need to hide an input value, but VAR rendering as string

seezee
Forum Newbie
Posts: 17
Joined: Thu Aug 05, 2010 9:59 am
Location: Oklahoma

need to hide an input value, but VAR rendering as string

Post by seezee »

I'm working on integrating a payment solution for a client, and the payment processor requires the value of 2 of the mandatory form fields to be inaccessible via view > source. I've cooked up an elaborate scheme in which the initial page is a form that doesn't contain the 2 fields, just the basic customer info (name, contact, donation amount). The submit action posts to a form handler that:
  1. Using a PHP Include, connects to a database to retrieve the 'protected' form values, specified by the primary key
  2. Fetches an array containing the 2 values (using a while loop)
  3. Posts the info from the 1st form
  4. Builds a new form containing the info from the 1st form, to which the 2 required fields are appended, but with empty values
  5. The PHP Include then prints a link to a .js file
  6. JS inserts the variables (specified in the PHP Include) in the form values
  7. The PHP Include is supposed to read the 2 variables and replace them with the output of the fetched array
  8. A JS onLoad would then submit the form to the payment processor
Other measures are also in place to keep the casual looker from seeing the output, but the main mechanism relies on this: if JavaScript is enabled, the 2nd form (the one with the goodies) submits before you have a chance to inspect the output or source code, or use a developer browser plugin to view it. If JavaScript is disabled, the variables never get inserted, thus the PHP doesn't write the output in the form values.

The problem is, once the JS inserts the variables, the PHP include has already run, and doesn't replace the variables with the data from the fetched array.

So question 1 is, how to get that working? I've tried breaking out the while loop and inserting it after the JavaScript; removing the JS document.ready, etc. but nothing seems to work.

Question 2 is, does PHP have a way to determine if the requesting browser has JavaScript disabled, so I could write something like:

Code:

if (!JavaScript) {
    exit;
}
else {
    $includeJS = '<script type="text/javascript" src="path/to/include.js"></script>';
}

And of course, if you know a better way to protect form values, I want to hear it.

Thanks,
buckit
Forum Contributor
Posts: 169
Joined: Fri Jan 01, 2010 10:21 am

Re: need to hide an input value, but VAR rendering as string

Post by buckit »

Who is your payment processor? Usually you don't submit a form directly to your payment gateway. What you'll do is gather all of your information that needs to be sent and then send the data by posting it to the gateway via cURL.

In that case you would use your form to get whatever data the user needs to input... then when processing the form you use PHP to take those values as well as the other values (hidden ones), add them all to an array and cURL them to the gateway... then again using cURL you view the result sent back to you stating if the transaction is authorized or not.

This is how it's done with Authorize.net and eProcessing Network (the only 2 I have ever dealt with).
seezee
Forum Newbie
Posts: 17
Joined: Thu Aug 05, 2010 9:59 am
Location: Oklahoma

Re: need to hide an input value, but VAR rendering as string

Post by seezee »

It's TC integrations. I can't get too specific about their procedure due to the non-disclosure agreement, but this is on the web: Integration Guide
buckit
Forum Contributor
Posts: 169
Joined: Fri Jan 01, 2010 10:21 am

Re: need to hide an input value, but VAR rendering as string

Post by buckit »

You'll want to use curl and you'll want to use the method outlined on page 20. This is my personal opinion.

example on sending data:

Code:

// Build an array with the keys and values you want to submit,
// pulling the values from your form and/or a database.
$an_array = array(
    "MerchantID" => $myMerchantID,    // get this from database or wherever
    "RegKey"     => $myRegKey,        // get this from database or wherever
    "Amount"     => $_POST['amount']  // data from your html form
);

// Convert the array into a postable format (URL-encode each key and value)
$post_data = "";
foreach ($an_array as $key => $val) {
    $seperator = ($post_data !== "") ? "&" : "";
    $post_data .= $seperator . urlencode($key) . "=" . urlencode($val);
}

// Send the data to the address url (placeholder: use the gateway's real post URL)
$ch = curl_init("https://the Merchants post url");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

// Get the response back from the url
$result = curl_exec($ch);
curl_close($ch);

// Now process that response to see what it says (treat a failed request as empty)
$result_array = array();
parse_str(($result === false) ? "" : $result, $result_array);

// Check the result array you just created to see if the transaction was approved.
if (!empty($result_array['Auth']) && $result_array['Auth'] != 'Declined') {
    echo "Transaction Approved!";
}

This isn't going to be 100% accurate... you are going to need to read the documentation and do some testing... but hopefully this will be enough to get you going.
seezee
Forum Newbie
Posts: 17
Joined: Thu Aug 05, 2010 9:59 am
Location: Oklahoma

Re: need to hide an input value, but VAR rendering as string

Post by seezee »

OK, read that section & did some local testing, after massaging your example code in my own inept way. :?

Question: wouldn't using cURL expose the sensitive fields via the browser address bar?

In any case, I'm sure I'll need to get on the phone with TC Integration to see if there's a sandbox I can test in further.

Thanks for donating the time & advice. Even though my way of doing it was wrong, it was a good exercise.
buckit
Forum Contributor
Posts: 169
Joined: Fri Jan 01, 2010 10:21 am

Re: need to hide an input value, but VAR rendering as string

Post by buckit »

Question: wouldn't using cURL expose the sensitive fields via the browser address bar?
No, cURL is part of PHP, which is all run server side. It sends the post data via an https url (ssl cert), which means it's being encrypted. So the server is sending it to the https address and getting the response back on the server... the browser doesn't see anything at all that happens server side.
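
Added example (not part of the thread and not any poster's code): a server-side handler along the lines buckit describes, which keeps the merchant credentials out of the HTML entirely, validates the browser-supplied amount, and verifies the gateway's TLS certificate. The field names MerchantID, RegKey, Amount and Auth follow buckit's sketch; the environment variable names are hypothetical.

```php
<?php
// Added illustration. Field names follow the sketch in the thread; the
// GATEWAY_* environment variables are hypothetical names for server-side config.

function build_gateway_fields(array $form, array $secrets): array
{
    // The amount comes from the browser, so accept only a plain decimal value.
    $amount = $form['amount'] ?? '';
    if (!is_string($amount) || !preg_match('/^\d{1,6}(\.\d{2})?$/', $amount) || (float)$amount <= 0) {
        throw new InvalidArgumentException('Invalid amount');
    }
    // Credentials are merged in on the server; they never appear in any form.
    return [
        'MerchantID' => $secrets['merchant_id'],
        'RegKey'     => $secrets['reg_key'],
        'Amount'     => $amount,
    ];
}

function post_to_gateway(string $url, array $fields): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields), // URL-encodes every value
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // reject untrusted certificates
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate must match the host name
        CURLOPT_FOLLOWLOCATION => false, // do not resend credentials to a redirect target
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        error_log('gateway request failed: ' . $err); // details stay in the server log
        throw new RuntimeException('Payment gateway unreachable');
    }
    parse_str($body, $result);
    return $result;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $secrets = ['merchant_id' => getenv('GATEWAY_MERCHANT_ID'), 'reg_key' => getenv('GATEWAY_REG_KEY')];
    try {
        $result   = post_to_gateway((string)getenv('GATEWAY_URL'), build_gateway_fields($_POST, $secrets));
        $approved = !empty($result['Auth']) && $result['Auth'] !== 'Declined';
        echo $approved ? 'Transaction approved' : 'Transaction declined';
    } catch (Exception $e) {
        http_response_code(400);
        echo 'Payment could not be processed'; // the browser only ever sees the outcome
    }
}
```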