RE: exploiting shopping carts

2001-03-19 Thread Aidan Whitehall
You could put all the data that needs to be passed over into a WDDX packet, then encrypt it, base64 it, and send it over in a hidden field. You could do this, but, again, if the data comes from the browser, someone can tamper with it. You're raising the bar of difficulty by doing

RE: exploiting shopping carts

2001-03-16 Thread Aidan Whitehall
Any data from the browser is subject to tampering. You can't rely on HTTP_REFERER - that's sent by the browser, and thus subject to the same sort of tampering as the form fields. Then can you suggest the best way of tackling this situation... - website, basket and pre-checkout on one

RE: exploiting shopping carts

2001-03-16 Thread Dave Watts
Any data from the browser is subject to tampering. You can't rely on HTTP_REFERER - that's sent by the browser, and thus subject to the same sort of tampering as the form fields. Then can you suggest the best way of tackling this situation... - website, basket and pre-checkout on

RE: exploiting shopping carts

2001-03-16 Thread Steve Martin
Worldpay have what is known as a 'data fetch' method whereby when you enter the payment system you pass in a cart ID. The payment system then does the equivalent of a CFHTTP to a URL on your site that you predefine in the payment system administration pages passing the cart ID as a parameter. You

RE: exploiting shopping carts

2001-03-16 Thread Aidan Whitehall
Worldpay have what is known as a 'data fetch' method whereby when you enter the payment system you pass in a cart ID. The payment system [ snip ] Great - thanks for all the info. CFHTTP it is, then. -- Aidan Whitehall, Netshopper UK Ltd, Advanced Web Solutions

RE: exploiting shopping carts

2001-03-16 Thread Ryan
Then can you suggest the best way of tackling this situation... - website, basket and pre-checkout on one server - basket or orders table in database, each basket record tied to a session.userid value - secure payment area / checkout on another server - no database access from secure

RE: exploiting shopping carts

2001-03-16 Thread Dave Watts
Then can you suggest the best way of tackling this situation... - website, basket and pre-checkout on one server - basket or orders table in database, each basket record tied to a session.userid value - secure payment area / checkout on another server - no database access

RE: exploiting shopping carts

2001-03-15 Thread Robert Everland
What I do is this. The only field I pass is the product's Id, so when I go to the add to cart page I do another query that gets the price again and then I make that a client variable. Little more processing but my cart would be safe from price tricking. Robert Everland III Web Developer Dixon

Re: exploiting shopping carts

2001-03-15 Thread Tony Schreiber
On my shopping cart program, I don't pass prices around. It works like this: You get a CartID as a session variable. Anything in your shopping cart is in the CartPart table with that ID and ProductID, Qty and any Options (size, color). When you order, the CartParts are moved into OrderParts and

RE: exploiting shopping carts

2001-03-15 Thread Dave Watts
I just got this article today about how people are exploiting shopping cart logic to change prices and essentially stealing products. After some testing on my own carts I have been able to exploit some of them by building a form with all their required hidden fields and modifying their