The Charge controller is the primary way you'll interact with Charge.
The main endpoint is charge/charge. From there you'll perform all new Charge requests.
charge/charge
The charge/charge action endpoint is where you'll point all your payment forms. It's the backbone of Charge.
Your payment form will start off something like this:
<form method="post" id="charge_form">
<input type="hidden" name="action" value="charge/charge"/>
{{ getCsrfInput() }}
..
The main charge/charge endpoint expects to receive a POST request, and collects all the data about the charge.
opts
generated by the setPaymentOptions method. Use craft.charge.setPaymentOptions(..) or craft.charge.setCheckoutOptions(..) to create this hidden input.
cardToken
You should never post card details directly to your server. This means your card inputs explicitly don't include the name attribute on them. Instead they should have a data-stripe attribute, which is picked up by the form JavaScript and sent securely and directly to the Stripe API.
For example - NEVER DO THIS.
Card Number
<input type="text" name="cardNumber"/> <!-- This is incorrect, never include the name attribute -->
Expiry
<input type="text" name="cardExpiry" placeholder="MM / YY"/> <!-- This is incorrect, never include the name attribute -->
CVC
<input type="text" name="cardCVC" placeholder="123"/> <!-- This is incorrect, never include the name attribute -->
The CORRECT form setup excludes the name attributes, and instead has data-stripe attributes. Like this:
Card Number
<input type="text" data-stripe="number"/> <!-- correct usage of data attribute -->
Expiry
<input type="text" data-stripe="exp" placeholder="MM / YY"/> <!-- correct usage of data attribute -->
CVC
<input type="text" data-stripe="cvc" placeholder="123"/> <!-- correct usage of data attribute -->
Charge will actively prevent passing name values
If Charge sees any protected values passed as part of the POST request to the controller it will immediately throw an exception.
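One way to catch a leaking card field before a template ships, as an added example that is not part of Charge or its documentation: the script scans form markup and reports any input that has both a data-stripe and a name attribute, or whose name is a card field. The function names and the protected-name list are assumptions; the list is built from the field names shown above, not from Charge's own list.

```javascript
// Added example: audit payment-form markup for card inputs that would be
// posted to your own server. The protected-name list is an assumption built
// from the field names shown on this page, not Charge's actual list.
const PROTECTED_NAMES = new Set(['cardnumber', 'cardexpiry', 'cardcvc']);

// Parse the attributes of one <input ...> tag into a lowercase-keyed object.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per input that carries card data and would be submitted.
function auditCardInputs(html) {
  const findings = [];
  const tags = html.match(/<input\b(?:"[^"]*"|'[^']*'|[^'">])*>/gi) || [];
  for (const tag of tags) {
    const attrs = parseAttributes(tag);
    if (!('name' in attrs)) continue; // inputs without a name are not submitted
    const name = attrs.name;
    if ('data-stripe' in attrs) {
      findings.push({ name, reason: 'data-stripe input also has a name attribute' });
    } else if (PROTECTED_NAMES.has(name.toLowerCase())) {
      findings.push({ name, reason: 'protected card field name' });
    }
  }
  return findings;
}

// Constructed sample markup: one safe card field and two that would leak.
const SAMPLE_FORM = `
<form method="post" id="charge_form">
  <input type="hidden" name="action" value="charge/charge"/>
  <input type="text" data-stripe="number"/>
  <input type="text" data-stripe="exp" name="expiry" placeholder="MM / YY"/>
  <input type="text" name="cardCVC" placeholder="123"/>
</form>`;

console.log(auditCardInputs(SAMPLE_FORM));
```

Run it over rendered template output in CI so a reintroduced name attribute fails the build rather than surfacing as an exception from the controller in production.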