Friday, 3 July 2015

Braintree hosted fields javascript php send nonce in ajax

Braintree's Hosted Fields are small, transparent iframes served by Braintree that replace the sensitive card inputs in your checkout page. The card number, CVV and expiry are typed into Braintree's iframes and sent straight to Braintree, so they never pass through your servers, which is what helps you meet the card-data security requirements.

This does not make PCI compliance go away, but it shrinks it considerably: because the card details are collected and processed by Braintree, a site using Hosted Fields is eligible for the simplest self-assessment (SAQ A), provided the checkout page itself is served over HTTPS and you never handle raw card data yourself. The user sees what looks like card fields on your website, but in fact those fields are NOT yours.



After a couple of days of hard work, I was able to integrate the Braintree hosted fields.
The HTML form is as follows:
<form action="/braintree/submitform" id="my-payment-form" method="POST">
  <!-- The hosted-field containers are empty divs: Braintree injects its own iframes into them,
       so no card data ever belongs to this form's own inputs. The method is POST so that a
       non-JavaScript submit never puts anything into the URL or the server access log. -->
  <div class="braintreeinput">
    <label for="card-number">Card Number</label>
    <br />
    <div id="card-number"></div>
  </div>
  <div class="braintreeinput">
    <label for="cvv">CVV</label>
    <br />
    <div id="cvv"></div>
  </div>
  <div class="braintreeinput">
    <label for="expiration-month">Expiration Month</label>
    <br />
    <div id="expiration-month"></div>
  </div>
  <div class="braintreeinput">
    <label for="expiration-year">Expiration Year</label>
    <br />
    <div id="expiration-year"></div>
  </div>
  <div class="payBtnCont">
    <input id="mainSubmitBtn" type="submit" value="Send Money" />
  </div>
</form>



Add the following JavaScript to the web page. Load it with https:// rather than http://: a script fetched over plain HTTP into a checkout page can be altered in transit, which would defeat the whole point of isolating the card fields in Braintree's iframes.
http://js.braintreegateway.com/js/beta/braintree-hosted-fields-beta.17.js



Get a client token from your server (the Braintree PHP SDK produces one with Braintree_ClientToken::generate()) and put it in a JavaScript variable as below. The client token is short-lived and only authorises the browser to tokenise a card, so it is safe to embed in the page; your private key must never leave the server.
var clientToken = 'CLIENT_TOKEN_FROM_SERVER';



The JavaScript is as follows (the original callback named its parameter nonce but then read response, which is fixed here):
braintree.setup(clientToken, "custom", {
  id: "my-payment-form",
  hostedFields: {
    number: { selector: "#card-number" },
    cvv: { selector: "#cvv" },
    expirationMonth: { selector: "#expiration-month" },
    expirationYear: { selector: "#expiration-year" },
    styles: {
      ".braintreeinput": {
        "font-size": "16pt",
        "color": "#3A3A3A",
        "line-height": "40px"
      }
    }
  },
  // Called once Braintree has tokenised the card inside its iframes.
  // The argument is the whole payment-method object, not just the nonce string.
  onPaymentMethodReceived: function (response) {
    console.log(JSON.stringify(response));
    /* Example response:
       {"nonce":"e1db0653-7a83-4022-8213-7e73504e7f88","details":{"lastTwo":"11","cardType":"Visa"},"type":"CreditCard"} */

    // Only the one-time nonce is sent to our server; it cannot be turned back into card data.
    $.ajax({
      url: '/braintree/submitform',
      data: { payment_method_nonce: response.nonce },
      type: 'POST',
      dataType: 'json',
      success: function (result) {
        // Ajax call result comes here
      }
    });

    // Stop the normal form submit; the nonce has already gone by AJAX.
    return false;
  }
});



Once the nonce reaches the "/braintree/submitform" endpoint, you can charge the customer with the code below. Take the amount from your own order record on the server; never trust an amount posted by the browser. Also check $result->success: a decline or a validation error does not throw, it comes back as an unsuccessful result.
$nonceFromTheClient = $_POST['payment_method_nonce'];
$result = Braintree_Transaction::sale([
  'amount' => '10.00',                  // decided server-side, e.g. from the order record
  'paymentMethodNonce' => $nonceFromTheClient,
  'options' => [
    'submitForSettlement' => true
  ]
]);
if ($result->success) {
  $transactionId = $result->transaction->id;   // charge accepted
} else {
  $error = $result->message;                   // declined or validation error
}
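As an added example that is not part of the original post, here is what the two server-side endpoints of this flow look like in PHP with the same SDK 2.x classes the post uses (Braintree_Configuration, Braintree_ClientToken, Braintree_Transaction). The sandbox credentials, the /braintree/client_token and /braintree/submitform routes, the order_id request field and the lookupOrderAmount() helper are assumptions made for the example.

```php
<?php
// Added example, not from the original post: the client-token endpoint and the
// charge endpoint for the hosted-fields flow, using the Braintree PHP SDK 2.x API.
// Credentials, routes, the order_id field and lookupOrderAmount() are assumptions.
require_once 'vendor/autoload.php';

Braintree_Configuration::environment('sandbox');
Braintree_Configuration::merchantId('YOUR_MERCHANT_ID');
Braintree_Configuration::publicKey('YOUR_PUBLIC_KEY');
Braintree_Configuration::privateKey('YOUR_PRIVATE_KEY');

// Hypothetical helper: the amount comes from the server-side order record,
// never from the browser. The array stands in for a database lookup.
function lookupOrderAmount($orderId)
{
    $orders = ['order-1001' => '10.00'];   // constructed sample data
    return isset($orders[$orderId]) ? $orders[$orderId] : null;
}

// GET /braintree/client_token -> {"clientToken": "..."} for the page's clientToken variable.
function clientTokenResponse()
{
    return json_encode(['clientToken' => Braintree_ClientToken::generate()]);
}

// POST /braintree/submitform with payment_method_nonce and order_id.
function chargeNonce(array $post)
{
    $nonce   = isset($post['payment_method_nonce']) ? $post['payment_method_nonce'] : '';
    $orderId = isset($post['order_id']) ? $post['order_id'] : '';

    // The nonce is an opaque one-time token; reject anything that does not look like one
    // before it reaches the gateway (loose sanity check, not a format guarantee).
    if (!preg_match('/^[A-Za-z0-9_-]{1,128}$/', $nonce)) {
        return ['success' => false, 'error' => 'invalid nonce'];
    }
    $amount = lookupOrderAmount($orderId);
    if ($amount === null) {
        return ['success' => false, 'error' => 'unknown order'];
    }

    $result = Braintree_Transaction::sale([
        'amount'             => $amount,
        'paymentMethodNonce' => $nonce,
        'options'            => ['submitForSettlement' => true],
    ]);

    if ($result->success) {
        return ['success' => true, 'transactionId' => $result->transaction->id];
    }
    // Declines and validation errors arrive here; keep the detail in the log,
    // return only a generic message to the browser.
    error_log('Braintree sale failed: ' . $result->message);
    return ['success' => false, 'error' => 'payment was not accepted'];
}

header('Content-Type: application/json');
$path = parse_url(isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '', PHP_URL_PATH);
if ($path === '/braintree/client_token' && $_SERVER['REQUEST_METHOD'] === 'GET') {
    echo clientTokenResponse();
} elseif ($path === '/braintree/submitform' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    echo json_encode(chargeNonce($_POST));
} else {
    http_response_code(404);
}
```

With this layout the browser-side AJAX call posts payment_method_nonce together with an order_id, and the server, not the client, decides the amount. Add your framework's CSRF token to that POST as well: the nonce is single-use and expires quickly, so a replay fails at Braintree, but an attacker who can make a logged-in victim's browser post a nonce could still trigger a charge on the victim's card for an order of the attacker's choosing.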


Thursday, 2 July 2015

How can I prevent SQL-injection in PHP?




Question: What is SQL Injection?
SQL injection is a code injection technique used to attack database-driven applications. Text supplied by the user is pasted into a SQL statement, so that part of the input is interpreted by the database as SQL rather than as data.


Question: How do attackers attack a website with SQL injection?
Using SQL injection, an attacker goes after the web application's tables and database through any input that ends up inside a query.

For example, take a web login form where the visitor enters a username and password to log in to the system.
The attacker types SQL metacharacters (quotes such as ' and ", comment markers such as # and --, and keywords such as OR and UNION) into the login form. If the application pastes those values into the query, the quote closes the intended string literal and the rest of the input becomes part of the SQL statement.


What can attackers do with SQL Injection?
Below are a few of the ways an attacker can harm our website.
  1. A stray quote in the submitted form breaks the syntax of the query and the page throws an error. If debug output is not switched off, the attacker sees the failing query printed in the browser, which reveals table and column names for the next attempt.
  2. With a combination such as ' or '1'='1 they can make the WHERE clause always true and log in to our system without valid credentials.
  3. With UNION SELECT they can read other tables, for example the list of users and their password hashes.
  4. Where the injection point is in a data-changing statement, or the driver allows several statements in one call, they can modify or delete records, or drop tables.



How can we prevent SQL injection?
Never build a query by concatenating user input into the SQL text, whether before saving to the database or when querying it. Use prepared statements with bound parameters: the statement structure is sent to the database separately from the values, so the values can never be parsed as SQL, whatever characters they contain.
Escaping the string with the driver's escape function is a weaker fallback, not a complete defence: it only works for values that sit inside quotes, it depends on the connection's character set being set correctly, and it does nothing for numbers, LIMIT values, or column and table names, which must instead be validated against a whitelist.

Following are a few different ways to prevent SQL injection in PHP. Prefer one of the two prepared-statement forms; the first is shown only for legacy code.
Escaping with the old mysql extension (legacy code only)
$safeData = mysql_real_escape_string($_POST["user-input"]);
mysql_query("INSERT INTO table (column) VALUES ('" . $safeData . "')");
// This only helps because the value is placed inside quotes. The mysql_* functions are deprecated
// since PHP 5.5 and removed in PHP 7.0; use MySQLi or PDO instead.


Use MySQLi (the MySQL Improved extension) with a prepared statement
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // throw on errors instead of failing silently
$mysqli = new mysqli("server", "username", "password", "database_name");
$unsafeData = $_POST["user-input"];
$stmt = $mysqli->prepare("INSERT INTO table (column) VALUES (?)");
$stmt->bind_param("s", $unsafeData);   // "s" binds the value as a string; it is never parsed as SQL
$stmt->execute();
$stmt->close();
$mysqli->close();


Use PDO with a prepared statement
$pdo = new PDO('mysql:host=server;dbname=database_name;charset=utf8mb4', 'username', 'password');
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);   // use real server-side prepared statements
$stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name');
$unsafeData = $_POST["user-input"];
$stmt->execute(array('name' => $unsafeData));



The following are example injection payloads against a vulnerable query of the form SELECT ... WHERE id = '<input>' on MySQL. The leading quote closes the string literal, and # starts a comment, so whatever followed the input in the original query is discarded:
123' or '1                                   (adds an always-true condition; the query's own closing quote finishes the literal)
123' or '1#                                  (same, but comments out the rest of the query)
123' or 1 union select 1,database(), version()#          (reads the database name and server version; the column count must match the original SELECT)
123' or 1 union select id, password,email from users#    (dumps the users table through the page)
123' or 1 union select id, password,email from users into outfile '/store-in-db.txt'#    (writes the dump to a file on the database server, if the MySQL user has the FILE privilege)