[ANY] PayPal Donations (Advanced)
Arkarr
Veteran Member
Join Date: Sep 2012
Location: Just behind my PC screen
Old 11-03-2017 , 08:49   Re: [ANY] PayPal Donations (Advanced)
Reply With Quote #41

I already told you that there is at least one way to exploit this.

Never trust a user input. Use AJAX.
__________________
Want to check my plugins ?
Arkarr is offline
DarkDeviL
SourceMod Moderator
Join Date: Apr 2012
Old 11-03-2017 , 13:21   Re: [ANY] PayPal Donations (Advanced)
Reply With Quote #42

Quote:
Originally Posted by Arkarr View Post
I already told you that there is at least one way to exploit this.

Never trust a user input. Use AJAX.
And ... since AJAX ("JavaScript") is handled client side, in each client's browser, how come you would trust AJAX?

You're sending data to the server for verification, and the server would for example return true/false depending on the data, ... but how you use the data, that part is still up to the "JavaScript" code to do, which is client side, and can easily be manipulated.

So well, suggesting to trust "AJAX" over "user input", ... really makes no difference in the end.
__________________
Mostly known as "DarkDeviL".

Dropbox FastDL: Public folder will no longer work after March 15, 2017!
For more info, see the [SRCDS Thread], or the [HLDS Thread].
DarkDeviL is offline
Arkarr
Veteran Member
Join Date: Sep 2012
Location: Just behind my PC screen
Old 11-03-2017 , 16:52   Re: [ANY] PayPal Donations (Advanced)
Reply With Quote #43

Quote:
Originally Posted by arne1288 View Post
And ... since AJAX ("JavaScript") is handled client side, in each client's browser, how come you would trust AJAX?

You're sending data to the server for verification, and the server would for example return true/false depending on the data, ... but how you use the data, that part is still up to the "JavaScript" code to do, which is client side, and can easily be manipulated.

So well, suggesting to trust "AJAX" over "user input", ... really makes no difference in the end.
Call a PHP page through AJAX. This way, users can't edit forms.

EDIT:
[PUBLIC PHP] ---> user selects item --> call another PHP page (ex, makepayments.php?object=tierv) with AJAX to make it look like it's not another page (so it's just design) --> PHP is executed on the server side, client can't edit --> return value is the value from PayPal (success / fail)

Not sure if I make sense.

Last edited by Arkarr; 11-03-2017 at 16:55.
Arkarr is offline
DarkDeviL
SourceMod Moderator
Join Date: Apr 2012
Old 11-03-2017 , 22:52   Re: [ANY] PayPal Donations (Advanced)
Reply With Quote #44

Quote:
Originally Posted by Arkarr View Post
Call a PHP page through AJAX. This way, users can't edit forms.

EDIT:
[PUBLIC PHP] ---> user selects item --> call another PHP page (ex, makepayments.php?object=tierv) with AJAX to make it look like it's not another page (so it's just design) --> PHP is executed on the server side, client can't edit --> return value is the value from PayPal (success / fail)

Not sure if I make sense.
Security through obscurity is not going to help you.

It's about fixing the flaws, not simply attempting to hide or obfuscate them.

If all you do is add the AJAX stuff you describe on top of the current code, then what you are doing is not going to help you at all.

If you're really working with AJAX, you should actually know that it is JavaScript, and that the J in "AJAX" actually stands for JavaScript:

JavaScript is handled purely client side, not server side AT ALL, a simple Google search can let you confirm that.

No matter what you send using JavaScript (or AJAX) to the server, it is still returned to the JavaScript part to be processed later on, and here you can still manipulate it, if you want to.

Feel free to try to make an example demonstrating your way, but if you aren't changing your communication with PayPal, please trust me when I tell you - you're not going to fix the issue 100% and will only end up doing "security through obscurity", which is literally the same as doing nothing: the flaws would still remain.
DarkDeviL is offline
lay295
Senior Member
Join Date: Sep 2013
Old 11-04-2017 , 01:04   Re: [ANY] PayPal Donations (Advanced)
Reply With Quote #45

Quote:
Originally Posted by arne1288 View Post
Security through obscurity is not going to help you.

It's about fixing the flaws, not simply attempting to hide or obfuscate them.

If all you do is add the AJAX stuff you describe on top of the current code, then what you are doing is not going to help you at all.

If you're really working with AJAX, you should actually know that it is JavaScript, and that the J in "AJAX" actually stands for JavaScript:

JavaScript is handled purely client side, not server side AT ALL, a simple Google search can let you confirm that.

No matter what you send using JavaScript (or AJAX) to the server, it is still returned to the JavaScript part to be processed later on, and here you can still manipulate it, if you want to.

Feel free to try to make an example demonstrating your way, but if you aren't changing your communication with PayPal, please trust me when I tell you - you're not going to fix the issue 100% and will only end up doing "security through obscurity", which is literally the same as doing nothing: the flaws would still remain.
He means taking the POST request out of the client-side HTML, and just making a POST request to something like this. I've made it a GET request instead though so you can just paste it in if you want to see. It seems like a fine approach, I haven't really been following this plugin but just wanted to say what I think @Arkarr was trying to. I think he just brought up AJAX as a way to call the PHP script, not to use it to send the data to PayPal.

http://mrderp.xyz/makepayments.php?tier=1 (If the page loads slow it's just my shitty box it's on)
https://pastebin.com/wtayNh9C
Last edited by lay295; 11-04-2017 at 01:06.
lay295 is offline
Arkarr
Veteran Member
Join Date: Sep 2012
Location: Just behind my PC screen
Old 11-04-2017 , 09:13   Re: [ANY] PayPal Donations (Advanced)
Reply With Quote #46

Quote:
Originally Posted by lay295 View Post
He means taking the POST request out of the client-side HTML, and just making a POST request to something like this. I've made it a GET request instead though so you can just paste it in if you want to see. It seems like a fine approach, I haven't really been following this plugin but just wanted to say what I think @Arkarr was trying to. I think he just brought up AJAX as a way to call the PHP script, not to use it to send the data to PayPal.

http://mrderp.xyz/makepayments.php?tier=1 (If the page loads slow it's just my shitty box it's on)
https://pastebin.com/wtayNh9C
^ this

I'm not good at explaining stuff.

Last edited by Arkarr; 11-04-2017 at 09:15.
Arkarr is offline
DarkDeviL
SourceMod Moderator
Join Date: Apr 2012
Old 11-04-2017 , 12:05   Re: [ANY] PayPal Donations (Advanced)
Reply With Quote #47

Quote:
Originally Posted by lay295 View Post
He means taking the POST request out of the client-side HTML, and just making a POST request to something like this. I've made it a GET request instead though so you can just paste it in if you want to see. It seems like a fine approach, I haven't really been following this plugin but just wanted to say what I think @Arkarr was trying to. I think he just brought up AJAX as a way to call the PHP script, not to use it to send the data to PayPal.

http://mrderp.xyz/makepayments.php?tier=1 (If the page loads slow it's just my shitty box it's on)
https://pastebin.com/wtayNh9C
That example is, as I said above, changing the communication with PayPal.

Personally, I have been using PayPal's "Hosted Button", which gives you a code like:

Code:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
  <input type="hidden" name="cmd" value="_s-xclick">
  <input type="hidden" name="hosted_button_id" value="INVALID_BUTTON_ID">
  [...]
</form>
Here you can simply change the "hosted_button_id", and everything (price, options, return URL, etc.) for that button ID is configured on PayPal's site; all you have to adjust on your site is the button ID, and it can't be manipulated.

However, only verified PayPal Premium and Business accounts can use PayPal's "Hosted Button", unless something changed recently.

A quick look at your demonstrated way seems, however, to do something similar: on your server side, you are taking the information and sending it to PayPal to create a "token" (seems quite similar to the "Hosted Button") for the payment information your server puts through, and then redirecting your "customer" to the PayPal URL with the token that your server receives from PayPal.

If you can use this option with a PayPal account you haven't verified in any way (passport, bank statement, etc.), I'm probably starting to lean more toward using this way than the "Hosted Buttons" I've been using for stuff myself. Things would get less complicated this way, as you don't have to log in to PayPal every time you need to adjust a button or add new levels.

Again, your demonstrated way is much different from just "adding AJAX on top of current code"; it is changing the communication too.
DarkDeviL is offline
Arkarr
Veteran Member
Join Date: Sep 2012
Location: Just behind my PC screen
Old 11-04-2017 , 12:31   Re: [ANY] PayPal Donations (Advanced)
Reply With Quote #48

Look, what I was trying to say is that you need to call a PHP page which would do the PayPal communication (so, it's server-side only), not an HTML form. AJAX was a suggestion to just make things nice, as it's the only purpose of JavaScript that I can think of.

Again, I probably wasn't clear enough. If you really need to, I can write a small example demonstrating what I'm trying to explain. Basically, it would be exactly the same as what @lay295 made.

And really, it is "adding AJAX on top of current code". Nothing else than moving the form into another PHP page and calling it through AJAX. Or whatever you want that is able to call that PHP page and get the result of it.
Arkarr is offline
DarkDeviL
SourceMod Moderator
Join Date: Apr 2012
Old 11-05-2017 , 01:04   Re: [ANY] PayPal Donations (Advanced)
Reply With Quote #49

Quote:
Originally Posted by Arkarr View Post
Look, what I was trying to say is [...]
I already understand 100% what it is you mean!

And if you're doing exactly as the example from @lay295, it seems perfectly fine!


Quote:
Originally Posted by Arkarr View Post
And really, it is "adding AJAX on top of current code". Nothing else than moving the form into another PHP page and calling it through AJAX. Or whatever you want that is able to call that PHP page and get the result of it.
Really, it isn't "current code" any more, when you are changing so much code, as you are doing:

Line 63 through line 148, you're removing all that "current code" and replacing it with / using the example from @lay295, so almost nothing of this highlighted code is visible to the end user any more; that is way more than just "adding AJAX on top of current code".

"Adding on top of current code" means all that highlighted code would have to stay in the HTML, otherwise it isn't "current code" anymore, that's what I meant from the beginning!

There are no reasons to discuss it any further, I completely understand what you mean, and have done so since @lay295's example.


BTW, with @lay295's example, you don't even need AJAX/JavaScript in the way you explain:

Code:
<form action="makepayments.php" method="get">
  <input type="hidden" name="tier" value="1" />
  <button name="submit" type="submit" class="btn btn-primary">Tier I - <?=$amount_tier1?> <?=$paypal_currency?></button>
</form>
<form action="makepayments.php" method="get">
  <input type="hidden" name="tier" value="2" />
  <button name="submit" type="submit" class="btn btn-primary">Tier 2 - <?=$amount_tier2?> <?=$paypal_currency?></button>
</form>
[...]
and it would work, even for the kind of people who might be blocking JavaScript on "unknown websites", etc. ;-)

Obviously, "tier" could be manipulated, but "makepayments.php" would take care of that. ;)


With the post above, I was simply sharing the way I have been doing things, not frowning upon your way ( ... any more ) .

Thank you for sharing your way(s) of doing it, and for the nice example!
DarkDeviL is offline
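A worked version of the server-side "makepayments.php" that the posts above keep referring to, added here as an example; it is not lay295's pastebin nor the plugin's own code. It assumes the classic PayPal Express Checkout NVP API (SetExpressCheckout returning a TOKEN, then a redirect to PayPal with that token), a constructed tier table, and placeholder API credentials; the client-supplied "tier" only selects a row, and the price never comes from the request.

```php
<?php
// makepayments.php (added example, not the plugin's code). The GET "tier" parameter only
// selects a row in this server-side table; the amount is never read from the client.
declare(strict_types=1);
const TIERS = [                       // constructed sample values
    1 => ['name' => 'Tier I',  'amount' => '5.00'],
    2 => ['name' => 'Tier II', 'amount' => '10.00'],
];
const CURRENCY = 'EUR';
// Placeholder credentials; real ones belong in a config file outside the web root.
const PAYPAL_CREDS = ['USER' => 'API_USER_PLACEHOLDER', 'PWD' => 'API_PWD_PLACEHOLDER',
                      'SIGNATURE' => 'API_SIGNATURE_PLACEHOLDER'];

function resolve_tier($raw): ?array
{
    // Whitelist: only a plain small integer that exists in TIERS is accepted.
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,2}$/', $raw)) {
        return null;
    }
    return TIERS[(int) $raw] ?? null;
}

function set_express_checkout(array $tier, string $returnUrl, string $cancelUrl): string
{
    // Assumed shape of the classic NVP SetExpressCheckout call: PayPal fixes the amount
    // to what the server sends here and hands back a one-time TOKEN for the redirect.
    $fields = PAYPAL_CREDS + [
        'METHOD' => 'SetExpressCheckout', 'VERSION' => '204',
        'PAYMENTREQUEST_0_PAYMENTACTION' => 'Sale',
        'PAYMENTREQUEST_0_AMT'           => $tier['amount'],
        'PAYMENTREQUEST_0_CURRENCYCODE'  => CURRENCY,
        'PAYMENTREQUEST_0_DESC'          => $tier['name'],
        'RETURNURL' => $returnUrl, 'CANCELURL' => $cancelUrl,
    ];
    $ch = curl_init('https://api-3t.paypal.com/nvp');
    curl_setopt_array($ch, [CURLOPT_POST => true, CURLOPT_RETURNTRANSFER => true,
                            CURLOPT_POSTFIELDS => http_build_query($fields)]);
    $body = curl_exec($ch);
    if ($body === false) { throw new RuntimeException('PayPal unreachable'); }
    parse_str($body, $resp);
    if (($resp['ACK'] ?? '') !== 'Success' || empty($resp['TOKEN'])) {
        throw new RuntimeException('SetExpressCheckout failed: ' . ($resp['L_LONGMESSAGE0'] ?? 'no message'));
    }
    return $resp['TOKEN'];
}

$tier = resolve_tier($_GET['tier'] ?? null);
if ($tier === null) { http_response_code(400); exit('Unknown tier'); }
$token = set_express_checkout($tier, 'https://example.com/return.php', 'https://example.com/cancel.php');
header('Location: https://www.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=' . rawurlencode($token)); exit;
```

The hosted-button form quoted earlier reaches the same state by a different route: the amount is stored on PayPal's side against the button ID, so in both cases nothing the browser can edit decides what is charged.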
Triniayo
Senior Member
Join Date: Apr 2011
Location: #include <germany>
Old 11-06-2017 , 08:34   Re: [ANY] PayPal Donations (Advanced)
Reply With Quote #50

Btw guys, the PHP Script has been made with the intention to use it through the ingame MOTD Panel. And there's not really a way to edit there.
__________________
If you need any help, feel free to add me on Steam.


Triniayo is offline