[thelist] authorize.net form submission

|| cira || cira at bork.hampshire.edu
Mon Nov 10 21:43:46 CST 2003


Hey all,

I have more of a "best practices" question rather than a scripting 
problem. FYI, I'm using the Advanced Integration Method (AIM) on 
authorize.net to make credit card based transactions. I'm writing the 
scripts in PHP.

For anyone who doesn't know how the process works, it goes something like 
this, very simplified:

1. Get user information through form over SSL.
2. Submit data to authorize using the POST method.
3. Receive and process data from authorize.net.

There is a minimum amount of data that you need to send to authorize to 
process a card. In my version of AIM, you must supply your authorize.net 
login ID and password, in addition to the card information.

The problem is, right now I have those values in hidden form fields:

<input type="hidden" name="loginID" value="myloginID">

This is not good. Any user could view source and see the sensitive info. 
Not what I want. I can only think of one way around this, and it's not the 
best. I feel like I'm missing something really easy. Sometimes the 
simplest solution is the last thing you're thinking of.

1) Submit the form to another PHP script where a second form resides. 
Using PHP, output the loginID, password and previous $_POST data into the 
form. Then submit the form automatically using JavaScript. After the JS 
submits the form to authorize, the user will be redirected to a 
confirmation / error page.

The problem with this method is that essentially if the user knew the name 
of the PHP script, they could still see the form vars. ADDITIONALLY, they 
would be able to see all the credit card information! Also, it seems 
silly to have to create a second form and use JS to accomplish this.

I'm going on the assumption that you HAVE to submit the data to authorize 
using a form like this:

<form name="formname" method="post" 
action="https://secure.authorize.net/gateway/transact.dll">

Maybe there is a way to append the data to the $_POST array and submit 
that array to authorize without using a second form. So far, I have not 
come across any documentation stating otherwise.

I have tried googling for some help, and did a very quick search of the 
evolt list archives. There were a couple of authorize threads, but none 
seemed to address this problem.

Thanks in advance,
I just know I'm missing something simple.

-Samantha
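
The POST in step 2 of the flow above can be made by the PHP script itself instead of by a browser form, so the login ID and password are never written into any HTML. This is an added example, not part of the original post; the field names other than `loginID`, the `AIM_*` environment variable names and the sample values are assumptions.

```php
<?php
// Added example, not from the original post. Field names other than "loginID"
// and the AIM_* environment variable names are hypothetical.
const GATEWAY_URL = 'https://secure.authorize.net/gateway/transact.dll'; // URL from the post
// Only these browser-supplied fields are forwarded; everything else is dropped.
const CUSTOMER_FIELDS = ['card_number', 'exp_date', 'amount'];

function build_gateway_fields(array $post, array $secrets): array
{
    $fields = [];
    foreach (CUSTOMER_FIELDS as $name) {
        if (!isset($post[$name]) || !is_string($post[$name]) || $post[$name] === '') {
            throw new InvalidArgumentException("missing field: $name");
        }
        $fields[$name] = $post[$name];
    }
    // Credentials are merged in on the server and never written into HTML.
    $fields['loginID']  = $secrets['loginID'];
    $fields['password'] = $secrets['password'];
    return $fields;
}

function post_to_gateway(string $url, array $fields): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true, // response returns to PHP, not the browser
        CURLOPT_SSL_VERIFYPEER => true, // verify the gateway's certificate
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT => 30,
    ]);
    $response = curl_exec($ch);
    if ($response === false) {
        throw new RuntimeException('gateway request failed: ' . curl_error($ch));
    }
    return $response;
}

// Constructed sample standing in for $_POST, including a client-supplied loginID
// that must not replace the merchant's value.
$samplePost = ['card_number' => '4111111111111111', 'exp_date' => '1205',
               'amount' => '19.99', 'loginID' => 'from-browser'];
$secrets = ['loginID' => getenv('AIM_LOGIN_ID') ?: 'placeholder-login',
            'password' => getenv('AIM_PASSWORD') ?: 'placeholder-password'];
$fields = build_gateway_fields($samplePost, $secrets);
echo $fields['loginID'] === $secrets['loginID'] ? "merchant loginID used\n" : "overridden\n";
// Live handler: $response = post_to_gateway(GATEWAY_URL, $fields); parse it, then render the result page.
```

As written the script only builds the field set and makes no network request; the gateway call is left as the final comment.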




