如何通过邮寄和ajax安全提交价格?
[英]How to securely submit a price via post and ajax?
问题描述
I'm making an extremely simple store in order to understand more about how payment can work (but it should really work. I will sell a few old books). 
我正在开设一家非常简单的商店,以了解有关付款方式的更多信息(但它确实可以工作。我将出售一些旧书)。 The 'store' is just a simple html list of products. “商店”只是产品的简单html列表。 The cart adds and removes them via javascript. 购物车通过javascript添加和删除它们。 Payment is via a stripe elements integration. 通过条纹元素集成进行付款。 The simplest way to do this is just to send the total from the shopping cart to a stripe charge object. 最简单的方法是将购物车中的总计发送到条纹收费对象。 My question is: what is the best way to send the price in the cart to the stripe charge object? 我的问题是:将购物车中的价格发送到条纹收费对象的最佳方法是什么? I'm worried specifically that people could manipulate the price before submitting, but I don't want to tie my super simple shop to a database if I can avoid it. 我特别担心人们会在提交之前操纵价格,但是如果可以避免的话,我不想将我的超级简单商店绑定到数据库。 Is my method secure enough for my purposes? 我的方法是否足够安全以达到我的目的? What better methods exist? 存在哪些更好的方法? More details: I have a payment form that runs a php action via a jquery ajax submission. 更多详细信息:我有一个付款表格,该表格通过jquery ajax提交运行php操作。 The ajax function gets the total from the html element $('#total') via jquery . ajax函数通过jquery从html元素$('#total')获取总数。 In the php document, I get the total from the $_POST array and charge it. 在php文档中,我从$_POST数组中获取总计并收费。 Is this ok? 这个可以吗? Is it otherwise stupid? 否则愚蠢吗? Or ok for a really small shop? 还是可以开一家很小的商店?
My demo is working, I'm just interesting in learning more about best practices. 我的演示正在运行,我对学习更多有关最佳实践的兴趣很有趣。 I googled 'send price from cart securely via ajax to php ' but didn't see anything that answered this question. 我在Google上搜索了“通过ajax从购物车安全地将价格发送到php ”,但没有发现任何答案。
<div id="total">72.00</div>
var total = parseFloat($('#total').text())*100;
$.ajax({
method: 'POST',
url: 'charge.php',
data: { stripeToken: token.id, stripeEmail: token.email, totalAmount: totalForm},
success: function(response) {
console.log(response);
},
})
$token = $_POST['stripeToken'];
$total = $_POST['totalAmount'];
try{
$charge = \Stripe\Charge::create([
'amount' => $total,
'currency' => 'chf',
'description' => 'Example charge',
'source' => $token,
]);
$charge_send = $charge->__toJSON();
$success_msg = 'Thank you for your purchase.';
echo json_encode(array('success' => $success, 'charge' => $charge, 'err' => $err));
}
It's working fine. 一切正常。 I just want it to be as secure as it should be for my purposes. 我只是希望它在达到我的目的的同时也要安全。
-> Thanks for the answers! ->感谢您的回答! I see folks think I should have a minimal database. 我看到人们认为我应该有一个最小的数据库。 @HTMHell : Is this because the price otherwise cannot be securely passed? @HTMHell:这是因为否则无法安全地通过价格吗?
1 个解决方案
解决方案1
0 2019-07-07 15:19:07
most of payment system included applications require to have user has been registered. 大多数包含支付系统的应用程序都要求已注册用户。 It shows summary of payment complete page after user clicked on submit button and user checked everything on page. 用户单击提交按钮并检查页面上的所有内容后,它显示付款完成页面的摘要。 you can go payment action when user has checked. 您可以在用户检查后进行付款操作。 it is nice to check payment with user ID. 最好使用用户ID检查付款。 user account has double checked with real payments methods are good. 用户帐户已仔细检查过,具有真实付款方式都不错。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.