Change prices allowed??
My name is Paul and I'm testing the script, s-mart.cgi. I do really think it's nice, but I have a question about it and wonder if somebody could give me a hint. I can save the order form (i.e. order.html), change the price, and submit the order form with the wrong price. Is it possible to make customers unable to do that?
-- Paul Szentes (firstname.lastname@example.org), March 26, 1999
It looks like you've found a security loophole all of us have overlooked in the past... Nice find!
I am going to look into this issue and see if there is any way to make the script more secure. I am thinking possibly about making it where the script processes the order based on the contents of the user's shopping cart, rather than the form data.
Will let you know if I come up with anything.
-- BP (email@example.com), March 26, 1999.
It appears that the order is totalled correctly when it is submitted regardless of the changes made to the order form prior to submitting it.
-- Mike Lynne (firstname.lastname@example.org), March 30, 1999.
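The approach discussed in this thread, totalling the order from the server-side cart instead of the submitted form, sketched as an added example that is not S-Mart's own code. The catalog, the session cart, and the `price_<sku>` form field names are all hypothetical.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed sample data: server-side price list and the cart stored for one session.
CATALOG = {"SKU-100": Decimal("19.95"), "SKU-200": Decimal("4.50")}
SESSION_CART = {"SKU-100": 2, "SKU-200": 1}

def price_order(cart, catalog):
    """Total the order from server-side state only; form prices are never read."""
    lines = []
    for sku, qty in cart.items():
        if sku not in catalog or not isinstance(qty, int) or qty < 1:
            raise ValueError(f"invalid cart line: {sku!r} x {qty!r}")
        lines.append((sku, qty, catalog[sku] * qty))
    return lines, sum((amount for _, _, amount in lines), Decimal("0"))

def find_tampering(form_body, cart, catalog):
    """Compare prices echoed in the submitted form with the catalog, for logging."""
    fields = parse_qs(form_body, keep_blank_values=True)
    findings = []
    for sku in cart:
        submitted = fields.get(f"price_{sku}", [None])[-1]
        try:
            ok = submitted is not None and Decimal(submitted) == catalog[sku]
        except InvalidOperation:
            ok = False  # non-numeric value in a price field
        if not ok:
            findings.append((sku, submitted, str(catalog[sku])))
    return findings

def process_order(form_body, cart=SESSION_CART, catalog=CATALOG):
    """Charge the server-computed total; report form mismatches separately."""
    _lines, total = price_order(cart, catalog)
    return {"total": str(total), "tampering": find_tampering(form_body, cart, catalog)}

# Constructed submission: a saved order.html edited so SKU-100 costs 0.01.
EDITED_FORM = "price_SKU-100=0.01&price_SKU-200=4.50&total=4.52"

if __name__ == "__main__":
    print(process_order(EDITED_FORM))
```

The charged total never depends on the form body; the mismatch list exists only so that altered submissions can be logged and reviewed.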