Stripe payment form and form helper


I can’t find a way to use the form helper to create a suitable payment form for Stripe

Stripe requires an input with no name and i can’t find a way to create an unnamed input

I’ve actually started to wonder if this even matters because my understanding is that the stripe form with unnamed inputs doesn’t get sent to the server anyway

The reason i wanted to use the form helper is that i’m also using the CSRF component and my understanding of that is that it only works on fields created with the form helper.

Anyone out there encountered this issue?

Here’s an excerpt from the docs:

The CsrfComponent works by setting a cookie to the user’s browser. When forms are created with the Cake\View\Helper\FormHelper, a hidden field is added containing the CSRF token. During the Controller.startup event, if the request is a POST, PUT, DELETE, PATCH request the component will compare the request data & cookie value. If either is missing or the two values mismatch the component will throw a Cake\Network\Exception\InvalidCsrfTokenException.

So it sounds to me like it should be fine to use the form helper to add the fields that are actually meant to go to the server for cake to process, and then add in the Stripe fields with HTML because – since they aren’t going to the server anyway – the CSRF component is irrelevant.

Yes? No? Maybe?

Okay I’ll answer my own question again.

So if you have a form with fields that need to go to your database and also want to process your Stripe payment there, like if you want to set a flag field to show a booking or transaction has been completed, you can do it in the following way.

  1. Use the form helper to start and end your form (This means form tampering and CSRF will work for your non Stripe fields)
  2. Add the Stripe fields within the Cake form using HTML (I haven’t tested the HTML fields to see if the form tampering works on them. I’ll test that later and post back)
  3. Use the Form helper to unlock the stripeToken field so it can be added to the form without the form tampering blackholing the request.

Once i set all this up I used echo debug($_POST) in my controller to see what the form was submitting to the server and the only Stripe field that was showing up was stripeToken.

So it appears to me that this is working as it should.