RE: Shopping Cart, security concerns

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, May 14, 2005 6:30 am, mayo said:
> I have to say it's a pretty simple project. The don't want to keep any
> information in a db. (!!??!!) Info will be sent to a merchant services
> account and to the distributor which will process the form.
>
> Info will be kept in hidden fields <input type="hidden" ...> and in
> session variables then sent off.

Don't put anything you *NEED* to be correct/accurate in type="hidden"

The web surfer can *CHANGE* that in about 5 seconds and send whatever they
want.

All your prices, all you shipping costs, all the weights, etc had better
be in your PHP source code, as arrays, I guess...

You'd really be better off just using a database with an existing cart.

The amount of code you'll have to write to do this correctly is insane.

> They have three products (it may rise to 5) and everything will be
> hardcoded  as there are no size or color variations. I told them that
> it's not advisable to have everything hardcoded but the client insists
> there is no reason to pull anything from a database. The on-site
> graphics/web designer person will make the changes. He is competent to
> do that and did a good job with the basic design.

But you CANNOT put your prices in type="hidden" fields!!!

That's EXACTLY how you get a shopping cart where the user changes the price!

> This is not my very first foray into PHP but first time doing something
> more complicated than
>
> 1. if person has this permission then show A else show B
>
> or
>
> 2. if person is on page 1 then show page 1 as bold else show page 1 as
> normal

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux