I'm trying to submit data to WorldPay's payment gateway. I'm currently doing this (successfully) by building up a query string (payment ID, amount, customer details, etc) and concatenating them to WorldPay's base url, like so:
https://secure-test.worldpay.com/wcc/purchase?instId=12345&testMode=100&amount=999
...and then doing a standard Response.Redirect([above_url]).
This works as intended, but I'm concerned that exposing this information in the query string is likely to encourage people to attack it (e.g. changing the "amount" key to, say, "1"!).
WorldPay's examples only go as far as providing a basic HTML form, but since the data is POSTed using this method, the above concern is never an issue. Unfortunately I'm required to do some pre-processing (order status updates, etc) BEFORE redirecting the user to WorldPay to complete the payment, so I'm left wondering if this can be done programmatically?
I suspect I'm trying to do exactly the same as this question: Programmatically redirect the user to WorldPay's site, passing all the necessary payment details - without exposing the query string values.
Is this possible?
WorldPay support have provided me with a solution. Digging through their source I can see that they're doing what [I suspect] husnain_sys was suggesting:
using System.Text;
using System.Web;

var formBuilder = new StringBuilder();
formBuilder.AppendLine("<html><head>");
// Submit the form as soon as the page loads so the browser carries on to WorldPay without user action.
// (The original used an AppendLineFormat extension; AppendFormat(...).AppendLine() is the plain StringBuilder equivalent.)
formBuilder.AppendFormat("</head><body onload=\"document.{0}.submit()\">", formName).AppendLine();
formBuilder.AppendFormat("<form name=\"{0}\" method=\"{1}\" action=\"{2}\" >", formName, Method.ToString(), Url).AppendLine();
// One hidden input per payment parameter; names and values are HTML-encoded so they cannot break out of the attribute.
for (int i = 0; i < _inputValues.Keys.Count; i++) {
    formBuilder.AppendFormat("<input name=\"{0}\" type=\"hidden\" value=\"{1}\">",
        HttpUtility.HtmlEncode(_inputValues.Keys[i]), HttpUtility.HtmlEncode(_inputValues[_inputValues.Keys[i]])).AppendLine();
}
formBuilder.AppendLine("</form>");
formBuilder.AppendLine("</body></html>");
// Discard anything already buffered, send the generated page as the whole response and end the request.
_httpContext.Response.Clear();
_httpContext.Response.Write(formBuilder.ToString());
_httpContext.Response.End();
This still looks like a hack to me (surely the redirect doesn't have to be done via JS?), but ah well - it works! Thanks guys. Hope this helps someone else.
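A stand-alone version of the same auto-submitting POST form, added here as an example (it is not WorldPay's or the poster's code). It shows the values leaving the URL, attribute-encoding of every name and value, and a no-script fallback button; field names other than instId, testMode and amount are assumed, and the sample values are constructed. POSTing keeps the parameters out of the address bar and browser history, but a user can still edit the hidden fields, so the amount the gateway reports back must be checked server-side against the order stored before the redirect.

```csharp
// Added example, not WorldPay's or the poster's code. Builds a self-submitting
// POST form so gateway parameters travel in the request body, not the URL.
// Assumes .NET with System.Net (WebUtility replaces HttpUtility from System.Web).
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

public static class AutoPostForm
{
    // Returns a complete HTML page that POSTs 'fields' to 'actionUrl' on load.
    public static string Build(string actionUrl, IDictionary<string, string> fields)
    {
        var sb = new StringBuilder();
        sb.AppendLine("<!DOCTYPE html><html><head><meta charset=\"utf-8\"></head>");
        sb.AppendLine("<body onload=\"document.forms['gateway'].submit()\">");
        sb.AppendFormat("<form id=\"gateway\" name=\"gateway\" method=\"post\" action=\"{0}\">",
                        WebUtility.HtmlEncode(actionUrl)).AppendLine();
        foreach (var kv in fields)
        {
            // Encode name and value so quotes or angle brackets cannot break out of the attribute.
            sb.AppendFormat("<input type=\"hidden\" name=\"{0}\" value=\"{1}\">",
                            WebUtility.HtmlEncode(kv.Key), WebUtility.HtmlEncode(kv.Value)).AppendLine();
        }
        // Fallback for browsers with scripting disabled: the user clicks instead.
        sb.AppendLine("<noscript><input type=\"submit\" value=\"Continue to payment\"></noscript>");
        sb.AppendLine("</form></body></html>");
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample values; cartId, currency and desc are assumed field names.
        var fields = new Dictionary<string, string>
        {
            ["instId"] = "12345",
            ["testMode"] = "100",
            ["cartId"] = "ORDER-0001",
            ["amount"] = "9.99",
            ["currency"] = "GBP",
            ["desc"] = "Widget \"deluxe\" <pack>"   // shows encoding of awkward characters
        };
        Console.Write(Build("https://secure-test.worldpay.com/wcc/purchase", fields));
    }
}
```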