Maxime Pacary

Reputation: 23061

Form autosubmit for online payment: bad practice?

Context:

I have to add an online payment system to a quite old PHP 4 website (Yay!). As usual, an external payment platform/gateway will be used.

After preparing an order on the website, that payment platform expects to be called with POST data, then displays its online payment page if everything is OK.

Question:

Would it be a bad practice to autosubmit a form with a bunch of hidden fields, in order to switch to the payment platform?

It seems that I don't have a choice, but I would like to know if someone sees a better way to do that online payment platform integration.

Current workflow:

  1. ... last ordering step: order summary
  2. user clicks on "order" (that button is already part of a form whose action is an internal page)
  3. results page (generally: order successfully saved, will be quickly processed, etc.)

The new detailed workflow would be:

  1. ... last ordering step: order summary
  2. user clicks on "order" (that button is already part of a form whose action is an internal page)
  3. after existing internal processing, redirection to the "autosubmitted form" page
  4. the autosubmit form submits itself (its action being the payment platform URL)
  5. online payment...
  6. result page

NB. I would add some "please click to order" button for users having JavaScript disabled.

Thanks for any suggestions / thoughts. Or even telling that there should be no problem with this :)

Upvotes: 0

Views: 233

Answers (1)

s.webbandit

Reputation: 17000

Autosubmitting a form with a bunch of hidden fields, in order to switch to the payment platform, is OK. But you should pay much attention to security here, because an intruder can modify those hidden fields.

Upvotes: 1
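
One way to address the hidden-field tampering raised in this answer is to build the fields from the stored order and add a keyed signature that the receiving side recomputes. This is an added example, not code from the post or from any payment platform: the field names, the `signature` field, the shared secret and a gateway that checks an HMAC are assumptions, and it needs PHP 5.6+ (`hash_hmac`, `hash_equals`), which the PHP 4 site in the question lacks.

```php
<?php
// Added example: field names, secret and gateway behaviour are assumptions.
const GATEWAY_SECRET = 'constructed-demo-secret'; // placeholder; load the real key from config

// Canonical string: fields sorted by name so both sides sign identical bytes.
function canonicalize(array $fields) {
    ksort($fields);
    $parts = array();
    foreach ($fields as $name => $value) {
        $parts[] = rawurlencode($name) . '=' . rawurlencode((string) $value);
    }
    return implode('&', $parts);
}

function sign_fields(array $fields, $secret) {
    return hash_hmac('sha256', canonicalize($fields), $secret);
}

// Build the hidden inputs from the stored order, never from request data.
function render_hidden_fields(array $order, $secret) {
    $fields = array(
        'order_id' => $order['id'],
        'amount'   => $order['amount_cents'],
        'currency' => $order['currency'],
    );
    $fields['signature'] = sign_fields($fields, $secret);
    $html = '';
    foreach ($fields as $name => $value) {
        $html .= sprintf('<input type="hidden" name="%s" value="%s">' . "\n",
            htmlspecialchars($name, ENT_QUOTES), htmlspecialchars((string) $value, ENT_QUOTES));
    }
    return $html;
}

// Receiving side: recompute the signature and compare in constant time.
function verify_fields(array $posted, $secret) {
    if (!isset($posted['signature']) || !is_string($posted['signature'])) { return false; }
    $sig = $posted['signature'];
    unset($posted['signature']);
    return hash_equals(sign_fields($posted, $secret), $sig);
}

$order = array('id' => 'A1001', 'amount_cents' => 4990, 'currency' => 'EUR'); // constructed
echo render_hidden_fields($order, GATEWAY_SECRET);
$posted = array('order_id' => 'A1001', 'amount' => '4990', 'currency' => 'EUR');
$posted['signature'] = sign_fields($posted, GATEWAY_SECRET);
var_dump(verify_fields($posted, GATEWAY_SECRET)); // fields as rendered
$posted['amount'] = '1';
var_dump(verify_fields($posted, GATEWAY_SECRET)); // amount edited in the browser
```

Independently of any signature, the result page should compare the amount the platform reports as paid with the stored order before marking the order paid.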
