 Posted by Aggelos on 03/21/07 11:02 
Hello everyone, 
I am trying to emulate sort of a Payment Gateway. 
A user makes an order and then when he checks out he gets transferred 
to the HTTPS page to enter his details. 
 
At the moment I am storing the order in a temporary cart DB Table and 
as a reference I use the Customer's ID 
so I have 
 
TABLE 
Order_Temp 
customerId | orderDateTime | ItemID 
 
Once the order gets stored I redirect them using 
header('Location:https://'.$url); 
Now I have to pass somehow in the HTTPS page the reference for the 
order so my $url looks like: 
https://www.paymentgateway.com/checkout.php?customerId=123 
 
The problem with that is that I expose the Customer ID which can easily 
be changed to anything else. 
 
What alternatives do I have? 
I thought using POST might be a solution, BUT is it safe? Can you 
fake an ID of a user when you post a form by injecting code? And how 
easy is that? 
 
I was thinking of storing in the Temp_Order table the session_id and 
then passing it through the URL? Is that safe? 
 
I just want to know if there is a standard practice of doing something 
like that. 
 
Thank you, and I really appreciate anyone's time that is spent reading 
my post :) 
 
Regards.
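
One way to make the reference in the redirect URL tamper-evident, as an added example that is not part of the original post: the customer ID is sent together with an expiry time and an HMAC, and checkout.php rejects any reference whose signature does not match. The `ref` parameter name, the `CHECKOUT_KEY` constant and both function names are assumptions made for illustration.

```php
<?php
// Added example (not from the original post). CHECKOUT_KEY is a placeholder:
// the real key is a random secret held only in server-side configuration.
const CHECKOUT_KEY = 'replace-with-a-long-random-secret';

// Build "customerId.expiry.hmac" for use in the redirect URL.
function make_checkout_ref(int $customerId, int $ttl = 900, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $payload = $customerId . '.' . $expires;
    return $payload . '.' . hash_hmac('sha256', $payload, CHECKOUT_KEY);
}

// Return the customer ID when the reference is authentic and unexpired, else null.
function verify_checkout_ref(string $ref, ?int $now = null): ?int
{
    // Strict format check before any other processing of the input.
    if (!preg_match('/^(\d{1,10})\.(\d{1,10})\.([0-9a-f]{64})$/D', $ref, $m)) {
        return null;
    }
    $expected = hash_hmac('sha256', $m[1] . '.' . $m[2], CHECKOUT_KEY);
    if (!hash_equals($expected, $m[3])) {   // constant-time comparison
        return null;                        // ID or expiry was altered
    }
    if ((int) $m[2] < ($now ?? time())) {
        return null;                        // reference has expired
    }
    return (int) $m[1];
}

// Constructed demonstration using the URL from the post.
$ref = make_checkout_ref(123);
$url = 'https://www.paymentgateway.com/checkout.php?ref=' . urlencode($ref);
echo $url, "\n";

var_dump(verify_checkout_ref($ref));                          // untouched reference
var_dump(verify_checkout_ref(preg_replace('/^123/', '124', $ref))); // ID edited in the URL
var_dump(verify_checkout_ref($ref, time() + 3600));           // checked after expiry
```

The signature only detects modification: the customer ID is still visible in the URL and the reference can be reused until it expires, so checkout.php should also confirm that the order belongs to the session presenting it.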
 
  