How to transfer data to the payment system correctly:

Php language

At first I thought of using cURL, so as not to expose all the data, but after looking into it I realized that it would transfer the data but would not send me on to the page where the payment continues.

It turns out it is necessary to display the form on the page and specify all the parameters in it. How then to deal with secret words and other tokens? Form them in advance? But even if you generate the data, you can see in the form which payment system is being used and find out the encryption method from open sources. Can an intruder intercept the data and decrypt it? How to protect yourself in this case?

  • Transfer the data to the payment system correctly, i.e. as written in the documentation for the PS and its API. Say, with Robokassa or Assist, the user is redirected to a link containing the data for processing the bill: order number, amount to be paid. A confirmation of payment comes from the PS to a special URL of your site, with a digital signature, which must be checked before you believe that “order 321 has been paid”. - Sergiks 2:49 pm
  • Thanks for the replies and comments. The question was rather how to transfer the data in the POST request without displaying it in the form on the site. Anton Dobkin correctly said about encryption and secret words. But I need to somehow pass this encrypted string in the request. How to do this if you need to click on a link, and there the user will continue to enter their account numbers, etc.? - kirjwuk

1 answer

Most payment systems use a data signature. You are given a key (or you yourself specify one in the PS settings on its server). This key is known only to you and the payment system's server; it is NEVER transmitted in the request.

You show a form to the user, the user fills it in and clicks the "send" button, then YOUR script checks the required fields and forms the query string for the PS server. Usually the request consists of the values of the fields filled in by the user (amount, currency) + the seller's data (store name, ID, etc.) + the signature.

The signature, for example, is the md5 of all values of the required fields and the secret key, separated by a delimiter: md5(field1::field2::field3::secret_key). The algorithm for obtaining the signature is described in the PS documentation.

If the PS requires the user to be forwarded to the PS server to confirm the payment, then you create another form with the hidden fields required for the transfer + the signature. The form can be submitted using JavaScript, or you can add a "Confirm" button that the user must click to confirm the payment.

The server accepting data from you also creates a signature using the same algorithm as you, using the secret key. The computed signature is compared with the one sent in the request; if it does not match, the payment will not be completed. Also, the payment system can send you a "background" request to confirm the payment, which you must answer with a certain code.

If user redirection is not required, then you can send the request to the server using curl.

There are payment systems that use personal SSL certificates to establish the store <-> PS server connection.

This is an approximate description. Each PS has its own documentation in which the workflow and the data verification algorithms are described.
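The two halves of the scheme the answer describes, as an added PHP example that is not part of the answer and not any real payment system's API: building the hidden-field redirect form with a signature over the required fields plus the secret, and verifying the signature on the PS's confirmation callback. The field names, the "::"-joined HMAC-SHA256 formula (the answer's md5 variant is the same idea with a weaker hash), the pay URL and the "OK<order_id>" acknowledgement are assumptions for illustration; your PS's documentation defines the real ones.

```php
<?php
// Added example, not the answer's code and not a real PS's API.
// Everything about "ExamplePS" below is a hypothetical stand-in: field names,
// signature formula, pay URL and the acknowledgement string the callback expects.
declare(strict_types=1);

const PS_SECRET   = 'replace-with-the-secret-from-the-PS-merchant-panel'; // never sent
const PS_MERCHANT = 'shop-42';
const PS_PAY_URL  = 'https://pay.example.test/pay';                      // hypothetical

/** Signature over the required fields in a fixed order plus the secret, joined by "::".
 *  The PS rebuilds exactly this string on its side with the same secret. */
function ps_sign(array $fields, string $secret): string
{
    $parts = [];
    foreach (['merchant', 'order_id', 'amount', 'currency'] as $name) {
        if (!isset($fields[$name])) {
            throw new InvalidArgumentException("missing field: $name");
        }
        $parts[] = (string) $fields[$name];
    }
    // HMAC over the joined fields; the answer's md5(f1::f2::f3::secret) is the same shape
    return hash_hmac('sha256', implode('::', $parts), $secret);
}

/** Step 1: after YOUR script validated the order, build the redirect form.
 *  The amount comes from your own order record, not from the browser. */
function ps_redirect_form(string $orderId, string $amount, string $currency): string
{
    $fields = [
        'merchant' => PS_MERCHANT,
        'order_id' => $orderId,
        'amount'   => $amount,
        'currency' => $currency,
    ];
    $fields['sign'] = ps_sign($fields, PS_SECRET); // secret stays server-side

    $html = '<form id="pay" method="post" action="' . htmlspecialchars(PS_PAY_URL, ENT_QUOTES) . '">';
    foreach ($fields as $name => $value) {
        // escape every value: order_id etc. may one day carry user-controlled text
        $html .= sprintf('<input type="hidden" name="%s" value="%s">',
            htmlspecialchars($name, ENT_QUOTES), htmlspecialchars($value, ENT_QUOTES));
    }
    $html .= '<button type="submit">Confirm payment</button></form>';
    // auto-submit; the button stays as the fallback "Confirm" the answer mentions
    $html .= '<script>document.getElementById("pay").submit();</script>';
    return $html;
}

/** Step 2: the PS's "background" confirmation hits your callback URL with the
 *  same fields + its signature. Returns the acknowledgement body or throws. */
function ps_handle_callback(array $post, array $orders, string $secret): string
{
    foreach (['merchant', 'order_id', 'amount', 'currency', 'sign'] as $name) {
        if (!isset($post[$name])) {
            throw new RuntimeException("bad request: missing $name");
        }
    }
    // constant-time comparison so the check does not leak the signature byte by byte
    if (!hash_equals(ps_sign($post, $secret), (string) $post['sign'])) {
        throw new RuntimeException('bad signature');
    }
    // A valid signature only proves the PS sent this. Still check it is OUR order
    // for the amount WE issued, and do not fulfil it twice on a replayed callback.
    $order = $orders[$post['order_id']] ?? null;
    if ($order === null
        || $order['amount'] !== (string) $post['amount']
        || $order['currency'] !== (string) $post['currency']) {
        throw new RuntimeException('order/amount mismatch');
    }
    if ($order['status'] !== 'paid') {
        // ... mark the order as paid in the DB here (inside a transaction) ...
    }
    return 'OK' . $post['order_id']; // hypothetical acknowledgement the PS expects
}

// Demo with a constructed order record and a constructed callback.
$orders = ['321' => ['amount' => '1500.00', 'currency' => 'RUB', 'status' => 'new']];
echo ps_redirect_form('321', '1500.00', 'RUB'), "\n";

$callback = ['merchant' => PS_MERCHANT, 'order_id' => '321', 'amount' => '1500.00', 'currency' => 'RUB'];
$callback['sign'] = ps_sign($callback, PS_SECRET);   // what a genuine PS callback carries
echo ps_handle_callback($callback, $orders, PS_SECRET), "\n";

$callback['amount'] = '1.00';                         // tampered in transit: signature no longer matches
try {
    ps_handle_callback($callback, $orders, PS_SECRET);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

Two points the example makes that the answer only implies: compare signatures with hash_equals rather than ==, and treat the signature as proof of origin only; the order ID, amount and currency still have to match your own order record, and a repeated callback must not fulfil the order twice.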