Form Security? Anyone?

JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

Post by JPlush76 »

I had someone try to get around my checkout pages on my ecom site so I'd like to tighten up my forms a little.

I have 3 pages that deal with the checkout

checkout - displays totals, user enters shipping method + CC info

checkout confirm - displays new totals with shipping and makes sure things are ok

order complete - displays order number and order info

What's the best way to make sure people are taking the right steps to go through the forms?


HTTP_REFERER seems to be completely useless for security because it can be turned off by browsers.

I was going to use

Code:

<?php
// If the page was not reached by submitting the form, send the visitor back to checkout.
if (!isset($_POST['Submit']))
{
	header("Location: sc_checkout.php");
	exit;
}
?>
that way if it wasn't posted it goes back to checkout, however if someone made their own form and posted it the page would still work. that = bad also

session variables? If someone goes to checkout confirm I could set a variable, but if they go to that page from my site - it sets the var, then they make their own form to change prices it would still work. :(


Anyone have any thoughts? thanks!
BigE
Site Admin
Posts: 139
Joined: Fri Apr 19, 2002 9:49 am
Location: Missouri, USA

Post by BigE »

I would say pass a hidden variable through your forms that contains a certain value, that way if it's one value, they go to this place. If it's this value, they go to this place. If it's none of those values, they go to a certain page... get what I mean? Hope that helps.
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

Post by JPlush76 »

hidden vars are displayed in the html source though.. is that what you meant?
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA

Post by jason »

Session variables would seem to work fine.
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

Post by JPlush76 »

Don't session vars stay active until you close your browser?

PHP Manual:
Sessions rely on the session ID, meaning one can 'steal' a session by stealing the session ID. This can be made harder by using a cookie, specifically a session cookie, but does not in any way make it impossible and still relies on the user closing all browser windows to expire the session cookie. Besides that, even session cookies can be sniffed on a network or logged by a proxy server.


so someone could start the session, the variable gets loaded... then they create an html form with dummy prices and submit from the same browser. no?

Luckily when an order comes in we check the price against our AS/400 database so that's not an issue, but other flaws could be made I suppose.
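The two points raised in this thread (gating the three checkout steps, and a hand-made form posting its own prices) can be handled together on the server. The following is an added example, not code from the poster's site: each step page checks the session for the step that should precede it plus a single-use token issued by that step's form, and totals are recomputed from server-side prices held in the session cart, so whatever price a forged form posts is simply never read. The catalogue array and page names are assumed stand-ins for the poster's AS/400 lookup and checkout pages.

```php
<?php
// Added example, not the poster's code: gate each checkout step on server-side
// session state plus a one-time form token, and recompute totals from server
// prices so a hand-made form with "dummy prices" changes nothing.
session_start();

// Hypothetical catalogue lookup; stands in for the poster's AS/400 price check.
function server_price(string $sku): ?float {
    $catalogue = ['WIDGET-1' => 19.99, 'GADGET-2' => 5.50]; // constructed sample data
    return $catalogue[$sku] ?? null;
}

// Called at the top of a step page: the previous step must have been reached in
// this session and the form must carry the token that step issued (single use).
function enter_step(string $previous, string $redirect_to): void {
    $expected = $_SESSION['step_token'] ?? null;
    unset($_SESSION['step_token']);
    $posted = $_POST['step_token'] ?? '';
    if (($_SESSION['checkout_step'] ?? '') !== $previous
        || ($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST'
        || $expected === null || !hash_equals($expected, (string) $posted)) {
        header('Location: ' . $redirect_to);
        exit;
    }
}

// Called when a step page renders its form: record the step and issue the next token.
function leave_step(string $step): string {
    $_SESSION['checkout_step'] = $step;
    $_SESSION['step_token'] = bin2hex(random_bytes(16));
    return $_SESSION['step_token'];   // goes into <input type="hidden" name="step_token">
}
// Totals come from the session cart and server prices; posted prices are ignored.
function server_total(array $cart): float {
    $total = 0.0;
    foreach ($cart as $sku => $qty) {
        $price = server_price($sku);
        if ($price === null || (int) $qty < 1) {
            throw new RuntimeException("unknown item or bad quantity: $sku");
        }
        $total += $price * (int) $qty;
    }
    return round($total, 2);
}

// sc_checkout_confirm.php: only reachable by posting the checkout page's form.
enter_step('checkout', 'sc_checkout.php');
$total = server_total($_SESSION['cart'] ?? []);
$token = leave_step('confirm');   // embed $token in the confirm form for the final step
```

The hidden token is visible in the page source, as noted above, but that does not matter: it is random per session and consumed on first use, so it only proves the form came from the previous step in this same session. A visitor who builds their own form in the same browser can still submit it once with that token, which is exactly why the total is recomputed from the session cart and server prices rather than taken from the post.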