Need to host secrete hash code out side the webspace?

vasuin

Hi guys
i have major problem with the project we are working on Can you please some one provide solution for the problem specified below
payment gate way has been integrated into that website by bank so they provided link ,entioned below to us and told us to integrate. after integrating that into website after the customer fills the form during check out they are able to tamper the price They are saying that is happening as secure hash secrete code is not stored out side the web space can you please some one read carefully about the mentioned stuff below and provide me with solution please

After clicking on Continue the below details are being posted to the VPC_PHP_3P_DO.php page.

The main issue here is that the VPC_PHP_3P_DO.php page is hosted in the web space and is incurred. This file contains the SecureHash code which should be stored outside of the web space. This is extremely important and must be stored securely
The page also has the same file name of which was provided in the sample code and in reality should not be used. It’s only supplied to show how the transaction is to be built.

As also shown below is the ‘vpc_Amount’ value (9999). As this value is the actual value that will be used in the transaction request, and as the MD5 hash routine has not yet taken place this value can be changed. Again any information displayed on the website should NOT be the actual information that is going to be used to generate the transaction. The transaction request needs to be generated outside of the web space.

traq

they're talking about storing the hash/files above the web root (e.g., your [FONT="monospace"]public_html/[/FONT] directory [directory name varies by host]), so they are accessible only to your server and are not available via the internet.

If you don't understand this concept, I'd strongly recommend hiring a developer that has more experience with ecommerce - you really don't want to be liable for losing people's money because of a shortcoming in your code.

vasuin

can you please tell me how that can be done? i have a developer having strong knowledge in php but stuck there please guide us to provide the solution

traq

I answered your specific question; I don't know how else to explain it.

On your server, a specific directory is your "root." for example,
[font="monospace"]http://www.example.com[/font]
might point to the directory
[font="monospace"]/home/users/domains/example_com/public_html/[/font]
(this depends on your host and server configuration, of course).

files in your root, and the directories below it, comprise your "website" and can be accessed via the internet.

files "above" your root -i.e., in [font="monospace"]example_com/[/font] and the directories above it- cannot be accessed via the web (unless there's something seriously wrong with your server configuration). They can be accessed (depending on privileges) by scripts on your server, and are usually managed via FTP, but no one can get those files by opening a browser and typing something like [font="monospace"]http://www.example.com/../some.file[/font].

If you want further help with getting this to work, you should hire someone - when you're dealing with financial transactions, you need a developer who is capable and directly involved, not uninformed advice based on a forum post.

vasuin

i understood what u have said the problem is not with server configuration they are using some hacking tool and able to tamper the price. To prevail that one they wanted us to host secure hash code out side the web space any ways many thanks for the information u have provided

cheers
vasu

leatherback

vasuin;10985757 wrote:
i understood what u have said the problem is not with server configuration they are using some hacking tool and able to tamper the price. To prevail that one they wanted us to host secure hash code out side the web space any ways many thanks for the information u have provided

cheers
vasu

Vasuin: Clearly you are using the wrong developer. This is NOT something you should be getting info on over a forum. If you cannot make it work, and your developer cannot make it work, it means you should not be working on this project. Bank interfaces are no joke.

Naturally, if people are hacking the code, it is not because the secure hash is stored within the root of the site; You do not place these sort of codes in the root, only because when your webserver / PhP processor fails, the code may become visible. However, as long as that is not the case, they should not be able to access the file, as long as you have worked properly. Appearently, you have not coded theis properly and the site is open to hackers.

Even something as simple as using global variables may lead to tempering with the price. So.. Unless the bank knows your code inside out, they cannot tell you what the solution is. Neither can we. For a secure transaction model you just need to have an experienced code, who know about keeping your code secure & organized.

If the application is open to altering prices, you can be sure there are other flaws too.

Get a better PhP developer in. Really.

vasuin

Thanks for the information you have provided even we did every thing right we have fixed what ever they asked us to do even we cannot able to view the page they are viewing and tampering they suggested us some things saying that might be the causes for tampering they dont know any thing of our program environment . if you have right solution can u please provide me.

traq

the "right solution" has been offered several times: hire a capable php developer.

trust me; I've done this before, and you don't want someone who can "make it work" - you need someone who knows how to do it. If you run into problems that "stump" you, then you don't know how to do it well enough. You will get yourself into trouble.

vasuin

How you have been? hope doing good Many thanks for providing solution for my problem we are working on that based on the idea you have generated to us can you please provide us solution for how to get rid off live form data in php

Many Thanks
Vasu

traq

vasuin;10985891 wrote:
How you have been? hope doing good Many thanks for providing solution for my problem we are working on that based on the idea you have generated to us

you are welcome. as you work, please keep in mind that my only suggestion was to hire someone who is fully qualified to do this sort of scripting. : )

vasuin;10985891 wrote:
can you please provide us solution for how to get rid off live form data in php

I'm sorry; I don't understand your question. What do you mean by "live form data"?