I developed a checkout.php page for processing orders. I am using the IntelliPay gateway to authorize and charge my credit cards. I just want to go through some details to make sure everything is secure (before I make it go public and lose all my money because someone figures out how to beat it).
* My checkout page is linked to from my cart page, which is on regular HTTP.
* My cart page stores items in an object and this object is accessed from my checkout page.
* checkout.php is on an https page (using a GoDaddy security encryption)
* I use curl to communicate with IntelliPay (are there any options that I should(n't) have?):
$ch = curl_init('https://{intellipay website}');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_VERBOSE, 1);           // debug trace to STDERR (includes the request body); turn off in production
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);    // hand the response back as a string instead of printing it
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // verify the gateway's certificate (curl's default, made explicit)
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    // and check that the certificate matches the host name
curl_setopt($ch, CURLOPT_POSTFIELDS, 'xmlrequest=' . urlencode($vxml)); // form-encode the XML so '&' and '+' survive
$r = curl_exec($ch);
if ($r === false) {                             // transport failure, not a gateway decline
    error_log('IntelliPay request failed: ' . curl_error($ch));
}
curl_close($ch);
* My checkout page only allows the same billing/shipping address (at the moment--this might change once I figure out how to do it safely).
* My checkout page validates the user's First Name, Last Name, Address, City, State, Zip, Phone Number, and Email address, as well as the card number (being 16 digits) and that a Cardholder's Name, Expiration Date, and Cvv2 code are present, and calculates the total from the items in the $cart object.
* I then use curl to post an authorization request to ensure that the cvv2 code matches, and that the street address and zip code match the card's street and zip.
* If everything checks out, I send another immediate request to charge the card.
* I input the person's information into my database (name, address, email, phone, etc., but no credit card info); they are told that I am storing this information.
* I email the buyer an electronic receipt containing the date, items ordered, total, the billing address, the last 4 digits of the credit card, and a confirmation that they will be notified when a tracking number is available.
* The checkout.php page displays pretty much the same information sent in the email, says thanks, and clears their cart.
Thank you very much in advance for helping.
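The flow described in the post (validate the card, recompute the total from the cart, authorize, check AVS/CVV2, then charge, and keep only the last four digits for the receipt and the database), as an added PHP example that is not the poster's code and not IntelliPay's API. Assumptions: the card number is checked with a Luhn checksum and a 13-19 digit length rather than the post's "16 digits" test; the gateway is represented by a callable because the IntelliPay XML request and response layout does not appear on the page; gateway_post() is the hardened form of the post's curl call but is not called by the demo, which uses a constructed stand-in gateway so the script runs offline; the sample cart and the 4111 1111 1111 1111 test number are constructed inputs.

```php
<?php
declare(strict_types=1);

// Card number check: strip spaces/hyphens, require 13-19 digits and a valid
// Luhn checksum. (Assumed rule, replacing the post's "16 digits" test; Amex is 15.)
function validate_card_number(string $raw): ?string
{
    $pan = preg_replace('/[\s-]/', '', $raw) ?? '';
    if (!preg_match('/^\d{13,19}$/', $pan)) {
        return null;
    }
    $sum = 0;
    $double = false;
    for ($i = strlen($pan) - 1; $i >= 0; $i--) {
        $d = (int) $pan[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0 ? $pan : null;
}

// Only the last four digits ever reach a receipt, a log line or a database row.
function mask_pan(string $pan): string
{
    return str_repeat('*', max(strlen($pan) - 4, 0)) . substr($pan, -4);
}

// Recompute the total on the server from the cart in integer cents;
// never trust a total posted by the browser.
function cart_total_cents(array $cart): int
{
    $total = 0;
    foreach ($cart as $item) {
        $total += (int) $item['price_cents'] * (int) $item['qty'];
    }
    return $total;
}

// Hardened version of the post's curl call: certificate and host verification,
// timeouts, no verbose trace (it would dump the request, card data included, to stderr).
// Returns the response body, or null on a transport failure. Not used by the offline demo.
function gateway_post(string $url, string $xml): ?string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'xmlrequest=' . urlencode($xml),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_VERBOSE        => false,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        error_log('gateway transport error: ' . curl_error($ch)); // no card data in this message
        $body = null;
    }
    curl_close($ch);
    return $body;
}

// Authorize, then charge only if the gateway approved and AVS and CVV2 both matched.
// $gateway is an assumed callable: (string $op, array $card, int $amount_cents, ?string $txn_id)
// returning ['approved' => bool, 'avs_match' => bool, 'cvv_match' => bool, 'txn_id' => string]
// or null when the gateway could not be reached. A real wrapper would build the
// IntelliPay XML inside it; that format is not shown on the page.
function checkout(array $cart, array $card, callable $gateway): array
{
    $pan = validate_card_number($card['number']);
    if ($pan === null) {
        return ['status' => 'rejected', 'reason' => 'invalid card number'];
    }
    $card['number'] = $pan;
    $amount = cart_total_cents($cart);

    $auth = $gateway('authorize', $card, $amount, null);
    if ($auth === null) {
        // A transport failure is not a decline: tell the buyer to retry, do not say "declined".
        return ['status' => 'error', 'reason' => 'gateway unreachable'];
    }
    if (!$auth['approved'] || !$auth['avs_match'] || !$auth['cvv_match']) {
        return ['status' => 'declined', 'reason' => 'authorization, AVS or CVV2 check failed'];
    }
    $charge = $gateway('charge', $card, $amount, $auth['txn_id']);
    if ($charge === null || !$charge['approved']) {
        return ['status' => 'error', 'reason' => 'charge failed after authorization', 'auth_id' => $auth['txn_id']];
    }
    // Only what the receipt and the order record need leaves here: no PAN, no CVV2.
    return ['status' => 'approved', 'total_cents' => $amount, 'card' => mask_pan($pan), 'txn_id' => $charge['txn_id']];
}

// Constructed demo: a stand-in gateway that approves everything, so the flow runs offline.
$fake_gateway = function (string $op, array $card, int $amount, ?string $txn_id): ?array {
    return ['approved' => true, 'avs_match' => true, 'cvv_match' => true, 'txn_id' => $op . '-0001'];
};
$cart = [['sku' => 'A1', 'price_cents' => 1999, 'qty' => 2]];
$card = ['number' => '4111 1111 1111 1111', 'name' => 'Jane Doe', 'exp' => '12/29', 'cvv2' => '123'];
print_r(checkout($cart, $card, $fake_gateway)); // status approved, total_cents 3998, card ************1111
```

The split between 'declined' and 'error' is the part worth keeping: a curl transport failure and a gateway decline look the same if the code only tests for an empty response, and a retry after an authorization that actually succeeded can hold the buyer's funds twice.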