#1 New to the CF scene (Join Date: Jul 2009, Location: Ireland, Posts: 6)

    Credit Card Processing

    I have recently been updating/improving a site for a company. I came across a part of their website that had a way of processing credit card details that just stood out to me as a security issue.

    Basically the system works by having an iFrame load, from a different domain, an https link that produces a form for the user to fill out and submit all their details. The details are personal information and credit card info.

    What stood out to me as the major issue here is that the page the iFrame was being loaded on had itself no security in place: it was not an https page but a standard http page.

    Am I wrong to think this is a backwards way of going about processing credit card details?

    Thanks in advance.

  • #2 Senior Coder CFMaBiSmAd (Join Date: Oct 2006, Location: Denver, Colorado USA, Posts: 2,958)
    As long as the action="..." of the form was using https:// and was using the post method, the actual form data was sent over an encrypted connection. That is what counts.

    By making the form itself requested using an https:// request, you avoid the security pop-up messages concerning mixing a form that was requested using only http with a form submission that is over https. The actual pages on the server or in the browser are not secure/non-secure. It is the connection to the web server over which the data flows that is made secure when https/ssl is used.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
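The reply above boils down to three checks on the markup: where the form's action points, which method it uses, and whether the frame and its parent share a scheme. The script below is an added example written for this thread, not code from either poster, and it runs those checks over constructed sample pages with the standard library's HTML parser. It also flags the case the thread is really about: an https frame embedded in an http parent. That parent page is itself unauthenticated in transit, so whoever can alter it can point the frame somewhere else, and the browser shows no padlock for it. The hostnames (insurer.example, pay.example, shop.example) are made up.

```python
"""Audit a page's forms and iframes for transport problems (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class FormAudit(HTMLParser):
    """Collects (element, url, problem) tuples for forms and iframes on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlparse(page_url).scheme
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._check_form(a)
        elif tag == "iframe":
            self._check_iframe(a)

    def _check_form(self, a):
        # A relative action inherits the page's own scheme, so resolve it first.
        action = urljoin(self.page_url, a.get("action", ""))
        method = (a.get("method") or "get").lower()
        if urlparse(action).scheme != "https":
            self.findings.append((
                "form", action,
                "submits over plain http: field values readable and modifiable in transit"))
        elif self.page_scheme != "https":
            self.findings.append((
                "form", action,
                "https action on an http page: browsers warn, and the http page "
                "can be altered in transit to change the action"))
        if method != "post":
            self.findings.append((
                "form", action,
                "GET submission: field values end up in the URL, history and server logs"))

    def _check_iframe(self, a):
        src = urljoin(self.page_url, a.get("src", ""))
        if urlparse(src).scheme == "https" and self.page_scheme != "https":
            self.findings.append((
                "iframe", src,
                "https frame inside an http page: no padlock is shown, and the "
                "parent can be altered in transit to swap the frame for another"))


def audit(page_url, html):
    """Return the list of findings for one page served from page_url."""
    parser = FormAudit(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample pages, modelled on the setup described in the thread.
PARENT_PAGE = """<html><body>
<h1>Your quote</h1>
<iframe src="https://pay.example/form" width="600" height="400"></iframe>
</body></html>"""

FRAME_PAGE = """<html><body>
<form method="post" action="https://pay.example/submit">
  <input name="card" type="text"><input type="submit" value="Pay">
</form></body></html>"""

BAD_PAGE = """<html><body>
<form action="/submit"><input name="card" type="text"></form>
</body></html>"""


if __name__ == "__main__":
    for url, page in (("http://insurer.example/quote", PARENT_PAGE),
                      ("https://pay.example/form", FRAME_PAGE),
                      ("http://shop.example/checkout", BAD_PAGE)):
        for element, target, problem in audit(url, page):
            print(f"{url}: <{element}> {target}: {problem}")
```

Run it against saved copies of the parent page and of the framed form page separately; the frame's own HTML is what decides whether the card data is posted over https, while the parent page is what decides what the visitor sees and whether the frame itself can be tampered with.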

  • #3 New to the CF scene (Join Date: Jul 2009, Location: Ireland, Posts: 6)
    Quote Originally Posted by CFMaBiSmAd:
        As long as the action="..." of the form was using https:// and was using the post method, the actual form data was sent over an encrypted connection. That is what counts.

        By making the form itself requested using an https:// request, you avoid the security pop-up messages concerning mixing a form that was requested using only http with a form submission that is over https. The actual pages on the server or in the browser are not secure/non-secure. It is the connection to the web server over which the data flows that is made secure when https/ssl is used.
    So would you advise making changes or leave it the way it is?

    I know people commonly look for the browser to display security information about the page they are on which this current set up does not do.

  • #4 Senior Coder CFMaBiSmAd (Join Date: Oct 2006, Location: Denver, Colorado USA, Posts: 2,958)
    While it sounds like the actual data is being sent over a secure connection, there is no indication of that to the visitor, so the site could be losing some visitors due to this.

    More specific details would help, but it sounds like an external shopping cart w/payment processing has been integrated into the HTML of an existing page rather than using a server-side scripting language and going through the API (Application Programming Interface) of the payment processor. If the actual order details (including cost) are being sent through the existing form (as hidden fields), it is open to abuse, because anyone could change the cost that is charged for any item.
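The hidden-field problem in the reply above is worth seeing concretely: a price that round-trips through the browser is a price the visitor chose. The code below is an added example for this thread, not the poster's code or any payment processor's API. It shows the naive pattern, a tampered submission that the naive handler accepts, and two server-side fixes: recomputing the amount from the item on the server, or, where hidden fields must carry the amount, binding them with an HMAC under a key the browser never sees. The catalogue, prices and key are constructed sample values.

```python
"""Hidden-field price tampering and two server-side defences (added example)."""
import hashlib
import hmac
from urllib.parse import urlencode

# Assumption: a key held only on the server and never sent to the browser.
SECRET = b"server-only-signing-key"

# Constructed sample catalogue: item id -> price in cents.
CATALOGUE = {"policy-basic": 12000, "policy-plus": 18500}


def render_hidden_fields_naive(item):
    """The pattern the reply warns about: the price itself travels as a hidden field."""
    return {"item": item, "amount": str(CATALOGUE[item])}


def charge_naive(posted):
    """Trusts whatever amount came back from the browser, so tampering succeeds."""
    return int(posted["amount"])


def _signature(fields):
    # Canonical encoding: sorted pairs, so key order in the form does not matter.
    msg = urlencode(sorted(fields.items())).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def render_hidden_fields_signed(item):
    """Fix 1: hidden fields carry an HMAC over their own values."""
    fields = {"item": item, "amount": str(CATALOGUE[item])}
    fields["sig"] = _signature(fields)
    return fields


def charge_signed(posted):
    """Accepts the posted amount only if the signature over the fields still matches."""
    body = {k: v for k, v in posted.items() if k != "sig"}
    expected = _signature(body)
    # compare_digest avoids leaking the correct value through timing differences.
    if not hmac.compare_digest(posted.get("sig", ""), expected):
        raise ValueError("hidden fields were modified")
    return int(body["amount"])


def charge_server_side(posted):
    """Fix 2: never accept the price from the client; look it up from the item id."""
    return CATALOGUE[posted["item"]]


def tamper(fields, amount):
    """What a visitor with a browser dev console can do to a hidden field."""
    altered = dict(fields)
    altered["amount"] = str(amount)
    return altered


if __name__ == "__main__":
    naive = tamper(render_hidden_fields_naive("policy-plus"), 1)
    print("naive handler charged:", charge_naive(naive))          # 1
    signed = render_hidden_fields_signed("policy-plus")
    print("signed, untouched:", charge_signed(signed))            # 18500
    try:
        charge_signed(tamper(signed, 1))
    except ValueError as exc:
        print("signed, tampered:", exc)
    print("server-side lookup:", charge_server_side(naive))       # 18500
```

The lookup version is the one to prefer when the server already knows the catalogue; the signed version is for cases such as a quote computed once and then presented for purchase, and in that case the signed fields should also carry something that ties them to one quote (an id or expiry) so a cheap signed quote cannot be replayed for a later purchase.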

  • #5 New to the CF scene (Join Date: Jul 2009, Location: Ireland, Posts: 6)
    Quote Originally Posted by CFMaBiSmAd:
        While it sounds like the actual data is being sent over a secure connection, there is no indication of that to the visitor, so the site could be losing some visitors due to this.
    That is my main concern, as my job is essentially to improve web traffic & sales on the site.

    Quote Originally Posted by CFMaBiSmAd:
        More specific details would help, but it sounds like an external shopping cart w/payment processing has been integrated into the HTML of an existing page rather than using a server-side scripting language and going through the API (Application Programming Interface) of the payment processor. If the actual order details (including cost) are being sent through the existing form (as hidden fields), it is open to abuse, because anyone could change the cost that is charged for any item.
    Well, I can tell you it's not a shopping cart; it's related to insurance. You get a quote, and then if you're happy with the quote you can purchase the insurance at the cost of the quote. The whole process is autonomous within what the iFrame loads. The webpage that contains the iFrame in question does not send any data to what is being loaded.

    At the moment my fix has been to load the https link that the iFrame was loading in its own pop-up window, which then supplies the browser's security information. It is also what competing sites using the same system have been doing.

