torinwalker Posted June 27, 2003

While writing a new payment gateway module, I discovered on the Confirmation page that the page source (the form entry for the confirm button) contained the sensitive account information and payment method fields being passed to my payment gateway. This of course was completely unacceptable, and so I sought out a way to make the procedure more secure. I would really appreciate any suggestions for a BETTER approach:

Instead of a direct post à la osCommerce's normal payment procedure, I rewrote the button's submit form to post to my own intermediate proxy page. This page, written entirely in PHP (thus invisible), contacts the payment gateway, receives the response, and uses cURL to post back to the checkout_success (success) or checkout_payment (fail). This additionally allows me to use the bank's XML gateway instead of the direct post gateway - it affords better security and a few other niceties over the DP method.

The question remains though... am I going about this the wrong way? If there is another method that constrains itself to the normal osCommerce methodology, I would be glad to hear it. It would make my contribution amenable to those who need it.

Torin...
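Added example (not part of the original post, and not osCommerce code): a check that can be run against the rendered confirmation page to catch the exposure described above, where payment fields end up as hidden inputs in the page source. The sample pages, the field-name hints and `payment_proxy.php` are constructed assumptions; the "after" page assumes the proxy reads payment data from server-side state rather than from the form.

```python
import re
from html.parser import HTMLParser

# Assumed name hints; adjust to the field names your gateway module emits.
SENSITIVE = re.compile(r"card|cc_|cvv|cvc|expir|account|merchant|password", re.I)

def luhn_ok(digits):
    # Luhn checksum: true for syntactically valid card numbers.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class HiddenFieldAudit(HTMLParser):
    # Collects hidden inputs that expose payment data in page source.
    def __init__(self):
        super().__init__()
        self.action, self.findings = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            name, value = a.get("name") or "", a.get("value") or ""
            digits = re.sub(r"[ -]", "", value)
            reasons = []
            if SENSITIVE.search(name):
                reasons.append("sensitive name")
            if re.fullmatch(r"\d{13,19}", digits) and luhn_ok(digits):
                reasons.append("card-like value")
            if reasons:
                self.findings.append((self.action, name, reasons))

def audit(html):
    # Returns a list of (form action, field name, reasons) tuples.
    parser = HiddenFieldAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample pages (not osCommerce output): direct post vs. proxy post.
# payment_proxy.php is a hypothetical name for the intermediate page.
BEFORE = """<form action="https://gateway.example/post" method="post">
<input type="hidden" name="merchant_id" value="M-0001">
<input type="hidden" name="cc_number" value="4111 1111 1111 1111">
<input type="hidden" name="cc_expires" value="0605">
<input type="submit" value="Confirm"></form>"""
AFTER = """<form action="payment_proxy.php" method="post">
<input type="hidden" name="order_ref" value="a81f3c">
<input type="submit" value="Confirm"></form>"""
```

Calling `audit(BEFORE)` reports three fields posted toward the gateway, while `audit(AFTER)` returns an empty list; the same function can be pointed at saved copies of real confirmation pages in a regression test.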