I am trying to integrate a payment gateway on my website. There are three courses, each with a different price. I am passing the value of the amount and the package to form.php,
and I have made the input fields read-only, but the user can still change the amount in inspect element, set it to 0, pass on the value and get the course for free. How can I stop the user from changing the value? Or is there another way to pass the value? Or encrypt it and then decrypt it again?
Here is my code.

index.php:

```html
<div id="outer">
  <div class="box">
    <h4>Rs. 9,900/-</h4>
    <ul>
      <li>2-Days Classroom Training</li>
      <li>E-Learning Course</li>
    </ul>
    <form action="form.php" method="post">
      <input type="hidden" name="amount" value="9900" readonly="readonly">
      <input type="hidden" name="package" value="basic" readonly="readonly">
      <input type="submit" name="BUY NOW" value="BUY NOW">
    </form>
  </div>
  <div class="box">
    <h4>Rs. 11,900/-</h4>
    <ul>
      <li>4-Days Classroom Training</li>
      <li>E-Learning Course</li>
    </ul>
    <form action="form.php" method="post">
      <input type="hidden" name="amount" value="11900" readonly="readonly">
      <input type="hidden" name="package" value="standard" readonly="readonly">
      <input type="submit" name="BUY NOW" value="BUY NOW">
    </form>
  </div>
  <div class="box">
    <h4>Rs. 14,900/-</h4>
    <ul>
      <li>4-Days Classroom Training</li>
      <li>E-Learning Course</li>
      <li>5 Hours Personal Session With The Trainer</li>
    </ul>
    <form action="form.php" method="post">
      <input type="hidden" name="amount" value="14900" readonly="readonly">
      <input type="hidden" name="package" value="pro" readonly="readonly">
      <input type="submit" name="BUY NOW" value="BUY NOW">
    </form>
  </div>
</div>
```
form.php:

```php
<body>
<?php
// amount and package are taken straight from the POST body, so whatever the
// browser sends (including a tampered amount) is accepted here as-is.
if (isset($_POST['amount']) && isset($_POST['package'])) {
    $amount  = $_POST['amount'];
    $package = $_POST['package'];
}
?>
<div>
  <form name="postForm" action="form_process.php" method="POST">
    <table>
      <tr><td>txnid</td><td><input type="text" name="txnid" readonly="readonly" value="<?php echo $txnid = time().rand(1000, 99999); ?>" /></td></tr>
      <tr><td>amount</td><td><input type="text" name="amount" readonly="readonly" value="<?php echo $amount; ?>" /></td></tr>
      <tr><td>firstname</td><td><input type="text" name="firstname" value="" /></td></tr>
      <tr><td>email</td><td><input type="text" name="email" value="" /></td></tr>
      <tr><td>phone</td><td><input type="text" name="phone" value="" /></td></tr>
      <tr><td>Package</td><td><input type="text" name="productinfo" readonly="readonly" value="<?php echo $package; ?>" /></td></tr>
      <tr><td colspan="3"><input type="hidden" name="service_provider" value="payu_paisa" size="64" /></td></tr>
      <tr><td><input type="hidden" name="surl" value="http://localhost/payment/success.php" size="64" readonly="readonly" /></td></tr>
      <tr><td><input type="hidden" name="furl" value="http://localhost/payment/failure.php" size="64" readonly="readonly" /></td></tr>
      <tr><td><input type="submit" /></td><td><input type="reset" /></td></tr>
    </table>
  </form>
</div>
</body>
```
form_process.php:

```php
<?php
// The redirect has to happen before any output is sent, so the PHP block
// comes first (header() fails once the <script> tag has been echoed).
if (!isset($_POST['firstname'])) {
    header("Location: form.php");
    exit;
}

// Change the Merchant key here as provided by Payumoney
$MERCHANT_KEY = "Bm2pCkYO";
// Change the Merchant Salt as provided by Payumoney
$SALT = "zqLhSo9FTL";

$firstname        = $_POST['firstname'];
$email            = $_POST['email'];
$phone            = $_POST['phone'];
$productinfo      = $_POST['productinfo'];
$service_provider = $_POST['service_provider'];
$amount           = $_POST['amount'];   // still whatever the browser posted
$txnid            = $_POST['txnid'];
$surl             = $_POST['surl'];
$furl             = $_POST['furl'];

// Hash over the values received from the browser; a tampered amount is
// hashed (and therefore accepted by the gateway) just like a genuine one.
$hashseq = $MERCHANT_KEY.'|'.$txnid.'|'.$amount.'|'.$productinfo.'|'.$firstname.'|'.$email.'|||||||||||'.$SALT;
$hash    = strtolower(hash("sha512", $hashseq));
?>
<html>
<head>
<script>
function submitForm() {
    var postForm = document.forms.postForm;
    postForm.submit();
}
</script>
</head>
<body onload="submitForm();">
<div>
  <h2>Payment Gateway Testing Sample</h2>
  <table>
    <tr>
      <td>Transaction Id</td><td><strong><?php echo $_POST['txnid']; ?></strong></td>
      <td>Amount: </td><td><strong>Rs. <?php echo $_POST['amount']; ?></strong></td>
    </tr>
  </table>
  <div>
    <p>In this page we will generate the hash and send it to payumoney.</p>
    <br>
    <p>Please be patient. This process might take some time,<br />please do not hit refresh or the browser back button or close this window</p>
  </div>
</div>
<div>
  <form name="postForm" action="https://sandboxsecure.payu.in/_payment" method="POST">
    <input type="hidden" name="key" value="<?php echo $MERCHANT_KEY; ?>" />
    <input type="hidden" name="hash" value="<?php echo $hash; ?>" />
    <input type="hidden" name="txnid" value="<?php echo $_POST['txnid']; ?>" />
    <input type="hidden" name="amount" value="<?php echo $_POST['amount']; ?>" />
    <input type="hidden" name="firstname" value="<?php echo $_POST['firstname']; ?>" />
    <input type="hidden" name="email" value="<?php echo $_POST['email']; ?>" />
    <input type="hidden" name="phone" value="<?php echo $_POST['phone']; ?>" />
    <input type="hidden" name="productinfo" value="<?php echo $_POST['productinfo']; ?>" />
    <input type="hidden" name="service_provider" value="payu_paisa" size="64" />
    <input type="hidden" name="surl" value="<?php echo $_POST['surl']; ?>" />
    <input type="hidden" name="furl" value="<?php echo $_POST['furl']; ?>" />
  </form>
</div>
</body>
</html>
```
success.php:

```php
<body>
<script>
var time = 5;
setInterval(function() {
    var seconds = time % 60;
    var minutes = (time - seconds) / 60;
    if (seconds.toString().length == 1) { seconds = "0" + seconds; }
    if (minutes.toString().length == 1) { minutes = "0" + minutes; }
    document.getElementById("time").innerHTML = minutes + ":" + seconds;
    time--;
    if (time == 0) { window.location.href = "index.php"; }
}, 1000);
</script>
<div>
  <h2>Payment Success</h2>
</div>
<div>
<?php
// Every value below comes from the POST the browser delivers and is echoed
// unescaped; nothing here verifies that the POST actually came from the gateway.
if (isset($_POST['status'])) {
    if ($_POST['status'] == "success") {
        echo "<p>Payment Done Successfully.<br>Details Are Below.</p>";
        echo "<p>Txn Id: ".$_POST['txnid']."</p>";
        echo "<p>Name: ".$_POST['firstname']."</p>";
        echo "<p>Email: ".$_POST['email']."</p>";
        echo "<p>Amount: ".$_POST['amount']."</p>";
        echo "<p>Phone No: ".$_POST['phone']."</p>";
        echo "<p>Product Info: ".$_POST['productinfo']."</p>";
        echo "<p>encryptedPaymentId: ".$_POST['encryptedPaymentId']."</p>";
    }
}
?>
</div>
<div>Redirecting to home page in <span id="time"></span></div>
</body>
```
Never let the user send the price. Each course has an ID. Let’s assume this:
course 1, has ID = 1, price = 499, name = 2-Days Classroom Training
course 2, has ID = 2, price = 999, name = 4-Days Classroom Training
On your payment page, inside the `<form>`, send only `course_id = X`.
On the PHP script which receives the request, you know that `course_id = X` has `price = Y`.
This is the price you will charge.
index.php:

```html
<form action="form.php" method="post">
    <input type="hidden" name="course_id" value="1">
    <label>2-days learning course</label>
    <input type="submit" name="BUY NOW" value="BUY NOW">
</form>
```

form.php:

```php
<?php
// The price is decided here, on the server; the request only carries the id.
if (isset($_POST['course_id']) && $_POST['course_id'] == 1) {
    $amount = 499;
} else {
    echo 'invalid request';
    exit();
}
```
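The following is an added example, not code from the question or from the answer above. It carries the answer's idea through to the step where the question's form_process.php computes the PayU hash: the browser supplies only a course id and the buyer's details, and the amount and product name that go into the hash are taken from a server-side catalogue. The course ids, names, prices, URLs and the `YOUR_MERCHANT_KEY` / `YOUR_SALT` placeholders are illustrative assumptions; the hash sequence is the one used in the question's own form_process.php.

```php
<?php
// Added example, not code from the question or from the answer above.
// Everything that affects the charge is derived on the server from a
// course id; the hash is computed over the server-side price. Course ids,
// names, prices, URLs and the key/salt placeholders are illustrative.
declare(strict_types=1);

// The single source of truth for prices (placeholder values).
const COURSES = [
    'basic'    => ['amount' => '9900',  'name' => '2-Days Classroom Training'],
    'standard' => ['amount' => '11900', 'name' => '4-Days Classroom Training'],
    'pro'      => ['amount' => '14900', 'name' => '4-Days Classroom Training + Personal Session'],
];

/**
 * Map a client-supplied course id to a catalogue entry, or null if it is
 * not exactly one of the known keys. A tampered id can never yield a price.
 */
function lookupCourse($courseId): ?array
{
    if (!is_string($courseId)) {
        return null;
    }
    return COURSES[$courseId] ?? null;
}

/**
 * HTML for one buy button (what index.php would emit). Only the course id
 * travels to the browser; the displayed price is informational and is
 * never read back from the request.
 */
function renderBuyForm(string $courseId): string
{
    $course = lookupCourse($courseId);
    if ($course === null) {
        throw new InvalidArgumentException("unknown course $courseId");
    }
    $id    = htmlspecialchars($courseId, ENT_QUOTES, 'UTF-8');
    $label = htmlspecialchars("{$course['name']} - Rs. {$course['amount']}/-", ENT_QUOTES, 'UTF-8');
    return "<form action=\"form.php\" method=\"post\">\n"
         . "  <input type=\"hidden\" name=\"course_id\" value=\"$id\">\n"
         . "  <label>$label</label>\n"
         . "  <input type=\"submit\" value=\"BUY NOW\">\n"
         . "</form>\n";
}

/**
 * Build the fields for the gateway form (what form_process.php would do).
 * The browser contributes course_id and the buyer's details; amount,
 * productinfo, txnid, surl and furl are all generated here.
 */
function buildPaymentRequest(array $post, string $merchantKey, string $salt, string $baseUrl): array
{
    $course = lookupCourse($post['course_id'] ?? null);
    if ($course === null) {
        throw new InvalidArgumentException('invalid course_id');
    }
    foreach (['firstname', 'email', 'phone'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            throw new InvalidArgumentException("missing $field");
        }
    }

    $fields = [
        'key'              => $merchantKey,
        'txnid'            => bin2hex(random_bytes(12)), // 24 random hex chars, not time().rand()
        'amount'           => $course['amount'],         // from the catalogue, never from $post
        'productinfo'      => $course['name'],
        'firstname'        => $post['firstname'],
        'email'            => $post['email'],
        'phone'            => $post['phone'],
        'surl'             => $baseUrl . '/success.php',
        'furl'             => $baseUrl . '/failure.php',
        'service_provider' => 'payu_paisa',
    ];

    // Same hash sequence as the question's form_process.php, now fed with
    // the server-derived amount and productinfo.
    $hashSeq = $fields['key'] . '|' . $fields['txnid'] . '|' . $fields['amount'] . '|'
             . $fields['productinfo'] . '|' . $fields['firstname'] . '|' . $fields['email']
             . '|||||||||||' . $salt;
    $fields['hash'] = hash('sha512', $hashSeq);
    return $fields;
}

// Demo with constructed input: the client also posts amount=0, which is ignored.
$tampered = [
    'course_id' => 'basic',
    'amount'    => '0',
    'firstname' => 'Test',
    'email'     => 'test@example.com',
    'phone'     => '9999999999',
];
$request = buildPaymentRequest($tampered, 'YOUR_MERCHANT_KEY', 'YOUR_SALT', 'https://localhost/payment');
assert($request['amount'] === '9900');
echo "amount sent to gateway: {$request['amount']}\n";

// An unknown id (for example a forged "0") is rejected before any hash is made.
try {
    buildPaymentRequest(['course_id' => '0'] + $tampered, 'YOUR_MERCHANT_KEY', 'YOUR_SALT', 'https://localhost/payment');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

With this shape, the intermediate form.php in the question no longer needs a hidden `amount` field at all: it collects the buyer's name, email and phone and passes `course_id` through, and the price is re-derived from the catalogue at the moment the hash is built. The same principle applies to success.php: the POST that lands there is also delivered by the browser, so `status=success` on its own proves nothing. Verify the response hash the gateway sends back, as described in PayU's documentation, and match the `txnid` against the order you recorded before you grant access to the course.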