.net c#使用WorldPay验证付款金额

Validating payment amounts with WorldPay
2021-09-15
  •  译文(汉语)
  •  原文(英语)

我们正在使用WorldPay来处理会员制系统的付款,该系统的付款金额取决于所选会员制级别.

该付款通过表格中的多个隐藏字段传递到WorldPay,其中包括:

<input type="hidden" name="amount" value="295.00" />

本质上,该表单是通过POST提交给WorldPay的,并且用户遵循许多步骤来处理其付款.完成后,用户将被重定向到指定的确认页面.

这似乎是WorldPay接受付款的典型方式.这里有一个明显的问题,因为任何具有HTML基本知识的人都可以轻易地篡改隐藏字段的值.该表格直接发布到WorldPay,因此我们没有"回传"来根据会员级别验证金额.

当付款通知从WorldPay返回给我们时,我们可以选择通过在确认页面之前通过处理程序路由回叫来验证付款金额;但是,我想避免用户提交被篡改的表格,支付不正确的金额并且没有获得会员资格,然后不得不联系公司以退还其款项的情况.

处理付款之前,我们如何验证提交的金额正确无误?

更新

在我看来,我们还有另外一个问题,即使我们在服务器端验证表单发布,也无法阻止恶意用户欺骗直接发布到WorldPay的表单发布.

速聊1:
您是否尝试过中间页?
速聊2:
解决过程1

确实,这是一个漏洞,可以使用签名轻松解决.查看此链接:

http://culttt.com/2012/07/25/integrating-worldpay-into-a-database-driven-website/

应该在帮助页面上更好地推广此方法,这太糟糕了.

速聊1:
谢谢尼克-很好找到!看起来正是我们所需要的.
解决过程2

我能想到的一种解决方案是捕获form标签的submit:

<form id="myForm" onsubmit="return validatePayment();">

然后创建如下所示的JavaScript文件:

var isValidAmount = false;

function validatePayment() {
    if (isValidAmount) { return true; }

    // in here you want to issue an AJAX call back to your server
    // with the appropriate information ... I would recommend using
    // jQuery and so it might look something like this:
    $.ajax( {
        type: "POST",
        url: url,
        data: { amount: $("#amount").val(), someotherfield: somevalue },
        success: function(data, textStatus, jqXHR) {
            // set the flag so that it can succeed the next time through
            isValidAmount = true;

            // resubmit the form ... it will reenter this function but leave
            // immediately returning true so the submit will actually occur
            $("myForm").submit();
        },
    });

    // this will keep the form from actually submitting the first time
    return false;
}
速聊1:
我不确定这是否解决了我的问题-用户可以简单地关闭Javascript,然后立即将表单发布到WorldPay,WorldPay的系统再合适不过了.

We are using WorldPay to process payments for a tiered membership system, for which the payment amount varies dependent upon the membership tier selected.

The payment is passed to WorldPay via a form post from a number of hidden fields, including:

<input type="hidden" name="amount" value="295.00" />

Essentially, the form is submitted via POST to WorldPay and the user follows a number of steps to process their payment. Once complete, the user is redirected to a specified confirmation page.

This appears to be the typical manner in which WorldPay accepts payments. There's an obvious issue here, in that the value of the hidden field could easily be tampered with by anyone with a basic knowledge of HTML. The form is posted directly to WorldPay, so we have no PostBack in which to validate the amount against the membership tier.

We have the option to validate the payment amount when a payment notification is returned to us from WorldPay by routing the callback through a handler before the confirmation page; however, I would like to avoid the situation where user submits a tampered form, pays the incorrect amount and receives no membership, then has to contact the company to have their money returned.

How might we validate that the amount being submitted is correct before processing payment?

Update

It has occurred to me that we have an additional problem whereby, even if we validate the form post server-side, there is nothing stopping a malicious user from spoofing the form post direct to WorldPay.

Talk1:
Have you tried having an intermediate page?
Solutions1

It is a vulnerability indeed, it can be solved easily using a signature. Check out this link:

http://culttt.com/2012/07/25/integrating-worldpay-into-a-database-driven-website/

This method should be better promoted on the help page, too bad.

Talk1:
Thanks Nick - good find! This looks like it's exactly what we need.
Solutions2

One solution I can think of is this, capture the form tag's submit:

<form id="myForm" onsubmit="return validatePayment();">

and then create that JavaScript file that looks like this:

var isValidAmount = false;

function validatePayment() {
    if (isValidAmount) { return true; }

    // in here you want to issue an AJAX call back to your server
    // with the appropriate information ... I would recommend using
    // jQuery and so it might look something like this:
    $.ajax( {
        type: "POST",
        url: url,
        data: { amount: $("#amount").val(), someotherfield: somevalue },
        success: function(data, textStatus, jqXHR) {
            // set the flag so that it can succeed the next time through
            isValidAmount = true;

            // resubmit the form ... it will reenter this function but leave
            // immediately returning true so the submit will actually occur
            $("myForm").submit();
        },
    });

    // this will keep the form from actually submitting the first time
    return false;
}
Talk1:
I'm not sure that this solves my problem - a user could simply switch off Javascript and the form post would be made immediately to WorldPay, whose system would be none the wiser.
转载于:https://stackoverflow.com/questions/15544633/validating-payment-amounts-with-worldpay

本人是.net程序员,因为英语不行,使用工具翻译,希望对有需要的人有所帮助
如果本文质量不好,还请谅解,毕竟这些操作还是比较费时的,英语较好的可以看原文

留言回复
我们只提供高质量资源,素材,源码,坚持 下了就能用 原则,让客户花了钱觉得值
上班时间 : 周一至周五9:00-17:30 期待您的加入