
I'm trying to submit data to WorldPay's payment gateway. I'm currently doing this (successfully) by building up a query string (payment ID, amount, customer details, etc.) and concatenating them to WorldPay's base URL, like so:

https://secure-test.worldpay.com/wcc/purchase?instId=12345&testMode=100&amount=999

...and then doing a standard Response.Redirect([above_url]).

This works as intended, but I'm concerned that exposing this information in the query string is likely to encourage people to attack it (e.g. changing the "amount" key to, say, "1"!).

WorldPay's examples only go as far as providing a basic HTML form, but since the data is POSTed using this method, the above concern is never an issue. Unfortunately I'm required to do some pre-processing (order status updates, etc.) BEFORE redirecting the user to WorldPay to complete the payment, so I'm left wondering if this can be done programmatically?

I suspect I'm trying to do exactly the same as this question: Programmatically redirect the user to WorldPay's site, passing all the necessary payment details - without exposing the query string values.

Is this possible?


1 Answer


WorldPay support provided a solution. Digging through their source, it turns out they do what husnain_sys was suggesting:

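    // Build a page whose only job is to POST the hidden fields to the gateway on load.
    // AppendLineFormat is not a built-in StringBuilder method; it is assumed to be an
    // extension method (AppendFormat followed by AppendLine) defined elsewhere in the project.
    var formBuilder = new StringBuilder();
    formBuilder.AppendLine("<html><head>");
    formBuilder.AppendLineFormat("</head><body onload=\"document.{0}.submit()\">", formName);
    formBuilder.AppendLineFormat("<form name=\"{0}\" method=\"{1}\" action=\"{2}\" >", formName, Method.ToString(), Url);
    // One hidden input per key/value pair, HTML-encoded so values cannot break out of the attribute.
    for (int i = 0; i < _inputValues.Keys.Count; i++) {
        formBuilder.AppendLineFormat("<input name=\"{0}\" type=\"hidden\" value=\"{1}\">",
            HttpUtility.HtmlEncode(_inputValues.Keys[i]), HttpUtility.HtmlEncode(_inputValues[_inputValues.Keys[i]]));
    }
    formBuilder.AppendLine("</form>");
    formBuilder.AppendLine("</body></html>");

    // Replace whatever was queued for the response with the auto-submitting form.
    _httpContext.Response.Clear();
    _httpContext.Response.Write(formBuilder.ToString());
    _httpContext.Response.End();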

This still looks like a hack to me (surely a redirect shouldn't need to be done via JS?), but oh well - it works! Thanks everyone. I hope this helps someone else.

answered 2015-02-06T19:34:35.957
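Hidden form fields, like query string values, pass through the user's browser, so the amount that matters is the one stored during pre-processing. The following is an added example, not code from the post or from WorldPay: it checks a payment notification against the stored order before the order is marked as paid. The field names `cartId` and `currency`, the `PendingOrder` and `PaymentReconciler` types, and the sample values are assumptions, and the notification is assumed to have been authenticated as coming from the gateway before this check runs.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Globalization;

// Order as recorded by the pre-processing step, before the browser is sent to the gateway.
// (Hypothetical type for this example.)
record PendingOrder(string CartId, decimal Amount, string Currency);

static class PaymentReconciler
{
    // Returns null when the notification matches the stored order,
    // otherwise the reason it must not be marked as paid.
    public static string? Reject(NameValueCollection posted, IDictionary<string, PendingOrder> orders)
    {
        var cartId = posted["cartId"];                       // assumed field name
        if (cartId == null || !orders.TryGetValue(cartId, out var order))
            return "unknown cartId";
        if (!decimal.TryParse(posted["amount"], NumberStyles.AllowDecimalPoint,
                              CultureInfo.InvariantCulture, out var paid))
            return "amount missing or not numeric";
        if (paid != order.Amount)
            return $"amount mismatch: expected {order.Amount}, gateway reported {paid}";
        if (!string.Equals(posted["currency"], order.Currency, StringComparison.Ordinal))
            return "currency mismatch";                      // assumed field name
        return null;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample data: one stored order and two notifications for it.
        var orders = new Dictionary<string, PendingOrder>
        {
            ["ORDER-1001"] = new PendingOrder("ORDER-1001", 999m, "GBP")
        };
        var matching = new NameValueCollection
            { { "cartId", "ORDER-1001" }, { "amount", "999" }, { "currency", "GBP" } };
        var altered = new NameValueCollection
            { { "cartId", "ORDER-1001" }, { "amount", "1" }, { "currency", "GBP" } };

        Console.WriteLine(PaymentReconciler.Reject(matching, orders) ?? "accepted");
        Console.WriteLine(PaymentReconciler.Reject(altered, orders) ?? "accepted");
    }
}
```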