Reputation: 4124
I have a problem that I can't seem to figure out properly. I have a website where you can pick an offer and buy it. The steps for this procedure are:
1) The customer picks an offer he likes (index.php) and proceeds to the buy.php page
2) On the buy.php page he selects the quantity and the payment method
3) When the customer presses buy he is redirected to payment.php, where all the data is verified again and some database recording is done. The payment.php page passes the user on to the selected payment gateway (outside my website).
So the problem is that I can swap the $_POST data sent from the buy.php page to payment.php, and the payment page would think the data is correct.
Before, I was simply checking whether the price that comes to the payment page is one of the allowed prices in my $array, and I had no problems with this. But now I offer discounts and I cannot tell whether the amount coming in is indeed correct.
How is all this usually processed? I'm new to working with payments.
Thanks.
Upvotes: 1
Views: 298
Reputation: 64419
The usual way payment providers do this is the following.
Now when you receive the POST, you can use your secret string to recreate the hash that should accompany it, and compare it to the hash you got (also in the POST, of course; obviously don't hash that too). If they are equal, the values were not tampered with. If they aren't, you should reject the payment.
Because you also include a date, a user/order ID etc. in your POST, it cannot be reused for the POST of another order. Changing one of the values in the POST would also mean the hash has to be changed, but as the user can't create it, this will not do.
Upvotes: 2
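As an added example (not code from the answer above, and not the questioner's own code), here is the scheme that answer describes, in PHP: buy.php signs the fields it puts into the form with an HMAC under a server-side secret, and payment.php recomputes the HMAC over the fields it actually received and compares it with hash_equals before trusting the amount. The field names, the secret, the order values and the 15-minute freshness window are assumptions for illustration.

```php
<?php
// Added example: HMAC-signed order fields between buy.php and payment.php.
// The secret, the field names and the sample order are assumptions.

const ORDER_SIGNING_SECRET = 'replace-with-a-long-random-server-side-secret';
const SIGNED_FIELDS = ['order_id', 'user_id', 'price', 'quantity', 'date'];

// Build one canonical string from the signed fields, in a fixed order, so that
// buy.php and payment.php hash exactly the same bytes. Each value is
// length-prefixed so a value containing the separator cannot be ambiguous.
function canonicalOrderString(array $fields): string
{
    $parts = [];
    foreach (SIGNED_FIELDS as $name) {
        if (!isset($fields[$name]) || !is_scalar($fields[$name])) {
            throw new InvalidArgumentException("missing field: $name");
        }
        $value = (string) $fields[$name];
        $parts[] = strlen($value) . ':' . $value;
    }
    return implode('|', $parts);
}

// buy.php: compute the signature and put it in a hidden form field ("sig").
function signOrder(array $fields): string
{
    return hash_hmac('sha256', canonicalOrderString($fields), ORDER_SIGNING_SECRET);
}

// payment.php: recompute the signature from the posted fields (never from the
// posted "sig" itself) and compare in constant time. The date is part of the
// signed data, so an old but valid POST is rejected after the window expires.
function verifyOrder(array $post, int $maxAgeSeconds = 900): bool
{
    if (!isset($post['sig']) || !is_string($post['sig'])) {
        return false;
    }
    try {
        $expected = signOrder($post);
    } catch (InvalidArgumentException $e) {
        return false;
    }
    if (!hash_equals($expected, $post['sig'])) {
        return false; // a signed field or the signature was altered
    }
    $issued = strtotime((string) $post['date']);
    return $issued !== false && (time() - $issued) <= $maxAgeSeconds;
}

// Constructed demonstration values, as buy.php would emit them.
$order = [
    'order_id' => '1001',
    'user_id'  => '42',
    'price'    => '19.99',   // discounted price computed server-side in buy.php
    'quantity' => '2',
    'date'     => gmdate('c'),
];
$order['sig'] = signOrder($order);
echo 'untouched POST: ', verifyOrder($order) ? "accepted\n" : "rejected\n";

// The user edits the hidden price field in the browser; the signature no
// longer matches because the secret is not available client-side.
$tampered = $order;
$tampered['price'] = '0.01';
echo 'tampered price: ', verifyOrder($tampered) ? "accepted\n" : "rejected\n";
```

Two things to keep in mind with this approach: the signature only proves that payment.php received what buy.php sent, so buy.php must itself compute the discounted price from server-side data rather than from anything the browser supplied; and the secret must never appear in the form or in client-side code, otherwise the user can re-sign an altered POST.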
Reputation: 15905
Try a DB table of product IDs with prices and a table of discounts with the amount (or percent). When the user submits an order, send the IDs of the products with their respective quantities, along with the IDs of any discounts, to the payment script. Let it handle the final price calculation.
Upvotes: 2
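As an added example (not the answer's own code), the approach above in PHP: payment.php accepts only product IDs, quantities and discount IDs from the form and recomputes the amount from server-side tables, so a posted price field has no effect. The two tables are in-memory arrays standing in for the DB tables the answer suggests; the product IDs, prices and discount rules are assumptions for illustration, as is the rule that percentage discounts apply to the undiscounted subtotal.

```php
<?php
// Added example: server-side price recomputation in payment.php.
// PRODUCTS and DISCOUNTS stand in for DB tables; all values are assumed.

// Prices are kept in cents to avoid floating-point rounding in money math.
const PRODUCTS = [
    7  => ['name' => 'Basic offer',   'price_cents' => 1999],
    12 => ['name' => 'Premium offer', 'price_cents' => 4999],
];

// A discount is either a percentage of the subtotal or a fixed amount in cents.
const DISCOUNTS = [
    3 => ['type' => 'percent', 'value' => 10],
    5 => ['type' => 'fixed',   'value' => 500],
];

// $items maps product ID => quantity, $discountIds is a list of discount IDs.
// Every ID is validated against the server-side tables; unknown IDs, bad
// quantities and duplicated discounts are rejected or neutralised here.
function calculateTotalCents(array $items, array $discountIds): int
{
    $subtotal = 0;
    foreach ($items as $productId => $quantity) {
        $productId = filter_var($productId, FILTER_VALIDATE_INT);
        $quantity  = filter_var($quantity, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => 100]]);
        if ($productId === false || $quantity === false || !isset(PRODUCTS[$productId])) {
            throw new InvalidArgumentException('unknown product or invalid quantity');
        }
        $subtotal += PRODUCTS[$productId]['price_cents'] * $quantity;
    }

    $total = $subtotal;
    foreach (array_unique($discountIds) as $discountId) {
        $discountId = filter_var($discountId, FILTER_VALIDATE_INT);
        if ($discountId === false || !isset(DISCOUNTS[$discountId])) {
            throw new InvalidArgumentException('unknown discount');
        }
        $discount = DISCOUNTS[$discountId];
        if ($discount['type'] === 'percent') {
            $total -= intdiv($subtotal * $discount['value'], 100);
        } else {
            $total -= $discount['value'];
        }
    }
    // Stacked discounts must never drive the amount below zero.
    return max(0, $total);
}

// Constructed POST as it might arrive from buy.php. The "price" field is what
// a tampering user would send; payment.php simply never reads it.
$post = [
    'items'     => ['7' => '2', '12' => '1'],
    'discounts' => ['3', '3'],
    'price'     => '0.01',
];

try {
    $amountCents = calculateTotalCents($post['items'], $post['discounts']);
    printf("Amount to send to the gateway: %d.%02d\n",
        intdiv($amountCents, 100), $amountCents % 100);
} catch (InvalidArgumentException $e) {
    // Log and show a generic error; do not forward anything to the gateway.
    echo 'Order rejected: ', $e->getMessage(), "\n";
}

// A forged product ID is refused rather than silently priced at zero.
try {
    calculateTotalCents(['999' => '1'], []);
} catch (InvalidArgumentException $e) {
    echo 'Order rejected: ', $e->getMessage(), "\n";
}
```

Whatever amount this function returns is the one to record in the database and to pass to the gateway; when the gateway later confirms the payment, compare the paid amount against that stored value rather than against anything that came back through the browser.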