RE: Shopping Cart, security concerns

No, I would not have prices in the hidden fields. :-) 
Thanks though for the concern.

I do have a few questions about the easiest / best way to write this,
especially as I don't have PHP experience, meaning it takes me longer to
write the code and, more importantly, I might miss something important.

======

Shopping Cart display

Item Qty (allow user to change or delete)
Item ID (added to session variable by hidden field)
Item Name (added to session variable by hidden field)
Item Desc Short (added to session variable by hidden field)
Item Price (hardcoded. I hate this but it would be pulled from a file or
hardcoded - an if else clause. If itemID = 1 then price = x)


Page 1 (Shipping Info: Name, Address...)

Info forwarded to page two in hidden fields

Page 2 (Billing Address: Name, Address ...)

Info forwarded to page three in hidden fields

Page 3 - confirmation page

Page 4 (CC info)

Page 5 (Hidden from consumer Security Check Page)

Qty * Price = Qty
Tax recalculated
Shipping recalculated

Relevant data sent to merchant and distributor company

Thanks





-----Original Message-----
From: Richard Lynch [mailto:ceo@xxxxxxxxx] 
Sent: Saturday, May 14, 2005 10:52 PM
To: mayo
Cc: 'php'
Subject: RE:  Shopping Cart, security concerns

On Sat, May 14, 2005 6:30 am, mayo said:
> I have to say it's a pretty simple project. They don't want to keep any
> information in a db. (!!??!!) Info will be sent to a merchant services
> account and to the distributor which will process the form.
>
> Info will be kept in hidden fields <input type="hidden" ...> and in
> session variables then sent off.

Don't put anything you *NEED* to be correct/accurate in type="hidden"

The web surfer can *CHANGE* that in about 5 seconds and send whatever they
want.

All your prices, all your shipping costs, all the weights, etc. had better
be in your PHP source code, as arrays, I guess...

You'd really be better off just using a database with an existing cart.

The amount of code you'll have to write to do this correctly is insane.

> They have three products (it may rise to 5) and everything will be
> hardcoded  as there are no size or color variations. I told them that
> it's not advisable to have everything hardcoded but the client insists
> there is no reason to pull anything from a database. The on-site
> graphics/web designer person will make the changes. He is competent to
> do that and did a good job with the basic design.

But you CANNOT put your prices in type="hidden" fields!!!

That's EXACTLY how you get a shopping cart where the user changes the
price!

> This is not my very first foray into PHP but first time doing something
> more complicated than
>
> 1. if person has this permission then show A else show B
>
> or
>
> 2. if person is on page 1 then show page 1 as bold else show page 1 as
> normal

-- 
Like Music?
http://l-i-e.com/artists.htm
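The advice above (keep prices and shipping in PHP source, read only the item id and quantity from the browser, recompute everything on the "security check" page) can be shown in a few functions. This is an added example for this thread, not code posted by either participant; the product ids, prices, tax rate and flat shipping charge are placeholders, and it uses PHP 7 syntax (typed functions, `??`, constant arrays) rather than the PHP of 2005. The cart array stands in for `$_SESSION['cart']` and the request arrays stand in for `$_POST`.

```php
<?php
// Added example (not from the original thread): server-side price table plus a
// cart that accepts only an item id and a quantity from the client.
// Ids and prices below are placeholders (assumption), not the poster's products.
const CATALOGUE = [
    1 => ['name' => 'Widget', 'price' => 1999],   // prices in cents: no float rounding
    2 => ['name' => 'Gadget', 'price' => 4950],
    3 => ['name' => 'Gizmo',  'price' => 12500],
];
const TAX_RATE      = 0.0825; // assumption: flat 8.25 % tax
const SHIPPING_FLAT = 700;    // assumption: flat $7.00 per order, in cents
const MAX_QTY       = 99;

/**
 * Apply one "add / change / delete" request to the cart. Only item_id and qty
 * are read; any price, name or total the browser sends back is ignored, so an
 * edited hidden field cannot change what the customer is charged.
 * $cart maps item id => qty and would normally be $_SESSION['cart'].
 */
function update_cart(array $cart, array $request): array
{
    $id  = filter_var($request['item_id'] ?? null, FILTER_VALIDATE_INT);
    $qty = filter_var($request['qty'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 0, 'max_range' => MAX_QTY]]);
    if ($id === false || $qty === false || !isset(CATALOGUE[$id])) {
        throw new InvalidArgumentException('unknown item or bad quantity');
    }
    if ($qty === 0) {
        unset($cart[$id]);        // quantity 0 means "delete this line"
    } else {
        $cart[$id] = $qty;
    }
    return $cart;
}

/** Recompute every amount from the catalogue in source, never from client input. */
function cart_totals(array $cart): array
{
    $subtotal = 0;
    foreach ($cart as $id => $qty) {
        $subtotal += CATALOGUE[$id]['price'] * $qty;
    }
    $tax      = (int) round($subtotal * TAX_RATE);
    $shipping = $subtotal > 0 ? SHIPPING_FLAT : 0;
    return ['subtotal' => $subtotal, 'tax' => $tax,
            'shipping' => $shipping, 'total' => $subtotal + $tax + $shipping];
}

/**
 * "Page 5" check: the confirmation page may echo the total back in a hidden
 * field for display, but the order is forwarded only if the total recomputed
 * from the session cart matches it. The cart itself never comes from the form.
 */
function verify_order(array $cart, array $request): bool
{
    $claimed = filter_var($request['total'] ?? null, FILTER_VALIDATE_INT);
    return $claimed !== false && $claimed === cart_totals($cart)['total'];
}

// Constructed demo input standing in for $_POST.
$cart = [];
$cart = update_cart($cart, ['item_id' => '1', 'qty' => '2', 'price' => '1']); // "price" is ignored
$cart = update_cart($cart, ['item_id' => '3', 'qty' => '1']);
$totals = cart_totals($cart);  // subtotal 16498, tax 1361, shipping 700, total 18559
print_r($totals);

var_dump(verify_order($cart, ['total' => '18559'])); // bool(true)
var_dump(verify_order($cart, ['total' => '1']));     // bool(false): tampered hidden field
try {
    update_cart($cart, ['item_id' => '99', 'qty' => '1']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";  // unknown item or bad quantity
}
```

Run it with `php cart.php`. The point is the data flow: the browser may only name a catalogue entry and a quantity, both validated as integers against server-side limits, and every monetary figure is derived from `CATALOGUE` at the moment it is needed. Hidden fields can still carry the shipping and billing addresses between pages (nothing there needs to be trusted for pricing), but if the name or description is also round-tripped through hidden fields it should be looked up again from the catalogue by id before it is sent to the merchant or distributor, rather than taken from the form.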

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
