
I have a service based company and a website entirely created with Dreamweaver. It does not have a cart and no service we sell is exactly the same price so it would not make sense to include one.

My bank provided me with a payment gateway to automate payments and allow clients to select their own currency but it is built for a website with a cart or a database.

So I am trying to find a solution which:

1 - allows me to ask for the clients details

2 - asks the client to confirm the amount they are due to pay (which needs to be between 0 and 10000 euros, no dots, commas or spaces allowed and 2 decimals included)

3 - confirms their name and the amount filled in the form on a separate page (their terminal does not show the amount to be paid so I want to confirm this to the client)

4 - sends the correct information to the payment terminal

5 - returns to our website to confirm the payment has gone through

6 - sends me an email with all the information filled in by the client and that the payment has been approved.

Here is the code provided by the bank

<form action="https://hpp.prueba.santanderelavontpvvirtual.es/pay" method="POST">
<input type="hidden" name="MERCHANT_ID" value="<?=$merchantid?>">
<input type="hidden" name="ORDER_ID" value="<?=$orderid?>">
<input type="hidden" name="ACCOUNT" value="<?=$account?>">
<input type="hidden" name="CURRENCY" value="<?=$curr?>">
<input type="hidden" name="AMOUNT" value="<?=$amount?>">
<input type="hidden" name="TIMESTAMP" value="<?=$timestamp?>">
<input type="hidden" name="DCC_ENABLE" value="1">
<input type="hidden" name="SHA1HASH" value="<?=$sha1hash?>">
<input type="hidden" name="HPP_LANG" value="EN">
<input type="hidden" name="AUTO_SETTLE_FLAG" value="1">
<input type="hidden" name="MERCHANT_RESPONSE_URL" value="tpv-mailer.php">
<input type="Submit" value="Pay by credit card on a Secure Website">
</form>

I am new to php, the documentation the bank sent me is not clear at all so I have been stuck on this issue for a while.

I have the form requesting data from the client through POST working and the payment system works (although it only charges the same amount) but I cannot seem to find the code to pass the $amount filled in by the client to the AMOUNT field on the bank gateway without breaking the hash.

I was thinking maybe of sending this information by url or creating a session. Does anyone have experience with this and can help me?

Thank you so much in advance!

NinilieM

2 Answers


This is how I would go about it:

  1. Start from scratch with your own multi-step form (since you want to confirm their name and amount).

  2. POST the form to a PHP script via jQuery AJAX.

  3. In your PHP script validate every single field. Remember that the client can send anything, so you want to make sure they wrote an actual amount for example.

  4. Prepare the POST request that you'll be sending to your bank's API endpoint from your PHP script. Use the fields the user submitted (after validating them) and generate any others that you might need, for example the timestamp and return URL.

  5. Send this POST request to your bank.

  6. Read their response.

  7. Process their response, e.g. send back a JSON to your jQuery AJAX function with information on what to do next, such as which page to redirect to. This is where you can also configure PHP to send you that notification email.

You don't have to use AJAX but by doing it this way you can show a nice "Processing..." view to your client if you so desired.

You'll need to fully understand all the parameters that your bank is requesting, for example where the $sha1hash is coming from. If they have poor documentation then there are always alternatives such as:

That said, if you're running the company and are new to PHP as you've mentioned, you might want to consider hiring a professional to do it for you. It's worth the investment.

Optimae
  • Thank you for your prompt response. I was hoping for an easier solution than using AJAX and I do not want to change the payment platform (PayPal takes a huge commission...). The other parameters work fine, I just need a way to get clients to fill in the $amount really. But I think hiring someone might be a good option if I cannot solve this. – NinilieM Oct 07 '17 at 16:07
  • You can skip jQuery AJAX then and use a normal form submit (submitted to your PHP script). The key is that you have a middle step in this whole process, so that you can allow clients to specify any amount they want, you validate that and then you send it on to your bank's API. – Optimae Oct 07 '17 at 16:12
  • Start with a simple form that you POST to `payment.php` for example. In `payment.php`, read the submitted values using `$_POST`. Run any validation you want on those values and then create a POST request to your bank (`https://hpp.prueba.santanderelavontpvvirtual.es/pay`). Here's an example on how to do the last bit: https://stackoverflow.com/questions/5647461/how-do-i-send-a-post-request-with-php – Optimae Oct 07 '17 at 16:32
  • Thank you I am going to try it out and hopefully this or your previous solutions works! – NinilieM Oct 07 '17 at 16:59
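One way to implement the middle step Optimae describes (read `$_POST`, validate, then build the signed request on the server so the client-chosen amount is covered by the hash). This is an added example, not code from the answer, the original post or the bank. It assumes: MERCHANT_ID, ACCOUNT, SHARED_SECRET and the response URL are placeholders you get from the bank; AMOUNT is sent in minor units (cents, digits only, as the question's format describes); SHA1HASH follows the standard Realex/Global Payments HPP construction, sha1(sha1("TIMESTAMP.MERCHANT_ID.ORDER_ID.AMOUNT.CURRENCY") . "." . SECRET), which you should confirm against the bank's integration guide; and a directory of per-order JSON files stands in for the database the site does not have.

```php
<?php
// payment.php: receives the client's own form (firstname, lastname, charge),
// validates every field, then renders the signed form for the bank's HPP.
// Added example, not the bank's code. Placeholders and the hash rule are
// assumptions; confirm both against the bank's integration guide.
declare(strict_types=1);

const MERCHANT_ID   = 'yourmerchantid';   // placeholder, from the bank
const ACCOUNT       = 'internet';         // placeholder, from the bank
const SHARED_SECRET = 'yoursharedsecret'; // placeholder; stays on the server, never in the HTML
const CURRENCY      = 'EUR';
const HPP_URL       = 'https://hpp.prueba.santanderelavontpvvirtual.es/pay';
const RESPONSE_URL  = 'https://www.example.com/tpv-mailer.php'; // placeholder, absolute URL
const ORDER_DIR     = __DIR__ . '/orders'; // this example's stand-in for a database
const MAX_CENTS     = 1000000;             // 10000.00 EUR in minor units

/**
 * Turn what the client typed ("123.45", "50", "7,5") into AMOUNT's format:
 * minor units, digits only. Null for anything outside (0, 10000.00].
 */
function amountToCents(string $raw): ?string
{
    $raw = str_replace(',', '.', trim($raw));
    if (!preg_match('/^(\d{1,5})(?:\.(\d{1,2}))?$/', $raw, $m)) {
        return null;                                   // only digits and up to 2 decimals
    }
    $cents = (int)$m[1] * 100 + (int)str_pad($m[2] ?? '0', 2, '0');
    return ($cents > 0 && $cents <= MAX_CENTS) ? (string)$cents : null;
}

/** Letters, spaces, hyphens and apostrophes only, 1 to 60 characters. */
function cleanName(string $raw): ?string
{
    $raw = trim($raw);
    return preg_match("/^[\p{L} '-]{1,60}$/u", $raw) ? $raw : null;
}

/** HTML-escape before echoing anything the client typed. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Request signature: field order matters, and the secret never leaves the server. */
function hppRequestHash(string $timestamp, string $orderId, string $cents): string
{
    $inner = sha1("$timestamp." . MERCHANT_ID . ".$orderId.$cents." . CURRENCY);
    return sha1($inner . '.' . SHARED_SECRET);
}

/** All hidden fields for the gateway form, computed from the validated amount. */
function hppFields(string $cents): array
{
    $timestamp = date('YmdHis');
    $orderId   = 'ORD' . bin2hex(random_bytes(8));   // unique per attempt
    return [
        'MERCHANT_ID'           => MERCHANT_ID,
        'ORDER_ID'              => $orderId,
        'ACCOUNT'               => ACCOUNT,
        'CURRENCY'              => CURRENCY,
        'AMOUNT'                => $cents,
        'TIMESTAMP'             => $timestamp,
        'DCC_ENABLE'            => '1',
        'SHA1HASH'              => hppRequestHash($timestamp, $orderId, $cents),
        'HPP_LANG'              => 'EN',
        'AUTO_SETTLE_FLAG'      => '1',
        'MERCHANT_RESPONSE_URL' => RESPONSE_URL,
    ];
}

$first = cleanName((string)($_POST['firstname'] ?? ''));
$last  = cleanName((string)($_POST['lastname'] ?? ''));
$cents = amountToCents((string)($_POST['charge'] ?? ''));
if ($first === null || $last === null || $cents === null) {
    http_response_code(400);
    exit('Please enter a name and an amount between 0.01 and 10000.00 euros.');
}

// Remember what this order is for, so the response page can check the result against it.
$fields = hppFields($cents);
if (!is_dir(ORDER_DIR)) {
    mkdir(ORDER_DIR, 0700, true);
}
file_put_contents(ORDER_DIR . '/' . $fields['ORDER_ID'] . '.json',
    json_encode(['firstname' => $first, 'lastname' => $last, 'amount' => $cents]));

// Confirmation page: the client sees the exact amount before the terminal does.
$eur = number_format((int)$cents / 100, 2, '.', '');
echo '<h3>Hello, ' . e($first) . ' ' . e($last) . ', the balance to pay is ' . e($eur) . ' euros</h3>';
echo '<form action="' . e(HPP_URL) . '" method="POST">';
foreach ($fields as $name => $value) {
    echo '<input type="hidden" name="' . e($name) . '" value="' . e($value) . '">';
}
echo '<input type="submit" value="Pay by credit card on a Secure Website"></form>';
```

The point of doing it this way is that the amount the client typed goes into the hash input together with the secret, so the client can change the amount on your form but cannot tamper with the hidden fields afterwards: any edit to AMOUNT in the rendered form invalidates SHA1HASH at the gateway. The secret itself only ever appears in this server-side script.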

After spending all day and trying to learn about PHP I found the solution to my problem. As I could not find any documentation online answering this question, I would like to share it if anyone needs it one day:

First you need to create a 3 step php form:

  • The first page is a standard form which asks information from my client, filters it and cleans it up
  • It redirects to the second page which acts as a mailer and collects the info. In the header, it sends the information collected to me by email then it calls the payment gateway. In the body, it sums up the information previously sent and gives the client a link to the gateway
  • The third page is the gateway response. It lets the client know of any error or thanks them for the booking and resends me an email with the booking confirmation.

The piece of code I needed was:

Page 1: ask for the amount due which is saved as $charge

On page 2: in header:

$amount=$_REQUEST['charge']; // raw client input, read straight from the request

in body - to show the amount to be paid:

<?php
// $amount was assigned from $_REQUEST['charge'] in the header block above.
$FIRSTNAME=$_REQUEST['firstname'];
$LASTNAME=$_REQUEST['lastname'];
$CHARGE=$_REQUEST['charge'];
// These values come straight from the request and are interpolated into the
// page without htmlspecialchars(), so whoever submits the form controls the HTML.
echo <<<TEXT
<h3 style="text-align:left;padding-left:1em">Hello, $FIRSTNAME $LASTNAME, balance is $amount euros</h3>
TEXT;
?>

The payment platform seems to be working and the amount is now decided by the client without access to a database.

NinilieM
  • Look up XSS, for starters. If you don't know what it is already, and you're dealing with financial information, I'd recommend hiring someone for this project. – ceejayoz Oct 08 '17 at 16:18
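A hardened version of the third page (the gateway response handler named as MERCHANT_RESPONSE_URL), as an added example that is not the original post's code. It addresses the two points ceejayoz's comment is about: everything echoed back into the page is escaped, and "the payment has gone through" is only believed once the gateway's own SHA1HASH on the response has been verified and the order matched against what was actually requested. Assumptions: the placeholder constants; a per-order JSON record in an orders/ directory written when the request was signed (this example's substitute for a database); and the standard Realex/Global Payments HPP response signature, sha1(sha1("TIMESTAMP.MERCHANT_ID.ORDER_ID.RESULT.MESSAGE.PASREF.AUTHCODE") . "." . SECRET), which you should confirm against the bank's guide.

```php
<?php
// tpv-mailer.php: the MERCHANT_RESPONSE_URL. The gateway POSTs the outcome
// here, and nothing in that POST is trusted until its SHA1HASH checks out.
// Added example, not the original post's code. Placeholders, the orders/
// record format and the hash rule are assumptions; confirm the rule with the bank.
declare(strict_types=1);

const MERCHANT_ID   = 'yourmerchantid';       // placeholder
const SHARED_SECRET = 'yoursharedsecret';     // placeholder; server side only
const NOTIFY_EMAIL  = 'bookings@example.com'; // placeholder
const ORDER_DIR     = __DIR__ . '/orders';    // written when the request was signed

/** HTML-escape anything echoed back into the page: names, amounts, gateway messages. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Recompute the response signature with the secret and compare in constant time. */
function hppResponseHashIsValid(array $p): bool
{
    $keys = ['TIMESTAMP', 'ORDER_ID', 'RESULT', 'MESSAGE', 'PASREF', 'AUTHCODE', 'SHA1HASH'];
    foreach ($keys as $k) {
        if (!isset($p[$k]) || !is_string($p[$k])) {
            return false;
        }
    }
    $inner = sha1(implode('.', [$p['TIMESTAMP'], MERCHANT_ID, $p['ORDER_ID'],
        $p['RESULT'], $p['MESSAGE'], $p['PASREF'], $p['AUTHCODE']]));
    return hash_equals(sha1($inner . '.' . SHARED_SECRET), strtolower($p['SHA1HASH']));
}

/** The record saved for this ORDER_ID, or null. The regex keeps the id out of the path. */
function loadOrder(string $orderId): ?array
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,40}$/', $orderId)) {
        return null;
    }
    $json = @file_get_contents(ORDER_DIR . "/$orderId.json");
    $rec  = $json === false ? null : json_decode($json, true);
    return is_array($rec) ? $rec : null;
}

$p = $_POST;
if (!hppResponseHashIsValid($p)) {
    http_response_code(400);
    exit('The payment response could not be verified.');
}
$order = loadOrder($p['ORDER_ID']);
// AMOUNT is not part of the response hash, so it is checked against what we asked for.
if ($order === null || (string)($p['AMOUNT'] ?? '') !== $order['amount']) {
    http_response_code(400);
    exit('The payment response does not match a pending booking.');
}

$approved = $p['RESULT'] === '00';
$name     = $order['firstname'] . ' ' . $order['lastname'];
$eur      = number_format((int)$order['amount'] / 100, 2, '.', '');

if ($approved) {
    // Plain-text mail. ORDER_ID already matched the regex, so the subject cannot carry header injection.
    $body = "Name: $name\nAmount: $eur EUR\nOrder: {$p['ORDER_ID']}\n"
          . "PASREF: {$p['PASREF']}\nAuth code: {$p['AUTHCODE']}\n";
    mail(NOTIFY_EMAIL, 'Payment approved: ' . $p['ORDER_ID'], $body);
    echo '<h3>Thank you, ' . e($name) . '. Your payment of ' . e($eur) . ' euros was approved.</h3>';
} else {
    echo '<h3>Sorry, ' . e($name) . ', the payment was not completed: ' . e($p['MESSAGE']) . '</h3>';
}
```

Two design points worth noting. The script reads the name and amount from its own stored record rather than from whatever arrives in the POST, so even a request that reaches this URL from somewhere other than the gateway cannot put attacker-chosen text into the page or the email. And the email is only sent after the hash check, because without that check anyone who knows the URL could POST RESULT=00 and receive a "payment approved" confirmation for a booking nobody paid for.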