but I have always had the opinion (and been told by a select few) that using JavaScript, especially with shopping carts, is unsafe and can be manipulated much more easily than client side scripts such as PHP. Is this correct? Or am I completely wrong?
I’d say anything sitting on the client side is available for manipulation by client users, yes. But I don’t know this from experience. PHP is sitting behind the server where the user does not have direct interaction (except in ways where the user can get access like with SQL injection or any other place where you are accepting input from the users).
You also have to be aware that not everyone has Javascript. I’ve seen Magento-based sites where I could not purchase things because I was required to select a colour, which could only be done via Javascript. Compare with Amazon, where I can buy anything I want no matter the state of my browser (it needs to render HTML, that’s it).
Basically I have a promotional code box on my checkout page that I want to use JavaScript to update the ‘discount’ and ‘total’ input values on ‘onkeyup’. The problem I have is that the values in those input fields on the checkout page are set from PHP variables, so to get JavaScript to update these fields am I right in that I have to pass the PHP variable to a JavaScript one? (code below)
Javascript works on the rendered HTML. Everywhere you have a PHP variable, those variables are not appearing in the DOM (at least, they shouldn’t be!). If you have
<input type="text" name="discount" id="discount" value="<?php echo htmlspecialchars($phpVariable); ?>">
then what should appear in the browser when you view the DOM (when you View Source in the browser) is
<input type="text" name="discount" id="discount" value="12.31"> (or whatever that variable brings up).
Therefore it seems to me that Javascript should be seeing the results of the PHP code and not the variables themselves.
and the fact that it can be seen in the ‘view source’.
If someone has a plugin like Firefox’s Web Developer Toolbar they can easily View Generated Source and see anything that has been output by JavaScript (you can see the results of a calculation for example, or any new HTML elements that are created).
Of course the js files themselves are available… if they weren’t available for viewing, then they wouldn’t be available to the browser for use.
Since I surf without JS, I’d recommend you start out with everything working with PHP alone… make people hit submit buttons and refreshed pages to show new values.
On top of this you could layer some JS for things like on-page calculations (so people can see new values without needing to refresh). However this means you’d have to put checks in the form… if after viewing a JS-generated value, and the person hits Submit, the back end better do the calculation again using original numbers, and verify that it’s correct. Or some other kind of checksum function back there to make sure the results weren’t tampered with.
I’m not sure how people would do this… I don’t work on the back end and I’m rather new to programming in general. However my husband likes to test sites we know for things like open holes so he can alert them (he did this with one of my company’s sites where all the values being sent were sitting in hidden form inputs… yes, anyone could change them with a text editor, but the server end had some sort of checksum-style fallback to prevent this from mattering).
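The “recalculate on the back end” step described above, as an added example that is not code from anyone in this thread: the server rebuilds the subtotal, discount and total from its own price and promo tables and only compares the client-submitted total to spot stale or tampered values. The catalog, promo codes and field names (`qty`, `promo`, `total`) are constructed sample data, not from any real shop.

```php
<?php
// Added example: server-side recalculation of the checkout figures.
// CATALOG and PROMOS are constructed sample data standing in for a database.
declare(strict_types=1);

const CATALOG = ['sku-100' => 1999, 'sku-200' => 550]; // prices in cents
const PROMOS  = ['SAVE10' => 10, 'HALF' => 50];         // percent off

/** Recompute subtotal, discount and total from server-side data only. */
function computeTotals(array $quantities, string $promoCode): array
{
    $subtotal = 0;
    foreach ($quantities as $sku => $qty) {
        // Reject unknown items and anything that is not a positive integer quantity.
        $n = filter_var($qty, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if (!isset(CATALOG[$sku]) || $n === false) {
            throw new InvalidArgumentException("unknown item or bad quantity: $sku");
        }
        $subtotal += CATALOG[$sku] * $n;
    }
    // An unknown promo code simply gives no discount; the client cannot invent one.
    $percent  = PROMOS[strtoupper(trim($promoCode))] ?? 0;
    $discount = intdiv($subtotal * $percent, 100);
    return ['subtotal' => $subtotal, 'discount' => $discount, 'total' => $subtotal - $discount];
}

/** Handle the checkout POST. The submitted discount/total fields are advisory only. */
function handleCheckout(array $post): array
{
    $server = computeTotals($post['qty'] ?? [], (string) ($post['promo'] ?? ''));
    // Compare with what the on-page JavaScript showed; a mismatch means the
    // client-side figure was stale or edited. Log it and keep the server value.
    $claimedTotal = (int) round(((float) ($post['total'] ?? 0)) * 100);
    if ($claimedTotal !== $server['total']) {
        error_log(sprintf('checkout total mismatch: client=%d server=%d',
            $claimedTotal, $server['total']));
    }
    return $server; // charge this, never $post['total']
}

// Constructed sample request: SAVE10 was applied but the submitted total is wrong.
$result = handleCheckout([
    'qty' => ['sku-100' => '2', 'sku-200' => '1'], 'promo' => 'save10', 'total' => '1.00',
]);
printf("subtotal %.2f, discount %.2f, total %.2f\n",
    $result['subtotal'] / 100, $result['discount'] / 100, $result['total'] / 100);
```

The same approach covers the hidden-input case mentioned in the last paragraph: whatever arrives in the form is treated as a selection, and every money figure is derived again on the server.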