views:

88

answers:

3

I'm having serious problems with accepting payments.

I'm passing the total amount in a hidden field

<input type="hidden"
  name="checkout-flow-support.merchant-checkout-flow-support.shipping-methods.flat-rate-shipping-1.price"
  value="129.00"/>

Some of the users changed this value to 2 using firebug and submitted the form. Instead of getting $129, we only received $2.

I have no idea how to proceed with this. Can anyone help me quickly?

+6  A: 

I'm passing the total amount in a hidden field

Don't do this!

Since you know what items the user is attempting to purchase, calculate the cost server side.

hobodave
Well, thanks hobodave for your info. I just have a situation: if you have a "donate $15" on your site and it's just an HTML form with hidden fields, how is that going to help at that time? :(
Gobi
If it's a donation, then of course the amount is user defined. Your question doesn't indicate this is a donation type scenario. If it is, then why would a user donating $2 instead of $129 even matter?
hobodave
First rule of Distributed Computing Club is: You do NOT trust the client. The second rule of Distributed Computing Club is: You do NOT trust the client. The third rule of Distributed Computing Club is: If this is your first visit, you WILL break the rules, and we WILL beat you up for it.
Jason
+1  A: 

This is a textbook error, analogous to asking a customer at a brick-and-mortar store how much the item costs and trusting that response. It is a special case of the general security principle: don't trust the client. Hobodave's answer is correct; calculate prices, taxes, etc. server-side.

Willie Wheeler
+2  A: 

With Payment Service Providers (PSPs), the general communication setup typically goes something like:

1) Your server contacts the PSP and sets up the transaction, specifying the amount required and your PSP account details.

2) The PSP responds with a transaction identifier, which you then add to the form. This transaction identifier holds no information about the prices involved - it's simply an identifier to the transaction record your server set up with the PSP.

3) The visitor fills out the form, which is sent off to the PSP. They then redirect the visitor back to your site.

4) Your server queries the PSP server and checks that the transaction succeeded (i.e. the visitor's payment method OK'd the transaction with the PSP, etc.).

The server-to-PSP communication is typically done using a library such as curl.

Google provide a number of libraries / examples on how to correctly process transactions (and most other PSPs do the same, in my experience): http://code.google.com/apis/checkout/samplecode.html

The exact communication details may vary depending on the PSP, but basically there should not be any need to have the "total amount" ever go through the form displayed to the visitor. It's all done server-to-server so that the visitor cannot possibly change the details.

AllenJB
-1: You appear to have completely missed the point. This question has nothing to do with the Server <-> PSP communication, but the egregious developer error in accepting the cost via user input.
hobodave
Which would generally occur because the person asking the question misunderstands how the communication process between their application, the PSP and the visitor's browser is supposed to occur. Simply telling them "don't" or "that's bad" is not generally very helpful. Here I tried to explain what they should be doing instead.
AllenJB
I think Allen's response is fair. The last sentence in the response explains the "why" part...
Willie Wheeler
Meh. It's like me going to a mechanic, asking how to keep my car from accelerating wildly out of control when I have the gas pedal floored, and him explaining how an internal combustion engine works and its Carnot efficiency. And I'm pretty sure you added that last sentence in a quick edit.
hobodave
See, thing is, if this is a donation scenario, you could do something exactly like this. Basically treat it as if the customer were buying a gift card. Early in the process you have them pick the denomination, and later on they're just buying this product that's in their proverbial shopping cart. You give them all the receipts and rewards based on the initial value that was entered at the beginning, and they can't change it at the last minute and end up paying one price but being rewarded for another.
Jason
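An added example (not code from the question or from any of the answers) of the pattern hobodave and AllenJB describe: the server computes the total from item ids and its own price list, the form only ever carries an opaque transaction id, and the stored amount is checked against what the PSP reports after the redirect. The catalog, the in-memory transaction store and the simulated PSP response are constructed for illustration.

```python
import secrets
from decimal import Decimal

# Constructed sample catalog: the server's price list, never the browser's.
CATALOG = {"flat-rate-shipping-1": Decimal("129.00"), "widget": Decimal("19.99")}

# Server-side transaction store (steps 1 and 2 of the PSP flow): token -> record.
TRANSACTIONS = {}


def server_total(cart):
    """Total from item ids and quantities only; a submitted price is never used."""
    total = Decimal("0.00")
    for item_id, qty in cart.items():
        if item_id not in CATALOG or not isinstance(qty, int) or qty < 1:
            raise ValueError(f"rejected cart line: {item_id!r} x {qty!r}")
        total += CATALOG[item_id] * qty
    return total


def begin_checkout(cart, submitted_price=None):
    """Steps 1-2: record the transaction server-side, return an opaque id for the form.

    submitted_price is whatever the browser sent (e.g. the edited hidden field);
    it is only compared with the server total so tampering can be logged."""
    amount = server_total(cart)
    tampered = submitted_price is not None and Decimal(submitted_price) != amount
    token = secrets.token_urlsafe(16)  # carries no price information at all
    TRANSACTIONS[token] = {"amount": amount, "status": "pending", "tampered": tampered}
    return token


def confirm_with_psp(token, psp_status, psp_amount):
    """Step 4: the PSP's answer (simulated by the two arguments) must match our record."""
    record = TRANSACTIONS.get(token)
    if record is None:
        return False  # unknown id: nothing was ever set up server-side
    if psp_status != "SUCCESS" or Decimal(psp_amount) != record["amount"]:
        record["status"] = "failed"
        return False
    record["status"] = "paid"
    return True
```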