On my shopping cart program, I don't pass prices around. It works like
this:

You get a CartID as a session variable. Anything in your shopping cart is
in the CartPart table with that ID and ProductID, Qty and any Options
(size, color). When you order, the CartParts are moved into OrderParts and
the current price (regular, sale, whatever) is stored in the OrderParts
table. The price of the item is never passed around anywhere. The only
thing sensitive exposed is the CartID and once moved into the order stage,
that's secured with the username/password of the customer...

In fact, I built my whole cart without forms, using all GETs instead.
The only POST is at the end. Made making links and quantity changes easy.

> I just got this article today about how people are exploiting shopping cart
> logic to change prices and essentially stealing products. After some testing
> on my own carts I have been able to exploit some of them by building a form
> with all their required hidden fields and modifying their values. Of course
> this wouldn't be a problem if they weren't sending pricing information as a
> hidden variable but many of them do. Do you guys have any recommendation for
> preventing this on carts built this way? I've thought of checking the
> http_referer to make sure the request comes from the same domain the site is
> in but I'm not sure there isn't a better solution that I'm missing. I've
> attached the address to the article for you all to read.
> 
> http://msn.zdnet.com/msn/zdnet/story/0%2C12461%2C2692337-hud00025mn6%2C00.html
> 
> Rick
> 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists

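The cart design described in the reply above, written out as an added example. This is not the poster's ColdFusion code and not code from the linked article; it is a Python/sqlite3 sketch that borrows the table names from the post (Product, CartPart, OrderPart) and uses a constructed two-item catalogue and a constructed tampered form submission. The CartPart row holds only ProductID, Qty and Options; at checkout the OrderPart price is filled in from the Product table in the same INSERT ... SELECT, so there is no client-supplied price to alter. For contrast, checkout_trusting_form() is the pattern the quoted article describes, where the price arrives in a hidden field.

```python
import sqlite3

# Constructed sample catalogue (not data from the list post): ProductID, Name, Price, SalePrice.
PRODUCTS = [
    (1, "Widget", 19.99, None),
    (2, "Gadget", 49.50, 39.00),   # currently on sale
]

# Table names follow the post; column layout is an assumption for this example.
SCHEMA = """
CREATE TABLE Product  (ProductID INTEGER PRIMARY KEY, Name TEXT, Price REAL NOT NULL, SalePrice REAL);
CREATE TABLE CartPart (CartID TEXT, ProductID INTEGER, Qty INTEGER, Options TEXT);
CREATE TABLE OrderPart(OrderID INTEGER, ProductID INTEGER, Qty INTEGER, Options TEXT, Price REAL NOT NULL);
"""


def open_store():
    """In-memory store seeded with the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Product VALUES (?,?,?,?)", PRODUCTS)
    return conn


def add_to_cart(conn, cart_id, product_id, qty, options=""):
    """Store only what the customer is allowed to choose: product, quantity, options.
    No price is accepted from the client, so none is stored."""
    if not isinstance(qty, int) or qty <= 0:
        raise ValueError("quantity must be a positive integer")
    if conn.execute("SELECT 1 FROM Product WHERE ProductID=?", (product_id,)).fetchone() is None:
        raise ValueError("unknown product")
    with conn:
        conn.execute("INSERT INTO CartPart VALUES (?,?,?,?)", (cart_id, product_id, qty, options))


def checkout(conn, cart_id, order_id):
    """Move CartParts into OrderParts, pricing each line from the Product table *now*
    (sale price if set, else regular price). The only client input is the CartID."""
    with conn:
        conn.execute(
            """INSERT INTO OrderPart (OrderID, ProductID, Qty, Options, Price)
               SELECT ?, c.ProductID, c.Qty, c.Options, COALESCE(p.SalePrice, p.Price)
               FROM CartPart c JOIN Product p ON p.ProductID = c.ProductID
               WHERE c.CartID = ?""",
            (order_id, cart_id),
        )
        conn.execute("DELETE FROM CartPart WHERE CartID=?", (cart_id,))
    return order_total(conn, order_id)


def checkout_trusting_form(conn, order_id, form_lines):
    """The vulnerable pattern from the quoted article: the price comes from the
    submitted (hidden) form field and is written to the order as-is."""
    with conn:
        for line in form_lines:
            conn.execute(
                "INSERT INTO OrderPart VALUES (?,?,?,?,?)",
                (order_id, line["product_id"], line["qty"], line.get("options", ""), line["price"]),
            )
    return order_total(conn, order_id)


def order_total(conn, order_id):
    (total,) = conn.execute(
        "SELECT ROUND(COALESCE(SUM(Qty * Price), 0), 2) FROM OrderPart WHERE OrderID=?",
        (order_id,),
    ).fetchone()
    return total


def demo():
    """Same two items ordered both ways; returns (server-priced total, form-priced total)."""
    conn = open_store()
    add_to_cart(conn, "cart-abc", 1, 2)          # 2 x Widget at 19.99
    add_to_cart(conn, "cart-abc", 2, 1, "red")   # 1 x Gadget at sale price 39.00
    safe = checkout(conn, "cart-abc", 1001)      # 2*19.99 + 39.00 = 78.98

    # Constructed attacker submission: same items, hidden price fields rewritten to 0.01.
    tampered = [
        {"product_id": 1, "qty": 2, "price": 0.01},
        {"product_id": 2, "qty": 1, "price": 0.01},
    ]
    unsafe = checkout_trusting_form(conn, 1002, tampered)   # 0.03
    return safe, unsafe


if __name__ == "__main__":
    print(demo())
```

On the Referer idea in the quoted question: the Referer header is sent by the client, and an attacker who is already hand-building the POST controls it along with the hidden fields, so a Referer check does not close this hole. Repricing from the product table at checkout, as the reply describes, does.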