CiviCRM Community Forums (archive)

*

News:

Have a question about CiviCRM?
Get it answered quickly at the new
CiviCRM Stack Exchange Q+A site
This forum was archived on 25 November 2017. Learn more.
How to get involved.
What to do if you think you've found a bug.



  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Developer Discussion (Moderator: Donald Lobo) »
  • POST request validation
Pages: [1]

Author Topic: POST request validation  (Read 352 times)

jcm55

  • I post occasionally
  • **
  • Posts: 96
  • Karma: 14
POST request validation
January 18, 2014, 12:23:53 pm
I'm working on an extension that provides a page (we'll call it "BuildFrame"), along with a template that overrides BillingBlock.tpl.  The template has some javascript that makes an ajax POST to the BuildFrame page.

What is the right way to have the BuildFrame page validate that POSTs are coming from BillingBlock.tpl's ajax call and not elsewhere?  I suspect it involves qfKey and $_SESSION, but I'm not getting the details right.

Background:  The extension an alternate Authorize.Net payment processor extension that submits CC details from the user's browser directly to Authorize.Net using a hidden <iframe>.  This keeps the CC info totally away from the Civi instance/server, improving security and simplifying PCI compliance issues.  Similar to Stripe, but using Authorize.Net's gateway instead.  For a discussion on why this is worthwhile vs. just using Stripe, see here:

http://forum.civicrm.org/index.php/topic,31270.0.html

More details when I get the extension complete and somewhat tested.
Pages: [1]
  • CiviCRM Community Forums (archive) »
  • Old sections (read-only, deprecated) »
  • Developer Discussion (Moderator: Donald Lobo) »
  • POST request validation

This forum was archived on 2017-11-26.