将敏感信息发送到HTTPS页面 [英] Sending sensitive information to an HTTPS page
问题描述
大家好,
我试图模仿支付网关的种类。
用户下订单然后当他结账时他会被转移
到HTTPS页面输入他的详细信息。
目前我将订单存储在临时购物车数据库表中并且
as参考我使用客户的ID
所以我有
表
Order_Temp
customerId | orderDateTime | ItemID
订单存储后,我使用
标题重定向它们(''位置:https://''。$ url);
现在我必须在HTTPS页面中传递一些关于
订单的引用,以便我的$ url看起来像:
https://www.paymentgateway.com/check...customerId=123
问题在于我公开了客户ID,可以轻松地将
更改为其他任何内容。
有哪些替代方案可以做什么?我有吗?
我虽然使用帖子可能是一个解决方案,但它是否安全?当你通过注入代码发布表单时,你可以伪造一个用户的身份吗?怎么这么简单呢?
我想在temp_Order表中存储session_id和
然后通过它传递给它网址?这样安全吗?
我只是想知道是否有标准做法做某事
那样。
谢谢你,我非常感谢任何人花时间阅读
我的帖子:)
问候。
url);
现在我必须在HTTPS页面中传递一些如何参考
命令所以我的
url看起来像:
https://www.paymentgateway.com/check...customerId=123
问题在于我暴露了客户我可以很容易地将
更改为其他任何内容。
我有哪些替代方案?
我虽然使用帖子可能是溶解,但是安全吗?当你通过注入代码发布表单时,你可以伪造一个用户的身份吗?怎么这么简单呢?
我想在temp_Order表中存储session_id和
然后通过它传递给它网址?这样安全吗?
我只是想知道是否有标准做法做某事
那样。
谢谢你,我非常感谢任何人花时间阅读
我的帖子:)
问候。
Aggelos写道:
问题在于我暴露了客户ID,可以轻松地获得
被改为其他任何东西。
签署ID号,然后检查另一端的签名。几个月前我发布了
示例代码:
http://message-id.net/<2r**** ********@ophelia.g5n.co.uk>
-
Toby A Inkster BSc(荣誉)ARCS
与我联系〜 http://tobyinkster.co.uk/contact
很高兴~HTML / SQL / Perl / PHP / Python * / Apache / Linux
* =我到了那里!
Hello everyone,
I am trying to emulate sort of a Payment Gateway.
A user makes an order and then when he checks out he gets transfered
to the HTTPS page to enter his details.
At the moment I am storing the order in a temporary cart DB Table and
as a reference I use the Customer''s ID
so I have
TABLE
Order_Temp
customerId | orderDateTime | ItemID
Once the order gets stored I redirect them using
header(''Location:https://''.$url);
Now I have to pass some how in the HTTPS page the reference for the
order so my $url looks like:
https://www.paymentgateway.com/check...customerId=123
The problem with that is that I expose the Customer Id wich can easily
be changed to anything else.
What alternatives do i have ?
I though using post might be a sollution, BUT is it safe ? Can you
fake an id of a user when you post a form by injecting code? And how
easy is that ?
I was thinking of storing in the Temp_Order table the session_id and
then passing it thru the URL ? Is that safe ?
I just want to know if there is a standard practice of doing something
like that.
Thank you, and I really appreciate anyones times that is spend reading
my post :)
Regards.
url);
Now I have to pass some how in the HTTPS page the reference for the
order so my
url looks like:
https://www.paymentgateway.com/check...customerId=123
The problem with that is that I expose the Customer Id wich can easily
be changed to anything else.
What alternatives do i have ?
I though using post might be a sollution, BUT is it safe ? Can you
fake an id of a user when you post a form by injecting code? And how
easy is that ?
I was thinking of storing in the Temp_Order table the session_id and
then passing it thru the URL ? Is that safe ?
I just want to know if there is a standard practice of doing something
like that.
Thank you, and I really appreciate anyones times that is spend reading
my post :)
Regards.
Aggelos wrote:
The problem with that is that I expose the Customer Id wich can easily
be changed to anything else.Sign the ID number, and then check the signature at the other end. I posted
example code to do this a couple of months ago:
http://message-id.net/<2r************@ophelia.g5n.co.uk>
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux
* = I''m getting there!
这篇关于将敏感信息发送到HTTPS页面的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
