|
Posted by Mayo on 05/14/05 16:30
I have to say it's a pretty simple project. The don't want to keep any
information in a db. (!!??!!) Info will be sent to a merchant services
account and to the distributor which will process the form.
Info will be kept in hidden fields <input type="hidden" ...> and in
session variables then sent off.
They have three products (it may rise to 5) and everything will be
hardcoded as there are no size or color variations. I told them that
it's not advisable to have everything hardcoded but the client insists
there is no reason to pull anything from a database. The on-site
graphics/web designer person will make the changes. He is competent to
do that and did a good job with the basic design.
This is not my very first foray into PHP but first time doing something
more complicated than
1. if person has this permission then show A else show B
or
2. if person is on page 1 then show page 1 as bold else show page 1 as
normal
Thanks
-----Original Message-----
From: Richard Lynch [mailto:ceo@l-i-e.com]
Sent: Saturday, May 14, 2005 1:54 AM
To: mayo
Cc: php
Subject: Re: [PHP] Shopping Cart, security concerns
On Fri, May 13, 2005 8:26 pm, mayo said:
> I'm making my first shopping cart in PHP. I'm concerned about the
> security of my session variables, concerned about people altering data
> (lowering the price). Is there anything I should pay attention to.
There are approximately 247 other PHP shopping carts out there. Maybe
you'd be better off just installing one of them.
Certainly, you should read the source code to several.
Your session variables are at-risk on a shared server, usually; And not
so
much on a dedicated server. Or, more properly, on a dedicated server,
if
your session data isn't safe, you've got MUCH bigger problems than just
your session data.
As far as changing the price goes, just don't take the price as an INPUT
from your cart/form. The only variables you need to accept from the
user
in the shopping cart itself are: $product_id and $quantity.
For the fulfillment, maybe some location data like $country, $region,
$postal to calculate shipping, and then their credit card info.
Honestly, setting up a script to accept people's credit card numbers as
your very first PHP project is probably not a particularly Good Idea...
You can't absorb all the ins and outs of security overnight... Just my
opinion.
Perhaps you would be better served to install a pre-existing PHP
shopping
cart, and focus on making it secure and safe, rather than trying to
write
your own from scratch as well.
--
Like Music?
http://l-i-e.com/artists.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Navigation:
[Reply to this message]
|