cakephp data validation before posting remote form

Question

This one is really racking my brain: I need to post non-sensitive data to a third party payment gateway. I want to use the built in cakephp form validation which is working fine.

What i am doing is submitting the form to a local action which calidates the data and outputs any errors if there are any. Where i am stuck is trying to re-submit that post data to a remote url if there are no validation errors. The problem is that the browser must be redirected to the external url with the post data... I think i lost it about here i know this is probably not possible... My plan B is just using javascript for form validation and posting directly to the external url.. I looked into using curl but I need the browser to redirect/open the extrernal url. I s there a way to get curl to redirect the browser when posting to a url?

Answer 1

The only option I know of is using JavaScript.

If you wanted to just send data, there would be a number of options. But redirecting the user is a different story.

Your best bet might be to rethink why you want to send the user to a different site.

Answer 2

There are several routes you can go down for this, depending on your abilities and other business-related decisions.

My recommendation would be for you to use the AJAX validation methods to validate your data. Your server would then be used for validation (and you could store relevant details like invoice number, customer information, etc.) Once it validates you can have the page submit the form data to the 3rd party site. Note that it's likely you will run into some security related issues depending on how your security certificates (for SSL) are setup.

Another choice (one that I would consider a bit more secure) would be for your site to accept the data. If it doesn't validate, request fixes from the client (pretty basic Cake stuff here). If it does validate, you can then use libcurl to send the data to your 3rd party processor, forming each variable properly in the POST data in your request.

You're not going to be able to redirect the client with a POST payload. Either of the two options above would help you get the job done. I would personally use the second method, for the following reasons: 1) easier auditing / debugging (it's already in your server environment, etc.) 2) more secure - you can lock down your server better than client systems, 3) it seems cleaner to me (the client doesn't see connections going all over the place, etc.) and 4) you can modify and track requests as they pass through your system (respond appropriately to clients when the processor reports an error, etc.)

All in all, this is a doable thing. Does your 3rd party offer an API? You might look into that as well.

Answer 3

It's a little complicated to use CURL to redirect, but it's possible, and not terribly hard. It's even easier if you know specifically what URL to redirect to, or if you can build that redirect url. Here is an example curl call:

/usr/bin/curl -D "/tmp/0001"  -H "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)" -H "Cookie: key=value; key2=value2;" -H "Content-length: 89" -d "this=is&the=post&data=true" http://url.com/application.php

Let's walk through the command:

1. the -D will store any return headers into the file "/tmp/0001". From here you can parse out any redirects that you need to find. Just run something like grep Location /tmp/0001 to get the line with the location redirect header. That is if the app itself redirects. This is also where you parse out any cookies.
2. the -H is the header that you are sending to the server. You can post a Cookie: header if the page requires cookies. You may also need to generate the content length based on the data you post.
3. the -d is the data that you are posting to the application This is for an actual "POST".

Once you do your initial post and get that working, you simply call /usr/bin/curl again with the second url. Simply build the headers the way it should look for that second page, along with any cookies it sends you, and it should post as if it were a browser.

The results of the curl command will be the actual page, that you can log to some database for verification purposes.

I hope this helps.

Answer 4

If an extra step is okay in your application flow, you can easily do it like this, no Javascript needed:

1. User fills in form as usual.
2. Form is submitted to Cake action as usual and validated.
3. If validation is successful, you display an intermediate page with all the values in hidden or read-only form elements.
4. Submit sends the hidden form to the external site.

To the user you can present that intermediate page à la "Please confirm your data one last time, click 'Back' to change data or hit 'Submit' to submit it to an external site."