I have a Django form, which sends the form data to an external source(to be more precise, it is a PayPal payment form). The user enters the price for the product, clicks on the button and the POST request is send to PayPal triggering the normal payment process.
Now I want to use OTP (like Google Authenticator) to validate each payment.
How should the validation be realized? I thought of several scenarios, but none of them is really satisfying:
Should I send the request first to my site, validate the OTP and then redirect the User to the PayPal site with the data via a POST request, coming with the request? Problem: POST requests are not meant to be redirected and I don't know, how to realize it in django.
Should I write JavaScript code, which sends an ajax request to my site, and "activates" the form on success? Problem: smarter users could just activate the form from the browser console, without sending the ajax request. Does anybody know some kind of activation trick in JavaScript, which is not "hackable"
I would be glad to hear some more solutions from you or some suggestions, how the solutions above could be realized without the problems mentioned.
EDIT - My Solution so far:
I have done a work around and split the form in two. The first form checks the OTP and sends the data to my internal django view. It also creates a model instance with an generated invoice, which can then be checked in the PayPal IPN routine. The second form is a PayPal payment form, which sends the POST request to PayPal. You can find the simplified code in the following Github-Gist:
https://gist.github.com/BloodyD/2cd15f38d0f666cf3a73
First method - normal redirection after POST:
I don't know why do You think that there shouldn't be any redirect after POST request? In django it happens all the time, without that each page refresh directly after adding something to database will trigger adding it one more time.
To redirect user into proper paypal page, you can just send HttpResponseRedirect instead of normal response when form is submitted with valid form data. If not, display some error messages.
2nd solution: using javascript.
You can send url to redirect to (paypal url) in AJAX response, so user won't be able to bypass this. Simply put some form submitted by AJAX, if it returns URL to redirect, just redirect user. If not, display error message.
Related
I have two different apps hosted under two different domains.
Once the user is logged in app 1 (hosted on aws) and click on the "my profile" button, he/she is redirected to a html page that contains an ajax form.
This ajax form makes a request to app 1's backend and the backend responds with a html form already filled with the infos needed to send the user logged to app 2 (hosted on IIS). This html response also contains a <script> tag with a .submit() function to automaticaly submit the form.
The ajax then place this html form inside a given <div> and the form is submited to app 2.
The problem is that the submition of the form is being blocked... I doesn't say why, but in the browser's Network tab, the status appears as "canceled".
I can imagine that the issue might be related to CORS, but I'm not sure since it doesn't give the cors error explicitly.
Also, it works when running app 1 in localhost.
Edit:
It seems that is not the form submition that is being blocked, but maybe the ajax request to the api asking for the form or the api response containing the form... I'm not sure.
At first, when the ajax request POST to the api, the Network tab shows this (image 1).
Then, when I get the canceled/blocked error, it shows this (image 2)
I am trying to make a sign up and login forms in a project that follows MVC pattern. So we can divide the process into 3 parts: 1- the front-end which is html,css and javascript. 2-Server-side which is PHP 3- database which is MySQL. The problem I have is that when I submit the form either Login or sign up I get a strange behavior that depend on the values i'm sending to the PHP code.
for the sign up process. when I submit the email and password the ajax request send successfully the data and the username and password are correctly inserted into the database, but the on success function is not called. and the page is refreshed.
for the login processes. consider we have an already existing user in database 'user1#gmail.com' and password '1234'. if I entered the correct username and password I get the same behavior as the signup the page is refreshed and on success function is not called and the correct behavior that should happen based on the following codes that it should overwrite the page with the response, but if I send the correct username and password field is empty the onsuccess function is called and write in the document the response 'Hello from login wrong'. In the codes I wrote document.write() function to show only the response but it's not for the real implementation.
There are multiple ways to stop your form from submitting during ajax processing, one easy solution is to change your submit button to a button.
You do this by changing:
type="submit"
to
type="button"
Short:
Is there a way to send POST data from a intermediate PHP page to another resultant page?
Long:
I have a page, let's say A.php where a form is present. The data is filled in the form, and send through POST to another page B.php
B.php checks the value and finds that the value entered is not correct (form validation). We redirect back to A.php with message "Invalid"
Right now I am sending data like this:
header("Location:A.php?msg=Invalid");
But I want to hide the msg part in URL from the user, by sending it in POST method or so.
I am not forced to use any particular method. This is just a project I am working on. So, please enlighten me.
So far I came to know that there is no way we can do that using header in PHP.
A better way to do this is to always post back to the same page. If there is an error you can then just display it without needing to redirect.
If there is no error then redirect to a results/response page.
The advantages of this are:
No need to send data that may be private through a redirect
If there was an error then refreshing the POST will continue to fail and will continue to only show the error message and allow the user to correct their mistake
If there was no error then the redirect will remove the POST operation and replace it with a new GET operation.
Refreshing the result page will not produce another POST operation, which might cause a problem with your data/database.
Example of what happens:
So first the browser sends a GET request for a.php.
On Form submission the browser sends a POST request for a.php.
If the code for a.php detects an error it just re-renders the same page with the form tags filled in with the POST values.
If the code for a.php does not detect an error then it does whatever it needs to do to save the data and then sends a redirect request for b.php.
The browser sends a GET request for b.php and removes the a.php from its history.
b.php displays some kind of thank you note or confirmation.
I have a form that submits to a POST action URL I don't have control over, which leaves server-side validation on that URL out of the question. I need to be able to pass a pen test with reCaptcha and am curious if the below scenario would work.
One idea I had was to do all the normal client-side reCaptcha validation using the callback response and then enabling the submit button via JS.
That button would preventDefault() to submit the form to a different PHP file (via ajax). That PHP file would perform proper server-side validation, then based on the response submit the form to the main post url on the success ajax response or not via the error response via JS.
I could also load the form without a POST URL then populate the URL in the DOM based on the success ajax response prior to JS submit.
Does anyone have any better ideas or other ways I can validate recaptcha server-side even if I don't have control over the main POST URL?
Or do you think that client-side only validation could pass a pen test?
Thanks in advance for any input.
I am building a movie recommended system. I want when a user login and rate a movie, the rating and movie name as well as user name will post to another page without going to that page automatically, i mean without pressing anything. How can I do that?
You can do that by executing an ajax request (after clicking the vote-button), which sends data (you can define the data to be what you want - rating, movie and user) to a php script that you will have to create.
the php script will read the posted data that the ajax has sent and can insert/update the database.
This way, the user will not be redirected. he won't even notice.
You can achieve this by using some kind of ajax requests triggered by vote event or callback.