Guys, I apologize if the question is less organized and less clear. I am in a hurry :(
My web app has a payment form that needs to be submitted to another ASP.NET page (let's call it http://vendor.com/getpay.aspx) residing on another server.
That page will do some mumbo-jumbo work and then redirect it to the actual payment gateway site.
When I post my payment form to getpay.aspx via a simple HTML form, it works and redirects fine.
If I change the form and its hidden inputs to server-side controls, it doesn't work. Their page is throwing a ViewState exception.
- I need the form hidden inputs to be server controls so that I can bind some values generated by my code-behind. (I think I can do this the classic ASP way using <%= %>, but it is like going backwards in standards!)
- I tried HttpWebRequest in the code-behind; it posts the form, but the browser doesn't redirect to the payment gateway page.
- I am posting the payment info over non-HTTPS; how can I prevent the user tampering with the posted data?
- I want to validate the payment form in the backend and then post it; I can't trust the user input data.
- Also, the result is returned to my redirect page with query strings appended. This also happens over non-HTTPS. How much can I trust this redirect data?
Thx much
1 solution
#1
3
Generate your form by clearing the Response and rewriting the HTML form out into the cleared response. When I get home I will trawl through my old code and provide an example.
EDIT: OK, here is my code. I had to recreate it because I am still at work, but it goes a little like this:
Create an intermediate page to capture your variables from the ASPX page and then use this to send them as a 'simple' form:
using System;
using System.Collections.Generic;
using System.Web;

protected void Page_Load(object sender, EventArgs e)
{
    // Capture the post to this page
    IDictionary<string, string> variables = new Dictionary<string, string>();
    variables.Add("test", Request.Form["test"]); // collect all variables after checking they exist
    RewriteContent(variables);
}

public void RewriteContent(IDictionary<string, string> variables)
{
    // Write a plain HTML form (no runat="server", so no ViewState field) that posts to the vendor page
    string formContent = @"
<html>
<head>
<title>My Form</title>
</head>
<body>
<form action='http://vendor.com/getpay.aspx' method='post'>";
    foreach (KeyValuePair<string, string> keyVal in variables)
    {
        // the dictionary key is the field name; encode both so a value cannot break out of the attribute
        formContent += "<input type='hidden' name='" + HttpUtility.HtmlAttributeEncode(keyVal.Key)
                     + "' value='" + HttpUtility.HtmlAttributeEncode(keyVal.Value ?? string.Empty) + "' />";
    }
    formContent += @"
<input type='submit' value='Continue to payment' />
</form>
</body>
</html>"; // Add either an auto post in a javascript or an explicit submit button
    Response.Clear();
    Response.Write(formContent);
    Response.Flush();
    Response.End();
}
EDIT 2: Sorry, I just realised I have not answered the other questions.
Q3/Q4/Q5. If you are not using HTTPS you cannot really stop tampering or be sure the response is correct, but you can restrict the chance that it is bogus. This can be achieved by hashing the values with a secret that is shared between your end and the destination; then, when you get the response, you should hash the values and compare them to the hash that is sent back to you before you accept that it is valid.
Most payment mechanisms are verified in this manner, usually with an MD5 or SHA1 hash. You can find more info on the following links:
http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha1.aspx
http://www.developerfusion.com/code/4601/create-hashes-md5-sha1-sha256-sha384-sha512/
http://snippets.dzone.com/posts/show/5816
EDIT 3: Doing some encryption now and thought I would share some code with you (because I am nice like that). It might give you an idea of what to do, and you can probably code better than me, so just tidy up my mess a bit :)
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Text;
using System.Security.Cryptography;
using log4net;

namespace MyCompany.Cipher
{
    // How the raw hash bytes are rendered as text
    public enum EncodeStyle
    {
        Base64,
        Dig,
        Hex
    }

    public class Sha1Hasher
    {
        private static readonly ILog log = LogManager.GetLogger(MethodBase.GetCurrentMethod().DeclaringType);

        public string GenerateSha1HashForString(string valueToHash, EncodeStyle encodeStyle)
        {
            string hashedString = string.Empty;
            try
            {
                hashedString = SHA1HashEncode(Encoding.UTF8.GetBytes(valueToHash), encodeStyle);
            }
            catch (Exception ex)
            {
                if (log.IsErrorEnabled) { log.Error(string.Format("{0}\r\n{1}", ex.Message, ex.StackTrace)); }
                throw new Exception("Error trying to hash a string; information can be found in the error log", ex);
            }
            return hashedString;
        }

        private string ByteArrayToString(byte[] bytes, EncodeStyle encodeStyle)
        {
            if (EncodeStyle.Base64 == encodeStyle)
            {
                return Convert.ToBase64String(bytes);
            }
            StringBuilder output = new StringBuilder(bytes.Length * 3);
            for (int i = 0; i < bytes.Length; i++)
            {
                switch (encodeStyle)
                {
                    case EncodeStyle.Dig:
                        // encode to decimal with 3 digits so 7 will be 007 (a byte ranges from 0 to 255)
                        output.Append(bytes[i].ToString("D3"));
                        break;
                    case EncodeStyle.Hex:
                        output.Append(bytes[i].ToString("X2"));
                        break;
                }
            }
            return output.ToString();
        }

        private string SHA1HashEncode(byte[] valueToHash, EncodeStyle encode)
        {
            // SHA1 output is always 20 bytes; ComputeHash allocates the array itself
            using (SHA1 a = new SHA1CryptoServiceProvider())
            {
                byte[] arr = a.ComputeHash(valueToHash);
                return ByteArrayToString(arr, encode);
            }
        }
    }
}
Put it in a class somewhere that your project can see, and it can generate a SHA1 hash based on a string value by calling the public method.
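The answer's "hash the values with a shared secret, then compare on the way back" scheme, worked through as an added example that is not part of the original answer or the asker's project. Instead of a bare MD5/SHA1 over value plus secret it uses an HMAC (HMACSHA256 from System.Security.Cryptography) over a canonical, name-sorted rendering of the fields, and it compares the signature in constant time. The field names (orderId, amount, currency, status), the signature field name sig, the secret and the simulated gateway reply are all constructed for the example; the real gateway must agree on the same canonical form and share the secret out of band.

```csharp
// Added example: signing outgoing payment fields and verifying the gateway's redirect.
// Not the gateway's protocol; assumes both sides agree on this canonical form and secret.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class PaymentSignature
{
    // Canonical form: fields sorted by name (ordinal), "name=value" joined with '&',
    // the signature field itself excluded. Sorting makes the result independent of the
    // order in which fields arrive in the form post or the redirect query string.
    private static string Canonicalize(IDictionary<string, string> fields)
    {
        return string.Join("&", fields
            .Where(kv => kv.Key != "sig")
            .OrderBy(kv => kv.Key, StringComparer.Ordinal)
            .Select(kv => kv.Key + "=" + (kv.Value ?? string.Empty)));
    }

    // HMAC over the canonical string, rendered as lowercase hex.
    public static string Sign(IDictionary<string, string> fields, byte[] secret)
    {
        using (var hmac = new HMACSHA256(secret))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(Canonicalize(fields)));
            return BitConverter.ToString(mac).Replace("-", string.Empty).ToLowerInvariant();
        }
    }

    // Recompute the signature and compare without an early exit, so a mismatch in the
    // first byte takes as long as one in the last byte.
    public static bool Verify(IDictionary<string, string> fields, byte[] secret)
    {
        string presented;
        if (!fields.TryGetValue("sig", out presented) || string.IsNullOrEmpty(presented))
        {
            return false;
        }
        byte[] expected = Encoding.ASCII.GetBytes(Sign(fields, secret));
        byte[] given = Encoding.ASCII.GetBytes(presented.ToLowerInvariant());
        if (expected.Length != given.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
        {
            diff |= expected[i] ^ given[i];
        }
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample secret; a real one comes from configuration, shared with the gateway.
        byte[] secret = Encoding.UTF8.GetBytes("shared-secret-placeholder");

        // Outgoing hidden fields (constructed sample order), signed before they are written into the form.
        var outgoing = new Dictionary<string, string>
        {
            { "orderId", "1001" }, { "amount", "49.99" }, { "currency", "USD" }
        };
        outgoing["sig"] = PaymentSignature.Sign(outgoing, secret);

        // Simulated redirect from the gateway, as the query string would be parsed into a dictionary.
        // In the real flow the gateway signs the reply; here the example re-signs it to stand in for that.
        var returned = new Dictionary<string, string>(outgoing);
        returned["status"] = "OK";
        returned["sig"] = PaymentSignature.Sign(returned, secret);
        Console.WriteLine("untampered reply accepted: " + PaymentSignature.Verify(returned, secret));

        // Same reply with the amount changed in transit: the signature no longer matches.
        returned["amount"] = "0.01";
        Console.WriteLine("tampered reply accepted: " + PaymentSignature.Verify(returned, secret));
    }
}
```

A valid signature only proves the fields were produced by someone holding the secret; before marking the order paid, the redirect handler should still look up orderId in its own store, check that amount and currency match what it sent, and reject an orderId it has already processed, since a captured reply could otherwise be replayed.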