Posted by Ben Ramsey on 11/10/11 11:31
On 11/9/05 11:05 AM, Tony Di Croce wrote:
> If the shopping cart on site A submits to the secure CC processing page on
> site B, then the contextual data that describes the order (price, order
> number) was actually communicated from A to B via a hop at the user's browser
> (likely via a hidden form field on site A). Thus it would need to be
> encrypted and urlencoded (otherwise anyone could hit "View Source" and see
> it all in plain text).
Is the price and order number sensitive enough to encrypt? Like we've
already discussed, the order number will be considered invalid once it's
been processed, so any subsequent attempts to use the order number will
result in a failed transaction. If the order number includes sensitive
information, however (such as the full credit card number or something),
then you should rethink how you create your order numbers.
You also don't need to urlencode anything in a form field. When you
submit the form, the browser handles the urlencoding for you. (If you
were POSTing from a script, then, yes, you might need to urlencode it.)
As for the other question about POSTing on a redirect, it is possible
through several different means, and if this is a route you want to
take, I would suggest looking at PEAR::HTTP_Request, since it provides
an easy-to-use API for this. I, however, don't think you'll need to do
this (at least it doesn't sound like something that's necessary given
what I know about your form).
--
Ben Ramsey
http://benramsey.com/
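The hidden-field hop described above, as an added example that is not part of the thread (written in Python rather than the PHP the list discusses, with a constructed shared secret): site A attaches an HMAC-SHA256 tag over the price and order number so site B can reject a submission altered on the way through the browser, and site B also refuses an order number it has already processed.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Secret shared by site A (cart) and site B (card page); constructed placeholder value.
SHARED_SECRET = b"constructed-example-secret-change-me"


def canonical(fields: dict) -> bytes:
    """Deterministic byte string over the order fields, so both sites MAC the same input."""
    return urlencode(sorted(fields.items())).encode()


def build_hidden_fields(order_number: str, price_cents: int, secret: bytes = SHARED_SECRET) -> dict:
    """Site A: the hidden inputs the cart page emits, plus an HMAC-SHA256 tag over them."""
    fields = {"order_number": order_number, "price_cents": str(price_cents)}
    fields["sig"] = hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()
    return fields


def browser_submit(fields: dict) -> str:
    """What the browser does on submit: form-encodes the inputs itself, no pre-urlencoding."""
    return urlencode(fields)


def parse_post_body(body: str) -> dict:
    """Site B: decode the application/x-www-form-urlencoded body back to a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def verify_hidden_fields(posted: dict, secret: bytes = SHARED_SECRET) -> bool:
    """Site B: recompute the tag over the received fields and compare in constant time."""
    tag = posted.get("sig", "")
    fields = {k: v for k, v in posted.items() if k != "sig"}
    expected = hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


class CardPage:
    """Site B: accepts a signed order once; a reused order number fails, as in the thread."""

    def __init__(self):
        self.processed = set()

    def process(self, body: str) -> str:
        posted = parse_post_body(body)
        if not verify_hidden_fields(posted):
            return "rejected: tampered or unsigned fields"
        if posted["order_number"] in self.processed:
            return "rejected: order already processed"
        self.processed.add(posted["order_number"])
        return f"ok: charge {posted['price_cents']} cents for order {posted['order_number']}"
```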