How to avoid GET parameter spoofing?
Good afternoon! There is a site where payment is linked to Yandex Money. After a successful payment, a redirect occurs to the controller (I use the Yii2 framework), which records through the model that the order has been paid. Parameters are passed to it via GET. Well, they can be changed. How to avoid it? Or maybe I'm doing it all wrong?
After a successful payment, a redirect occurs to the controller (I use the Yii2 framework), which records through the model that the order has been paid.
If the request came from a payment system, then there should be a hash field. How exactly it is formed, see the documentation for the payment gateway you are using, but in addition to the parameters, a secret word is always used, known only to you and the payment gateway. So if you change at least one parameter or at least one character in the secret word, the hash will not match and the request can be considered fake.
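The hash check described in the answer above, as an added example that is not part of the original answer or of any gateway's SDK. The field names, their order, the `&` separator, the `hash` parameter name and the use of SHA-256 are assumptions for illustration; the real ones come from the payment gateway's documentation.

```php
<?php
// Added example. SIGNED_FIELDS, the '&' separator and SHA-256 are assumed;
// replace them with what your payment gateway's documentation specifies.
const SIGNED_FIELDS = ['order_id', 'amount', 'currency', 'operation_id'];

// Recompute the hash from the received parameters plus the shared secret.
function expectedHash(array $params, string $secret): ?string
{
    $parts = [];
    foreach (SIGNED_FIELDS as $name) {
        // Every signed field must be present and a plain string
        // (not an array such as ?amount[]=1); otherwise reject.
        if (!isset($params[$name]) || !is_string($params[$name])) {
            return null;
        }
        $parts[] = $params[$name];
    }
    $parts[] = $secret; // known only to the site and the gateway
    return hash('sha256', implode('&', $parts));
}

function isGenuineNotification(array $params, string $secret): bool
{
    $expected = expectedHash($params, $secret);
    if ($expected === null || !isset($params['hash']) || !is_string($params['hash'])) {
        return false;
    }
    // hash_equals() compares in constant time, unlike == or ===.
    return hash_equals($expected, strtolower($params['hash']));
}

// Constructed sample data, not real payment values.
$secret = 'constructed-demo-secret';
$genuine = ['order_id' => '1042', 'amount' => '1500.00',
            'currency' => 'RUB', 'operation_id' => 'op-77'];
$genuine['hash'] = expectedHash($genuine, $secret);

$tampered = $genuine;
$tampered['order_id'] = '1043';   // one parameter changed after signing

$unsigned = $genuine;
unset($unsigned['hash']);         // hash field removed entirely

var_dump(isGenuineNotification($genuine, $secret));
var_dump(isGenuineNotification($tampered, $secret));
var_dump(isGenuineNotification($unsigned, $secret));
```

In a Yii2 controller, a check like this would run on the request parameters before the model records the order as paid, and the signed amount would then be compared with the amount stored for that order.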