Page 1 of 1
automatic redirect
Posted: Sat Nov 18, 2006 3:35 pm
by chas688
I'm using a card processing company that takes a bunch of hidden fields in a post along with a user's credit card to do their processing. Then, depending upon the outcome of the processing, the hidden field I send them contains a redirect url for approve and a redirect url for a decline.
However, when a user clicks submit, the form I use stays present, so it would be possible for a user to click the submit button more than once. What I was thinking about doing is having an intermediary page with an animated "processing transaction" gif or something and that acts as the form handler to the credit card processing company. If I am sending form data, and then do a redirect, will all my form data stay intact, even if I'm using an intermediary page? Further, is there a better way of doing this than I am thinking?
Any experience out there would be of great assistance.
Thanks,
Chas
Posted: Sat Nov 18, 2006 5:40 pm
by Ambush Commander
No. What I would do is use JavaScript to disable the button onclick.
Wish I could
Posted: Sat Nov 18, 2006 6:07 pm
by chas688
Thanks for the help.
I should have been a little more specific, though. I really do wish that all I had to do was that, but I need to process some of my own data before sending off the form to the card company, based on some of the information entered into the form (database inserts, validation, etc.)
The only way I was thinking was by using an intermediary php page that accepts the results of the post and then runs some scripts on the data and then sends it on again as post data to the processing company.
Yikes!!!
Pls. Help out if you have any ideas. I could use a javscript form.submit, I guess. Have you ever done this?
Thanks,
Chas
Posted: Sat Nov 18, 2006 6:09 pm
by Ambush Commander
Yes, you can do that too. Check our
cURL.
Posted: Sat Nov 18, 2006 6:12 pm
by Luke
Yup... I agree, cURL would definately be the way to go for that.
Re: Wish I could
Posted: Sat Nov 18, 2006 6:45 pm
by timvw
chas688 wrote:Thanks for the help.
I should have been a little more specific, though. I really do wish that all I had to do was that, but I need to process some of my own data before sending off the form to the card company, based on some of the information entered into the form (database inserts, validation, etc.)
If i understand it right that would mean that customers are sending their card info to you instead of the card company? I really don't think that i would be a happy customer in that case...
Gather all the info you need.. And then, only then, provide them a form that sends them to the cc company... Probably the cc company has it's own api so that you tell the cc company to where they customer should be directed after the payment was made....
Posted: Sat Nov 18, 2006 9:25 pm
by chas688
That's how it works, you're right. I use the processing company's API, etc and they do a redirect get. However, I need to do a lot of the validation on the site for valid number, valid date format, etc.
Plus, the client wants to have a multi-page form. I'm keeping everything in a session, but the whole form process is using SSL.
What I do is this:
first order form page posts to another page. All those $_POST["firstname"],etc. are converted into session variables as in:
Code: Select all
<?php
if (isset($_POST['street1']))
{
$street1 = $_POST['street1'];
$_SESSION['street1'] = $street1;
?>
That way, I can keep that information stored in session vars throughout the form filling process. Also, this allows me to pre-fil the previous pages of the multipage form if a user wants to go back. This is done like so:
Code: Select all
<?php
if (isset($_SESSION['anythingelse'])) {
$anythingelse = $_SESSION['anythingelse'];
session_unregister("anythingelse");
} else {
// use the default value
$anythingelse = "";
}
?>
I think what i've decided is to have a final confirmation page and then use the javascript button disable. That final page will mostly check to see if cc is valid and date is in the right format before passing it to the processing company. Does anyone have a problem with this method described above from a security standpoint? Keep in mind that the credit card information stored in a $_POST var will be called on that last confirmation page as the value of that hidden field to be passed to the credit card company.
Thanks,
Chas
Posted: Sun Nov 19, 2006 3:56 am
by timvw
chas688 wrote:
Does anyone have a problem with this method described above from a security standpoint? Keep in mind that the credit card information stored in a $_POST var will be called on that last confirmation page as the value of that hidden field to be passed to the credit card company.
Yes, I only want the credit card processing company to know my cc information.
(I'm aware that most customers couldn't care less who gets access to their cc information... At least, that's what seems to happen as soon as they see the icon of 'secured page' appear in their browser...)