The goal: I have an html page that has two different items you can purchase. One is $5 and the other is $10. I'm using stripe to process the payments. When stripe creates a payment token and submits that to my process_charge.php I'd like to pull the charge amount from the data submitted via POST. Then I can use that amount to call Stripe_Charge::create().
The problem: The amount isn't being submitted to my PHP form and I'm not sure how to get it.
My temporary solution: A different php form for every single item I'm selling. Then a NEW PHP FORM FOR EVERY NEW ITEM!!! Not ideal.
I'm currently using the embedded form method listed here: https://stripe.com/docs/tutorials/checkout
My order page looks like this.
<div class="payment-options">
<form action="process_card.php" method="POST">
<script
src="https://checkout.stripe.com/checkout.js" class="stripe-button"
data-key="pk_test_PUBLIC_KEY_FOR_TESTING"
data-amount="1000"
data-name="Nice Lint"
data-description="High quality belly button lint."
data-image="images/nice-lint.svg"
data-panel-label="Checkout {{amount}}"
data-label="Pay with Credit Card"
data-billing-address="true"
data-shipping-address="true">
</script>
</form>
</div>
So this works great. It takes the customer's information, their shipping/billing address and their credit card details. Then it generates a charge token and submits that to process_card.php. There I can take the token and perform something like this:
if ($_POST) {
    Stripe::setApiKey("sk_test_SECRET_KEY_FOR_TESTING");
    try {
        if (!isset($_POST['stripeToken']))
            throw new Exception("The Stripe Token was not generated correctly");
        // amount is in cents; the stray "]" after '1000' in the original would not parse
        Stripe_Charge::create(array("amount" => '1000',
            "currency" => "usd",
            "card" => $_POST['stripeToken']));
    }
    catch (Exception $e) {
        $error = $e->getMessage();
    }
}
Here I take the token that was submitted via POST and send that off to stripe using their API. The amount, currency, and card token are required fields. You can see the token is being pulled from the POST data but I'm having to send a literal string for the amount. This is all fine and dandy until I have more than one product/service whatever and I have different forms that generate tokens with different amounts and send them to my process_card.php. Then that literal string isn't looking happy anymore. His stupid smirk is wiped right off his stupid face.
So anyways, I checked all the POST data to see if any of the submitted fields contained the amount so I could pass that along. So I just did a little loop to see what was submitted:
foreach ($_POST as $key => $value) {
echo "key: " . $key . " - " . $value . "<br>";
}
and it gives me this:
key: stripeToken - tok_youShouldDefinitelyPostThisTokenOnAPublicWebsite
key: stripeEmail - [email protected]
key: stripeBillingName - asdf
key: stripeBillingAddressLine1 - asdf
key: stripeBillingAddressZip - 12345
key: stripeBillingAddressCity - Schenectady
key: stripeBillingAddressState - NY
key: stripeBillingAddressCountry - United States
key: stripeBillingAddressCountryCode - US
key: stripeShippingName - asdf
key: stripeShippingAddressLine1 - asdf
key: stripeShippingAddressZip - 12345
key: stripeShippingAddressCity - Schenectady
key: stripeShippingAddressState - NY
key: stripeShippingAddressCountry - United States
key: stripeShippingAddressCountryCode - US
No amount. Shucks. So off to the API docs to see if I can find a solution. The closest thing I could find was Stripe_Charge::retrieve({CHARGE_ID}); which was found here: https://stripe.com/docs/api/php#retrieve_charge . This however only applies to successfully processed charges.
So I'm stuck. Can't figure it out. The best solution I could come up with was adding a <input type="hidden" name="amt" value="1000" /> line inside the embedded form I was provided so I could pull the amount via $_POST['amt']. The problem with this is that I have no idea if it's PCI compliant. In many places on the stripe site/api/docs they tell you not to include name fields in their forms so you aren't passing sensitive information from page to page on your site, so I figure "better safe than sorry". Is there an alternate way of handling this or some best practice I'm not aware of?
Sorry this was so long. I really put in as much effort as I could to try to solve it on my own and I wanted to provide as much information as I could.
I don't see any issue in regards to PCI compliance by putting their price in the form (as long as you're using SSL). However, this would allow them to simply edit the HTML input before submitting and get the item a lot cheaper than you'd want them to. You could get around this by using a database with a products table and referencing the product ID in a hidden input field.
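The approach the answer describes, as an added example that is not code from the question, the answer or Stripe: the form carries only a product ID in a hidden input, and process_card.php looks the price up server-side before calling Stripe_Charge::create(). The product IDs, prices, the in-memory catalogue standing in for the products table, and the single-file layout are assumptions for illustration; any client-submitted amount (such as the `amt` field the question considered) is deliberately never read.

```php
<?php
// Added example: one file that renders the order form on GET and processes
// the Stripe Checkout token on POST. Assumes the legacy stripe-php library
// (Stripe::setApiKey / Stripe_Charge::create, as used in the question).
require_once 'Stripe.php';

// Constructed catalogue keyed by product ID. In production this is the
// products table the answer recommends; prices are in cents.
$catalog = array(
    'nice-lint' => array('name' => 'Nice Lint', 'amount' => 1000),
    'fine-lint' => array('name' => 'Fine Lint', 'amount' => 500),
);

// Resolve a client-supplied product ID to the server's own price.
// Anything not in the catalogue is rejected, so a tampered hidden field
// can only ever select another real product, never another price.
function lookupProduct(array $catalog, $productId) {
    if (!is_string($productId) || !isset($catalog[$productId])) {
        throw new Exception('Unknown product');
    }
    return $catalog[$productId];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    Stripe::setApiKey('sk_test_SECRET_KEY_FOR_TESTING');
    try {
        if (!isset($_POST['stripeToken'])) {
            throw new Exception('The Stripe Token was not generated correctly');
        }
        $productId = isset($_POST['product_id']) ? $_POST['product_id'] : null;
        $product   = lookupProduct($catalog, $productId);

        // The amount comes from the catalogue, not from $_POST. The
        // data-amount on the form only controls what Checkout displays.
        $charge = Stripe_Charge::create(array(
            'amount'      => $product['amount'],
            'currency'    => 'usd',
            'card'        => $_POST['stripeToken'],
            'description' => $product['name'],
        ));
        echo 'Charged ' . $product['amount'] . ' cents for '
            . htmlspecialchars($product['name'], ENT_QUOTES, 'UTF-8');
    } catch (Exception $e) {
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
    exit;
}

// GET: render one form per product. Only the product ID travels with the
// Checkout submission; the price shown is looked up here for display.
foreach ($catalog as $id => $product) {
    $safeId   = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
    $safeName = htmlspecialchars($product['name'], ENT_QUOTES, 'UTF-8');
    echo '<div class="payment-options">' . "\n";
    echo '<form action="process_card.php" method="POST">' . "\n";
    echo '<input type="hidden" name="product_id" value="' . $safeId . '" />' . "\n";
    echo '<script src="https://checkout.stripe.com/checkout.js" class="stripe-button"' . "\n";
    echo '  data-key="pk_test_PUBLIC_KEY_FOR_TESTING"' . "\n";
    echo '  data-amount="' . (int) $product['amount'] . '"' . "\n";
    echo '  data-name="' . $safeName . '"' . "\n";
    echo '  data-label="Pay with Credit Card"></script>' . "\n";
    echo "</form>\n</div>\n";
}
```

Because the hidden field names a product rather than a price, editing it in the browser changes which catalogue row is charged, not the amount, and an ID that is not in the catalogue fails before any call to Stripe is made.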