
I have the following PHP code

    <?php

    // Escape a value and quote it for use inside an SQL string. The original
    // interpolated the raw $_POST values straight into the queries below.
    function q($v)
    {
        return "'" . mysql_real_escape_string($v) . "'";
    }

    // Values posted from the HTML form; the card number arrives already tokenized
    $tokenex_cipherText = $_POST['tokenex_cipherText'];
    $token = generateToken($tokenex_cipherText);   // original read an undefined $tokenex_cipherText
    $merchantid = "example";
    $Password = "example1";
    $remoteIP = '11.22.95.5';
    $customerReferenceNo = $_POST['customerReferenceNo'];
    $amount = $_POST['amount'];
    $currencyCode = '356';

    $expiryMonth = $_POST['expiry_month'];
    $expiryYear = $_POST['expiry_year'];
    $securityCode = $_POST['cvv'];
    $cardHolderName = $_POST['name_on_card'];
    $cardType = $_POST['selectedRadioValue'];

    // Map the radio button value to the gateway's payment mode code
    if ($cardType == 'radio1') {
        $cardType = 'CC';
    }
    if ($cardType == 'radio2') {
        $cardType = 'DB';
    }

    // Map the form's card brand names to the gateway's provider codes
    $cardProvider = $_POST['ccType'];
    if ($cardProvider == 'visa_electron') {
        $cardProvider = 'visa';
    }
    if ($cardProvider == 'mastercard') {
        $cardProvider = 'mc';
    }
    if ($cardProvider == 'maestro') {
        $cardProvider = 'maest';
    }
    if ($cardProvider == 'sbi_maestro') {
        $cardProvider = 'sbime';
    }
    $cardProvider = strtoupper($cardProvider);

    $name = $cardHolderName;
    $mobileNo = $_POST['mobileNo'];
    $Email = $_POST['email'];
    $merchant_id = $_POST['merchant_id'];

    // Store the token once per merchant
    $sql = mysql_query("select * from card_token where token=" . q($token));
    $numrows = mysql_num_rows($sql);
    if ($numrows == 0) {
        $sql = mysql_query("insert into card_token values('', " . q($token) . ", " . q($merchant_id) . ", now())");
    }

    $sql = mysql_query("update payment_tools_transactions set token_id=" . q($token) . ", cardHolderName=" . q($cardHolderName) . ", cust_Email=" . q($Email) . ", mobileNo=" . q($mobileNo) . ", trans_type=" . q($cardType) . ", cardProvider=" . q($cardProvider) . ", trans_amount=" . q($amount) . " where trans_refNo=" . q($customerReferenceNo));

    // Checksum over merchantid|amount|customerReferenceNo, as the gateway expects
    $checksum = $merchantid . "|" . $_POST['amount'] . "|" . $customerReferenceNo;
    $checksum = hash('sha256', $checksum);
    $data = 'tokenNo=' . $token . '&securityCode=' . $securityCode . '&cardExpiryMonth=' . $expiryMonth . '&cardExpiryYear=' . $expiryYear . '&cardHolderName=' . $cardHolderName . '&transactionAmount=' . $amount . '&paymentMode=' . $cardType . '&currencyCode=' . $currencyCode . '&customerReferenceNo=' . $customerReferenceNo . '&cardProvider=' . $cardProvider . '&name=' . $name . '&mobileNo=' . $mobileNo . '&email=' . $Email . '&password=' . $Password . '&amount=' . $_POST['amount'] . '&remoteIP=' . $remoteIP . '&checkSum=' . $checksum;

    // 3DES key shared with the gateway; the whole $data string is encrypted with it
    $encryption_key = "CE5D964";
    $desEncryptedData = encryptText_3des($data, $encryption_key);
    $desEncryptedData = urlencode($desEncryptedData);

    // Both parameters end up in the query string, i.e. in the browser's address bar
    $url = 'https://payment.paykml.com/PGCCDCToken/TokenPayment.jsp?merchantId=' . $merchantid . '&data=' . $desEncryptedData;    //URL for CC authentication
    header("Location: $url");
    exit;

An HTML form posts some values into this PHP script, the code above is executed, and via header("location:$url"); these parameters are redirected to $url='https://payment.paykml.com/PGCCDCToken/TokenPayment.jsp?merchantId='.$merchantid.'&data='.$desEncryptedData;

But the problem I'm facing is that the redirect URL is exposed, like https://payment.paykml.com/PGCCDCToken/TokenPayment.jsp?merchantId=example&data=**********

Anyone can manipulate or easily get these values. Is there any way I can hide these parameters by using sessions? Or is there any other way around to hide these URL redirect parameters?

Can someone help? I have been searching everywhere to find a solution but in vain :(

Solution: Sessions cannot be used here since we are redirecting to a third-party website. So I used curl for posting my parameters to the site.

    //Copy paste all the code till here...
    $encryption_key = "CE5D964";
    $desEncryptedData = encryptText_3des($data, $encryption_key);
    $desEncryptedData = urlencode($desEncryptedData);

    $url = 'https://payment.paykml.com/PGCCDCToken/TokenPayment.jsp?merchantId=' . $merchantid . '&data=' . $desEncryptedData;
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);   // the original set this to false, which turns off certificate checking
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);      // return the gateway's response instead of echoing it to the browser
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    $auth = curl_exec($curl);
    $httpCode = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);
    // curl_exec() returns false on a transport error; with RETURNTRANSFER on, an
    // empty body is also falsy, so compare against false explicitly
    if ($auth !== false && $httpCode == 200) {
        // A 200 only means the gateway answered; whether the payment went through
        // is in $auth, in whatever format the gateway documents
        header("Location: success.php"); //Redirect to a success page after payment.
        exit;
    }
That1Guy

1 Answer


If paykml.com is part of your own site, then you can use $_SESSION vars. If you are posting to a 3rd party payment processing company, then security is based on how they have set this up and you cannot use $_SESSION vars. I'd be concerned about the data input form that is passing the values to the form you have above. If you are the one posting credit card info to the above form, you should be using SSL. $_SESSION is not going to help you. Take a look here for info on accepting credit card info on your site.


Using stream_context_create and fopen(). This code is adapted from here. I have NOT tested this so do not know if it would work, but you could start here.

    <?php
    // $merchantid and $data are the values built in the question's script
    $options = array(
      'http' => array(
        'method'  => "POST",   // the original said GET, but a request body is only sent with POST
        'header'  =>
          "Accept-language: en\r\n" .
          "Content-type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(array("merchantId" => $merchantid, 'data' => $data))
      )
    );

    $context = stream_context_create($options);

    // Card data must travel over TLS; the original used plain http:// and a host
    // that differs from the endpoint in the question
    $result = file_get_contents('https://payment.paykml.com/PGCCDCToken/TokenPayment.jsp', false, $context);
    if ($result === false) {
        // $http_response_header holds the status line if the server answered at all
        die('request to payment gateway failed');
    }
    ?>
mseifert
  • paykml.com is a third party payment processing company. But I don't have issues sending data to the PHP which is on my side. It's done using POST. It's not exposed as well. And the credit card number is tokenized in the HTML itself, so it's sent to the PHP as a token, which we cannot decrypt; it can be decrypted only by www.paykml.com/.. But kml.com has in their doc to post the merchantid and data to their URL, but I'm posting using header redirection. Is there any other way to post data to their URL from my PHP other than header redirect? –  Dec 12 '13 at 07:37
  • [fsockopen](http://www.php.net/manual/en/function.fsockopen.php) is another way. You can see another example [here](http://thehungrycoder.com/general/how-to-submit-a-form-using-php-curl-fsockopen.html). The last link also talks about using curl, which is yet another option. Your best bet is to ask paykml.com for secure code examples. – mseifert Dec 12 '13 at 07:56
  • Yet another option is stream_context_create with either `fopen` or `file_get_contents`. I've added some untested code above to give you an example. See the php documentation for these functions for more examples. Google will also give you more examples. – mseifert Dec 12 '13 at 08:15
  • I'll update the full code. The PHP won't load up, unfortunately. I will update the full PHP I tried –  Dec 12 '13 at 08:19
  • I've updated my code and fixed the URL. I had left off the page. I also changed the fopen to file_get_contents based on an example [here](http://stackoverflow.com/questions/2445276/how-to-post-data-in-php-using-file-get-contents) – mseifert Dec 12 '13 at 08:25
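The server-to-server request that both the asker's curl solution and the answer's stream-context code are reaching for, written out as an added example (not code from the question, the answer, or paykml.com). It sends merchantId and data in a POST body over a verified TLS connection instead of in the query string; it assumes the gateway accepts a form POST, as the asker's comment says its docs describe, and that $merchantid, $data and $encryption_key are the variables built in the question's script.

```php
<?php
// Added example: POST the gateway parameters from the server so they never appear
// in a URL the browser sees. post_to_gateway() is a hypothetical helper name.

function post_to_gateway($url, $merchantid, $encryptedData)
{
    $curl = curl_init($url);
    curl_setopt_array($curl, array(
        CURLOPT_POST           => true,
        // http_build_query does the URL-encoding, so pass the raw encryptText_3des()
        // output here, not the urlencode()d copy the question builds for the redirect
        CURLOPT_POSTFIELDS     => http_build_query(array(
            'merchantId' => $merchantid,
            'data'       => $encryptedData,
        )),
        CURLOPT_RETURNTRANSFER => true,   // hand the body back instead of echoing it
        CURLOPT_SSL_VERIFYPEER => true,   // leave certificate verification on
        CURLOPT_SSL_VERIFYHOST => 2,      // and check the certificate matches the host
        CURLOPT_FOLLOWLOCATION => false,  // a gateway redirect is part of the answer, not something to chase
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ));
    $body   = curl_exec($curl);
    $status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    $error  = curl_error($curl);
    curl_close($curl);

    if ($body === false) {
        // Transport failure (DNS, TLS handshake, certificate, timeout): nothing was sent
        throw new RuntimeException('gateway request failed: ' . $error);
    }
    // A 2xx only means the gateway answered; whether the payment succeeded is in
    // the body, in whatever format the gateway's documentation specifies
    return array('status' => $status, 'body' => $body);
}

// Hypothetical call site using the variables from the question's script
$response = post_to_gateway(
    'https://payment.paykml.com/PGCCDCToken/TokenPayment.jsp',
    $merchantid,
    encryptText_3des($data, $encryption_key)
);
if ($response['status'] != 200) {
    die('gateway returned HTTP ' . $response['status']);
}
// Inspect $response['body'] per the gateway docs before sending the user to success.php
```

The user's browser never sees the request, so the merchantId and encrypted data are not in any address bar or browser history; the success redirect should depend on what the gateway's response body says, not just on the request having completed.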