I am working with a credit card processor script — provided by the processor — which takes in various credit card data and merchant account data, fetches a cURL, and parses the return XML for transaction status.
Code:
<?php
// Processor endpoint (HTTPS).
define("CURL_PROCESSING_URL", "https://ideposit.vbprograms.net/servlet/pg");

// Request body built by plain string concatenation; the values are not URL-encoded.
$params = "Merchant_User_Name=" . "vitale" .
    "&Merchant_Password=" . "test" .
    "&Tracking_Number=" . "00001" .
    "&Credit_Card_Number=" . "4012888888881" .
    "&Credit_Card_Exp_Date=" . "1205" .
    "&Charge_Amount=" . "12.00" .
    "&AVS_Street=" . "8320" .
    "&AVS_Zip_Code=" . "85284" .
    "&CV_Security_Code=" . "999" .
    "&Credit_Card_Type=" . "MC_CARD_VISA" .
    "&CardHolder_Name=" . "test Card Holder";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, CURL_PROCESSING_URL);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
curl_setopt($ch, CURLOPT_VERBOSE, 1);            // debug output (headers, connection info) to stderr
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);     // return the response body instead of printing it
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // server certificate is NOT verified
$returned = curl_exec($ch);
if ($returned === false) {
    // curl_exec() returns false on a transport error; do not parse an empty response.
    die("cURL error: " . curl_error($ch));
}
curl_close($ch);

// Parse the returned XML into a flat array of elements ($vals) plus an index by tag name.
$p = xml_parser_create();
xml_parse_into_struct($p, $returned, $vals, $index);
xml_parser_free($p);
Questions:
1) Does SSL_VERIFYPEER being set to false make it easier for the server to be spoofed and transaction data to be intercepted?
2) Is the cURL URL and associated POST values stored in server logs or transferred in plain text?
3) Is there a safer way or set of options for carrying this transaction out?
I would think in a production environment, you would want to use the default value of CURLOPT_SSL_VERIFYPEER = true. This verifies that the SSL cert is valid. For testing or development environments where perhaps the processor gives you a sandbox to work with that may have a self-signed cert or a cert that is expired or similar, you would probably be OK having this as false.
You are using SSL, so the data will not be sent in plain text. Without knowing what sort of error logging you have in place it is hard to say whether it would be stored on server logs.
cURL is totally fine for doing what you are trying to do assuming that you always use SSL and you are not logging sensitive data.
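The answer above recommends leaving CURLOPT_SSL_VERIFYPEER at its default and not logging sensitive data. The following is an added example (not code from the question, the answer, or the processor) showing the same request with certificate verification switched on and the card data kept out of application logs. The endpoint is the one from the question; the CA bundle path and the log destination are assumptions for illustration.

```php
<?php
// Added example: hardened version of the processor call. Not from the original post.
define("CURL_PROCESSING_URL", "https://ideposit.vbprograms.net/servlet/pg");

// Fields that must never reach a log file.
const SENSITIVE_FIELDS = [
    'Merchant_Password', 'Credit_Card_Number', 'Credit_Card_Exp_Date', 'CV_Security_Code',
];

// Build the POST body with http_build_query() so every value is URL-encoded;
// a card holder name containing '&' or '=' would otherwise corrupt the request.
function build_params(array $fields)
{
    return http_build_query($fields, '', '&', PHP_QUERY_RFC3986);
}

// Return a copy of the request fields that is safe to log: password, expiry and CVV
// replaced, card number reduced to its last four digits.
function redact_for_log(array $fields)
{
    $safe = [];
    foreach ($fields as $name => $value) {
        if ($name === 'Credit_Card_Number') {
            $safe[$name] = str_repeat('*', max(0, strlen($value) - 4)) . substr($value, -4);
        } elseif (in_array($name, SENSITIVE_FIELDS, true)) {
            $safe[$name] = '[REDACTED]';
        } else {
            $safe[$name] = $value;
        }
    }
    return $safe;
}

// Send the transaction over a verified TLS connection and return the parsed XML elements.
function send_transaction(array $fields, $caBundle)
{
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL             => CURL_PROCESSING_URL,
        CURLOPT_POST            => true,
        CURLOPT_POSTFIELDS      => build_params($fields),
        CURLOPT_RETURNTRANSFER  => true,
        // The original set CURLOPT_VERBOSE => 1, which writes request headers and
        // connection details to stderr; keep it off outside of debugging.
        CURLOPT_VERBOSE         => false,
        // The original set CURLOPT_SSL_VERIFYPEER => false, which accepts any certificate
        // and therefore any server that can sit in the path. Verify the chain against a
        // known CA bundle and check that the certificate matches the host name.
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_CAINFO          => $caBundle,
        // Refuse anything older than TLS 1.2 and never follow a redirect off HTTPS.
        CURLOPT_SSLVERSION      => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_TIMEOUT         => 30,
    ]);
    $returned = curl_exec($ch);
    if ($returned === false) {
        $err = curl_error($ch); // e.g. "SSL certificate problem: ..." when verification fails
        curl_close($ch);
        throw new RuntimeException("Processor request failed: " . $err);
    }
    curl_close($ch);

    $p = xml_parser_create();
    $ok = xml_parse_into_struct($p, $returned, $vals, $index);
    if ($ok !== 1) {
        $msg = xml_error_string(xml_get_error_code($p));
        xml_parser_free($p);
        throw new RuntimeException("Processor returned malformed XML: " . $msg);
    }
    xml_parser_free($p);
    return $vals;
}

// Same test values as the question; in real use these come from the checkout form.
$fields = [
    'Merchant_User_Name'   => 'vitale',
    'Merchant_Password'    => 'test',
    'Tracking_Number'      => '00001',
    'Credit_Card_Number'   => '4012888888881',
    'Credit_Card_Exp_Date' => '1205',
    'Charge_Amount'        => '12.00',
    'AVS_Street'           => '8320',
    'AVS_Zip_Code'         => '85284',
    'CV_Security_Code'     => '999',
    'Credit_Card_Type'     => 'MC_CARD_VISA',
    'CardHolder_Name'      => 'test Card Holder',
];

// Log only the redacted copy, never $fields or the raw POST string.
error_log("pg request: " . json_encode(redact_for_log($fields)));

// CA bundle path is an assumption; use the one your distribution or PHP build ships.
$vals = send_transaction($fields, '/etc/ssl/certs/ca-certificates.crt');
```

With verification on, a spoofed or intercepting server that cannot present a certificate chaining to the CA bundle for that host name makes curl_exec() return false instead of silently completing the transaction, and the redacted log line is all that lands on disk if error logging is enabled.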