Code Review


added 154 characters in body; edited title
Jamal

Securing PHP shopping cart (Paytrail integration) - follow-up

I've developed my shopping cart further. This is related to my earlier post: Securing PHP shopping cart

In addition to those functionalities, I've proceeded to make integration to Paytrail payment gateway. This post will add option to handle customer's personal data and to send that data to payment gateway. All credit card info/payments are handled by Paytrail on their servers.

Merchant id/secret are Paytrail's test credentials, if anyone thinks, I'm revealing those accidentally.

  1. Is my output data being visible in pure HTML considered insecure? This includes an MD5 hash, which is calculated based on shopping cart items/user input data (output.html).
  2. If this is insecure, then how should I proceed with changing my code, such that it'll be less likely to be abused?
  3. Are there any vulnerabilities on handling customer input data (addresses, names etc.)?
  4. Also, please state if your improvements/changes are purely an alternate way of doing things or are they crucial changes.

This script is free to use for anyone who wishes to make their own integration with Paytrail gateway.

function test_input($data)
{
 $data = trim($data);
 $data = htmlspecialchars($data);
 return $data;
}
<form action="https://payment.paytrail.com/" method="post" id="payment">
<input name="MERCHANT_ID" type="hidden" value="13466">
<input name="ORDER_NUMBER" type="hidden" value="123456">
<input name="REFERENCE_NUMBER" type="hidden" value="">
<input name="ORDER_DESCRIPTION" type="hidden" value="Testitilaus">
<input name="CURRENCY" type="hidden" value="EUR">
<input name="RETURN_ADDRESS" type="hidden" value="http://www.esimerkki.fi/success">
<input name="CANCEL_ADDRESS" type="hidden" value="http://www.esimerkki.fi/cancel">
<input name="PENDING_ADDRESS" type="hidden" value="">
<input name="NOTIFY_ADDRESS" type="hidden" value="http://www.esimerkki.fi/notify">
<input name="TYPE" type="hidden" value="E1">
<input name="CULTURE" type="hidden" value="fi_FI">
<input name="PRESELECTED_METHOD" type="hidden" value="">
<input name="MODE" type="hidden" value="1">
<input name="VISIBLE_METHODS" type="hidden" value="">
<input name="GROUP" type="hidden" value="">
<input name="CONTACT_TELNO" type="hidden" value="+5747 5884 7574543">
<input name="CONTACT_CELLNO" type="hidden" value="0060 55574645">
<input name="CONTACT_EMAIL" type="hidden" value="[email protected]">
<input name="CONTACT_FIRSTNAME" type="hidden" value="Özil">
<input name="CONTACT_LASTNAME" type="hidden" value="Älgebrä">
<input name="CONTACT_COMPANY" type="hidden" value="Company Ot">
<input name="CONTACT_ADDR_STREET" type="hidden" value="Kärkel 34">
<input name="CONTACT_ADDR_ZIP" type="hidden" value="00000">
<input name="CONTACT_ADDR_CITY" type="hidden" value="Äläbämä">
<input name="CONTACT_ADDR_COUNTRY" type="hidden" value="FI">
<input name="INCLUDE_VAT" type="hidden" value="0" />
<input name="ITEMS" type="hidden" value="2">
<input name="ITEM_TITLE[0]" type="hidden" value="Lasikengät">
<input name="ITEM_NO[0]" type="hidden" value="0">
<input name="ITEM_AMOUNT[0]" type="hidden" value="45">
<input name="ITEM_PRICE[0]" type="hidden" value="23.43">
<input name="ITEM_TAX[0]" type="hidden" value="0">
<input name="ITEM_DISCOUNT[0]" type="hidden" value="0">
<input name="ITEM_TYPE[0]" type="hidden" value="1">
<input name="ITEM_TITLE[1]" type="hidden" value="Nahkakengät">
<input name="ITEM_NO[1]" type="hidden" value="1">
<input name="ITEM_AMOUNT[1]" type="hidden" value="23">
<input name="ITEM_PRICE[1]" type="hidden" value="564.44">
<input name="ITEM_TAX[1]" type="hidden" value="0">
<input name="ITEM_DISCOUNT[1]" type="hidden" value="0">
<input name="ITEM_TYPE[1]" type="hidden" value="1">
<input name="AUTHCODE" type="hidden" value="958C104FA7522E0319214C3AE1147351">
<input type="submit" value="Siirry maksamaan">
</form>
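As an added illustration, not the poster's code and not Paytrail's own library, the sketch below shows the three points a reviewer would check behind questions 1-3: the AUTHCODE is a digest over a server-side secret and the raw (unescaped) field values, so the digest itself may appear in the HTML while the secret never does; htmlspecialchars() belongs only at the point where the hidden inputs are rendered, because the browser decodes the escaped value before posting it and a digest computed over escaped text would not match what the gateway receives; and a digest that comes back on the return/notify URL is compared with hash_equals(). The field order, the '|' joining and the PLACEHOLDER_MERCHANT_SECRET are assumptions for illustration; MD5 is kept only because that is what the form above carries.

```php
<?php
// Added illustration, not the poster's code and not Paytrail's own library.
// ASSUMPTIONS: field order, '|' joining and the placeholder secret are for
// illustration only; MD5 is used because the form above carries an MD5 AUTHCODE.
declare(strict_types=1);
const MERCHANT_SECRET = 'PLACEHOLDER_MERCHANT_SECRET'; // server-side only, never output

// Validate the RAW value: non-empty, bounded length, no control characters.
function validate_text(string $value, int $maxLen): string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value) > $maxLen || preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException('invalid field value');
    }
    return $value;
}

// Digest over secret + raw values in a fixed (assumed) order, like the form's AUTHCODE.
function compute_authcode(array $fields): string
{
    // Hash RAW values: the browser turns "&amp;" back into "&" before posting,
    // so hashing htmlspecialchars() output would not match what the gateway sees.
    return strtoupper(md5(MERCHANT_SECRET . '|' . implode('|', array_values($fields))));
}

// Escape only here, at output time (output encoding, not input "sanitising").
function hidden_input(string $name, string $value): string
{
    return sprintf('<input name="%s" type="hidden" value="%s">',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}

// Check a digest the gateway sends back on the return/notify URL in constant time.
function verify_authcode(array $fields, string $received): bool
{
    return hash_equals(compute_authcode($fields), strtoupper($received));
}

// Constructed sample order (not from the page); "&" shows the escaping point.
$fields = [
    'ORDER_NUMBER'    => '123456',
    'CONTACT_COMPANY' => validate_text('Company & Co', 64),
    'ITEM_PRICE[0]'   => '23.43',
];
$authcode = compute_authcode($fields);
foreach ($fields as $name => $value) {
    echo hidden_input($name, $value), "\n";
}
echo hidden_input('AUTHCODE', $authcode), "\n";
var_dump(verify_authcode($fields, $authcode));
```

Run it with `php` on the command line: the CONTACT_COMPANY input is rendered with `&amp;` while the digest was computed over the raw `&`, and the verification on the last line succeeds.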

edited tags
200_success
Source Link
Griphon