I'm hoping someone out there can help me understand how Stripe should work with Cakephp 3.

I have a form with the Stripe payment fields and a couple of fields for my cake app. From the Stripe documentation this seems to be an acceptable way to set it up.

The HTML is fairly standard, but note how every input for sensitive data—number, CVC, expiration, and postal code—omits the name attribute. By omitting a name, the user-supplied data in those fields won't be passed to your server when the form is submitted. Each element also includes a data-stripe attribute, to be discussed later.

I'm using CakePHP 3 now, which doesn't seem to allow me to remove properties from the HTML generated by the form helper. I can only make the 'name' property blank. I queried this with Stripe support and they were a little noncommittal. They are generally very good, but in this instance the answer seemed to be 'better safe than sorry.'

My main question is this: does it really matter if you don't use the form helper for Stripe fields? The main benefit I can find in the Cake docs is that the CSRF component will act on those fields. I am using the CSRF component throughout my app, but since the Stripe fields aren't even sent to the server the CSRF component is irrelevant. Isn't it?

Here's an excerpt from the CakePHP manual:

The CsrfComponent works by setting a cookie to the user's browser. When forms are created with the Cake\View\Helper\FormHelper, a hidden field is added containing the CSRF token. During the Controller.startup event, if the request is a POST, PUT, DELETE, PATCH request the component will compare the request data & cookie value. If either is missing or the two values mismatch the component will throw a Cake\Network\Exception\InvalidCsrfTokenException.

Can I still use the form helper for the few fields that do get submitted to the database, and just add the Stripe fields with HTML?

Does that make sense?

Stripe support did suggest having two separate forms, one for the Cake data and one for the Stripe data, but since their docs say you can add the Stripe fields to a form that gets submitted to the server, that seems a bit odd.

I would really appreciate some input on this, as it seems even Stripe themselves aren't sure how to structure a CakePHP payment form!

What if you set the name attribute to false or null? As a last resort, use your own custom-made helper, or don't use helpers at all and write the form by hand. - Antoniossss
Definitely do not include a name attribute if you can avoid it. That is simply not secure. Is there no way to construct a form in CakePHP w/o using form helpers? Can you not just build it from raw HTML? - korben

1 Answer

Yes, raw HTML appears to be the way to go.

Here's what I did.

Used the form helper to start and end the form (this means form tampering protection and CSRF will work for your non-Stripe fields).

Added the Stripe fields within the Cake form using HTML (I haven't tested the HTML fields to see if the form tampering check works on them. I'll test that later and post back).

Used the form helper to unlock the stripeToken field so it could be added to the form without the form tampering check blackholing the request.

Once I set all this up I used echo debug($_POST) in my controller to see what the form was submitting to the server, and the only Stripe field that was showing up was stripeToken.

So it appears to me that this is working as it should.
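The layout this answer describes, written out as an added example (it is not the asker's own code, nor from the CakePHP or Stripe docs); the template path, the `$payment` entity, the `name`/`email` fields and the controller check are assumptions, and the `data-stripe` values follow the Stripe.js v2 convention the question quotes:

```php
<?php
// src/Template/Payments/add.ctp  (path and $payment entity are assumptions)
// FormHelper opens and closes the form, so the CSRF token and the
// SecurityComponent field-tampering check cover every field that
// actually reaches the server.
echo $this->Form->create($payment, ['id' => 'payment-form']);

// Cake-managed fields: these get a name attribute and are posted.
// (input() is the CakePHP 3.0-3.3 name; 3.4+ also offers control().)
echo $this->Form->input('name');
echo $this->Form->input('email');
?>

<!-- Stripe fields as raw HTML: no name attribute, so the browser never
     posts them; data-stripe lets Stripe.js read them client-side. -->
<input type="text" size="20" data-stripe="number" placeholder="Card number">
<input type="text" size="4"  data-stripe="cvc" placeholder="CVC">
<input type="text" size="2"  data-stripe="exp-month" placeholder="MM">
<input type="text" size="4"  data-stripe="exp-year" placeholder="YYYY">

<?php
// Stripe.js appends a hidden stripeToken input after tokenising the card.
// That field is not in FormHelper's signed field list, so unlock it or
// SecurityComponent blackholes the request as tampered.
$this->Form->unlockField('stripeToken');

echo $this->Form->button('Pay');
echo $this->Form->end();

// --- src/Controller/PaymentsController.php (hypothetical), inside add() ---
// Belt-and-braces check that no raw card data ever crosses the wire: only
// the token may arrive, even if someone later re-adds a name attribute.
// $this->request->data is the 3.0-3.3 accessor; 3.4+ has getData().
$posted = $this->request->data;
foreach (['number', 'cvc', 'exp-month', 'exp-year'] as $cardField) {
    if (array_key_exists($cardField, $posted)) {
        throw new \RuntimeException("Raw card field '$cardField' reached the server");
    }
}
$token = $posted['stripeToken'] ?? null;   // the only Stripe value expected
```

The controller check is the programmatic form of the `debug($_POST)` inspection in the answer: it fails loudly if a card field is ever posted instead of relying on someone eyeballing the dump.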