On 11/9/05 11:05 AM, Tony Di Croce wrote:
If the shopping cart on site A submits to the secure CC processing page on site B, then the contextual data that describes the order (price, order number) was actually communicated from A to B via a hop at the users browser (likely via a hidden form field on site A). Thus it would need to be encrypted and urlencoded (otherwise anyone could hit "View Source" and see it all in plain text).
Is the price and order number sensitive enough to encrypt? Like we've already discussed, the order number will be considered invalid once it's been processed, so any subsequent attempts to use the order number will result in a failed transaction. If the order number includes sensitive information, however (such as the full credit card number or something), then you should rethink how you create your order numbers.
You also don't need to urlencode anything in a form field. When you submit the form, the browser handles the urlencoding for you. (If you were POSTing from a script, then, yes, you might need to urlencode it.)
As for the other question about POSTing on a redirect, it is possible through several different means, and if this is a route you want to take, I would suggest looking at PEAR::HTTP_Request, since it provides an easy to use API for this. I, however, don't think you'll need to do this (at least it doesn't sound like something that's necessary given what I know about your form).
-- Ben Ramsey http://benramsey.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
