
Form Security? Anyone?

Posted: Wed Nov 27, 2002 2:19 pm
by JPlush76
I had someone try to get around my checkout pages on my e-commerce site, so I'd like to tighten up my forms a little.

I have 3 pages that deal with the checkout:

checkout - displays totals, user enters shipping method + CC info

checkout confirm - displays new totals with shipping and makes sure things are OK

order complete - displays order number and order info

What's the best way to make sure people are taking the right steps to go through the forms?


HTTP_REFERER seems to be completely useless for security because it can be turned off by browsers.

I was going to use:

Code:

<?php
// Bounce back to the checkout page unless this request came in as a form submit.
if (!isset($_POST['Submit']))
{
	header("Location: sc_checkout.php");
	exit;
}
?>
That way, if it wasn't posted it goes back to checkout; however, if someone made their own form and posted it, the page would still work. That = bad also.

Session variables? If someone goes to checkout confirm I could set a variable, but if they go to that page from my site, it sets the var; then they make their own form to change prices and it would still work. :(


Anyone have any thoughts? Thanks!
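
One way to enforce the checkout -> confirm -> complete order that the post describes, as an added example rather than code from the thread. The session records which step the customer has reached, every page checks that first, and totals are recomputed from server-side tables, so a home-made form cannot hand the server its own prices. The catalog, shipping table, page name and PHP 7+ are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Session-backed step state plus
// server-authoritative prices for a checkout / confirm / complete flow.
// Assumes PHP 7+. Catalog, shipping table and page name are stand-ins.

// Constructed stand-in for the AS/400 price lookup (prices in cents).
const CATALOG  = ['WIDGET-1' => 1999, 'GADGET-2' => 500];
// Shipping methods the server accepts, with their cost in cents.
const SHIPPING = ['ground' => 500, 'express' => 1500];

// Sum the cart from server-side prices; quantities come from the session,
// never from the request.
function cart_total(array $cart): int
{
    $total = 0;
    foreach ($cart as $sku => $qty) {
        if (!isset(CATALOG[$sku]) || $qty < 1) {
            throw new RuntimeException("bad cart line: $sku");
        }
        $total += CATALOG[$sku] * $qty;
    }
    return $total;
}

// Top of every checkout page: bounce unless the session says the customer
// is on this step. Nothing in $_POST can move the step forward by itself.
function require_step(array &$session, string $expected): void
{
    $current = $session['checkout']['step'] ?? 'none';
    if ($current !== $expected) {
        if (PHP_SAPI === 'cli') {
            throw new RuntimeException("expected step '$expected', session at '$current'");
        }
        header('Location: sc_checkout.php');  // page name from the thread
        exit;
    }
}

// checkout page: record the shipping choice (validated against SHIPPING),
// never a price, then advance the step.
function handle_checkout(array &$session, array $post): int
{
    require_step($session, 'checkout');
    $method = (string) ($post['shipping'] ?? '');
    if (!isset(SHIPPING[$method])) {
        throw new RuntimeException('invalid shipping method');
    }
    $session['checkout']['shipping'] = $method;
    $session['checkout']['step'] = 'confirm';
    return cart_total($session['checkout']['cart']) + SHIPPING[$method];
}

// checkout confirm page: recompute the total from session + server tables,
// store it, and only then advance to order complete.
function handle_confirm(array &$session, array $post): int
{
    require_step($session, 'confirm');
    if (($post['confirm'] ?? '') !== 'yes') {
        throw new RuntimeException('order not confirmed');
    }
    $total = cart_total($session['checkout']['cart'])
           + SHIPPING[$session['checkout']['shipping']];
    $session['checkout']['total'] = $total;
    $session['checkout']['step'] = 'complete';
    return $total;
}

// order complete page: one shot. Clearing the state means reloading or
// re-posting this page cannot place the order twice.
function handle_complete(array &$session): int
{
    require_step($session, 'complete');
    $total = $session['checkout']['total'];
    unset($session['checkout']);
    return $total;
}

// Run from the command line to walk the flow without a browser. Each call
// stands for one page request; in the real pages pass $_SESSION and $_POST.
if (PHP_SAPI === 'cli') {
    $session = ['checkout' => ['step' => 'checkout',
                               'cart' => ['WIDGET-1' => 2, 'GADGET-2' => 1]]];
    // A forged form that posts its own 'price' changes nothing: it is never read.
    handle_checkout($session, ['shipping' => 'ground', 'price' => '0.01']);
    $total = handle_confirm($session, ['confirm' => 'yes']);
    printf("order total: %.2f\n", $total / 100);
    handle_complete($session);
    try {
        handle_complete($session);   // replay of the last page
    } catch (RuntimeException $e) {
        echo "replay rejected: {$e->getMessage()}\n";
    }
}
```

In the real pages call `session_start()` and pass `$_SESSION` and `$_POST` to the handlers. The point is that the only thing the request can do is pick among choices the server already knows (a shipping method, a yes/no); quantities, prices and the current step all live in the session or in server tables, so a self-made form submitted from the same browser still gets the server's prices. The check against the AS/400 database mentioned later in the thread plays the same role for the final order.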

Posted: Wed Nov 27, 2002 3:18 pm
by BigE
I would say pass a hidden variable through your forms that contains a certain value; that way if it's one value, they go to this place, if it's this value, they go to this place, and if it's none of those values, they go to a certain page... get what I mean? Hope that helps.

Posted: Wed Nov 27, 2002 3:54 pm
by JPlush76
Hidden vars are displayed in the HTML source though... is that what you meant?
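
A hidden field being visible in the HTML source is not the problem by itself; the problem is that the customer can change it. The added example below (not code from either poster) shows a hidden step field the browser can read but cannot forge: the server signs the step name, the session ID and an expiry with a secret only it knows, and rejects any value whose HMAC does not match. The secret, the field name and PHP 7.1+ are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread: an HMAC-signed hidden step field.
// Assumes PHP 7.1+ and a secret generated once and kept outside the web root.
const FORM_SECRET = 'replace-with-32-random-bytes-from-random_bytes()';

// Build the hidden value: step|sessionId|expires|hmac, base64-encoded so it
// survives being an HTML attribute. The customer can decode and read it.
function sign_step(string $step, string $sessionId, int $expires): string
{
    $payload = "$step|$sessionId|$expires";
    $mac = hash_hmac('sha256', $payload, FORM_SECRET);
    return base64_encode("$payload|$mac");
}

// Return the step name if the token is genuine, unexpired and bound to this
// session; null otherwise. hash_equals() keeps the comparison constant-time.
function verify_step(string $token, string $sessionId, int $now): ?string
{
    $decoded = base64_decode($token, true);
    if ($decoded === false) {
        return null;
    }
    $parts = explode('|', $decoded);
    if (count($parts) !== 4) {
        return null;
    }
    [$step, $sid, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', "$step|$sid|$expires", FORM_SECRET);
    if (!hash_equals($expected, $mac)) {
        return null;           // edited in the browser, or signed elsewhere
    }
    if ($sid !== $sessionId || (int) $expires < $now) {
        return null;           // copied from another session, or stale
    }
    return $step;
}

// Emit the field for a form; 15-minute lifetime is a stand-in choice.
function hidden_step_field(string $step, string $sessionId): string
{
    $token = sign_step($step, $sessionId, time() + 900);
    return '<input type="hidden" name="step" value="'
         . htmlspecialchars($token, ENT_QUOTES) . '">';
}

// Command-line walk-through: genuine token, then three ways it can be wrong.
if (PHP_SAPI === 'cli') {
    $sid = 'abc123';          // stands in for session_id()
    $now = 1000000;
    $token = sign_step('confirm', $sid, $now + 900);
    var_dump(verify_step($token, $sid, $now));

    // Tamper: edit the step name inside the (readable) token.
    $forged = base64_encode(str_replace('confirm', 'complete', base64_decode($token)));
    var_dump(verify_step($forged, $sid, $now));
    // Replay from a different session, and after expiry.
    var_dump(verify_step($token, 'other-session', $now));
    var_dump(verify_step($token, $sid, $now + 901));

    echo hidden_step_field('confirm', $sid), "\n";
}
```

The genuine token verifies to its step name; the edited, cross-session and expired tokens all verify to null. A page would call `verify_step($_POST['step'] ?? '', session_id(), time())` and redirect on null. Two caveats: a valid step token says only that the customer legitimately reached that page, it says nothing about the other fields in the post, so prices still have to come from the server; and if a step must be usable exactly once, pair the token with server-side state (a nonce stored in the session and cleared on use), since an HMAC alone cannot expire a value before its time.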

Posted: Wed Nov 27, 2002 4:27 pm
by jason
Session variables would seem to work fine.

Posted: Wed Nov 27, 2002 4:38 pm
by JPlush76
Don't session vars stay active until you close your browser?

PHP Manual:
Sessions rely on the session ID, meaning one can 'steal' a session by stealing the session ID. This can be made harder by using a cookie, specifically a session cookie, but that does not in any way make it impossible and still relies on the user closing all browser windows to expire the session cookie. Besides that, even session cookies can be sniffed on a network or logged by a proxy server.


So someone could start the session, the variable gets loaded... then they create an HTML form with dummy prices and submit it from the same browser. No?

Luckily, when an order comes in we check the price against our AS/400 database, so that's not an issue, but other flaws could be made I suppose.