToken/TokenPayment.jsp?merchantId=example&data=**********

Anyone can manipulate or easily get these values. Is there any way I can hide these parameters by using sessions? Or is there any other way around to hide these URL redirect parameters?

Can someone help? I have been searching everywhere to find a solution but in vain :(

Solution: Sessions cannot be used here since we are redirecting to a third-party website. So I used curl for posting my parameters to the site.

//Copy paste all the code till here...
    $encryption_key = "CE5D964";
    $desEncryptedData = encryptText_3des($data, $encryption_key);
    $desEncryptedData = urlencode($desEncryptedData);

    // The gateway request is now made server-to-server, so the browser never sees $url.
    $url = 'https://payment.paykml.com/PGCCDCToken/TokenPayment.jsp?merchantId=' . $merchantid . '&data=' . $desEncryptedData;
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);   // was false; certificate verification must stay on for a payment host
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);      // capture the response; if it is echoed, header() below fails with "headers already sent"
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    $auth = curl_exec($curl);
    $httpCode = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);
    if ($auth !== false && $httpCode == 200) {
        header("Location: success.php"); //Redirect to a success page after payment.
        exit;
    }
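The problem in the question is that a 302 redirect puts the whole payload into a URL the customer's browser handles, where it ends up in browser history, proxy and web-server logs, and Referer headers, and where the client can alter it before it reaches the gateway. The server-side hand-off below is an added example written for this page; it is not code from the original question, the answers, or the gateway. The endpoint path, the merchantId/data field names and the sha256 checksum rule are taken from the question; encryptText_3des() is the question's own helper, which the page does not show and is assumed to exist; all sample values are constructed. It keeps the payload in the POST body rather than the query string, leaves TLS certificate verification on, checks the HTTP status before deciding what to show the customer, and takes the amount from the server's own order record rather than from $_POST.

```php
<?php
// Added example: server-to-server hand-off to the payment gateway.
// Field names, endpoint path and checksum rule are from the question;
// helper names and sample values are assumptions for this example.

declare(strict_types=1);

// Same checksum rule as the question: sha256 over "merchantId|amount|customerReferenceNo".
function gatewayChecksum(string $merchantId, string $amount, string $referenceNo): string
{
    return hash('sha256', $merchantId . '|' . $amount . '|' . $referenceNo);
}

// POSTs $fields in the request body over TLS with certificate verification on.
// Returns [httpStatus, responseBody]; throws on a transport-level failure.
function postToGateway(string $url, array $fields, int $timeoutSeconds = 30): array
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),   // body, never the query string
        CURLOPT_RETURNTRANSFER => true,                         // capture instead of echoing to the browser
        CURLOPT_FOLLOWLOCATION => false,                        // inspect the status; do not blindly follow
        CURLOPT_SSL_VERIFYPEER => true,                         // never false for a payment host
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => $timeoutSeconds,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/x-www-form-urlencoded'],
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('gateway request failed: ' . $err);
    }
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return [$status, $body];
}

// --- usage with constructed sample values ---
$merchantId    = 'example';
$referenceNo   = 'REF-0001';           // constructed
$amount        = '100.00';             // constructed; read from your own order record, not from $_POST
$encryptionKey = 'EXAMPLE-KEY';        // placeholder; load from configuration, not source

$plain = http_build_query([
    'customerReferenceNo' => $referenceNo,
    'transactionAmount'   => $amount,
    'amount'              => $amount,
    'checkSum'            => gatewayChecksum($merchantId, $amount, $referenceNo),
    // remaining card and customer fields exactly as in the question's $data string
]);

// encryptText_3des() is the question's helper (not shown on the page); assumed to
// take (plaintext, key) and return the ciphertext string the gateway expects.
$encrypted = encryptText_3des($plain, $encryptionKey);

[$status, $body] = postToGateway(
    'https://payment.paykml.com/PGCCDCToken/TokenPayment.jsp',
    ['merchantId' => $merchantId, 'data' => $encrypted]
);

if ($status === 200) {
    header('Location: success.php');
    exit;
}
error_log('gateway returned HTTP ' . $status);   // log the status only, never $encrypted or $body with card data
http_response_code(502);
echo 'Payment could not be started.';
```

Two caveats belong with this. First, whether a gateway accepts the payload as a POST body, and whether it needs the customer's browser to land on its own page (for example for a card-issuer authentication step), is defined by the gateway's integration documentation; this example assumes a body POST is accepted, and if the gateway requires a browser redirect the usual pattern is a short-lived server-side token in the URL rather than the payload itself. Second, moving the request server-side does nothing for the database code in the question, which still builds SQL by string interpolation from $_POST; that needs prepared statements regardless of how the gateway is called.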

If paykml.com is part of your own site, then you can use $_SESSION vars. If you are posting to a 3rd party payment processing company, then security is based on how they have set this up and you cannot use $_SESSION vars. I'd be concerned about the data input form that is passing the values to the form you have above. If you are the one posting credit card info to the above form, you should be using SSL. $_SESSION is not going to help you. Take a look here for info on accepting credit card info on your site.


Using stream_context_create and fopen(). This code is adapted from here. I have NOT tested this so do not know if it would work, but you could start here.

<?php
// Form-encoded fields travel in the request body, so the method must be POST, not GET.
$options = array(
  'http'=>array(
    'method'=>"POST",
    'header'=>
      "Accept-language: en\r\n".
      "Content-type: application/x-www-form-urlencoded\r\n",
    // send the encrypted payload built earlier (the raw output of encryptText_3des, before
    // urlencode(), since http_build_query encodes it), not the plaintext $data
    'content'=>http_build_query(array("merchantId"=>$merchantid,'data'=>$desEncryptedData))
));

$context = stream_context_create($options);

// https, as in the question's URL; file_get_contents() returns false on failure
$result = file_get_contents('https://payment.paykml.com/PGCCDCToken/TokenPayment.jsp', false, $context);

?>
