  1. #1
    SitePoint Guru
    Join Date
    Nov 2000
    Posts
    740

    Passing along a variable

    From my payment gateway, I have an amount variable passed across to an order completed page: mysite.com/ordercompleted.php?amount=50

    The code for the top part of this page is below:

    Code:
    <html>
    <head>
    <title>Order Completed</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <meta http-equiv="refresh" content="4;URL=http://www.mysite.com/ordertracked.php?amount=$amount">
    Will that code pass the amount variable across to ordertracked.php and, if not, what changes do I need?

    If I want to access the $amount variable on ordertracked.php, do I just use $amount in my php code or do I need to have some kind of code in the header to extract the amount value to store into a variable?

    Thanks,

    Jon

  2. #2
    ParkinT (Avid Logophile)
    Join Date
    May 2006
    Location
    Central Florida
    Posts
    2,332
    That value will be accessible as part of the GET array.
    Use a line like this to get the value:
    $theAmount = $_GET['amount'];
    Don't be yourself. Be someone a little nicer. -Mignon McLaughlin, journalist and author (1913-1983)

  3. #3
    Redivider (SitePoint Evangelist)
    Join Date
    Nov 2003
    Location
    PA
    Posts
    465
    $_GET['amount'] should give you the value of amount, or if you have register_globals on, $amount will work too.

    I'm not sure what else is going on in your code, but sending an "amount" variable in the URL doesn't seem like a good idea to me. GET variables are easily manipulated. Anyone who ends up on that page could change the amount to whatever they want. Depending on what the application is doing, that may not matter but it's usually better to send things like that as POST variables.

  4. #4
    SitePoint Guru
    Join Date
    Nov 2000
    Posts
    740
    At that stage, payment has already been made so it's not too important. So will GET always work or does that depend on how it was sent to the ordercompleted.php page?

    As for putting the GET command in, would my revised code look like this?

    Code:
    <html>
    <head>
    <title>Order Completed</title>
    <?php $theAmount = $_GET['amount']; ?>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <meta http-equiv="refresh" content="4;URL=http://www.mysite.com/ordertracked.php?amount=$amount">
    Last edited by Jon Lawrance; Oct 15, 2007 at 09:53.

  5. #5
    tbakerisageek (SitePoint Addict)
    Join Date
    Sep 2006
    Posts
    213
    Quote Originally Posted by Redivider:
    $_GET['amount'] should give you the value of amount, or if you have register_globals on, $amount will work too.

    I'm not sure what else is going on in your code, but sending an "amount" variable in the URL doesn't seem like a good idea to me. GET variables are easily manipulated. Anyone who ends up on that page could change the amount to whatever they want. Depending on what the application is doing, that may not matter but it's usually better to send things like that as POST variables.
    POST data can also be edited before it is submitted. If there is something like this that you just can't avoid passing through POST or GET because you can't use a session var (because you pass it to another site), I like to create a token of it using some hashing function and check the token again after you receive it back, to make sure that it has not been changed.

  6. #6
    SitePoint Enthusiast
    Join Date
    Feb 2005
    Posts
    62
    Not being a PHP whizz myself, but wouldn't it be better to store the value in a session variable? That way it would be invisible, wouldn't it? The value would then stay constant for the duration of the session and you would also have the option to store the session data to a database.
    people in glass houses shouldn't walk around naked

  7. #7
    SitePoint Guru
    Join Date
    Nov 2000
    Posts
    740
    I don't have any control over how the variable is passed from my payment gateway.

    Is my revised code above correct?

  8. #8
    SitePoint Enthusiast
    Join Date
    Oct 2007
    Posts
    68
    Quote Originally Posted by Jon Lawrance:
    I don't have any control over how the variable is passed from my payment gateway.

    Is my revised code above correct?
    Nope, not right. You're not using the variable declaration right there.

    PHP Code:
    <html>
    <head>
    <title>Order Completed</title>
    <?php $theAmount = $_GET['amount']; ?>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <?php // PHP variables are not expanded inside plain HTML, so the value has to be echoed into the URL ?>
    <meta http-equiv="refresh" content="4;URL=http://www.mysite.com/ordertracked.php?amount=<?php echo htmlspecialchars(urlencode($theAmount)); ?>">
    Try that.

    However, I very much doubt they are giving you the variable in a GET statement; try using this if that doesn't work.

    PHP Code:
    <html>
    <head>
    <title>Order Completed</title>
    <?php $theAmount = $_REQUEST['amount']; ?>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <meta http-equiv="refresh" content="4;URL=http://www.mysite.com/ordertracked.php?amount=<?php echo htmlspecialchars(urlencode($theAmount)); ?>">
    Think of $_REQUEST as $_POST and $_GET together.


    If not, tell me the company's name; I will take a look at their API and post back here.

    I'm slightly concerned for your security here too. For instance, if I found this page, I could easily manipulate the URL and pretend I paid for one of your products. I'm not sure if this is just a notification page?
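    The hand-off the thread is discussing, written out as an added example (not code from any poster): ordercompleted.php echoes the amount into the refresh URL together with a keyed token, as post #5 suggests, and ordertracked.php accepts the amount only if the token still matches. SECRET_KEY, the URL and the amount format are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. SECRET_KEY, the URL and the
// amount format are assumptions for illustration.
const SECRET_KEY = 'replace-with-a-long-random-secret'; // placeholder; never ship a real key in code

function amount_token(string $amount): string
{
    // HMAC rather than a bare hash: without the key a visitor could recompute the token.
    return hash_hmac('sha256', $amount, SECRET_KEY);
}

function build_tracked_url(string $base, string $amount): string
{
    // http_build_query() url-encodes both values, so the amount survives the redirect intact.
    return $base . '?' . http_build_query(['amount' => $amount, 'token' => amount_token($amount)]);
}

function verify_amount(array $params): ?string
{
    // For ordertracked.php: return the amount only if it is well-formed and the token matches.
    if (!isset($params['amount'], $params['token'])) {
        return null;
    }
    $amount = (string) $params['amount'];
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $amount)) {
        return null;
    }
    // hash_equals() is a constant-time comparison.
    return hash_equals(amount_token($amount), (string) $params['token']) ? $amount : null;
}

function refresh_meta(string $url): string
{
    // PHP variables are not expanded inside plain HTML, so the URL is echoed and
    // escaped for use inside an attribute.
    return '<meta http-equiv="refresh" content="4;URL=' . htmlspecialchars($url, ENT_QUOTES) . '">';
}

// ordercompleted.php would do: echo refresh_meta(build_tracked_url($trackedPage, $_REQUEST['amount']));
// Self-check with constructed values: the round trip succeeds and a tampered amount is rejected.
$url = build_tracked_url('http://www.mysite.com/ordertracked.php', '50');
parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
assert(verify_amount($params) === '50');
$params['amount'] = '1000';
assert(verify_amount($params) === null);
echo refresh_meta($url), PHP_EOL;
```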

  9. #9
    SitePoint Guru
    Join Date
    Nov 2000
    Posts
    740
    That is very kind of you.

    The company is Secure Trading, which is a credit card processing company.

    When I get to ordertracked.php, I presume I just use...

    PHP Code:
    <?php $theAmount = $_REQUEST['amount']; ?>

    ...to be able to use the amount variable again, yes?

  10. #10
    SitePoint Enthusiast
    Join Date
    Oct 2007
    Posts
    68
    Yes, sorry for the delay in posting... Was at College.

    Okay, yes that is right.

    Now, with the API of the credit card company, I highly doubt they would be posting information to you without any other form of verification.


    Usually API systems work where the user pays by credit card, the company processing the card then POSTs a request to a specified page handler on your server, and you would then check the IP of the host and confirm it, so it can only come from the company's machine.

    You would then have a second page where the user is redirected to when they've paid. This means the user sees none of this going on and is none the wiser.

    However, I'm looking at what you're trying to do as a problem: by sending the user with a GET parameter, they could easily manipulate it to amount=1000 or something along those lines.

    Is this just a verification page? Will this be processed and send them the order?


    Just I don't want you going off and getting attacked.
    Kieran Allen, 16 years old
    Full time PHP developer,
    With 5 years experience in web development.
    www.kieran.in .. my blog.

  11. #11
    SitePoint Guru
    Join Date
    Nov 2000
    Posts
    740
    I won't get attacked. The page just sends me an order confirmation to update a database.

  12. #12
    SitePoint Enthusiast
    Join Date
    Oct 2007
    Posts
    68
    Ah, okay.
    Kieran Allen, 16 years old
    Full time PHP developer,
    With 5 years experience in web development.
    www.kieran.in .. my blog.

  13. #13
    tbakerisageek (SitePoint Addict)
    Join Date
    Sep 2006
    Posts
    213
    Quote Originally Posted by Jon Lawrance:
    I won't get attacked. The page just sends me an order confirmation to update a database.
    NEVER update a database directly from input sent to your server. You have to always sanitize and confirm the data that is coming to your server. Granted, only the payment Gateway knows the page to send data to, but that information would not be too difficult to acquire. You don't want people to be sending any data to your pages that would end up right in your database... This again leaves you open to SQL Injection attacks...


    EDIT:
    I apologize, I misread the quoted post. I thought that it said it only updates a database. I'm not going to remove my original response, only because it is a message that can never be overstated. I do recognize, however, that it is not the case for the quoted poster.
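    The server-side handler that posts #10 and #13 describe, as an added example (not code from the thread or from Secure Trading): the gateway's POST is accepted only from an allow-listed source address, every field is validated, and the order is updated with a bound-parameter query rather than string concatenation. The allow-listed IP, field names, table and DSN are constructed placeholders; a real gateway's documented callback verification takes their place.

```php
<?php
// Added example, not from the thread. GATEWAY_IPS, the field names, the table
// and the DSN are constructed placeholders for illustration.
const GATEWAY_IPS = ['203.0.113.10']; // placeholder in the TEST-NET-3 documentation range

function from_gateway(string $remoteAddr): bool
{
    // REMOTE_ADDR is set by the web server, not by the client, but behind a
    // reverse proxy it holds the proxy's address, so the check must be adapted there.
    return in_array($remoteAddr, GATEWAY_IPS, true);
}

function validate_callback(array $post): ?array
{
    // Allow-list and format-check every field before it goes anywhere near the database.
    if (!isset($post['orderref'], $post['amount'])) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9-]{1,40}$/', (string) $post['orderref'])) {
        return null;
    }
    if (!preg_match('/^\d+(\.\d{1,2})?$/', (string) $post['amount'])) {
        return null;
    }
    return ['orderref' => (string) $post['orderref'], 'amount' => (string) $post['amount']];
}

function record_payment(PDO $db, array $data): int
{
    // Prepared statement: values are bound, never concatenated into the SQL text.
    $stmt = $db->prepare('UPDATE orders SET status = :status, paid_amount = :amount WHERE orderref = :ref');
    $stmt->execute([':status' => 'paid', ':amount' => $data['amount'], ':ref' => $data['orderref']]);
    return $stmt->rowCount();
}

// Handler entry point, run only when invoked through the web server.
if (PHP_SAPI !== 'cli') {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' || !from_gateway($_SERVER['REMOTE_ADDR'] ?? '')) {
        http_response_code(403);
        exit;
    }
    $data = validate_callback($_POST);
    if ($data === null) {
        http_response_code(400);
        exit;
    }
    $db = new PDO('mysql:host=localhost;dbname=shop', 'dbuser', 'dbpass'); // placeholder DSN
    record_payment($db, $data);
    echo 'OK';
}
```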

