# [web] [php] fake form post

## Recommended Posts

how can i fake a form post with php? i have this form from paypal:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="image" src="http://mybutton.com" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
<img alt="" border="0" src="https://www.paypal.com/en_AU/i/scr/pixel.gif" width="1" height="1">
<input type="hidden" name="encrypted" value="some value here needs to be posted!">
</form>


so i want to redirect the user to: https://www.paypal.com/cgi-bin/webscr with the 'encrypted' value posted. i tried setting this: \$_POST['encrypted'] = "some value here needs to be posted!"; header ('Location: https://www.paypal.com/cgi-bin/webscr'); which sends me to the page, but looks like its not getting the post info

##### Share on other sites
You need to open a socket to paypal.com, then send through the http post request, to send the appropritate data. (google will help)

i don't think you want to use php for this.

##### Share on other sites
The encrypted value probably holds some transaction details, combined with some salt values (look it up), precisely so no-one could forge the post info. This is called private key encryption, where the client has neither all the keys nor the algorithm that generates the security hash, but still needs to pass it back to the server for validation. If you're trying to legally use it, contact the PayPal developer relations staff for instructions.

##### Share on other sites
yeah i have the encrypted data to send them i've just left it out here and replaced it with "some value here needs to be posted!".

##### Share on other sites
Quote:
 Original post by Nik02The encrypted value probably holds some transaction details, combined with some salt values (look it up), precisely so no-one could forge the post info. This is called private key encryption, where the client has neither all the keys nor the algorithm that generates the security hash, but still needs to pass it back to the server for validation. If you're trying to legally use it, contact the PayPal developer relations staff for instructions.

Ok, nik02, starting from the top.

Its called public key crypography. Its an asymetric cypher, where the key to encrypt is different from the key to decrypt. (so people sending you stuff have your "public" key, so they can encrypt stuff going to you, but they cannot decrypt mail going to you, because they do not have your "private" or decryption key).

As per hashes and salts:
A salt is a set of random bytes prepended to a hash function, so as to stop replay attacks. (this also helps people using a rainbow table, ect. from reversing your hash).

For example, for a game logon system:

So grab a random two character string from the server (the salt), and prepend it onto your username+password combo. (already hashed, probably), before hashing it and sending it to the server.

When you send it to the server.

The server has a list of all the valid md5(password + username)'s

So you calculate the hash for each of the u/p combinations with the salt that you sent to that client.

This then stops unscrupulous users from sending the same login packet to the server, to impersonate somebody else.

uh.... i'm not sure if thats an answer to the op, but hopefully it would be at least somewhat usefull.

##### Share on other sites
To make a POST within a page, you can use something like the CURL library.

##### Share on other sites
You could have some javascript automate the submission of a form with hidden fields. This is the most common way of achieving this.

Doing a server-server post is not suitable, necessary, or allowed for this integration method with Paypal. A human must see the contents of the page after the submit.

Mark

## Create an account

Register a new account

• ## Partner Spotlight

• ### Forum Statistics

• Total Topics
627657
• Total Posts
2978472

• 10
• 12
• 22
• 13
• 33