
Validating a form on a webpage that someone saves to their desktop 4

Status
Not open for further replies.

CMcC (Programmer)
Hi all.

I have been racking my brain trying to figure out how to validate a form on a saved page (user saved the page to their desktop) where the dynamic variables are then saved as static variables?

I am using outdated ASP classic, and I have to work with old Fox 2.0 and Visual Fox data.

Basically a DLL is built that creates a string and I perform an "execute" function that returns a string that must be parsed off into variables.
Code:
Set mytest = Server.CreateObject("webrepay.taxcalc")
buffer = mytest.execute(cmd)
I include a results page which I can then utilize the variables from the
Code:
 %>
<!--#INCLUDE file="resultshow.asp"-->
<%
From the resultshow page, the user can click a button that will take the amount due -echeckdue - (which changes monthly) and this button would send the user data to a third party processor.

Code:
echeckbtnmsg =  " Pay $" + cstr(echeckdue) + " by eCheck (includes $.50 cent processing fee*)"

  <form method='post' action='https://swp.paymentprocessor.com/co/default.aspx'>
          <input type='hidden' name='pg_api_login_id' value='il3bB78B1A'/>
          <input type='hidden' name='pg_merchant_data_1' value='<%=taxyear%>'/>
          <input type='hidden' name='pg_merchant_data_2' value='<%=addyear%>'/>
          <input type='hidden' name='pg_merchant_data_3' value='<%=timedate%>'/>
          <input type='hidden' name='pg_wallet_id' value='Property Tax'/>
          <input type='hidden' name='pg_billto_postal_name_company' value=''/>
          <input type='hidden' name='pg_continue_url' value='http://www.mysite.org/general/onlinepay.shtml'/>
          <input type='hidden' name='pg_total_amount' value='<%=echeckdue%>'/>
          <input type='hidden' name='pg_consumer_id' value='<%=plainparcel%>'/>
          <input type='hidden' name='pg_consumerorderid' value='<%=plainparcel%>'/>
          <p align="center">
            <% if echeck <> "" then %>
            <input name="BtnSUBMIT" onsubmit = 'return checkit(parcelnodash)' type=SUBMIT value='<%=echeckbtnmsg%>' />
            <% end if %>
          </p>
        </form>

The problem is when a user saves the webpage to their desktop, the amount "Echeckdue" may be more than what is saved on the client computer. The 'checkit()' function does not seem to fire and the user is taken to the third party processor with the wrong amount that is now due.

When I look at the source behind the form on the saved page, this is what I see:
Code:
<form method="Redirect" onsubmit="checkit(parcelnodash)" action="https://swp.paymentprocessor.net/co/default.aspx"><table cellspacing="0" cellpadding="0" border="0"><tbody><tr><td align="right" width="300"></td><td align="left" width="200"><input type="hidden" name="pg_api_login_id" value="il3bB78B1A">
<input type="hidden" name="pg_merchant_data_1" value="2013">
<input type="hidden" name="pg_merchant_data_2" value="2013">
<input type="hidden" name="pg_merchant_data_3" value="1/3/2014 4:50:55 PM">
<input type="hidden" name="pg_wallet_id" value="Tax">
<input type="hidden" name="pg_billto_postal_name_company" value="">
<input type="hidden" name="pg_continue_url" value="http://www.mysite.org/general/onlinepay.shtml">
<input type="hidden" name="pg_total_amount" value="474.39">
<input type="hidden" name="pg_consumerorderid" value="R2519305AG080B">
<input type="hidden" name="pg_consumer_id" value="R2519305AG080B">
</td></tr><tr><td align="right" width="300"></td><td align="left" width="200"><input type="SUBMIT" value="Continue to Pay by eCheck Now"><br></td></tr></tbody></table></form>
So what I need the function to do is take the static value of "pg_total_amount" value="474.39" and go back and re-query the data through the execute function above and test whether the new value is the same as the old. If not, I need to stop them from submitting the values to the third party processor.

I cannot seem to get this to work.
It always goes to the 3rd party processor with the wrong amount.
Here is the checkit function
Code:
<%
Function checkit(account)

 dim mytest
 dim buffer
 dim ok2pay
 dim whatisdue
 dim whatshows
 dim intCompare

 Set mytest = Server.CreateObject("webrepay.taxcalc")
 buffer = mytest.execute(cmd)          '' cmd: the same command string passed to execute on the main page
 ok2pay = mid(buffer,1557,1)           '' ok2pay flag
 whatisdue = Mid(buffer,293,11) * .01  '' newest value to pay
 whatshows = amountdue                 '' amountdue is original variable parsed off the buffer with value of what is due
 if ok2pay = "T" then                  '' right time of year to pay
      intCompare = StrComp(whatisdue, whatshows, vbTextCompare)
      If intCompare = 0 Then
         checkit = true
      Else
         checkit = false
      End If
 else
  checkit = false
 end if
 if checkit = false then
   response.redirect("http://www.mysite.org/dev/payresult.asp?txtAccountID=" & account)
 end if

End Function
%>

Any suggestions as to make this happen? I would really like to make the page un-saveable, but I know I cannot do that!
Thank you all!
CMcc
 
I have been racking my brain trying to figure out how to validate a form on a saved page (user saved the page to their desktop) where the dynamic variables are then saved as static variables?
With ASP???


You can't. ASP scripts run on a webserver, page saved to desktop == No server.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
 
Thank you Chris. That is what I was thinking. Not sure if possible to make a form submit button disabled if they save the page.(or not allow them to save the page).

On our server, a value is determined what is needed to be paid. This information is then sent to a 3rd party payment gateway and the form submits hidden variables to a remote URL.

If the user selects to save the page, then I have no way to verify that same amount is still due. When this happens, the payment comes in at the wrong amount and a payment exception is generated on this end before any payments are applied to any accounts. Trying to stop the exceptions and the only way that a user could have paid and "old" value amount, was to have saved the page to their desktop or something similar and come back to the page later and submitted the "pay" button.

If I find a way around this, I will post. Yes, ASP is old school, but until we can get our data converted all over to SQL, I unfortunately have clunk my way around these things.

Much appreciated!
Cmcc
 
You should remove that JavaScript from the user, and all submits should go to your server. When your server gets a request to submit a payment you need to verify amount, inventory, etc., make a service call from your server to the payment processor, and when you get the result, build the response to the user. It is a different architecture, but it is the only way it should work.
 
Hi gk53. I will see what I can do. That does sound like what I need to do. I appreciate your input.
Cmcc
 
If you rather mean VBScript, in which classic server side ASP scripts can be developed, that's possible in the Browser, too, as Javascript is:
Indeed you can develop a client side shopping system in both VBScript or Javascript. Today rather in Javascript, but ASP stands for active SERVER pages. But you can't trust and verify monetary things on the client side; you always will forward the final order to a server side script, validating all input, calculating fees, tolls, etc. only there. Anybody can stop, debug and change code at the client side, so you can't trust any input coming from there. And you only do money transactions on the server side, too, in cooperation with payment services, e.g. PayPal, etc.

Bye, Olaf.
 
Indeed you can develop a client side shopping system in both VBScript or Javascript.

Only Infernet Exploder supports vbscript in the browser for client side scripting.

Chris.

 
Yes, true. Because it's a Microsoft thing anyway. It was very welcome for customers wanting Intranet solutions way back in 1999, though.

Bye, Olaf.

PS w3schools also mentions VBScript is a Microsoft thing only, so is ASP.
 
so is ASP.

But ASP vbScript does NOT run in the browser context, so is NOT Operating System or browser dependent.

Client side vBScript is OS AND Browser dependent

Chris.

 
Chris: FoxPro is involved, and this only runs on Windows anyway. (Chris: Look at my profile and you'll see why I jumped in).

Several answered on how to do it correctly. I was merely showing there are options you deny; I don't recommend them anyway, this is what we agree on.

CmCC, having such an old FoxPro system, how about going to a FoxPro software vendor (I work for TMN-Systemberatung.de in Germany, for example) and let them reimplement. It's not well designed anyway, as you show it. You create HTML you send to customers, having a form with redirect method. Payment data is included. Anybody with low programming knowledge can use browser debug tools (you can e.g. start by F12 in Internet Explorer) to manually override values in the form, even of the hidden HTML input elements.

You better redo this overall instead of trying to keep it alive or update it.

Bye, Olaf.
 
CmCC: Here you have a screenshot about what a user knowing F12 can do:

[Screenshot: HackShop.JPG]


I changed your sample value from 474.39 to 120.56 simply by pressing F12 and then navigating the HTML element nodes down to the hidden input. It's only visually hidden.

Now I could submit with the "Continue to Pay by eCheck now" and pay a lower price than you want.

Your system is not safe, and adding programming to it won't make that better; you have to do the redirect from the server side. Moving the checkit function to run on the client side, no matter if VBScript or Javascript, won't make this any more secure. The user can not only change form input values, but also remove the call to the checkit function.

This really has to be redone for your own safety's sake!

Bye, Olaf.
 
By the way: Saving the HTML to a file saves the value you put in there. E.g. I saved after editing the amount to 120.56 and reloaded the saved HTML with 474.39, but the value submitted still will be what I want.

If a user doesn't want to cheat but reuses this saved file every month, he'll not load the current amount, but the amount saved way back when first saving that submit form, and always pay the same amount every month.

It's by design. You don't send the user a form with the payment amount and a submit button redirecting to the third party payment site. You let users log in to your system, letting them see the current amount due, and redirect them from your server to the third party payment site.

What you're doing is like giving the customer a bill written with pencil, with a rubber and a pencil to write in any amount and then pay.

Bye, Olaf.
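The server-side handling that gk53 and Olaf describe, written out as an added example (Python, not the poster's ASP code): the browser posts only the account id and the amount it displayed, and the server recomputes the amount and builds every processor field itself. The lookup table, the OK2PAY flag and the amounts are constructed stand-ins for the thread's webrepay.taxcalc buffer.

```python
from decimal import Decimal, InvalidOperation

# Constructed stand-in for the authoritative lookup. In the thread this is the
# webrepay.taxcalc COM object whose buffer is parsed for the amount and the
# "T" ok-to-pay flag; here it is a dict of made-up figures keyed by account.
CURRENT_DUE = {"R2519305AG080B": Decimal("489.12")}
OK2PAY = {"R2519305AG080B": True}
PROCESSOR_URL = "https://swp.paymentprocessor.com/co/default.aspx"  # from the thread


def handle_pay_request(form):
    """Server-side handler for the pay button.

    `form` is the posted data. Nothing from the client is forwarded to the
    processor: the amount is taken from the server's own lookup, and the
    client's displayed amount is only compared so a stale (saved) page or an
    edited hidden field can be reported instead of silently paid.
    """
    account = form.get("txtAccountID", "")
    if account not in CURRENT_DUE:
        return {"ok": False, "reason": "unknown account"}
    if not OK2PAY.get(account):
        return {"ok": False, "reason": "not payable at this time"}
    due = CURRENT_DUE[account]

    try:
        shown = Decimal(form.get("pg_total_amount", ""))
    except InvalidOperation:
        return {"ok": False, "reason": "malformed amount"}

    if shown != due:
        # The page the user submitted from shows an old or altered figure.
        return {"ok": False, "reason": "amount changed", "current_due": str(due)}

    # Only now are the processor fields built, and only from server-side data.
    return {
        "ok": True,
        "action": PROCESSOR_URL,
        "fields": {
            "pg_total_amount": str(due),
            "pg_consumer_id": account,
            "pg_consumerorderid": account,
        },
    }
```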
 
Thank you Olaf AND everyone for all of your responses. We are in the process of converting our FoxPro over to SQL now. I am creating a server side process that will exist on our server to check the value that is coming back from the client before heading off to the third party processor. Customers do not log in to pay on our site. This involves local government taxes that anyone can pay for. They select by clicking what they want to pay and are redirected to the third party website to use their echeck or credit card. I agree that logging into a system to pay would be the best way to do it, but unfortunately my hands are tied by outdated software, having to do things the old way.

CMCC
 
CMcC:
We use Authorize.Net for a payment gateway. Like your site, our website only gathers information about what the person wants to buy, and we pass that to Authorize.Net to handle the actual payment by credit card, echeck, etc.

They supplied us with code to create a "fingerprint", which is a hash value based on various things including amount, date/time stamp, a random number... and your "Transaction Key" which is unique to your account and should never be given to anyone. The fingerprint is placed in a hidden variable on your form, and gets submitted with everything else. Authorize.Net verifies the fingerprint to make sure it is valid, is from you, was created using your key, and that the amount was not modified.

I would hope your third party could provide the same thing...
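The fingerprint scheme Guitarzan describes, as an added example (Python, not Authorize.Net's code and not their exact message layout): the merchant's secret transaction key is used as an HMAC key over the login id, a random sequence number, a timestamp and the amount; the gateway recomputes it and also rejects old timestamps, which is what catches a form saved to the desktop and resubmitted a month later. The field names `x_fp_*`, the `^`-joined layout and the 15-minute window are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from decimal import Decimal, InvalidOperation


def _money(amount):
    # Canonical two-decimal form so "474.39" and "474.390" hash the same.
    return str(Decimal(amount).quantize(Decimal("0.01")))


def make_fingerprint(transaction_key, login_id, sequence, timestamp, amount):
    # Assumed layout: login^sequence^timestamp^amount, HMAC-SHA256 keyed with
    # the secret transaction key that never leaves the merchant and gateway.
    msg = "^".join([login_id, str(sequence), str(timestamp), _money(amount)])
    return hmac.new(transaction_key.encode(), msg.encode(), hashlib.sha256).hexdigest()


def build_form_fields(transaction_key, login_id, amount, now=None):
    """Merchant server: hidden fields to place in the checkout form."""
    timestamp = int(time.time() if now is None else now)
    sequence = secrets.randbelow(10**9)
    return {
        "pg_api_login_id": login_id,
        "pg_total_amount": _money(amount),
        "x_fp_sequence": str(sequence),
        "x_fp_timestamp": str(timestamp),
        "x_fp_hash": make_fingerprint(transaction_key, login_id, sequence, timestamp, amount),
    }


def verify_form_fields(transaction_key, fields, now=None, max_age=900):
    """Gateway side: True only if the fingerprint matches the submitted
    amount and the timestamp is within max_age seconds (assumed 15 min)."""
    try:
        expected = make_fingerprint(transaction_key, fields["pg_api_login_id"],
                                    fields["x_fp_sequence"], fields["x_fp_timestamp"],
                                    fields["pg_total_amount"])
        age = int(time.time() if now is None else now) - int(fields["x_fp_timestamp"])
    except (KeyError, ValueError, InvalidOperation):
        return False
    if not hmac.compare_digest(expected, fields.get("x_fp_hash", "")):
        return False  # amount, login id, sequence or timestamp was altered
    return 0 <= age <= max_age  # a saved page resubmitted later fails here
```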
 
Thanks Guitarzan.
I will have to ask our gateway provider if they include such a fingerprint. That is a valuable thing. I will continue to code my process page until further notice...
Cmcc
 