
Odd CURL problem

    Ever since I switched to HTTPS I've had problems with using CURL to connect to Worldpay. Submit code here:

    if(isset($_POST['submitw']))
    {
    // $urlstring: the URL-encoded POST fields, built earlier in the script (not shown in the post)
    $ch = curl_init("https://secure-test.worldpay.com/wcc/purchase");
    curl_setopt ($ch, CURLOPT_HEADER, 0);
    curl_setopt ($ch, CURLOPT_POST, 1);
    curl_setopt ($ch, CURLOPT_POSTFIELDS, $urlstring);
    curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt ($ch, CURLOPT_REFERER, "https://www.mycrapsite.co.uk/checkout.php");
    // With CURLOPT_RETURNTRANSFER at 0, curl_exec() prints the response body
    // straight into this page's output and returns only true/false, so $data
    // never holds the Worldpay HTML; the gateway page lands in the browser
    // followed by whatever this script echoes afterwards
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 0);
    $data = curl_exec ($ch);
    if ($data === false) {
        error_log('curl error: ' . curl_error($ch));
    }
    curl_close ($ch);
    }

    I thought it was not connecting to Worldpay but it is. What is happening is that my page (has an absolute) still shows and is overlaying it! If I check page source I can see the Worldpay page followed by my page. Never heard of two web pages merged into one before!

    Any ideas? Ta.
    bloggoth

    If everything isn't black and white, I say, 'Why the hell not?'
    John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson)

    #2
    The ape was reading his book.

    Normal service will be resumed once he's woken up.
    When the fun stops, STOP.

      #3
      Looking through all the online CURLY crap, it looks like it isn't intended to post to and open the new page as if you are posting from a form. It is posting and then getting the response, i.e. the content of the page I want to redirect to.

      But in that case I can't understand why it always worked fine before I upgraded to https.

      Was neater before when I could use a single form and self post for all payment methods and method selection, didn't lose values on changing method.
      Last edited by xoggoth; 4 April 2019, 10:26.

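      The point made in #3, that curl performs the POST from the server and hands the response back to the script rather than sending the visitor anywhere, is easiest to see with CURLOPT_RETURNTRANSFER switched on. The following is an added example written for this page, not code from the thread or from Worldpay: a small server-to-server POST helper that returns the gateway's reply instead of echoing it into the current page, verifies TLS, and sets timeouts. The endpoint is the test URL from the original post; the field names and values are placeholders, not Worldpay's documented parameters. PHP 7.4 or later is assumed.

```php
<?php
// Added example: server-to-server POST that RETURNS the response body.
// With CURLOPT_RETURNTRANSFER left at 0 (as in the original snippet),
// curl_exec() writes the gateway's HTML to stdout, which is why the
// Worldpay page appeared above the poster's own page in the page source.
declare(strict_types=1);

function postToGateway(string $url, array $fields): array
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields), // proper URL encoding
        CURLOPT_RETURNTRANSFER => true,   // hand the body back, never print it
        CURLOPT_HEADER         => false,
        CURLOPT_FOLLOWLOCATION => false,  // decide about redirects in your own code
        CURLOPT_SSL_VERIFYPEER => true,   // never switch this off for a payment host
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('curl error: ' . $err);
    }
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    // The caller decides what to do with the reply; nothing has been echoed.
    return ['status' => $status, 'body' => $body];
}

// Usage. Field names are placeholders for the example, not Worldpay's real ones.
$resp = postToGateway('https://secure-test.worldpay.com/wcc/purchase', [
    'cartId' => 'order-1',
    'amount' => '9.99',
]);
if ($resp['status'] !== 200) {
    error_log('gateway returned HTTP ' . $resp['status']);
}
// $resp['body'] is the gateway's HTML, held in a variable rather than
// already on its way to the visitor's browser.
```

      Even written this way, the visitor's browser is still talking to your server, not to Worldpay, so a hosted payment page cannot be reached like this; that is the reason the thread moves on to a browser-side form submit in #5.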
        #4
        Is the code you've pasted taken from inside your source Web page, or is it perl from your cgi-bin?

        Don't believe it, until you see it!

          #5
          Ta for reply. Former. Think it came from Worldpay docs and was working fine for years.

          Anyway, found a good easy method using self post, pass values to a new page with session and submit form on that page to Worldpay using jscript.

          PHP - Redirecting a form with POST variables

          Think this method must be used a lot, often seeing pages that say summit like "Click here if not redirected to...
          Last edited by xoggoth; 5 April 2019, 10:50.

            #6
            Originally posted by xoggoth:
            Ta for reply. Former. Think it came from Worldpay docs and was working fine for years.

            Anyway, found a good easy method using self post, pass values to a new page with session and submit form on that page to Worldpay using jscript.

            PHP - Redirecting a form with POST variables

            Think this method must be used a lot, often seeing pages that say summit like "Click here if not redirected to...
            Yeah, as stated by yourself curl just makes a web request and indeed you're actually looking to post the user, with some data, elsewhere. Thus you probably do want a form.

            However, your PHP examples are ancient and insecure. You shouldn't be using $_POST or $_GET in PHP code, and if you do for some reason, you need to be validating and escaping your input, which your example isn't doing.

            The form example is using htmlspecialchars but I'm not convinced this is adequate, though I haven't written PHP in years.

            Backing up a second. Modern PHP should be using a framework and composer to install packages. With composer, you can download the worldpay library to take care of this crap without needing to get into messing with curl directly.

            GitHub - Worldpay/worldpay-lib-php: PHP Library for Worldpay REST API

            Wonderfully, worldpay lib examples are also grabbing from $_POST, so use a framework. Symfony, High Performance PHP Framework for Web Development. I suspect you're going to decide this is too much work, but you're gonna get hacked doing what you're doing.

              #7
              No answer came the stern reply from the ape.

              I wonder if he knows more about div and grad.

                #8
                The form example is using htmlspecialchars but I'm not convinced this is adequate, though I haven't written PHP in years
                Cheers. Only had a quick look so far but I can't see anything online suggesting a problem with post if htmlspecialchars is used. I also apply length limits to values taken on my form. Since the values are being passed to Worldpay, I would expect them to protect against any dodgy data.

                The WP code, which I've looked into already, and Symfony do look like too much work, given that this is a tiny family company with negligible profits, more of a hobby really. Ta for the tips though, I will have a look at improvements.

                  #9
                  Originally posted by xoggoth:
                  Cheers. Only had a quick look so far but I can't see anything online suggesting a problem with post if htmlspecialchars is used. I also apply length limits to values taken on my form. Since the values are being passed to Worldpay, i would expect them to protect against any dodgy data.

                  The WP code, which I've looked into already, and Symfony do look like too much work, given that this is a tiny family company with negligible profits, more of a hobby really. Ta for the tips though, I will have a look at improvements.
                  I dunno, try posting the following from a user point of view.

                  PHP Code:
                  phpinfo(); die();
                  If that works, it means an attacker could probably curl and exec a reverse shell. Basically you're handing out RCEs. This obviously all depends where you get the variables from, if they're generated by your script, and not actually user input, then the issue is less valid.

                  You want to be using functions like preg_match within php to validate input, as opposed to (as well as) doing it in javascript. Apologies if this is stuff you already know, just a tad worried from your original post.

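                  The method described in #5 (self-post, keep the values in the session, submit a form to Worldpay from the browser) and the server-side validation asked for in #9 fit together in one page. What follows is an added example written for this thread, not the poster's code and not Worldpay's library: a single pay.php that accepts the checkout POST, validates every forwarded field against an allow-list with preg_match and a length cap, parks the clean values in the session, answers with a 303 to itself, and on the following GET renders a form that submits itself to the gateway, with a noscript button as the "Click here if not redirected" fallback. The field names, the regexes, and the idea that the gateway accepts exactly these parameters are assumptions for illustration; the gateway URL is the test endpoint from the original post. PHP 7.4 or later is assumed.

```php
<?php
// pay.php: added example (not from the thread or from Worldpay).
// Self-post -> validate -> session -> 303 -> auto-submitting form to the gateway.
declare(strict_types=1);

session_start();

const GATEWAY_URL = 'https://secure-test.worldpay.com/wcc/purchase';

// Allow-list of forwarded fields: regex plus a byte-length cap (assumed names).
// A bad value is rejected outright, never "cleaned"; unknown fields are dropped.
const FIELD_RULES = [
    'cartId'   => ['/^[A-Za-z0-9_-]{1,40}$/', 40],
    'amount'   => ['/^\d{1,6}\.\d{2}$/',      10],
    'currency' => ['/^[A-Z]{3}$/',            3],
    'name'     => ['/^[\p{L} .\'-]{1,60}$/u', 60],
];

function validateFields(array $input): array
{
    $clean = [];
    foreach (FIELD_RULES as $name => [$pattern, $maxLen]) {
        $value = $input[$name] ?? null;
        if (!is_string($value) || strlen($value) > $maxLen
            || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("invalid or missing field: $name");
        }
        $clean[$name] = $value;
    }
    return $clean;
}

function renderRelayForm(string $action, array $fields): string
{
    // ENT_QUOTES escapes both quote styles, so a value such as "><script>
    // or the phpinfo(); die(); string from #9 is inert text inside the attribute.
    $h = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    $inputs = '';
    foreach ($fields as $name => $value) {
        $inputs .= sprintf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            $h((string) $name), $h((string) $value));
    }
    $safeAction = $h($action);

    return <<<HTML
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Redirecting to payment</title></head>
<body onload="document.forms[0].submit()">
<form method="post" action="{$safeAction}">
{$inputs}<noscript><button type="submit">Click here if you are not redirected</button></noscript>
</form>
</body></html>
HTML;
}

// Step 1: the checkout form POSTs here. Validate, park the clean values in
// the session, then 303 to this same script so a refresh cannot re-submit.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $_SESSION['gateway_fields'] = validateFields($_POST);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        exit('Bad input: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'));
    }
    header('Location: /pay.php', true, 303);
    exit;
}

// Step 2: the GET after the redirect. Consume the session entry (one shot)
// and emit the self-submitting form; the browser, not the server, does the POST.
$fields = $_SESSION['gateway_fields'] ?? null;
if (!is_array($fields)) {
    http_response_code(400);
    exit('No pending payment.');
}
unset($_SESSION['gateway_fields']);
header('Content-Type: text/html; charset=utf-8');
echo renderRelayForm(GATEWAY_URL, $fields);
```

                  Two things worth keeping from this shape: the regex step means a value like the one in #9 never reaches the form at all (it fails the name pattern), and even a value that passes is only ever written into an escaped attribute, so nothing on the server evaluates it. The gateway's own checks are not a substitute for this; they protect Worldpay, not your page.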
                    #10
                    Even if you use a framework like Symfony, it's still getting POSTed data from $_POST, because that (and the other special vars) is how PHP provides access to the contents of the HTTP request. As I recall, Symfony just applies some extra sanitation to it and restructures it in some way to make it easier to use within the context of your application, but it's still coming from $_POST.

                    Fun fact: when I was at Yahoo! (over a decade ago now) we used Symfony and PHP, but Y! had its own internal build of PHP which had a bunch of extra sanitation built into the construction of $_POST and the others. The raw versions, equivalent to normal PHP, were available under different names (something like $_POST_RAW and so on), but any code which accessed them had to have prior written approval, undergo a special code review by senior Paranoids (the name for Y!'s security specialists), and have the Paranoids' written signoff and be fully documented before it could be put into production.

                    Also, one day I was having a problem with a Symfony setup, and it so happened the creator of Symfony had been hired by Y! and had just been flown to London for an internal conference we were having. So he came to my desk and sorted it all out for me there and then.

                    (Another speaker knocking around the department that day was Rasmus Lerdorf, the creator of PHP.)

                    Anyway, to get back to the matter at hand: as you say, if you're just grabbing stuff from $_POST and sending it along to WorldPay via CURL, it should be all right as they'll have their own checks and balances. You might want to do a bit of sanity checking on it before passing it through just to avoid annoying them, but it'll probably be OK.
