I am trying to integrate payment gateway on my website. There are three courses each having different prices. I am passing the value of the amount and package to form.php and i have made the input fields to readonly but the user can still change the amount in inspect element and make it 0 and pass on the value and get the course for free. How can i stop user from changing the value? or is there any other way to pass the value? or encrypt it and then decrypt it again?
here is my code index.php
JavaScript
x
<div id="outer"> <div class="box"> <h4>Rs. 9,900/-</h4> <ul> <li>2-Days Classroom Training</li> <li>E-Learning Course</li> </ul> <form action="form.php" method="post"> <input type="hidden" name="amount" value="9900" readonly="readonly"> <input type="hidden" name="package" value="basic" readonly="readonly"> <input type="submit" name="BUY NOW" value="BUY NOW"> </form> </div> <div class="box"> <h4>Rs. 11,900/-</h4> <ul> <li>4-Days Classroom Training</li> <li>E-Learning Course</li> </ul> <form action="form.php" method="post"> <input type="hidden" name="amount" value="11900" readonly="readonly"> <input type="hidden" name="package" value="standard" readonly="readonly"> <input type="submit" name="BUY NOW" value="BUY NOW"> </form> </div> <div class="box"> <h4>Rs. 14,900/-</h4> <ul> <li>4-Days Classroom Training</li> <li>E-Learning Course</li> <li>5 Hours Personal Session With The Trainer</li> </ul> <form action="form.php" method="post"> <input type="hidden" name="amount" value="14900" readonly="readonly"> <input type="hidden" name="package" value="pro" readonly="readonly"> <input type="submit" name="BUY NOW" value="BUY NOW"> </form> </div> </div>form.php
JavaScript
<body> <?php if (isset($_POST['amount']) && isset($_POST['package'])) { $amount = $_POST['amount']; $package = $_POST['package']; } ?><div><table> <form name="postForm" action="form_process.php" method="POST" > <tr><td>txnid</td><td><input type="text" name="txnid" readonly="readonly" value="<?php echo $txnid=time().rand(1000,99999); ?>" /></td></tr> <tr><td>amount</td><td><input type="text" name="amount" readonly="readonly" value="<?php echo $amount; ?>" /></td></tr> <tr><td>firstname</td><td><input type="text" name="firstname" value="" /></td></tr> <tr><td>email</td><td><input type="text" name="email" value="" /></td></tr> <tr><td>phone</td><td><input type="text" name="phone" value="" /></td></tr> <tr><td>Package</td><td><input type="text" name="productinfo" readonly="readonly" value="<?php echo $package; ?>"/></td></tr> <tr><td colspan="3"><input type="hidden" name="service_provider" value="payu_paisa" size="64" /></td></tr> <tr><td><input type="hidden" name="surl" value="http://localhost/payment/success.php" size="64" readonly="readonly" /></td></tr> <tr><td><input type="hidden" name="furl" value="http://localhost/payment/failure.php" size="64" readonly="readonly" /></td></tr> <tr><td><input type="submit" /></td><td><input type="reset" /></td></tr> </form></table></div></body>form_process.php
JavaScript
<script> function submitForm() { var postForm = document.forms.postForm; postForm.submit(); }</script></head><?php if(!isset($_POST['firstname'])){header("location: form.php");}// Change the Merchant key here as provided by Payumoney$MERCHANT_KEY = "Bm2pCkYO";// Change the Merchant Salt as provided by Payumoney$SALT = "zqLhSo9FTL"; $firstname =$_POST['firstname']; $email =$_POST['email']; $phone =$_POST['phone']; $productinfo =$_POST['productinfo']; $service_provider =$_POST['service_provider']; $amount =$_POST['amount']; $txnid =$_POST['txnid']; $productinfo =$_POST['productinfo']; $surl =$_POST['surl']; $furl =$_POST['furl']; //$ =$_POST['']; $hashseq=$MERCHANT_KEY.'|'.$txnid.'|'.$amount.'|'.$productinfo.'|'.$firstname.'|'.$email.'|||||||||||'.$SALT; $hash =strtolower(hash("sha512", $hashseq)); ?><body onload="submitForm();"><div><h2>Payment Gateway Testing Sample</h2><table><tr><td>Transaction Id</td><td><strong><?php echo $_POST['txnid']; ?></strong></td><td>Amount: </td><td><strong>Rs. <?php echo $_POST['amount']; ?></strong></td></table><div ><p>In this page we will genrate hash and send it to payumoney.</p><br><p>Please be patient. this process might take some time,<br />please do not hit refresh or browser back button or close this window</p></div></div><div> <form name="postForm" action="https://sandboxsecure.payu.in/_payment" method="POST" > <input type="hidden" name="key" value="<?php echo $MERCHANT_KEY; ?>" /> <input type="hidden" name="hash" value="<?php echo $hash; ?>"/> <input type="hidden" name="txnid" value="<?php echo $_POST['txnid']; ?>" /> <input type="hidden" name="amount" value="<?php echo $_POST['amount']; ?>" /> <input type="hidden" name="firstname" value="<?php echo $_POST['firstname']; ?>" /> <input type="hidden" name="email" value="<?php echo $_POST['email']; ?>" /> <input type="hidden" name="phone" value="<?php echo $_POST['phone']; ?>" /> <input type="hidden" name="productinfo" value="<?php echo $_POST['productinfo']; ?>" /> <input type="hidden" name="service_provider" value="payu_paisa" size="64" /> <input type="hidden" name="surl" value="<?php echo $_POST['surl']; ?>" /> <input type="hidden" name="furl" value="<?php echo $_POST['furl']; ?>" /> </form></div></body>success.php
JavaScript
<body> <script>var time = 5;setInterval(function() { var seconds = time % 60; var minutes = (time - seconds) / 60; if (seconds.toString().length == 1) { seconds = "0" + seconds; } if (minutes.toString().length == 1) { minutes = "0" + minutes; } document.getElementById("time").innerHTML = minutes + ":" + seconds; time--; if (time == 0) { window.location.href = "index.php"; }}, 1000);</script> <div> <h2>Payment Success</h2> </div> <div> <?php if(isset($_POST['status'])){ if($_POST['status']=="success"){ echo "<p>Payment Done Successfully.<br>Details Are Below.</p>"; echo "<p>Txn Id: ".$_POST['txnid']."</p>"; echo "<p>Name: ".$_POST['firstname']."</p>"; echo "<p>Email: ".$_POST['email']."</p>"; echo "<p>Amount: ".$_POST['amount']."</p>"; echo "<p>Phone No: ".$_POST['phone']."</p>"; echo "<p>Product Info: ".$_POST['productinfo']."</p>"; echo "<p>encryptedPaymentId: ".$_POST['encryptedPaymentId']."</p>"; } } ?> </div> <div>Redirecting to home page in <span id="time"></span></div>Advertisement
Answer
Never let the user send the price. Each course has an ID. Let’s assume this:
course 1, has ID = 1, price = 499, name = 2-Days Classroom Training
course 2, has ID = 2, price = 999, name = 4-Days Classroom Training
On your payment page, inside <forms> send only course_id = X.
On the PHP script which receives the request you know that course_id = X has price = Y… This is the price you will charge.
JavaScript
// index.php<form action="form.php" method="post"> <input type="hidden" name="course_id" value="1" readonly="readonly"> <label> 2-days learning course </label> <input type="submit" name="BUY NOW" value="BUY NOW"></form>//form.phpif (isset($_POST['course_id']){ if ($_POST['course_id'] == 1){ $ammount = 499; }} else { echo 'invalid request'; exit();}