10-02-2003, 03:25 AM
WebProWorld Pro
Join Date: Aug 2003
Location: Iowa
Posts: 196
php form submission
I have an html form that is submitted to a php page. Along with the form variables I would like to post a couple of hidden variables, but I don't want these hidden variables to be seen by viewing the source of the page. One thought I had was to submit the form to the php page and have the hidden variables on the php page and then have it automatically submit itself with all the variables to another php page. I am very new to php, is this possible? Or I am open to any better suggestions.
Thanks in advance,
Dennis

10-02-2003, 07:47 AM
WebProWorld Pro
Join Date: Aug 2003
Location: United Kingdom
Posts: 128
What would be in the hidden variables?
If they are static, i.e. always the same, why not just put them straight into the PHP script?

10-02-2003, 07:30 PM
WebProWorld Pro
Join Date: Aug 2003
Location: Iowa
Posts: 196
variables
The variables would contain credit card vendor information that must be submitted to their PHP page. That is why I would like our PHP page to automatically submit itself to the vendor's PHP page. Is this possible? Like in JavaScript, where you place a submit() function in the onload event handler for the page.
Thanks,
Dennis

10-03-2003, 07:15 PM
WebProWorld New Member
Join Date: Oct 2003
Location: Puerto Vallarta, Jalisco
Posts: 6
Try this
I am a newbie to PHP, but I am quite familiar with Web programming (ASP mainly). I had to do almost the same thing you are facing right now, and I had 2 options to do this.
1. Use the hidden field to send the ID of the client so I could get the rest of the info from the database after I submit the form, then send it to the vendor.
2. The other one was to send fake info in those hidden fields and then recombine them on the submit page (something like using TRIM and SPLIT in ASP).
Let's say you have a credit card number you want to hide. Well, you could make this number from, let's say, 10 numbers and scramble it to like 100 or so, but keeping the "right" numbers in strategic places, so you then use split or trim or other commands that I am sure are available in PHP to remake this info. Sounds complicated, but it's not.
I mean, unless people know your "algo" they will have a very hard time figuring out what your real info is under those hidden numbers.
Personally I ended up using number 1 since the information was static, but the second option is better for information that is not as static.
Gee, I hope I explained myself and I hope I was of any help :)
Sorry for my bad English ;)

10-04-2003, 07:21 AM
WebProWorld Pro
Join Date: Aug 2003
Location: United Kingdom
Posts: 128
I think the question is this:
You have a form on your website for credit card info?
This form must be submitted to the gateway company who will verify the payment?
You need to put certain info in the form about you, hidden, but you don't want it to be seen?
One way I can think around this is to submit to a local PHP page which contains the variables, then you'd have to manually open a socket connection to the other server, and manually form an HTTP header and body for the POST request.
Is the stuff in the hidden fields so secret it's worth the bother?
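
The server-side relay described in the post above, as an added example that is not part of the original thread: the local PHP page keeps the merchant values in server code and POSTs them to the gateway itself, so they never reach the browser. It uses PHP's cURL extension rather than a hand-built socket request; the gateway URL, field names and merchant values are placeholders assumed for illustration.

```php
<?php
// Added example: relay.php, the local page the customer's form posts to.
// Merchant values live only in server-side code, never in page source.

// Hypothetical gateway URL and merchant fields (placeholders, not from the thread).
const GATEWAY_URL = 'https://gateway.example/process.php';
const MERCHANT_FIELDS = [
    'merchant_id'  => 'PLACEHOLDER_ID',
    'merchant_key' => 'PLACEHOLDER_KEY',
];
// Only these customer-supplied fields are forwarded (hypothetical names).
const CUSTOMER_FIELDS = ['card_number', 'expiry', 'amount'];

function build_gateway_fields(array $posted): array
{
    $out = [];
    foreach (CUSTOMER_FIELDS as $name) {
        // Forward allow-listed scalar fields only; anything else is dropped.
        if (isset($posted[$name]) && is_string($posted[$name])) {
            $out[$name] = trim($posted[$name]);
        }
    }
    // Merchant values are merged last, so nothing the browser sends
    // can replace the server-side values.
    return array_merge($out, MERCHANT_FIELDS);
}

function post_to_gateway(array $fields): string
{
    $ch = curl_init(GATEWAY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // verify the gateway's certificate
        CURLOPT_SSL_VERIFYHOST => 2,    // and that it matches the host name
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('gateway request failed: ' . curl_error($ch));
    }
    return $body;
}

// Relay only when the customer's form was actually submitted.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    echo htmlspecialchars(post_to_gateway(build_gateway_fields($_POST)));
}
```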

10-04-2003, 08:23 AM
WebProWorld Veteran
Join Date: Aug 2003
Location: Grand Rapids, MI USA
Posts: 553
Session variables may be your solution.
www.php.net/session
This will allow you to save information on the server and be able to access the information from page to page without the user even knowing that it exists. The only thing that references it is a unique session ID. What is in that session ID is unknown.
If you need some more help, let me know. I can explain more, but the PHP docs should be enough to give you an idea.

10-07-2003, 08:07 PM
WebProWorld Pro
Join Date: Aug 2003
Location: Iowa
Posts: 196
Exactly
Yes OSFan, you've got it right. That is exactly how I am proceeding with it, I was just hoping there was an easier way that I didn't know about. I don't know if it's actually worth the trouble either, but that's what the customer wants.
Thanks,
Dennis
Quote:
Originally Posted by OSFan
I think the question is this:
You have a form on your website for credit card info?
This form must be submitted to the gateway company who will verify the payment?
You need to put certain info in the form about you, hidden, but you don't want it to be seen?
One way I can think around this is to submit to a local PHP page which contains the variables, then you'd have to manually open a socket connection to the other server, and manually form an HTTP header and body for the POST request.
Is the stuff in the hidden fields so secret it's worth the bother?

10-30-2003, 01:26 PM
WebProWorld Member
Join Date: Oct 2003
Location: St. Louis
Posts: 30
I have never done this, but it should be possible and relatively simple. You could use a dynamically generated JavaScript include, which would "write" your hidden input statements to the page only if it was coming from the correct referring page. That way the info would never show up in the source, nor would someone be able to download it directly from the server.
That being said, I would try to convince the client that this is pointless. I've developed a number of custom ecomm. solutions and the merchant info that's transferred to a gateway is pretty much useless except for its intended purpose. Do they think it will be exploited in some way?

11-06-2003, 06:38 PM
WebProWorld Pro
Join Date: Aug 2003
Location: Iowa
Posts: 196
thanks
We eventually ended up using a different vendor that the customers felt more comfortable with. I'm not sure why they were so concerned about that. Thanks.
Quote:
That being said, I would try to convince the client that this is pointless. I've developed a number of custom ecomm. solutions and the merchant info that's transferred to a gateway is pretty much useless except for its intended purpose. Do they think it will be exploited in some way?

11-07-2003, 10:00 PM
WebProWorld Pro
Join Date: Aug 2003
Location: France
Posts: 196
wclew
To keep as close as possible to your initial request, you could use an "autosubmit" feature in the second PHP page (the page that adds confidential information into hidden fields).
This is easily achieved via an "onload" parameter in the <body> tag of the page:
<body onload="self.document.formname.submit()">
where "formname" is the name of your form.
This will automatically submit the form after the page is fully loaded, meaning after your PHP script has got the card number from the incoming form and put it in the new form together with your confidential information.
JP

11-11-2003, 02:16 AM
WebProWorld Pro
Join Date: Aug 2003
Location: Iowa
Posts: 196
autosubmit
Thanks JP, that was one option I had considered. I had 2 problems though, I wasn't sure if php handled an onload event in the body tag and secondly the client was still unsure that the 2nd page couldn't be intercepted right before the triggering of the onload event. I didn't think that would be a problem but I couldn't convince them of that. I'm just glad we've moved on. ;) Take care.
Quote:
Originally Posted by httpman
wclew
To keep as close as possible to your initial request, you could use an "autosubmit" feature in the second PHP page (the page that adds confidential information into hidden fields).
This is easily achieved via an "onload" parameter in the <body> tag of the page:
<body onload="self.document.formname.submit()">
where "formname" is the name of your form.
This will automatically submit the form after the page is fully loaded, meaning after your PHP script has got the card number from the incoming form and put it in the new form together with your confidential information.
JP

11-12-2003, 02:40 AM
WebProWorld Veteran
Join Date: Aug 2003
Location: Grand Rapids, MI USA
Posts: 553
The onload event is JavaScript, not PHP.

11-12-2003, 05:11 PM
WebProWorld Pro
Join Date: Aug 2003
Location: Iowa
Posts: 196
onload
I didn't think PHP had an onload event; I thought that was simply JavaScript. Again, the client was not convinced that the page could not be intercepted, though.