What I do is this. The only fields I pass are the product's Id, so when I go
to the add to cart page I do another query that gets the price again and
then I make that a client variable. Little more processing but my cart would
be safe from price tricking. 

Robert Everland III
Web Developer
Dixon Ticonderoga
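As an added example (not code from either post, and in Python rather than ColdFusion), here are the two cart patterns this thread contrasts side by side: storing the price posted in a hidden field, versus taking only the product id from the client and re-reading the price server-side on every add. The catalog, product ids and form values are constructed for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample catalog standing in for the product table the
# add-to-cart page would query; ids and prices are made up.
CATALOG = {
    "SKU-1001": Decimal("49.99"),
    "SKU-1002": Decimal("129.00"),
}


def parse_qty(raw):
    """Quantity is the one numeric field the client may send; it must be a
    positive integer, otherwise the request is rejected."""
    if not raw.isdigit() or int(raw) < 1:
        raise ValueError(f"bad quantity: {raw!r}")
    return int(raw)


def add_to_cart_trusting_form(cart, form):
    """Vulnerable pattern from the thread: the price arrives as a hidden form
    field and is stored as posted, so a rebuilt form can set any price."""
    try:
        price = Decimal(form["price"])
    except InvalidOperation:
        raise ValueError(f"bad price: {form['price']!r}")
    cart.append({"id": form["product_id"], "price": price, "qty": parse_qty(form["qty"])})
    return cart


def add_to_cart_by_id(cart, form):
    """Hardened pattern: the only identifying field taken from the client is
    the product id; the price is looked up server-side and never trusted."""
    product_id = form["product_id"]
    if product_id not in CATALOG:
        raise ValueError(f"unknown product id: {product_id!r}")
    cart.append({"id": product_id, "price": CATALOG[product_id], "qty": parse_qty(form["qty"])})
    return cart


def cart_total(cart):
    return sum(item["price"] * item["qty"] for item in cart)


# Constructed POST body as a tampered client might send it: the hidden price
# field has been rewritten to one cent while the product id stays valid.
TAMPERED_FORM = {"product_id": "SKU-1002", "price": "0.01", "qty": "2"}

if __name__ == "__main__":
    print(cart_total(add_to_cart_trusting_form([], TAMPERED_FORM)))  # 0.02
    print(cart_total(add_to_cart_by_id([], TAMPERED_FORM)))          # 258.00
```

The hardened version ignores the posted price entirely, so the same tampered request yields the catalog total; an unknown id or a non-positive quantity is rejected instead of being stored.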


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 15, 2001 2:27 PM
To: CF-Talk
Subject: exploiting shopping carts


Hey all,

I just got this article today about how people are exploiting shopping cart
logic to change prices and essentially stealing products. After some testing
on my own carts I have been able to exploit some of them by building a form
with all their required hidden fields and modifying their values. Of course
this wouldn't be a problem if they weren't sending pricing information as a
hidden variable but many of them do. Do you guys have any recommendation for
preventing this on carts built this way? I've thought of checking the
http_referer to make sure the request comes from the same domain the site is
in but I'm not sure there isn't a better solution that I'm missing. I've
attached the address to the article for you all to read.

http://msn.zdnet.com/msn/zdnet/story/0%2C12461%2C2692337-hud00025mn6%2C00.html

Rick
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/