Hey Guys,

I have a quick question. I want to make sure I am doing this right, according to my understanding of the PHP manual. Here's my question:

If I have an "address" input field for my form and a user inputs their address and then this information is passed to other PHP files to be validated and then sent to authorize.net... would this be the correct way to do it?

<input name="address" type="text"  size="40" maxlength="60" value="<? print $_REQUEST['address']; ?>">
diafol

Avoid $_REQUEST if possible as it picks up all manner of data besides form (post) variables. This form could be compromised via the querystring, e.g.

http://www.example.com/formhandler.php?address=mybadstring

If you're passing data to a third party site which sounds as though it's processing payment - your data must be secure.

Yeah that makes sense. So how would you go about this?

diafol

The site you're passing info to should have a heap of info on this. I couldn't begin to tell you which fields / level of security req'd.

Perhaps I got the wrong end of the stick, actually, thinking about it. As your form isn't passed directly to the 3rd party and hasn't undergone any validation - perhaps not too much of a problem. Forms aren't immune from 'cloning'/spoofing either, so the problem doesn't disappear with the use of $_POST as opposed to $_REQUEST. Some think that using $_SERVER variables can detect a bogus form, but I think HTTP headers can be spoofed too.

Anyway, I'm beginning to ramble... check out the vendor's site for advice.
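
An added example, not code from any poster in this thread: the address field from the question, read from the POST body only, checked on the server, and escaped before it is echoed back into the value attribute. The field name and the 60-character limit come from the question's form; the helper names and the validation rules are assumptions.

```php
<?php
// Added example. Helper names and validation rules are assumptions;
// "address" and the 60-character limit come from the form in the question.

/** Return the submitted address from the POST body only, or '' if absent. */
function submitted_address(array $post): string
{
    $value = $post['address'] ?? '';
    // address[]=x arrives as an array; treat anything non-string as empty.
    return is_string($value) ? trim($value) : '';
}

/** Server-side checks: the HTML maxlength attribute is only a browser hint. */
function address_errors(string $address): array
{
    $errors = [];
    if ($address === '') {
        $errors[] = 'Address is required.';
    }
    if (mb_strlen($address, 'UTF-8') > 60) {   // requires the mbstring extension
        $errors[] = 'Address must be 60 characters or fewer.';
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $address)) {   // assumed rule
        $errors[] = 'Address contains control characters.';
    }
    return $errors;
}

/** Escape a value for use inside a quoted HTML attribute or element text. */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$isPost  = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST';
$address = submitted_address($_POST);   // query-string values are never read
$errors  = $isPost ? address_errors($address) : [];
?>
<form method="post">
<?php foreach ($errors as $e): ?>
  <p class="error"><?= attr($e) ?></p>
<?php endforeach; ?>
  <input name="address" type="text" size="40" maxlength="60" value="<?= attr($address) ?>">
  <input type="submit" value="Continue">
</form>
```

Because a POST request can be forged as easily as a query string, the server-side checks run on every submission, and only a value that passes them should be forwarded to the payment step.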