Re: Re: Session's across Domains...

On 11/9/05 11:05 AM, Tony Di Croce wrote:
> If the shopping cart on site A submits to the secure CC processing page on
> site B, then the contextual data that describes the order (price, order
> number) was actually communicated from A to B via a hop at the user's browser
> (likely via a hidden form field on site A). Thus it would need to be
> encrypted and urlencoded (otherwise anyone could hit "View Source" and see
> it all in plain text).

Are the price and order number sensitive enough to encrypt? Like we've already discussed, the order number will be considered invalid once it's been processed, so any subsequent attempts to use the order number will result in a failed transaction. If the order number includes sensitive information, however (such as the full credit card number or something), then you should rethink how you create your order numbers.

You also don't need to urlencode anything in a form field. When you submit the form, the browser handles the urlencoding for you. (If you were POSTing from a script, then, yes, you might need to urlencode it.)

As for the other question about POSTing on a redirect, it is possible through several different means, and if this is a route you want to take, I would suggest looking at PEAR::HTTP_Request, since it provides an easy-to-use API for this. I, however, don't think you'll need to do this (at least it doesn't sound like something that's necessary given what I know about your form).

--
Ben Ramsey
http://benramsey.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
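
An added illustration, not code from this thread or from either poster: because the order number and price reach site B through hidden form fields in the user's browser, site B can check that they arrived unaltered and that the order number has not already been processed. The shared key, the field names, the field formats and the in-memory `$processed` array are assumptions made for this example.

```php
<?php
// Assumption: sites A and B share this key out of band (constructed demo value).
const SHARED_KEY = 'constructed-demo-key-not-for-production';

// Site A: compute a MAC over the order fields and emit them as hidden inputs.
function siteA_hidden_fields(string $orderNo, string $amount): string {
    $fields = [
        'order_no' => $orderNo,
        'amount'   => $amount,
        'mac'      => hash_hmac('sha256', $orderNo . '|' . $amount, SHARED_KEY),
    ];
    $html = '';
    foreach ($fields as $name => $value) {
        // The browser urlencodes on submit; only HTML-escaping is needed here.
        $html .= sprintf('<input type="hidden" name="%s" value="%s">' . "\n",
                         $name, htmlspecialchars($value, ENT_QUOTES));
    }
    return $html;
}

// Site B: validate format, verify the MAC, then enforce single use.
function siteB_accept(array $post, array &$processed): string {
    $orderNo = $post['order_no'] ?? '';
    $amount  = $post['amount'] ?? '';
    $mac     = $post['mac'] ?? '';
    if (!is_string($orderNo) || !is_string($amount) || !is_string($mac)) {
        return 'rejected: malformed request';
    }
    // Strict formats keep the "|" separator unambiguous inside the MAC input.
    if (!preg_match('/^\d{1,12}$/', $orderNo) || !preg_match('/^\d+\.\d{2}$/', $amount)) {
        return 'rejected: bad field format';
    }
    $expected = hash_hmac('sha256', $orderNo . '|' . $amount, SHARED_KEY);
    if (!hash_equals($expected, $mac)) {            // constant-time comparison
        return 'rejected: fields were altered in transit';
    }
    if (isset($processed[$orderNo])) {
        return 'rejected: order already processed';
    }
    $processed[$orderNo] = true;  // a real site would record this in its database
    return 'accepted';
}

// Constructed sample run: a clean submit, a replay, and an edited price.
$processed = [];
$post = ['order_no' => '10042', 'amount' => '59.95',
         'mac' => hash_hmac('sha256', '10042|59.95', SHARED_KEY)];
echo siteA_hidden_fields('10042', '59.95');
echo siteB_accept($post, $processed), "\n";
echo siteB_accept($post, $processed), "\n";
echo siteB_accept(['order_no' => '10043', 'amount' => '0.01', 'mac' => $post['mac']], $processed), "\n";
```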

