Reversing the question: how would the user change it? Jacques
From: "Mason Harding" <[email protected]> > Hello. I am looking at the page > /ecommerce/control/updateCheckoutOptions/quickcheckout, and see that you > can set a "checkOutPaymentId" that is posted to /ecommerce/control/checkout. > I've followed the code all the way to the payment gateway, but don't see > any security verifying that the user didn't change the checkOutPaymentId to > one that is not their own before posting. I assume I am missing > something? > > Thanks, > Mason >
