credit card processing

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

User avatar
bluesman333
Forum Commoner
Posts: 52
Joined: Wed Dec 31, 2003 9:47 am

credit card processing

Post by bluesman333 »

I'm unclear on exactly how credit card processing will work.

To be compliant with credit card company regulations, you must provide users with a page to confirm the details of there order before submitting. But, how do you do this without storing the password somewhere?

You have a page that collects the credit card number and POSTs to a page to confirm. If you are not saving passwords anywhere, how do you then POST to the payment gateway?
miro_igov
Forum Contributor
Posts: 485
Joined: Fri Mar 31, 2006 5:06 am
Location: Bulgaria

Post by miro_igov »

Simple. Why you need to store anything in order to POST it? cURL may be of interest.
User avatar
bluesman333
Forum Commoner
Posts: 52
Joined: Wed Dec 31, 2003 9:47 am

Post by bluesman333 »

I am using curl to send the data to the payment gateway. But, how do I get the cc number to the script that sends to the payment gateway without saving to db?
User avatar
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

You store whether they are logged in or not in a session. You never need to store a password at all anyway because you can compare hashes of it.
Begby
Forum Regular
Posts: 575
Joined: Wed Dec 13, 2006 10:28 am

Post by Begby »

Can't you confirm the details of the order *before* taking their credit card info?
miro_igov
Forum Contributor
Posts: 485
Joined: Fri Mar 31, 2006 5:06 am
Location: Bulgaria

Post by miro_igov »

bluesman333 wrote:I am using curl to send the data to the payment gateway. But, how do I get the cc number to the script that sends to the payment gateway without saving to db?
By adding a form which collects the cc details and posts to the processing script. User must enter the CC info just before the processing. Then you process and return status.
Rod
Forum Newbie
Posts: 3
Joined: Thu Jul 26, 2007 2:02 pm

Post by Rod »

I'm dealing with a similar problem.

I currently have a billing.php page which collects the user's credit card info. The submit button on billing.php submits this info to check_credit.php.

check_credit.php uses the post variables and curl to submit the payment to the credit card company and returns status.

Note that both billing.php and check_credit.php check a session variable called "current" to see if it contains "billing". If it doesn't, the script redirects the user to another page.

However, my concern is that check_credit.php can be executed while the user is on billing.php (i.e. by opening up another window and typing in http://.../check_credit.php.)

So I would like check_credit.php only be able to be access once the user has submitted his/her credit card info.

Any help is appreciated. Thanks! :)
miro_igov
Forum Contributor
Posts: 485
Joined: Fri Mar 31, 2006 5:06 am
Location: Bulgaria

Post by miro_igov »

you can write POST checking script in check_credit.php but this easy could be hacked so maybe adding session variable in billing.php is good idea.
Then just check the session variable and allow check_credit.php or deny
Rod
Forum Newbie
Posts: 3
Joined: Thu Jul 26, 2007 2:02 pm

Post by Rod »

miro_igov thanks for your reply :)

However, I'd prefer not to set a session variable in billing.php, because then the user just has to be on billing.php to access check_credit.php.

I'd like it for the user only to be able to access check_credit.php when the submit button is hit on billing.php.
miro_igov
Forum Contributor
Posts: 485
Joined: Fri Mar 31, 2006 5:06 am
Location: Bulgaria

Post by miro_igov »

then add a hidden field named __post with value 1 and on check_credit.php use

Code: Select all

if($_POST['__post']=='1') { // do the processing }
but this could be hacked
Rod
Forum Newbie
Posts: 3
Joined: Thu Jul 26, 2007 2:02 pm

Post by Rod »

Yes, as you say it could be hacked. Is there no completely secure way?

Thanks for ideas :)
miro_igov
Forum Contributor
Posts: 485
Joined: Fri Mar 31, 2006 5:06 am
Location: Bulgaria

Post by miro_igov »

Session. And another session variable in the cases when you want to go directly at check_credit.php
User avatar
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Rod wrote:miro_igov thanks for your reply :)

However, I'd prefer not to set a session variable in billing.php, because then the user just has to be on billing.php to access check_credit.php.

I'd like it for the user only to be able to access check_credit.php when the submit button is hit on billing.php.
Just make sure you keep the session active from file to file. I oftentimes forget that not every PHP programmer uses sessions as often as a lot of us do, but I have sessions active on every page. Just keep the session up. It's the most secure method.
User avatar
bluesman333
Forum Commoner
Posts: 52
Joined: Wed Dec 31, 2003 9:47 am

Post by bluesman333 »

ole wrote:You store whether they are logged in or not in a session. You never need to store a password at all anyway because you can compare hashes of it.
I typed wrong. I meant to say save 'credit card number' not 'password' - big difference. Completely different issue. Allow me to explain again.

Lets say I want to have a page where I collect the credit card number. After collecting the number I want to allow the user to confirm the details before submitting the transaction to the payment gateway. What do I do with the credit card number while the user is on the confirmation page?

I'm using authorize.net as my gateway. I know that I can use transaction type AUTH_ONLY to authorize the credit card. I'm thinking that I can then do a PRIOR_AUTH_CAPTURE on the confirmation page, but I'm unsure of the results this will produce since I'm still using a test account and haven't been able to test this.

I'd like to know if it's possible to do AUTH_CAPTURE and be able to give the user a confirmation page.
miro_igov
Forum Contributor
Posts: 485
Joined: Fri Mar 31, 2006 5:06 am
Location: Bulgaria

Post by miro_igov »

You can use AUTH_ONLY and when you decide to CAPTURE the funds or refund the auth. Authorize.net has bunch of documentation about this.
Post Reply