making sure user gets the same values when they refresh

  • droog

    making sure user gets the same values when they refresh

    hi group!

    I am new to PHP and so far managed to find my answers by searching
    this group instead of posting repeating questions, but I don't know
    what to search for to get answer to this question:

    I want to sell pin numbers.
    I have a script called display.php that gets a pin number from MySQL
    database table, displays it in the browser and deletes the row it got
    that pin from in the database table.
    To get to that, the user has to go through a credit card verification
    script getpaid.php, which contacts the bank and confirms that the card
    has available funds and then runs my display.php and tells it via POST
    that it is ok to display the pin number. If the script is run directly
    by typing its address in the browser, it will redirect the user to
    getpaid.php because it won't have the required POST data passed to it.

    The problem is that after the user gets the pin from display.php and
    refresh the page, the script will run again and as the value that has
    been sold first time has already been deleted, it will take the next
    pin number in the database and display it to the user again. That is
    something I don't want to happen. I want the user to get the same pin
    number that it got the first time every time they refresh the page.

    The only solution I can come up with is to generate a randomly named
    html document with the pin number, something like
    ipwhf2ji3op5wlsj7vxz.htm, and relocate the user's browser to that
    document. Can anyone advise me on a better solution?
  • Martin Lucas-Smith

    #2
    Re: making sure user gets the same values when they refresh



    > I am new to PHP
    >
    > To get to that, the user has to go through a credit card verification
    > script getpaid.php, which contacts the bank and confirms that the card
    > has available funds

    I hope you are not too new to PHP that you are fully aware of the security
    implications of your work with this sort of application. I'm not trying to
    be patronising, just pointing out that application security generally
    requires experience, because you should be aware of all the things that
    can go wrong or ways in which data can be faked. I hope that's not an
    unfair comment.

    > The problem is that after the user gets the pin from display.php and
    > refresh the page, the script will run again and as the value that has
    > been sold first time has already been deleted, it will take the next pin
    > number in the database and display it to the user again. That is
    > something I don't want to happen. I want the user to get the same pin
    > number that it got the first time every time they refresh the page.

    The usual solution is to issue a header containing a 301 redirect to a new
    page immediately after the POST transaction has been verified and completed.
    The user won't even know that they're being redirected, but it guarantees
    that pressing refresh won't repeat the transaction.

    I don't have a working example to hand, but I hope this gives you enough
    to go on.


    Martin Lucas-Smith www.geog.cam.ac.uk/~mvl22


    Senior Computing Technician (Web Technician)
    Department of Geography, University of Cambridge (01223 3)33390

    & Webmaster, SPRI
    Scott Polar Research Institute, University of Cambridge



    • droog

      #3
      Re: making sure user gets the same values when they refresh

      Martin Lucas-Smith <mvl22@cam.ac.uk> wrote in message news:<Pine.SOL.4.44.0308271530590.13210-100000@orange.csi.cam.ac.uk>...
      > > I am new to PHP
      > >
      > > To get to that, the user has to go through a credit card verification
      > > script getpaid.php, which contacts the bank and confirms that the card
      > > has available funds
      >
      > I hope you are not too new to PHP that you are fully aware of the security
      > implications of your work with this sort of application. I'm not trying to
      > be patronising, just pointing out that application security generally
      > requires experience, because you should be aware of all the things that
      > can go wrong or ways in which data can be faked. I hope that's not an
      > unfair comment.

      Oh, yeah, I won't be dealing with the security stuff myself, I know
      I'm not ready for it. I'll have the user redirected to my bank's
      website and it will then process their credit card details and return
      either yes or no to my script, which is rather ugly as my website and
      the bank's website will have different designs, but I need real-time funds
      deduction and I don't know if it's even possible without involving the
      bank, and I'd better go the safer way, as I only touched PHP two weeks
      ago for the first time.
      > > The problem is that after the user gets the pin from display.php and
      > > refresh the page, the script will run again and as the value that has
      > > been sold first time has already been deleted, it will take the next pin
      > > number in the database and display it to the user again. That is
      > > something I don't want to happen. I want the user to get the same pin
      > > number that it got the first time every time they refresh the page.
      >
      > The usual solution is to issue a header containing a 301 redirect to a new
      > page immediately the post transaction has been verified and completed. The
      > user won't even know that they're being redirected, but it guarantees that
      > pressing refresh won't repeat the transaction.

      Thanks, Martin, I'll work in this direction then.
      > I don't have a working example to hand, but I hope this gives you enough
      > to go on.
      >
      >
      > Martin Lucas-Smith www.geog.cam.ac.uk/~mvl22
      > www.lucas-smith.co.uk
      >
      > Senior Computing Technician (Web Technician)
      > Department of Geography, University of Cambridge (01223 3)33390
      >
      > & Webmaster, SPRI
      > Scott Polar Research Institute, University of Cambridge


      • Mark Hewitt

        #4
        Re: making sure user gets the same values when they refresh



        "droog" <pelmeshkin@hotmail.com> wrote in message
        news:bc4396a3.0308271623.2aacfd37@posting.google.com...
        > Martin Lucas-Smith <mvl22@cam.ac.uk> wrote in message
        news:<Pine.SOL.4.44.0308271530590.13210-100000@orange.csi.cam.ac.uk>...

        [snip]
        > > I hope you are not too new to PHP that you are fully aware of the security
        > > implications of your work with this sort of application. I'm not trying to

        [snip]
        > Oh, yeah, I won't be dealing with the security stuff myself, I know
        > I'm not ready for it. I'll have the user redirected to my bank's

        I think by security here Martin was also referring to the security of your
        application as a whole. Your business is selling these "pins", so this data
        must be protected; your challenge is to ensure your script is secure in that
        it does not contain code that would allow an attacker to compromise your pin
        database or worse.

        > website and it will then process their credit card details and return
        > either yes or no to my script, which is rather ugly as my website and
        > the bank's website will have different designs, but I need real-time funds
        > deduction and I don't know if it's even possible without involving the

        There is nothing wrong with this. I know some people comment that the change
        in layouts scares customers; well, I don't know, I haven't found this. But
        pushing the cc processing onto a third party means the burden of protecting
        card numbers is not wholly on your shoulders; it also means you may not need
        an SSL on your site.

        [snip]

        Thanks,
        Mark
        ---------------------------------------------------------------------------
        Windows, Linux and Internet Development Consultant
        Email: corporate@scriptsmiths.com
        Web: http://www.scriptsmiths.com
        ---------------------------------------------------------------------------
        > >
        > >
        > > Martin Lucas-Smith www.geog.cam.ac.uk/~mvl22
        > > www.lucas-smith.co.uk
        > >
        > > Senior Computing Technician (Web Technician)
        > > Department of Geography, University of Cambridge (01223 3)33390
        > >
        > > & Webmaster, SPRI
        > > Scott Polar Research Institute, University of Cambridge



        • Mark Hewitt

          #5
          Re: making sure user gets the same values when they refresh


          "droog" <pelmeshkin@hotmail.com> wrote in message
          news:bc4396a3.0308270122.21de9e8a@posting.google.com...
          > hi group!

          [snip]
          > The problem is that after the user gets the pin from display.php and
          > refresh the page, the script will run again and as the value that has
          > been sold first time has already been deleted, it will take the next
          > pin number in the database and display it to the user again. That is
          > something I don't want to happen. I want the user to get the same pin
          > number that it got the first time every time they refresh the page.
          >

          I might try something like this, if I understand correctly what you are
          trying:

          1. display.php
          Purpose: select a PIN for the user to purchase

          Here you want to reserve one for the user, and maybe display it to him, but
          if the pin is a number, and this number is what you are selling, like the
          PIN number of mobile phone pre-paid vouchers here in South Africa, then you
          can't display it until he's paid!! But you must reserve one.... so...

          a) Generate a unique tag; *don't* rely on time(), remember two people could
          make the purchase at the same time, the server executing the code in the
          same second.
          b) Write this unique tag to the record of the PIN that is free.
          c) Use this as the transaction reference for your post to the payment
          gateway.
          d) Use cURL or something similar to initiate the POST to the bank's payment
          page; this ensures you do not expose the transaction id (tag).

          2. <bank step>

          3. bank_callback.php
          Purpose: script the bank executes after success/failure of the cc transaction

          Here you check the bank's response code; if it is failure, display a "sorry,
          you lose" page!
          If it's success:

          a) make sure the bank's transaction reference exists in your pin database
          b) if it does:
          i) remove the pin record
          ii) display the pin to the user
          c) else, if not:
          i) display an error of an invalid transaction; don't print the transaction
          id, etc., keep these things secret.
          ii) write this to a log file _outside_ your document root, including the
          transaction id and other information so you can follow up on it later; it
          could be a valid problem for a valid customer, or an attempt to "hack" your
          site.


          That's the general idea; of course the actual implementation, etc. depends on
          the exact nature of your product, which banking gateway you use, etc. etc.
          etc. ad nauseam.

          Thanks
          Mark
          ---------------------------------------------------------------------------
          Windows, Linux and Internet Development Consultant
          Email: corporate@scriptsmiths.com
          Web: http://www.scriptsmiths.com
          ---------------------------------------------------------------------------

          [snip]
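The flow Mark lays out above (reserve a PIN under a unique tag, reveal it only on a verified bank callback, log unknown references without echoing details to the browser), combined with Martin's earlier point that a refresh must not repeat the transaction, as an added example written for this thread and not code from any of the posters. It is in Python against an in-memory SQLite table so it runs stand-alone; the SQL and the state transitions carry over to the PHP/MySQL setup in the question. One deliberate departure from the question's delete-on-display design, and the thing that makes the refresh harmless: the sold row is kept and marked sold, so a second request carrying the same transaction reference returns the same PIN instead of consuming the next free one. The table layout, the state names, the `AUDIT_LOG` list and the sample PINs are constructed for the example.

```python
"""Reserve-then-reveal flow for one-time PINs with refresh-safe display.

Added example for this thread (not any poster's code). The table layout,
state names and sample PINs below are constructed for illustration;
sqlite3 stands in for the MySQL table in the question.
"""
import secrets
import sqlite3

# Stand-in for the log file Mark suggests keeping outside the document root.
AUDIT_LOG = []


def open_store(pins):
    """Create the pins table and load constructed sample PINs (not real ones)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE pins ("
        "  pin   TEXT PRIMARY KEY,"
        "  txn   TEXT UNIQUE,"                  # transaction reference; NULL while free
        "  state TEXT NOT NULL DEFAULT 'free'"  # free -> reserved -> sold
        ")"
    )
    db.executemany("INSERT INTO pins (pin) VALUES (?)", [(p,) for p in pins])
    db.commit()
    return db


def reserve_pin(db):
    """display.php, steps 1(a)-(b): tag one free PIN with a fresh random
    transaction reference and return that reference, never the PIN.

    secrets.token_urlsafe replaces time() as the tag source, so two buyers
    served in the same second cannot collide. The single UPDATE claims the
    row atomically; on MySQL the equivalent is
    UPDATE pins SET ... WHERE state = 'free' LIMIT 1 inside a transaction.
    """
    txn = secrets.token_urlsafe(16)
    cur = db.execute(
        "UPDATE pins SET txn = ?, state = 'reserved' WHERE rowid = "
        "(SELECT rowid FROM pins WHERE state = 'free' ORDER BY rowid LIMIT 1)",
        (txn,),
    )
    db.commit()
    return txn if cur.rowcount == 1 else None   # None: nothing left to sell


def bank_callback(db, txn, bank_status):
    """bank_callback.php: the gateway calls back with the reference it was
    given and a success/failure code. Returns the text shown to the buyer."""
    if bank_status != "success":
        # Declined: release the reservation so the PIN can be sold to someone else.
        db.execute(
            "UPDATE pins SET txn = NULL, state = 'free' "
            "WHERE txn = ? AND state = 'reserved'",
            (txn,),
        )
        db.commit()
        return "Sorry, payment was declined."
    row = db.execute("SELECT pin, state FROM pins WHERE txn = ?", (txn,)).fetchone()
    if row is None:
        # Unknown reference: generic message to the browser, details to the log only.
        AUDIT_LOG.append(f"callback with unknown transaction reference {txn!r}")
        return "Invalid transaction."
    pin, state = row
    if state == "reserved":
        db.execute("UPDATE pins SET state = 'sold' WHERE txn = ?", (txn,))
        db.commit()
    # state == 'sold' here means the buyer refreshed: same reference, same PIN.
    return f"Your PIN: {pin}"


def show_pin(db, txn):
    """The page the buyer lands on after the redirect. Keyed on the reference,
    so every refresh returns the PIN already sold under it, or None if that
    reference was never paid for."""
    row = db.execute(
        "SELECT pin FROM pins WHERE txn = ? AND state = 'sold'", (txn,)
    ).fetchone()
    return row[0] if row else None
```

Nothing in this flow trusts a POST flag saying "ok to display", which is what the question's getpaid.php/display.php split relies on and what Martin means by data that can be faked; the only proof of payment is the unguessable reference the bank echoes back, and it is matched against the database, not the request. All queries are parameterised, which is the minimum for the "don't let an attacker compromise your pin database" point in Mark's first reply.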



