Reputation: 323
The final stage of my project is to connect my website to a bank payment gateway to allow people to buy things using credit cards but without storing any credit card data on my site. I've been on Google and stackoverflow and think I'm on the right track but am obviously doing something wrong.
The idea is that as the form opens an http-post happens which sends a set of parameters to the gateway which responds with a nice long encryption string which I use to submit the actual order. I'd appreciate some help here as I'm now quite stuck.
<form method="post" action="/A55D74/fwcdirect.nsf/encrypt?OpenForm&Seq=1" name="_encrypt">
<input type="hidden" name="__Click" value="0" /><form action="https://encryption-gateway-url.e" method="post">
<script>
var url = "valid-url";
var params = "clientid=12&password=xyz&chargetype=Auth&currency=42&total=1.00";
xmlhttp = new XMLHttpRequest();
xmlhttp.open("post", url, true);
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlhttp.send(params);
return xmlhttp.responseText;
</script>
<input type="hidden" name="returnurl" value="http://www.mywebsite.co.uk/">
<input type="hidden" name="merchantdisplayname" value="Website + Shopping cart">
<input type="submit" value="10.00">
</form>
9th April: I still haven't cracked the problem yet, although I am getting an error response from the gateway server. I'm currently exploring dojo, which is looking very promising and as a bonus comes pre-installed with Lotus Notes client & server (Domino 8.5.1 has dojo 1.3.2).
Upvotes: 1
Views: 1147
Reputation: 175926
My guess would be you are supposed to do this on the server, not in the client where same-origin policy prevents you from posting and reading data to a different domain.
I.e. the customer loads the final payment page; before it's returned from your server you post your billing details to the bank, get the encrypted response and append that as a hidden field in the form the user will actually submit for payment.
It's supposed to be a way to prevent users from messing about with the client/amount params; they should never see them at all.
(This looks like EPDQ; if so, that's definitely what you're supposed to do, as I use it myself!)
Upvotes: 1
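The server-side flow this answer describes, as an added example that is not part of the original answer or of any gateway's documentation: the server requests the encrypted string and renders only that value into the form the customer submits. The gateway URLs, the hidden field name `encrypted` and the helper names are assumptions, and Node.js stands in for whatever server platform is in use.

```javascript
// Added example: runs on the web server (Node.js here), not in the browser.
const ENCRYPT_URL = "https://gateway.example/encrypt"; // placeholder URL
const PAYMENT_URL = "https://gateway.example/pay";     // placeholder URL

const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESC[c]);
const formatTotal = (pence) => (pence / 100).toFixed(2);

// Request body with the parameter names from the question. The total comes
// from the server-side cart, never from a value the browser submitted.
function buildEncryptBody(creds, order) {
  return new URLSearchParams({
    clientid: creds.clientid,
    password: creds.password,
    chargetype: "Auth",
    currency: order.currency,
    total: formatTotal(order.totalPence),
  }).toString();
}

// The only gateway-derived value the browser sees is the opaque encrypted
// string. The hidden field name "encrypted" is an assumption.
function paymentFormHtml(encrypted, order) {
  const value = String(encrypted || "").trim();
  if (!value) throw new Error("gateway returned no encrypted string");
  return [
    `<form action="${escapeHtml(PAYMENT_URL)}" method="post">`,
    `<input type="hidden" name="encrypted" value="${escapeHtml(value)}">`,
    `<input type="hidden" name="returnurl" value="${escapeHtml(order.returnUrl)}">`,
    `<input type="submit" value="Pay ${formatTotal(order.totalPence)}">`,
    `</form>`,
  ].join("\n");
}

// Server-to-server POST; `post` is injectable so the flow can run offline.
async function preparePaymentPage(creds, order, post) {
  const res = await post(ENCRYPT_URL, buildEncryptBody(creds, order));
  if (res.status !== 200) throw new Error("gateway error " + res.status);
  return paymentFormHtml(res.text, order);
}

// Constructed stand-in for the gateway (no network access needed).
const fakeGateway = async (url, body) => ({ status: 200, text: "CONSTRUCTED-ENC==\n" });
const demoCreds = { clientid: "12", password: "xyz" }; // values from the question
const demoOrder = { currency: "42", totalPence: 100, returnUrl: "http://www.mywebsite.co.uk/" };
preparePaymentPage(demoCreds, demoOrder, fakeGateway).then((html) => console.log(html));
```

In production `post` would be a real HTTPS client call made from the server, with the credentials loaded from server-side configuration rather than literals.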
Reputation: 61
XMLHttpRequest is a callback method, so it means you should create a callback function to process the responseText.
e.g.
var url = "valid-url";
var params = "clientid=12&password=xyz&chargetype=Auth&currency=42&total=1.00";
xmlhttp = new XMLHttpRequest();
xmlhttp.open("post", url, true);
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
// add this line
xmlhttp.onreadystatechange = callback;
xmlhttp.send(params);
// remove this line
//return xmlhttp.responseText;
// add a new function
function callback() {
  // the handler receives an event, not the request, so read the state from xmlhttp itself
  if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
    alert(xmlhttp.responseText);
  }
}
Upvotes: 0