
How to pass transaction data parameters (like amount) through a form without <hidden>, as this can be changed from the client console

I have a website in which there is a form to enter user details when the user "Proceeds to checkout" after adding items to the cart. The order's item string and the amount are added in the form as hidden parameters so that they can go to the next page for PHP processing and finally get updated in the database as an ORDER. Looking from a hacker's perspective, I can easily change the ORDER/cart string as well as the Amount value to a lesser value in my client side "inspect element", and the changed values proceed to the next forms. What is the tactic to tackle this?

The simplest solution is to use server-side session. This would store the amount on the server in a value that cannot be changed by the client. When you finalize the order, make sure they paid what they were supposed to. This would use a small amount of memory on the server.

Another option would be to use an HMAC. Calculate the HMAC of the various values in the order, and pass the HMAC through your payment system. Make sure the values in the order give you the same HMAC at the end of the transaction as the HMAC you generated earlier. This would use no memory on the server but require a little extra CPU time.
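The HMAC approach from the answer above, written out as an added example (not code from the original answer or the asker's site). It assumes a PHP checkout with two hidden fields, `items` and `amount`, plus a third hidden field `sig` carrying the tag; the secret key value, field names and sample order are constructed placeholders. The session alternative from the same answer appears as commented lines at the end.

```php
<?php
// Added example: sign the checkout fields with an HMAC on the server so that a
// value edited in the browser's inspector is rejected before the order is saved.

declare(strict_types=1);

// Server-side secret (placeholder). Load it from config or the environment in
// practice; it must never be sent to the client.
const ORDER_HMAC_KEY = 'replace-with-a-long-random-secret';

/**
 * Canonical string for the fields that must not change between pages.
 * Sorting the keys guarantees the same data always yields the same HMAC.
 */
function canonical_order_string(array $fields): string
{
    ksort($fields);
    return json_encode($fields, JSON_THROW_ON_ERROR);
}

/** Tag that travels alongside the hidden form fields. */
function sign_order(array $fields, string $key = ORDER_HMAC_KEY): string
{
    return hash_hmac('sha256', canonical_order_string($fields), $key);
}

/** Constant-time comparison of the submitted tag with a freshly computed one. */
function verify_order(array $fields, string $tag, string $key = ORDER_HMAC_KEY): bool
{
    return hash_equals(sign_order($fields, $key), $tag);
}

// --- Page 1: cart -> checkout form. The server computes the tag and emits it
//     as a hidden field next to the order data (constructed sample order).
$order = ['items' => 'sku123x2,sku987x1', 'amount' => '149.90'];
$tag   = sign_order($order);
// echo '<input type="hidden" name="items"  value="' . htmlspecialchars($order['items'])  . '">';
// echo '<input type="hidden" name="amount" value="' . htmlspecialchars($order['amount']) . '">';
// echo '<input type="hidden" name="sig"    value="' . htmlspecialchars($tag)             . '">';

// --- Page 2: process.php. Constructed stand-ins for $_POST: one honest submit,
//     one where the amount was lowered in the browser but the tag was left alone.
$honest   = ['items' => 'sku123x2,sku987x1', 'amount' => '149.90', 'sig' => $tag];
$tampered = ['items' => 'sku123x2,sku987x1', 'amount' => '1.00',   'sig' => $tag];

foreach ([$honest, $tampered] as $post) {
    $fields = ['items' => $post['items'], 'amount' => $post['amount']];
    if (verify_order($fields, $post['sig'])) {
        echo "accepted: amount {$post['amount']}\n";
    } else {
        echo "rejected: fields do not match signature (amount {$post['amount']})\n";
    }
}

// --- Session alternative (the answer's first suggestion): keep the order
//     server-side only and never read the amount from $_POST at all.
// session_start();
// $_SESSION['order'] = $order;              // set when the cart is finalized
// $order = $_SESSION['order'];              // in process.php; compare against what was paid
```

The tag only proves that the fields were issued by this server; pair it with the final check the answer mentions (the amount actually paid equals the signed amount) before marking the order complete.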
