authorMarcello Stanisci <marcello.stanisci@inria.fr>2017-03-27 16:04:14 +0200
committerMarcello Stanisci <marcello.stanisci@inria.fr>2017-03-27 16:04:14 +0200
commit326904f79fa985771b558ece2f0c3b329c3cab12 (patch)
treeb01849c3fe3fdd79df848354b79fc96d65a8ffe1 /php
parent35bb07dd0c1298d156ffe95061ef44315926e74c (diff)
security check on php payment.
Diffstat (limited to 'php')
-rw-r--r--php/order.php2
-rw-r--r--php/pay.php13
2 files changed, 12 insertions, 3 deletions
diff --git a/php/order.php b/php/order.php
index aa77b3e..bc6d824 100644
--- a/php/order.php
+++ b/php/order.php
@@ -41,7 +41,7 @@
'timestamp' =>
"/Date(" . $now->getTimestamp() . ")/",
'fulfillment_url' =>
- url_rel("/fulfillment.php"),
+ url_rel("/fulfillment.php?order_id=$order_id"),
'pay_url' =>
url_rel("/pay.php"),
'refund_deadline' =>
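Review bot: `$order_id` is interpolated straight into the query string on the added line; if it can ever contain `&`, `#`, spaces or other reserved characters, the fulfillment URL becomes malformed or picks up extra parameters, so it should be encoded: `url_rel("/fulfillment.php?order_id=" . urlencode($order_id))`. Where `$order_id` is assigned is outside this hunk, so whether it is caller-controlled cannot be confirmed here. The enclosing array literal also starts and ends outside the hunk.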
diff --git a/php/pay.php b/php/pay.php
index e5bd268..25b2d6a 100644
--- a/php/pay.php
+++ b/php/pay.php
@@ -10,9 +10,18 @@
return;
}
// Get coins.
- $body = file_get_contents('php://input');
- $response = post_to_backend("/pay", json_decode($body));
+ $body = json_decode(file_get_contents('php://input'));
+
+ if ($_SESSION["order_id"] != $body->order_id){
+ echo build_error($response,
+ "Mismatch between the product ordered and the one attempted to be paid",
+ 406);
+ return;
+ }
+
+ $response = post_to_backend("/pay", $body);
http_response_code($response['status_code']);
+
if (200 != $response['status_code']){
echo build_error($response,
"Could not send payment to backend",
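Review bot: The mismatch branch passes `$response` to `build_error` before that variable exists — it is only assigned by the `post_to_backend` call further down — so the error path reports an undefined variable instead of the intended message. The comparison itself is loose `!=`: when the body is not valid JSON or lacks `order_id`, `$body->order_id` evaluates to null (with a warning), and if the session has no `order_id` either, `null != null` is false and the check is bypassed entirely. Both sides should be required to be present and compared strictly, and the error call needs a first argument that makes sense before any backend call (what `build_error` expects for that case is outside this hunk). `json_decode` failures should also be detected rather than treated as an empty object.
```php
$body = json_decode(file_get_contents('php://input'));

// Require an order id on both sides and compare strictly; a loose != would
// treat a missing id on both sides (null != null) as a match.
if (!isset($_SESSION["order_id"])
    || !is_object($body)
    || !isset($body->order_id)
    || (string) $_SESSION["order_id"] !== (string) $body->order_id) {
    // No backend call has happened yet, so there is no $response; null is a
    // placeholder for whatever build_error accepts here (signature not in this hunk).
    echo build_error(null,
                     "Mismatch between the product ordered and the one attempted to be paid",
                     406);
    return;
}

$response = post_to_backend("/pay", $body);
// … unchanged: status code handling and backend error reporting …
```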