I have to say it's a pretty simple project. The don't want to keep any information in a db. (!!??!!) Info will be sent to a merchant services account and to the distributor which will process the form. Info will be kept in hidden fields <input type="hidden" ...> and in session variables then sent off. They have three products (it may rise to 5) and everything will be hardcoded as there are no size or color variations. I told them that it's not advisable to have everything hardcoded but the client insists there is no reason to pull anything from a database. The on-site graphics/web designer person will make the changes. He is competent to do that and did a good job with the basic design. This is not my very first foray into PHP but first time doing something more complicated than 1. if person has this permission then show A else show B or 2. if person is on page 1 then show page 1 as bold else show page 1 as normal Thanks -----Original Message----- From: Richard Lynch [mailto:ceo@xxxxxxxxx] Sent: Saturday, May 14, 2005 1:54 AM To: mayo Cc: php Subject: Re: Shopping Cart, security concerns On Fri, May 13, 2005 8:26 pm, mayo said: > I'm making my first shopping cart in PHP. I'm concerned about the > security of my session variables, concerned about people altering data > (lowering the price). Is there anything I should pay attention to. There are approximately 247 other PHP shopping carts out there. Maybe you'd be better off just installing one of them. Certainly, you should read the source code to several. Your session variables are at-risk on a shared server, usually; And not so much on a dedicated server. Or, more properly, on a dedicated server, if your session data isn't safe, you've got MUCH bigger problems than just your session data. As far as changing the price goes, just don't take the price as an INPUT from your cart/form. The only variables you need to accept from the user in the shopping cart itself are: $product_id and $quantity. For the fulfillment, maybe some location data like $country, $region, $postal to calculate shipping, and then their credit card info. Honestly, setting up a script to accept people's credit card numbers as your very first PHP project is probably not a particularly Good Idea... You can't absorb all the ins and outs of security overnight... Just my opinion. Perhaps you would be better served to install a pre-existing PHP shopping cart, and focus on making it secure and safe, rather than trying to write your own from scratch as well. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
