  1. #1
    lance_vincent (SitePoint Evangelist, joined Aug 2004, Philippines)

    Help in shopping cart design

    Hi guys!

    I have been designing this cart at home when I'm not busy. It's a shopping cart that would connect to online payment systems (or whatever the more proper term for that is). Now, my design was to store every item purchased in a database, including the final amount to be paid. On the final page, where I'm displaying all the cart's items and the final amount, I placed the necessary code for PayPal: a proper Payflow Link form with hidden fields like the final amount, names, etc. This would then be taken to PayPal and then returned to a page I would like my buyers to see.

    Simple, isn't it? But after some time practicing practical "hacking" or exploits, it doesn't seem very good at the moment.

    You see, PayPal's form asks you to place the final amount in a hidden field, where the page can first be saved, then edited, then run to continue to PayPal's Payflow... then baaamm... your cart's been discounted 99.9% off...

    Any suggestions here? I'm a programmer myself. I thought of passing only an ID first, which would go to a PHP page where it will query and build a URL for PayPal's Payflow and use
    Code:
    header('Location: https://payplofw....');
    to open the page, but this way the page is in GET mode, meaning the user still sees the amount in the URL; they can change that and refresh the page.

    How can I make this more secure?
    Last edited by lance_vincent; Jan 23, 2007 at 03:38.
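The hidden-field problem the post describes, as an added example that is not the poster's code: the first form trusts whatever total the browser sends back, which is exactly what gets edited. The second computes the total from prices the server holds, records it under an unguessable order ID, and puts that ID in the PayPal form so the amount can be reconciled later. It is written against PayPal's Website Payments Standard form variables (cmd, business, amount, invoice, notify_url, return); the products and orders tables, the PDO connection, and the shop.example URLs are assumptions for illustration.

```php
<?php
// Added example, not code from the original post. The products/orders tables,
// the PDO connection and the shop.example URLs are assumptions.

// --- BEFORE: the total is whatever the browser sends back ---------------------
// Anyone can save this page, change value="199.99" to "0.20", and submit it.
function vulnerable_button(string $business, float $clientTotal): string
{
    return '<form action="https://www.paypal.com/cgi-bin/webscr" method="post">'
         . '<input type="hidden" name="cmd" value="_xclick">'
         . '<input type="hidden" name="business" value="' . htmlspecialchars($business) . '">'
         . '<input type="hidden" name="amount" value="' . $clientTotal . '">'
         . '<input type="submit" value="Pay">'
         . '</form>';
}

// --- AFTER: the server decides the total and remembers it ----------------------
// The cart only says *which* products and how many; prices come from the database.
function create_order(PDO $db, array $cart /* product_id => qty */): array
{
    $total  = 0.0;
    $lookup = $db->prepare('SELECT price FROM products WHERE id = ?');
    foreach ($cart as $productId => $qty) {
        $lookup->execute([(int) $productId]);
        $price = $lookup->fetchColumn();
        if ($price === false || (int) $qty < 1) {
            throw new RuntimeException("Bad cart line for product $productId");
        }
        $total += (float) $price * (int) $qty;
    }
    $total = round($total, 2);

    // Unguessable order id (random_bytes needs PHP 7+). A sequential id would
    // let a buyer point the PayPal form at someone else's cheaper order.
    $orderId = bin2hex(random_bytes(16));

    $db->prepare('INSERT INTO orders (id, total, currency, status) VALUES (?, ?, ?, ?)')
       ->execute([$orderId, $total, 'USD', 'pending']);

    return ['id' => $orderId, 'total' => $total, 'currency' => 'USD'];
}

// The amount still travels through the browser (the standard form requires it),
// so this form alone does not stop tampering. What it buys you is a server-side
// record keyed by `invoice` that the IPN handler can compare against.
function paypal_button(string $business, array $order): string
{
    $fields = [
        'cmd'           => '_xclick',
        'business'      => $business,
        'item_name'     => 'Order ' . $order['id'],
        'invoice'       => $order['id'],
        'amount'        => number_format($order['total'], 2, '.', ''),
        'currency_code' => $order['currency'],
        'notify_url'    => 'https://shop.example/ipn.php',    // assumed URL
        'return'        => 'https://shop.example/thanks.php', // assumed URL
    ];
    $html = '<form action="https://www.paypal.com/cgi-bin/webscr" method="post">';
    foreach ($fields as $name => $value) {
        $html .= sprintf('<input type="hidden" name="%s" value="%s">',
            $name, htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'));
    }
    return $html . '<input type="submit" value="Pay with PayPal"></form>';
}
```

The point of create_order is that nothing the buyer controls reaches the total: the cart contributes product IDs and quantities, both validated, and the price for each comes from the products table. The `return` page should never be treated as proof of payment either; only the notification PayPal sends to `notify_url` is.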

  2. #2
    lance_vincent (SitePoint Evangelist, joined Aug 2004, Philippines)
    Sorry, but I need to bump..

  3. #3
    Kailash Badu (SitePoint Wizard, joined Nov 2005)
    Use encryption.

    Or validate the payment via IPN before processing the transaction.
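What "validate the payment via IPN" looks like in practice, as an added example that is neither Kailash Badu's nor PayPal's code. PayPal's Instant Payment Notification posts the transaction details to your notify_url; the handler echoes the exact fields back with cmd=_notify-validate and PayPal answers VERIFIED or INVALID. VERIFIED only proves PayPal sent the message, so the handler then checks the things a tampered form could have changed: the amount and currency against the order stored server-side, the receiver account, the payment status, and that the txn_id has not been processed before. The IPN variable names (payment_status, mc_gross, mc_currency, receiver_email, txn_id, invoice) are PayPal's; the orders and paypal_txns tables, the PDO connection, and the sample data are assumptions constructed for the example. The validation endpoint is the one in PayPal's current documentation; check it against your account type.

```php
<?php
// Added example, not Kailash Badu's or PayPal's code. Table names, the PDO
// connection (assumed to be in ERRMODE_EXCEPTION) and the sample data are
// assumptions; the IPN field names are PayPal's.

// Step 1: hand the exact POST body back to PayPal. Only "VERIFIED" means it
// really came from them; a POST forged from the buyer's browser fails here.
function paypal_verify(array $post, string $endpoint = 'https://ipnpb.paypal.com/cgi-bin/webscr'): bool
{
    $body = 'cmd=_notify-validate&' . http_build_query($post);
    $ch = curl_init($endpoint);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // never disable this "to make it work"
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $reply = curl_exec($ch);
    curl_close($ch);
    return $reply === 'VERIFIED';
}

// Step 2: VERIFIED does not prove the buyer paid *your* price, in *your*
// currency, to *your* account. Pure function, so it can be tested offline.
function ipn_matches_order(array $ipn, array $order, string $receiverEmail): array
{
    $problems = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment not completed';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $receiverEmail) !== 0) {
        $problems[] = 'paid to a different account';
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        $problems[] = 'currency mismatch';
    }
    // Compare in integer cents; the 99.9%-off edit from the first post fails here.
    $paid = (int) round((float) ($ipn['mc_gross'] ?? 0) * 100);
    $owed = (int) round((float) $order['total'] * 100);
    if ($paid !== $owed) {
        $problems[] = "amount mismatch: paid $paid, expected $owed cents";
    }
    return $problems;
}

// Step 3: glue. txn_id goes into a table with a UNIQUE constraint so a replayed
// IPN (same transaction delivered twice) cannot mark an order paid twice.
function handle_ipn(PDO $db, array $post, string $receiverEmail): string
{
    if (!paypal_verify($post)) {
        return 'ignored: not verified by PayPal';
    }
    $stmt = $db->prepare('SELECT id, total, currency, status FROM orders WHERE id = ?');
    $stmt->execute([$post['invoice'] ?? '']);
    $order = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$order) {
        return 'ignored: unknown invoice';
    }
    $problems = ipn_matches_order($post, $order, $receiverEmail);
    if ($problems) {
        $db->prepare('UPDATE orders SET status = ? WHERE id = ?')
           ->execute(['flagged: ' . implode('; ', $problems), $order['id']]);
        return 'flagged';
    }
    try {
        $db->prepare('INSERT INTO paypal_txns (txn_id, order_id) VALUES (?, ?)')
           ->execute([$post['txn_id'] ?? '', $order['id']]);
    } catch (PDOException $e) {
        return 'ignored: duplicate txn_id';
    }
    $db->prepare("UPDATE orders SET status = 'paid' WHERE id = ?")->execute([$order['id']]);
    return 'paid';
}

// Constructed sample: the buyer edited the amount to 0.20 on a 199.99 order.
$sampleIpn = [
    'payment_status' => 'Completed', 'receiver_email' => 'seller@example.com',
    'mc_currency'    => 'USD',       'mc_gross'       => '0.20',
    'txn_id'         => 'SAMPLE-TXN-0001', 'invoice'  => 'order-abc',
];
$sampleOrder = ['id' => 'order-abc', 'total' => 199.99, 'currency' => 'USD', 'status' => 'pending'];
print_r(ipn_matches_order($sampleIpn, $sampleOrder, 'seller@example.com'));
```

Only after handle_ipn returns 'paid' should the order be shipped or the download unlocked. The receiver_email check matters as much as the amount: a form whose `business` field has been edited produces a perfectly VERIFIED IPN for a payment that went to someone else's account.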

  4. #4
    spikeZ (joined Aug 2004, Manchester UK)
    Further to what Kailash suggests, there is no reason why the final form processing page needs to be displayed in the browser. What I mean is that when the final form is processed to be sent to PayPal, you can do it without sending it out to the browser.

    Combine that with encryption AND IPN and you should be happy.

    Spike
    Mike Swiffin - Community Team Advisor

  5. #5
    lance_vincent (SitePoint Evangelist, joined Aug 2004, Philippines)
    What do you mean by "use encryption"? I mean, if I encrypt the values to be sent to PayPal, how can they read them?

    Anyway, what I did was flag the transaction: take note of whether the price they paid is the same as the final value, and if it's not, then the email I will be sending will have notes in red saying the price didn't match, so ignore this order..

  6. #6
    Kailash Badu (SitePoint Wizard, joined Nov 2005)
    PayPal allows you to encrypt the parameters you send them, and PayPal knows how to decrypt them. Go to the Merchant Services tab in your PayPal account.
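The feature being referred to is what PayPal documents as Encrypted Website Payments: the button parameters are signed with a certificate you registered with PayPal and then encrypted to PayPal's public certificate, so the browser carries one opaque `encrypted` field instead of editable amount fields. An added example of producing that field with PHP's OpenSSL functions, not Kailash Badu's or PayPal's code: the certificate paths, the cert_id and the email are placeholders, and the stripping of the S/MIME headers from openssl_pkcs7_sign / openssl_pkcs7_encrypt output follows the widely published PHP approach and is an assumption to check against PayPal's current EWP documentation.

```php
<?php
// Added example, not PayPal's or the poster's code. Paths, cert_id and email are
// placeholders. The header stripping below assumes PayPal's documented EWP blob
// format (DER-signed data, PKCS#7-encrypted, base64, wrapped in PKCS7 markers).

function paypal_encrypt_button(array $fields, string $myCert, string $myKey, string $paypalCert): string
{
    // PayPal expects "name=value" lines, including the cert_id it issued you.
    $data = '';
    foreach ($fields as $name => $value) {
        $data .= "$name=$value\n";
    }

    $dataFile   = tempnam(sys_get_temp_dir(), 'ewp');
    $signedFile = tempnam(sys_get_temp_dir(), 'ewp');
    $encFile    = tempnam(sys_get_temp_dir(), 'ewp');
    file_put_contents($dataFile, $data);

    try {
        // Sign with the merchant key whose certificate is uploaded to PayPal
        // (binary, non-detached). PayPal rejects blobs not signed by a known cert.
        if (!openssl_pkcs7_sign($dataFile, $signedFile, "file://$myCert",
                                ["file://$myKey", ''], [], PKCS7_BINARY)) {
            throw new RuntimeException('sign failed: ' . openssl_error_string());
        }
        // Drop the S/MIME headers and keep the raw DER signature.
        $signed = explode("\n\n", file_get_contents($signedFile), 2);
        file_put_contents($signedFile, base64_decode($signed[1]));

        // Encrypt to PayPal's public certificate; only PayPal can read the amount now.
        if (!openssl_pkcs7_encrypt($signedFile, $encFile, "file://$paypalCert", [], PKCS7_BINARY)) {
            throw new RuntimeException('encrypt failed: ' . openssl_error_string());
        }
        $enc  = explode("\n\n", file_get_contents($encFile), 2);
        $blob = '-----BEGIN PKCS7-----' . trim(str_replace("\n", '', $enc[1])) . '-----END PKCS7-----';
    } finally {
        @unlink($dataFile);
        @unlink($signedFile);
        @unlink($encFile);
    }

    return '<form action="https://www.paypal.com/cgi-bin/webscr" method="post">'
         . '<input type="hidden" name="cmd" value="_s-xclick">'
         . '<input type="hidden" name="encrypted" value="' . htmlspecialchars($blob) . '">'
         . '<input type="submit" value="Pay with PayPal"></form>';
}

// Placeholder values; in the real cart the amount and invoice come from the
// server-side order record, never from the browser.
$fields = [
    'cmd'           => '_xclick',
    'business'      => 'seller@example.com',
    'cert_id'       => 'YOUR_PAYPAL_CERT_ID',
    'item_name'     => 'Order ORDER-ID-FROM-DB',
    'invoice'       => 'ORDER-ID-FROM-DB',
    'amount'        => '199.99',
    'currency_code' => 'USD',
];
echo paypal_encrypt_button($fields, '/etc/shop/my-public.pem', '/etc/shop/my-private.pem', '/etc/shop/paypal-cert.pem');
```

Two caveats. The blob stops editing but not replay, and it does nothing if the attacker can still submit a plain, unencrypted form to the same account; PayPal's profile has a setting to block non-encrypted website payments, and EWP is only a protection once that is switched on. And it is a complement to IPN validation, not a substitute: the amount check against the stored order is still what tells you the buyer paid what the server said they owed.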

