On Sun, Oct 24, 2010 at 8:41 PM, cjrh <[email protected]> wrote:
> On Oct 24, 5:03 pm, Branko Vukelic <[email protected]> wrote:
>> * Calculated values are shown, and a form with hidden fields and a
>> submit button labeled 'Confirm' is shown
>
> The hidden fields still show in the page source though. A smart user
> could submit his own set of data if he can see what field id's are
> being expected. That's what I want to avoid. There must be no way a
> user can change the charge amount at any stage of the process.
Oh, so ok, I get what you're trying to do now.

Don't pass charge amount around. Charge amount should be one-way. You NEVER, under ANY circumstances, using ANY technology, expect that amount to come from client side. There is nothing you can do to prevent a skilled hacker from manipulating the data. The ajax thing you used is readily readable using any javascript debugger.

If there is a definite correlation between the rates and the final amount you either

a. get the amount of service and return the total cost, or
b. get the total cost and return the amount of service

You can't receive both, and hope it's correct. Period.

The best way to do this is probably to use a table for unconfirmed offerings, and move them into a confirmed table once confirmation is done. Either that or make a confirmation flag in the database, and add an expiry date to it so it automatically expires in, say, 24 hours if the user doesn't confirm.

--
Branko Vukelić
[email protected]
[email protected]

Check out my blog: http://www.brankovukelic.com/
Check out my portfolio: http://www.flickr.com/photos/foxbunny/
Registered Linux user #438078 (http://counter.li.org/)
I hang out on identi.ca: http://identi.ca/foxbunny

Gimp Brushmakers Guild
http://bit.ly/gbg-group
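The one-way flow Branko describes, as an added stand-alone example (not code from the thread): the client sends only the amount of service, the server computes the total and parks it in a pending store under a random token, and the confirm step accepts nothing but that token. Plain dicts stand in for the unconfirmed/confirmed tables, and the 24-hour expiry is the value suggested in the reply; the rate table is constructed.

```python
import secrets
import time

# Constructed price table: the server is the only source of the rate.
RATES = {"hosting": 10.0, "backup": 4.0}  # price per unit of service

# Stand-ins for the "unconfirmed" and "confirmed" tables from the reply.
pending = {}
confirmed = {}

PENDING_TTL = 24 * 3600  # unconfirmed offers expire after 24 hours


def create_offer(service, quantity, now=None):
    """Step 1: client supplies the amount of service only; the server
    computes the total and stores it under an unguessable token."""
    now = time.time() if now is None else now
    if service not in RATES or quantity <= 0:
        raise ValueError("bad service or quantity")
    token = secrets.token_urlsafe(16)  # opaque id shown in the confirm form
    pending[token] = {
        "service": service,
        "quantity": quantity,
        "total": RATES[service] * quantity,  # computed here, never posted
        "expires": now + PENDING_TTL,
    }
    return token, pending[token]["total"]


def confirm_offer(token, posted, now=None):
    """Step 2: the confirm form carries only the token. 'posted' is the
    rest of the submitted form; it is deliberately never read, so a
    tampered hidden 'total' field has no effect."""
    now = time.time() if now is None else now
    offer = pending.pop(token, None)
    if offer is None:
        return None  # unknown token, or already confirmed once
    if now > offer["expires"]:
        return None  # expired: the unconfirmed offer is simply dropped
    confirmed[token] = offer
    return offer["total"]  # the server-side figure is what gets charged
```

The same token serves the "confirmation flag" variant too: keep one table and flip a flag on confirm, with the expiry check unchanged.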

