Preventing people from saving pages, changing code and executing locally?

jonno946

Hi there...

A couple of things really...

I am in the process of making a shopping cart for my website.

I am using worldpay as my payment gateway.

Firstly, as some of you well know, with worldpay, the final payment details are handed to worldpay using hidden <.form.> variables.

How can i prevent people saving this file locally, changing costs etc... and executing them, in the hope of getting items at a cheaper cost?

I have tried using javascript to submit the form page onload, however, this is still not bullet proof. Any further ideas how to do this?

Also, what is the best way of doing this for internal scripts?

Would $_server["HTTP_REFFERER"] be any use, or is there a better way?

Thanks

Jonno.

laserlight

Firstly, as some of you well know, with worldpay, the final payment details are handed to worldpay using hidden <.form.> variables.

You may need to elaborate.

How can i prevent people saving this file locally, changing costs etc... and executing them, in the hope of getting items at a cheaper cost?

What does worldpay say about this?
There are ways to secure such things, but they tend to rely on say, digital signatures or some form of authentication.

Would $_server["HTTP_REFFERER"] be any use, or is there a better way?

HTTP_REFERER can be spoofed.

drawmack

use curl to submit the page then you never even display the form with the hidden fields to the user.

jonno946

Intresting... can you explain curl a bit more? What is the basic syntax for this?

I have checked out php.net but all seems a bit over my head!

Laser > What is the best way of doing this then if http_refferer can be spoofed?

Thanks

Jonno

MarkR

You can't do it.

There are other ways too.

Checking the referer will not help, as people can fake that.

Or consider a malicious user using a proxy server which changes all your hidden fields into text fields?

Or consider the user who uses the Javascript console to disable or modify bits of your Javascript on the fly?

You just can't do it.

Your best bet is to get the people processing the orders to compare the price on the Worldpay confirmation with the price charged by the shop (which should be stored in a DB, file or email).

If they are different, then they can contact the customer directly explaining that there is a problem.

In practice it doesn't usually happen. I know shops which have worked this way for years and not had people try to defraud them.

Mark

drawmack

Originally posted by jonno946
Intresting... can you explain curl a bit more? What is the basic syntax for this?

[man]curl[/man]

Read the user comments on here they are very insiteful.

Really the only way to get to know curl is to play with it. Write some scripts that use it. It is one of the most powerful extensions for php. Basically it lets you write a script that acts as a browser. Here is an example from a project I just did:

Let's say you have protected pages on your site. If the user is not logged in you want them to see the login screen but you don't want them to see a different url in their address bar. Now let's say your login script is located at http://www.example.com/login.php. You would code this, using curl, like this:

<?php
if(array_key_exists('user_id',$_COOKIE)) {
    if(!checkValidUser($_COOKIE['user_id']) {
        $ch = curl_init('http://www.example.com/login.php');
        curl_exec($ch);
        curl_close($ch);
        die();
    } //end if
} //end if
?>

MarkR

Using Worldpay's form-based service, you are not allowed to programmatically submit requests to it.

If they discover you are doing so, they will probably close the account.

There are a number of pieces of text on Worldpay's site that they insist users see, and they also won't allow you to do a redirect from the success page.

The way of detecting problems, is to set up a callback from Worldpay which sends a message BACK to your site.

Your code can read the parameters, and compare it with the amount of money on that particular order. If they are different, you can then flag an error, send email etc.

So you can't stop people modifying the hidden fields, but you can effectively detect if someone has done so.

Mark