
Prevent users from changing amount charged on payment page

I am trying to integrate a payment gateway on my website. There are three courses, each having a different price. I am passing the value of the amount and package to form.php, and I have made the input fields readonly, but the user can still change the amount in Inspect Element, make it 0, pass on the value and get the course for free. How can I stop the user from changing the value? Or is there any other way to pass the value? Or encrypt it and then decrypt it again?

Here is my code. index.php:

<div id="outer">
        <div class="box">
            <h4>Rs. 9,900/-</h4>
            <ul>
                <li>2-Days Classroom Training</li>
                <li>E-Learning Course</li>
            </ul>
            <form action="form.php" method="post">
                <input type="hidden" name="amount" value="9900" readonly="readonly">
                <input type="hidden" name="package" value="basic" readonly="readonly">
                <input type="submit" name="BUY NOW" value="BUY NOW">
            </form>
        </div>
        <div class="box">
            <h4>Rs. 11,900/-</h4>
            <ul>
                <li>4-Days Classroom Training</li>
                <li>E-Learning Course</li>
            </ul>
            <form action="form.php" method="post">
                <input type="hidden" name="amount" value="11900" readonly="readonly">
                <input type="hidden" name="package" value="standard" readonly="readonly">
                <input type="submit" name="BUY NOW" value="BUY NOW">
            </form> 
        </div>
        <div class="box">
            <h4>Rs. 14,900/-</h4>
            <ul>
                <li>4-Days Classroom Training</li>
                <li>E-Learning Course</li>
                <li>5 Hours Personal Session With The Trainer</li>
            </ul>
            <form action="form.php" method="post">
                <input type="hidden" name="amount" value="14900" readonly="readonly">
                <input type="hidden" name="package" value="pro" readonly="readonly">
                <input type="submit" name="BUY NOW" value="BUY NOW">
            </form>
        </div>
    </div>

form.php

<body>
    <?php
        if (isset($_POST['amount']) && isset($_POST['package'])) {
            $amount = $_POST['amount'];
            $package = $_POST['package'];
        } else {
            // Nothing to show without the selection from index.php
            echo 'invalid request'; exit;
        }
        // Escape values before echoing them into attributes
        function e($v) { return htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8'); }
        // Transaction id (time + random suffix) generated on the server
        $txnid = time() . rand(1000, 99999);
    ?>

<div>
<table>
    <form name="postForm" action="form_process.php" method="POST" >
    <tr><td>txnid</td><td><input type="text" name="txnid" readonly="readonly" value="<?php echo e($txnid); ?>" /></td></tr>
    <tr><td>amount</td><td><input type="text" name="amount" readonly="readonly" value="<?php echo e($amount); ?>" /></td></tr>
    <tr><td>firstname</td><td><input type="text" name="firstname" value="" /></td></tr>
    <tr><td>email</td><td><input type="text" name="email" value="" /></td></tr>
    <tr><td>phone</td><td><input type="text" name="phone" value="" /></td></tr>
    <tr><td>Package</td><td><input type="text" name="productinfo" readonly="readonly" value="<?php echo e($package); ?>"/></td></tr>
    <tr><td colspan="3"><input type="hidden" name="service_provider" value="payu_paisa" size="64" /></td></tr>
    <tr><td><input type="hidden" name="surl" value="http://localhost/payment/success.php" size="64" readonly="readonly" /></td></tr>
    <tr><td><input type="hidden" name="furl" value="http://localhost/payment/failure.php" size="64" readonly="readonly" /></td></tr>
    <tr><td><input type="submit" /></td><td><input type="reset" /></td></tr>
    </form>
</table>
</div>
</body>

form_process.php

<head>
<script>
    function submitForm() {
      var postForm = document.forms.postForm;
      postForm.submit();
    }
</script>
</head>
<?php 
// Without the details from form.php there is nothing to hash; send the user back
if(!isset($_POST['firstname'])){header("location: form.php"); exit;}

// Change the Merchant key here as provided by Payumoney
$MERCHANT_KEY = "Bm2pCkYO";

// Change the Merchant Salt as provided by Payumoney
$SALT = "zqLhSo9FTL";

// Escape values before echoing them back into the page
function e($v) { return htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8'); }

    $firstname =$_POST['firstname'];
    $email =$_POST['email'];
    $phone =$_POST['phone'];
    $productinfo =$_POST['productinfo'];
    $service_provider =$_POST['service_provider'];
    $amount =$_POST['amount'];
    $txnid =$_POST['txnid'];
    $surl =$_POST['surl'];
    $furl =$_POST['furl'];

    // Request hash: key|txnid|amount|productinfo|firstname|email|udf1..udf5||||||SALT
    $hashseq=$MERCHANT_KEY.'|'.$txnid.'|'.$amount.'|'.$productinfo.'|'.$firstname.'|'.$email.'|||||||||||'.$SALT;
    $hash =strtolower(hash("sha512", $hashseq)); 

?>

<body onload="submitForm();">

<div>
<h2>Payment Gateway Testing Sample</h2>
<table>
<tr><td>Transaction Id</td><td><strong><?php echo e($txnid); ?></strong></td><td>Amount: </td><td><strong>Rs. <?php echo e($amount); ?></strong></td></tr>
</table>
<div >
<p>In this page we will generate the hash and send it to payumoney.</p>
<br>
<p>Please be patient. This process might take some time,<br />please do not hit refresh or the browser back button, or close this window.</p>
</div>
</div>

<div>
    <form name="postForm" action="https://sandboxsecure.payu.in/_payment" method="POST" >
        <input type="hidden" name="key" value="<?php echo e($MERCHANT_KEY); ?>" />
        <input type="hidden" name="hash" value="<?php echo e($hash); ?>"/>
        <input type="hidden" name="txnid" value="<?php echo e($txnid); ?>" />
        <input type="hidden" name="amount" value="<?php echo e($amount); ?>" />
        <input type="hidden" name="firstname" value="<?php echo e($firstname); ?>" />
        <input type="hidden" name="email" value="<?php echo e($email); ?>" />
        <input type="hidden" name="phone" value="<?php echo e($phone); ?>" />
        <input type="hidden" name="productinfo" value="<?php echo e($productinfo); ?>" />
        <input type="hidden" name="service_provider" value="payu_paisa" size="64" />
        <input type="hidden" name="surl" value="<?php echo e($surl); ?>" />
        <input type="hidden" name="furl" value="<?php echo e($furl); ?>" />
    </form>
</div>
</body>

success.php

<body>
    <script>var time = 5;
setInterval(function() {
  var seconds = time % 60;
  var minutes = (time - seconds) / 60;
  if (seconds.toString().length == 1) {
    seconds = "0" + seconds;
  }
  if (minutes.toString().length == 1) {
    minutes = "0" + minutes;
  }
  document.getElementById("time").innerHTML = minutes + ":" + seconds;
  time--;
  if (time == 0) {
    window.location.href = "index.php";
  }
}, 1000);
</script>

    <div>
        <h2>Payment Success</h2>
    </div>

    <div>
        <?php 
            // Escape gateway-supplied values before echoing them
            function e($v) { return htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8'); }

            if(isset($_POST['status'])){
                if($_POST['status']=="success"){
                    echo "<p>Payment Done Successfully.<br>Details Are Below.</p>";
                    echo "<p>Txn Id: ".e($_POST['txnid'])."</p>";
                    echo "<p>Name: ".e($_POST['firstname'])."</p>";
                    echo "<p>Email: ".e($_POST['email'])."</p>";
                    echo "<p>Amount: ".e($_POST['amount'])."</p>";
                    echo "<p>Phone No: ".e($_POST['phone'])."</p>";
                    echo "<p>Product Info: ".e($_POST['productinfo'])."</p>";
                    echo "<p>encryptedPaymentId: ".e($_POST['encryptedPaymentId'] ?? '')."</p>";
                }
            }

            ?>
    </div>
    <div>Redirecting to home page in <span id="time"></span></div>
</body>


Answer

Never let the user send the price. Each course has an ID. Let’s assume this:
course 1, has ID = 1, price = 499, name = 2-Days Classroom Training
course 2, has ID = 2, price = 999, name = 4-Days Classroom Training

On your payment page, inside the <form>, send only course_id = X.

On the PHP script which receives the request, you know that course_id = X has price = Y... This is the price you will charge.

// index.php
<form action="form.php" method="post">
    <input type="hidden" name="course_id" value="1">
    <label>
        2-days learning course
    </label>
    <input type="submit" name="BUY NOW" value="BUY NOW">
</form>


//form.php
// The price table lives on the server; the client only names the course
$prices = [1 => 499, 2 => 999];

if (isset($_POST['course_id']) && isset($prices[$_POST['course_id']])) {
    $amount = $prices[$_POST['course_id']];
} else {
    // Unknown or missing course id: never fall through with a client-chosen amount
    echo 'invalid request'; exit();
}
User contributions licensed under: CC BY-SA
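As an added example (not the asker's or the answerer's code), the lookup from the answer carried through the PayU flow shown in the question: the server owns the price table and the txnid, builds the request hash from its own values, and then checks the hash and the amount on the callback that success.php above accepts on `status=success` alone. The merchant key and salt, the course table and the customer details are placeholders; the response-hash layout is the one from PayU's integration documentation and should be confirmed against the version being integrated.

```php
<?php
// Added example, not the original poster's or answerer's code. Browser sends
// only a course id; the server sets amount, productinfo and txnid, signs the
// request, and verifies the gateway's callback. MERCHANT_KEY, MERCHANT_SALT,
// COURSES and the customer data below are placeholders.
declare(strict_types=1);

const MERCHANT_KEY  = 'merchant-key-placeholder';
const MERCHANT_SALT = 'merchant-salt-placeholder';

// The price table lives here, never in a form field.
const COURSES = [
    'basic'    => ['amount' => 9900,  'info' => '2-Days Classroom Training'],
    'standard' => ['amount' => 11900, 'info' => '4-Days Classroom Training'],
    'pro'      => ['amount' => 14900, 'info' => '4-Days Classroom Training + Personal Session'],
];

// Fields that form_process.php should post to the gateway, or null when the
// course id is not one we sell. Only course_id and the customer details come
// from the browser; amount, productinfo and txnid are decided here.
function build_payment_request(string $courseId, string $firstname, string $email, string $phone): ?array
{
    if (!array_key_exists($courseId, COURSES)) {
        return null;
    }
    $course = COURSES[$courseId];
    $amount = number_format($course['amount'], 2, '.', '');   // e.g. "9900.00"
    $txnid  = bin2hex(random_bytes(8));                        // unguessable, unlike time().rand()

    // Same request-hash layout as the question's form_process.php:
    // key|txnid|amount|productinfo|firstname|email|udf1..udf5||||||SALT
    $seq = implode('|', [MERCHANT_KEY, $txnid, $amount, $course['info'], $firstname, $email])
         . '|||||||||||' . MERCHANT_SALT;

    return [
        'key' => MERCHANT_KEY, 'txnid' => $txnid, 'amount' => $amount,
        'productinfo' => $course['info'], 'firstname' => $firstname,
        'email' => $email, 'phone' => $phone, 'hash' => hash('sha512', $seq),
    ];
}

// Check the gateway's POST to success.php. $expected is the txnid/amount/
// productinfo we stored server-side (session or DB row) before redirecting;
// the posted amount is never trusted on its own, even when it comes back signed.
// Response-hash layout per PayU's integration docs (confirm for your version):
// SALT|status||||||udf5|udf4|udf3|udf2|udf1|email|firstname|productinfo|amount|txnid|key
function verify_payment_response(array $post, array $expected): bool
{
    foreach (['status', 'txnid', 'amount', 'productinfo', 'firstname', 'email', 'hash'] as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            return false;                                 // a bare status=success ends here
        }
    }
    $seq = implode('|', array_merge(
        [MERCHANT_SALT, $post['status']],
        array_fill(0, 10, ''),                            // 5 unused slots + udf5..udf1, all empty
        [$post['email'], $post['firstname'], $post['productinfo'], $post['amount'], $post['txnid'], MERCHANT_KEY]
    ));
    if (!hash_equals(hash('sha512', $seq), strtolower($post['hash']))) {
        return false;                                     // not signed with our salt: forged or altered
    }
    return $post['status'] === 'success'
        && hash_equals($expected['txnid'], $post['txnid'])
        && number_format((float) $post['amount'], 2, '.', '') === $expected['amount']
        && $post['productinfo'] === $expected['productinfo'];
}

// Stand-in for the gateway used only in this walk-through: signs a callback
// the way the documented response hash describes.
function simulated_gateway_callback(array $req, string $status): array
{
    $seq = implode('|', array_merge(
        [MERCHANT_SALT, $status], array_fill(0, 10, ''),
        [$req['email'], $req['firstname'], $req['productinfo'], $req['amount'], $req['txnid'], MERCHANT_KEY]
    ));
    return array_merge($req, ['status' => $status, 'hash' => hash('sha512', $seq)]);
}

// --- constructed walk-through, no gateway involved ---
var_dump(build_payment_request('free-course', 'A', 'a@example.com', '1'));      // unknown id is rejected

$req = build_payment_request('basic', 'Asha', 'asha@example.com', '9999999999');
// What we remember about this transaction; the browser never sees the price.
$pending = [$req['txnid'] => ['txnid' => $req['txnid'], 'amount' => $req['amount'], 'productinfo' => $req['productinfo']]];

$callback = simulated_gateway_callback($req, 'success');
var_dump(verify_payment_response($callback, $pending[$callback['txnid']]));     // genuine callback

$tampered = $callback;
$tampered['amount'] = '0.00';                                                    // edited on the way back; the hash covers it
var_dump(verify_payment_response($tampered, $pending[$callback['txnid']]));

$forged = ['status' => 'success', 'txnid' => $req['txnid'], 'amount' => '9900.00'];   // what success.php above accepts today
var_dump(verify_payment_response($forged, $pending[$req['txnid']]));
```

The point of keeping `$pending` server-side is that the hash only proves the gateway saw the fields it echoes back; comparing them with what was stored before the redirect is what proves the course was paid for at its real price.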