Validating payment amounts with WorldPay

Question

We are using WorldPay to process payments for a tiered membership system, for which the payment amount varies dependent upon the membership tier selected.

The payment is passed to WorldPay via a form post from a number of hidden fields, including:

<input type="hidden" name="amount" value="295.00" />

Essentially, the form is submitted via POST to WorldPay and the user follows a number of steps to process their payment. Once complete, the user is redirected to a specified confirmation page.

This appears to be the typical manner in which WorldPay accepts payments. There's an obvious issue here, in that the value of the hidden field could easily be tampered with by anyone with a basic knowledge of HTML. The form is posted directly to WorldPay, so we have no PostBack in which to validate the amount against the membership tier.

We have the option to validate the payment amount when a payment notification is returned to us from WorldPay by routing the callback through a handler before the confirmation page; however, I would like to avoid the situation where a user submits a tampered form, pays the incorrect amount and receives no membership, then has to contact the company to have their money returned.

How might we validate that the amount being submitted is correct before processing payment?

Update

It has occurred to me that we have an additional problem whereby, even if we validate the form post server-side, there is nothing stopping a malicious user from spoofing the form post direct to WorldPay.

Recommended answer

It is a vulnerability indeed; it can be solved easily using a signature. Check out this link:

http://culttt.com/2012/07/25/integrating-worldpay-into-a-database-driven-website/

This method should be better promoted on the help page, too bad.
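
The signature approach from the answer, combined with the callback check from the question, as an added example that is not part of the original thread or WorldPay's own code. WorldPay's actual signature format is not shown on this page, so the HMAC-SHA256 construction, the field names other than `amount`, the secret, and the tier table (apart from the 295.00 price) are assumptions for illustration.

```python
import hashlib
import hmac
from decimal import Decimal

# Assumptions (not from the page): the tier names, the field names
# instId/cartId/currency, and the HMAC-SHA256 construction itself.
SECRET = b"constructed-demo-secret"  # known only to merchant server and gateway
TIER_PRICES = {"gold": Decimal("295.00"), "silver": Decimal("95.00")}
SIGNED_FIELDS = ("instId", "cartId", "amount", "currency")


def sign(fields: dict) -> str:
    """MAC over every field that must not change while it sits in the browser."""
    msg = "\n".join(f"{k}={fields[k]}" for k in SIGNED_FIELDS).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def build_form_fields(tier: str, cart_id: str) -> dict:
    """Merchant server: the price comes from the server-side table, never the client."""
    fields = {"instId": "000000", "cartId": cart_id,
              "amount": str(TIER_PRICES[tier]), "currency": "GBP"}
    fields["signature"] = sign(fields)  # emitted as one more hidden input
    return fields


def gateway_accepts(posted: dict) -> bool:
    """Gateway side: recompute the MAC; an edited or missing signed field fails."""
    if any(k not in posted for k in SIGNED_FIELDS + ("signature",)):
        return False
    return hmac.compare_digest(sign(posted), posted["signature"])


def callback_amount_ok(tier: str, paid_amount: str) -> bool:
    """Merchant callback handler: compare the reported amount with the tier price."""
    try:
        return Decimal(paid_amount) == TIER_PRICES[tier]
    except (ArithmeticError, KeyError):  # malformed amount or unknown tier
        return False


if __name__ == "__main__":
    form = build_form_fields("gold", "order-1001")  # constructed sample order
    print("untampered accepted:", gateway_accepts(form))
    print("amount edited to 1.00 accepted:", gateway_accepts(dict(form, amount="1.00")))
    print("callback 1.00 for gold ok:", callback_amount_ok("gold", "1.00"))
```

Because the secret never reaches the browser, a post sent straight to the gateway with an edited amount cannot carry a valid signature, which covers the spoofing case raised in the update.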
