Urgent : Problem with Web Developer Add-ons

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

arulkumar
Forum Newbie
Posts: 5
Joined: Wed Oct 21, 2009 7:10 am

Urgent : Problem with Web Developer Add-ons

Post by arulkumar »

Actual process: We are doing some JavaScript calculations, storing the results in hidden fields, and then sending them to the payment process.

Problem is: hackers are changing the hidden field values using the Mozilla Firefox Web Developer add-on (Forms -> Display Form Fields) and making the payments.

Is there any way to resolve this?

Please reply ASAP.....

Thanks in advance
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Urgent : Problem with Web Developer Add-ons

Post by jackpf »

Don't save them in hidden fields maybe? :?
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Urgent : Problem with Web Developer Add-ons

Post by pickle »

Never, ever, EVER, trust anything a user gives you. Especially don't count on JavaScript to execute properly. The JavaScript should only be there to improve the user interface - for giving the user immediate feedback without needing a page load. You should always be doing the calculations server-side as well.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
arulkumar
Forum Newbie
Posts: 5
Joined: Wed Oct 21, 2009 7:10 am

Re: Urgent : Problem with Web Developer Add-ons

Post by arulkumar »

Thanks for your valuable reply ....

Another problem is: I am sending the values to PayPal through hidden fields only ...... so they can change the values

Is there any other way to send the parameters to PayPal?
TheOnly92
Forum Newbie
Posts: 19
Joined: Thu Jan 15, 2009 6:05 am

Re: Urgent : Problem with Web Developer Add-ons

Post by TheOnly92 »

Use cURL. It's definitely not good to send confidential information from the client side.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Urgent : Problem with Web Developer Add-ons

Post by kaisellgren »

arulkumar wrote: Thanks for your valuable reply ....

Another problem is: I am sending the values to PayPal through hidden fields only ...... so they can change the values

Is there any other way to send the parameters to PayPal?

PayPal's IPN or the other service (whatever it was called) will send you the details about the transaction. When they arrive, you need to recalculate and make a comparison to see whether the payment was fraudulent or not.
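
The recalculate-and-compare check described in the reply above, as an added example that is not part of the original thread. The price list, merchant address and order are constructed; `payment_status`, `receiver_email`, `mc_currency` and `mc_gross` are PayPal IPN variables, and the message is assumed to have already passed PayPal's verification postback.

```php
<?php
// Added example: names, prices and addresses below are constructed.
// Assumes the IPN message already passed PayPal's verification postback
// (cmd=_notify-validate answered VERIFIED).
const MERCHANT_EMAIL = 'seller@example.com';            // hypothetical
const PRICES_CENTS = ['SKU-1' => 1000, 'SKU-2' => 250]; // server-side price list

// The order is stored server-side at checkout: only item ids and
// quantities come from the browser, never prices or totals.
function orderTotalCents(array $order): int
{
    $total = 0;
    foreach ($order['items'] as $sku => $qty) {
        if (!array_key_exists($sku, PRICES_CENTS) || !is_int($qty) || $qty < 1) {
            throw new InvalidArgumentException("bad order line: $sku");
        }
        $total += PRICES_CENTS[$sku] * $qty;
    }
    return $total;
}

// Returns the reasons a payment must not be fulfilled (empty array = OK).
function checkIpn(array $ipn, array $order): array
{
    $problems = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment not completed';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', MERCHANT_EMAIL) !== 0) {
        $problems[] = 'paid to a different account';
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        $problems[] = 'currency mismatch';
    }
    $gross = $ipn['mc_gross'] ?? '';
    if (!is_string($gross) || !preg_match('/^\d+\.\d{2}\z/', $gross)
        || (int) str_replace('.', '', $gross) !== orderTotalCents($order)) {
        $problems[] = 'amount differs from server-side total';
    }
    return $problems;
}

$order = ['currency' => 'USD', 'items' => ['SKU-1' => 2, 'SKU-2' => 1]];
$genuine = ['payment_status' => 'Completed', 'receiver_email' => 'seller@example.com',
            'mc_currency' => 'USD', 'mc_gross' => '22.50'];
$tampered = ['mc_gross' => '0.01'] + $genuine; // amount field edited in the browser

echo json_encode(checkIpn($genuine, $order)), "\n";
echo json_encode(checkIpn($tampered, $order)), "\n";
```

Amounts are compared as integer cents so that no floating-point rounding can make a mismatched total look equal.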
arulkumar
Forum Newbie
Posts: 5
Joined: Wed Oct 21, 2009 7:10 am

Re: Urgent : Problem with Web Developer Add-ons

Post by arulkumar »

Thanks for your help...

I have fixed the issue....