I have the following php code
<?php
$token_cipherText=$_POST['tokenex_cipherText'];
$token=generateToken($tokenex_cipherText);
$merchantid="example";
$Password="example1";
$remoteIP='11.22.95.5';
$customerReferenceNo = $_POST['customerReferenceNo'];
$amount=$_POST['amount'];
$currencyCode='356';
$expiryMonth=$_POST['expiry_month'];
$expiryYear=$_POST['expiry_year'];
$securityCode=$_POST['cvv'];
$cardHolderName=$_POST['name_on_card'];
$cardType=$_POST['selectedRadioValue'];
if($cardType=='radio1')
{
$cardType='CC';
}
if($cardType=='radio2')
{
$cardType='DB';
}
$cardProvider=$_POST['ccType'];
if($cardProvider=='visa_electron')
{
$cardProvider='visa';
}
if($cardProvider=='mastercard')
{
$cardProvider='mc';
}
if($cardProvider=='maestro')
{
$cardProvider='maest';
}
if($cardProvider=='sbi_maestro')
{
$cardProvider='sbime';
}
$cardProvider=strtoupper($cardProvider);
$name=$cardHolderName;
$mobileNo=$_POST['mobileNo'];
$Email=$_POST['email'];
$merchant_id=$_POST['merchant_id'];
$sql=mysql_query("select * from card_token where token='$token'");
$numrows=mysql_num_rows($sql);
if($numrows==0)
{
$sql=mysql_query("insert into card_token value('','$token','$merchant_id',now())");
}
$sql=mysql_query("update payment_tools_transactions set token_id='$token', cardHolderName='$cardHolderName', cust_Email='$Email', mobileNo='$mobileNo', trans_type='$cardType', cardProvider='$cardProvider', trans_amount='$amount' where trans_refNo='$customerReferenceNo'");
$checksum = $merchantid."|".$_POST['amount']."|".$customerReferenceNo;
$checksum = hash('sha256', $checksum);
$data='tokenNo='.$token.'&securityCode='.$securityCode.'&cardExpiryMonth='.$expiryMonth.'&cardExpiryYear='.$expiryYear.'&cardHolderName='.$cardHolderName.'&transactionAmount='.$amount.'&paymentMode='.$cardType.'¤cyCode='.$currencyCode.'&customerReferenceNo='.$customerReferenceNo.'&cardProvider='.$cardProvider.'&name='.$name.'&mobileNo='.$mobileNo.'&email='.$Email.'&password='.$Password.'&amount='.$_POST['amount'].'&remoteIP='.$remoteIP.'&checkSum='.$checksum;
$encryption_key = "CE5D964";
$desEncryptedData = encryptText_3des($data, $encryption_key);
$desEncryptedData = urlencode($desEncryptedData);
$url='https://payment.paykml.com/PGCCDCToken/TokenPayment.jsp?merchantId='.$merchantid.'&data='.$desEncryptedData; //URL for CC authentication
header("location:$url");
An html form posts some values into this php and the above code is executed and using the header header("location:$url"); these parameters are redirected to $url='https://payment.paykml.com/PGCCDCToken/TokenPayment.jsp?merchantId='.$merchantid.'&data='.$desEncryptedData;
But the problem im facing is,the redirect url is exposed like https://payment.paykml.com/PGCCDCToken/TokenPayment.jsp?merchantId=example&data=**********
Anyone can manupulate or easily get this values.Is there any way I can hide this parameteres by using sessions?Or is there any other way around to hide this url redirect parameters?
Can someone help?I have been searching everywhere to find a solution but in vien :(
Solution : Sessions cannot be used here since we are redirecting to a third party website.So I used curl for posting my parameteres to the site
//Copy paste all the code till here...
$encryption_key = "CE5D964";
$desEncryptedData = encryptText_3des($data, $encryption_key);
$desEncryptedData = urlencode($desEncryptedData);
$url='https://payment.paykml.com/PGCCDCToken/TokenPayment.jsp?merchantId='.$merchantid.'&data='.$desEncryptedData;
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
//curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
$auth = curl_exec($curl);
if($auth)
{
header("Location:success.php"); //Redirect to a success page after payment.
exit;
}
If paykml.com is part of your own site, then you can use $_SESSION vars. If you are posting to a 3rd party payment processing company, than security is based on how they have set this up and you cannot use $_SESSION vars. I'd be concerned about the data input form that is passing the values to the form you have above. If you are the one posting credit card info to the above form, you should be using SSL. $_SESSION is not going to help you. Take a look here for info on accepting credit card info on your site.
Using stream_context_create and fopen(). This code is adapted from here. I have NOT tested this so do not know if it would work, but you could start here.
<?php
$options = array(
'http'=>array(
'method'=>"GET",
'header'=>
"Accept-language: en\r\n".
"Content-type: application/x-www-form-urlencoded\r\n",
'content'=>http_build_query(array("merchantId"=>$merchantid,'data'=>$data))
));
$context = stream_context_create($options);
$result = file_get_contents('http://paykml.com/PGCCDCToken/TokenPayment.jsp',false,$context);
?>
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.