Form Security? Anyone?
Posted: Wed Nov 27, 2002 2:19 pm
I had someone try to get around my checkout pages on my ecom site so I'd like to tighten up my forms a little.
I have 3 pages that deal with the checkout:
checkout - displays totals, user enters shipping method + CC info
checkout confirm - displays new totals with shipping and makes sure things are ok
order complete - displays order number and order info
What's the best way to make sure people are taking the right steps to go through the forms?
HTTP_REFERER seems to be completely useless for security because it can be turned off by browsers.
I was going to use
Code:
<?php
// Send anyone who did not arrive via the form's Submit button back to checkout.
if (empty($_POST['Submit']))
{
    header("Location: sc_checkout.php");
    exit;
}
?>
That way if it wasn't posted it goes back to checkout; however, if someone made their own form and posted it the page would still work. That = bad also.
Session variables? If someone goes to checkout confirm I could set a variable, but if they go to that page from my site - it sets the var, then they make their own form to change prices it would still work.
Anyone have any thoughts? thanks!
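An added example, not part of the original post: one way to handle the forged-form case raised above is to keep the cart and the current step in the session and recompute totals on the server, so a price in the POST body is never read. The function names, catalogue and token scheme are assumptions, and a plain array stands in for $_SESSION so the code runs from the PHP CLI.

```php
<?php
// Constructed catalogue (cents); a real shop reads prices from its database.
const PRICES   = ['sku-1' => 1999, 'sku-2' => 500];
const SHIPPING = ['ground' => 700, 'express' => 1800];

// Step 1 (checkout): keep the cart server-side and issue a one-time token.
function begin_checkout(array &$session, array $cart): string
{
    $session['cart']  = $cart;                    // sku => quantity
    $session['step']  = 'checkout';
    $session['token'] = bin2hex(random_bytes(16));
    return $session['token'];                     // value for a hidden form field
}

// Totals are derived only from the server-side cart and price list.
function compute_total(array $cart, string $method): int
{
    if (!array_key_exists($method, SHIPPING)) {
        throw new InvalidArgumentException('unknown shipping method');
    }
    $total = SHIPPING[$method];
    foreach ($cart as $sku => $qty) {
        if (!array_key_exists($sku, PRICES) || !is_int($qty) || $qty < 1) {
            throw new InvalidArgumentException('bad cart line');
        }
        $total += PRICES[$sku] * $qty;
    }
    return $total;
}

// Step 2 (checkout confirm): require the expected step and token; ignore posted totals.
function confirm_checkout(array &$session, array $post): ?int
{
    $ok = ($session['step'] ?? '') === 'checkout'
        && isset($session['token'], $post['token'])
        && is_string($post['token'])
        && hash_equals($session['token'], $post['token']);
    if (!$ok) {
        return null;                              // caller redirects to sc_checkout.php
    }
    $total = compute_total($session['cart'], (string) ($post['shipping'] ?? ''));
    unset($session['token']);                     // token is single-use
    $session['step'] = 'confirmed';
    return $session['total'] = $total;
}

// Constructed run: the forged 'total' field is ignored, and the replayed token is rejected.
$session = [];
$token = begin_checkout($session, ['sku-1' => 2, 'sku-2' => 1]);
var_dump(confirm_checkout($session, ['token' => $token, 'shipping' => 'ground', 'total' => 1]));
var_dump(confirm_checkout($session, ['token' => $token, 'shipping' => 'ground']));
```

The order complete page would apply the same pattern, accepting the request only while the session step is 'confirmed' and charging the total stored in the session.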