Zubrag.com
Topic: 'View Source' compromises security - is there a solution ?
Eddy_P
Chief Researcher - PPHC Study Group (Australia)
« on: May 23, 2007, 09:13:19 PM »

G’day
I am trying to make a secure form to send details to a gateway (so credit card transactions can be completed).
I need to pass certain information, and have done this via ‘hidden’ input, but when someone ‘views source’ all my details are on display.

eg. (extract from ‘confirm.php’ page via 'view source')…
<input type="hidden" value="654321" name="myCustomerID" />
<input type="hidden" value="2160" name="TotalAmount" />
<input type="hidden" value="TTD4456a " name="InvoiceDescription" />
<input type="hidden" value="mydomain.com.au/shop/download.php" name="returnURL" />

Not only is my business number displayed (eg. 654321), but the complete path to my ‘download’ page is seen too.

How do I pass these fields without the details being shown, included, nor printed on the ‘confirm.php’ page ?

I hope you can help me on this one. Thanks in advance, Eddy.

Idea ? ! Can the address and file bars be removed when the page loads – and would this solve the security dilemma ?

Evidence of TIME TRAVEL presented and examined WORLD BREAKING DISCOVERIES
husker
« Reply #1 on: May 24, 2007, 09:25:05 AM »

"hidden" types in forms are misleading - it is not very hidden, is it?

The best people to help you would be the gateway you need to send the info to.

Hopefully, they use https. Another alternative is encrypting on your end and sending - but then they'll need to decrypt on their end and need to know the key.

cool example using pgp without https - it's an email form, but the concept is the same.
zubrag
Administrator
« Reply #2 on: May 25, 2007, 05:18:51 AM »

PayPal has a feature where you can encrypt payment data, and View Source will only show encrypted data.

Which payment gateway are you using?
Eddy_P
Chief Researcher - PPHC Study Group (Australia)
« Reply #3 on: May 25, 2007, 09:01:23 PM »

If I were to purchase an SSL and place all my relevant files in the https folder, would this 'encode' and scramble the data when "view source" is shown ?
zubrag
Administrator
« Reply #4 on: May 26, 2007, 03:20:27 AM »

Quote: If I were to purchase an SSL and place all my relevant files in the https folder, would this 'encode' and scramble the data when "view source" is shown ?

I doubt it. Users will still be able to see non-encrypted page source in the browser. https will protect from those who analyze traffic (traffic between your browser and target site would be encrypted).
Eddy_P
Chief Researcher - PPHC Study Group (Australia)
« Reply #5 on: July 06, 2007, 07:55:59 PM »

Someone has mentioned using cURL, a server to server POST request using a PHP library.

What are they talking about ?
zubrag
Administrator
« Reply #6 on: July 09, 2007, 08:53:26 AM »

Eddy, you can find more info about cURL here:

http://www.higherpass.com/php/Tutorials/Using-Curl-To-Query-Remote-Servers/
http://blog.mypapit.net/2006/02/sending-http-post-with-php-curl.html
http://www.wagerank.com/2007/how-to-submit-forms-with-php/
http://ua2.php.net/curl
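
The server-to-server POST asked about in Reply #5, as an added example that is not part of the original thread or any poster's code: the merchant fields from the first post are assembled on the server and sent with PHP's cURL extension, so they never appear in the page source and cannot be edited in the browser before submission. The file name pay.php, the gateway URL, the session layout and the assumption that the gateway accepts a server-side POST of these fields are all hypothetical.

```php
<?php
// pay.php: added example, the target of the form on confirm.php.
// Assumptions (not from the thread): the gateway URL, the session layout,
// and that the gateway accepts a server-side POST of these field names.
const GATEWAY_URL = 'https://gateway.example/process';   // placeholder endpoint

/** Build the gateway fields from server-side state only. */
function build_gateway_fields(array $order, array $config): array
{
    return [
        'myCustomerID'       => $config['customer_id'],
        'TotalAmount'        => (string) $order['total'],
        'InvoiceDescription' => $order['invoice'],
        'returnURL'          => $config['return_url'],
    ];
}

/** POST the fields to the gateway from the server; returns [status, body]. */
function post_to_gateway(string $url, array $fields): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // keep certificate checks on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Gateway request failed: ' . curl_error($ch));
    }
    return [curl_getinfo($ch, CURLINFO_HTTP_CODE), $body];
}

session_start();
// The order was stored in the session when the cart was confirmed; nothing
// the browser sends is trusted for the amount, merchant ID or return URL.
if (!isset($_SESSION['order'])) {
    http_response_code(400);
    exit('No order to pay for.');
}
$config = ['customer_id' => '654321',   // sample values from the first post
           'return_url'  => 'https://mydomain.com.au/shop/download.php'];
[$status, $body] = post_to_gateway(GATEWAY_URL, build_gateway_fields($_SESSION['order'], $config));
echo $status === 200 ? 'Payment submitted.' : 'Payment could not be submitted.';
```

With this in place, confirm.php needs only a submit button and no hidden inputs; how `$body` is interpreted depends on the gateway's own documentation.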