IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / Software and Applications Forum / I note that security is not in your list of criteria?
Post #181,669
by ben_tilly
10/29/04 12:09:13 PM
Reply
New I note that security is not in your list of criteria?
So you don't mind if people can edit your prices, steal your credit cards or deface your site?

Whatever solution you go with, you should look for common security mistakes. (None of these are PHP-specific.) That means checking whether prices are kept in hidden form fields (bad, don't trust the user), try entering ' and " in each field to see if it can be made to crash (SQL injection attack giving direct access to your database) and if there are any user comment fields, see whether nasty HTML is filtered out. (Be careful, standard guides to cross-site scripting demonstrate ways to get break simple filters. Since attackers know them, you've got to try those as well.)

As for recommendations, I don't have any. Sorry. I don't use PHP...

Cheers,
Ben
I have come to believe that idealism without discipline is a quick road to disaster, while discipline without idealism is pointless. -- Aaron Ward (my brother)
Post #181,673
by drewk
Picture of drewk
10/29/04 1:08:18 PM
Reply
New Question about that
The PayPal shopping cart passes prices in hidden fields. This is only possibly a security issue. At my scale, each order will be hand-checked and assembled. If someone fakes up a page and says they're ordering something at other than the correct price I'll just void the order and file a complaint against the user with PayPal.

I would assume there's no law saying that just because someone fraudulently submits incorrect pricing on an order that I'm obliged to honor it.
===

Implicitly condoning stupidity since 2001.
Post #181,692
by ben_tilly
10/29/04 3:16:02 PM
Reply
New Good question
I'd strongly suggest asking a lawyer.

As a lay person I strongly suspect that the following factors play into it:
  1. When is a contract created?
  2. What does the contract obligate you to?
  3. How can you break it?

I know the answers to none of these. But I know that the answers can surprise.

The example that I know of is a case where someone switched price tags in a store, the purchase was rung up, paid for, and the person walked out. IIRC the person was caught before even leaving the store - yet the court ruled that a contract had been offered, accepted, and the sale was valid!

Your situation is different in that the person does not yet have product in hand. However they paid money and were shown a final purchase screen. I think (I don't know) that a contract exists at that point. However what does that contract say? If that screen say something about, "In the event of problems with your order, you will be refunded in full." then I'd suspect that you are free to reject any order for virtually any reason.

Even if you aren't covered by some clause like that, I would expect there to be law and precedent covering what happens if there is a sale but the merchant is unable (for whatever reason) to fulfill their end of the bargain. Or there could be complications due to Paypal's role in this. (Is the customer's contract with you or Paypal?)

In any case I'd suggest that you ask a lawyer. I'd bet that you'll find that you actually can refuse those orders, but I wouldn't want to count on it. Furthermore you'll sleep better if you know that you can and know why you're able to do so.

I'd also suggest that you point out the security issue to Paypal, because they really shouldn't be making elementary mistakes like this in 2004. In 1996 it was acceptable for people to not see that hidden form fields were a security problem. But now people have thought about this and the state of the art has moved on!

Cheers,
Ben
I have come to believe that idealism without discipline is a quick road to disaster, while discipline without idealism is pointless. -- Aaron Ward (my brother)
Post #181,699
by drewk
Picture of drewk
10/29/04 3:19:46 PM
Reply
New Guess I should look into the "encrypted buttons"
They've got something in their integration guide about encrypting the buttons somehow. I haven't looked yet at what it does. Thanks to this question, I think I'll do that now.
===

Implicitly condoning stupidity since 2001.
     Shopping carts? - (JayMehaffey) - (5) - Oct. 29, 2004, 11:20:19 AM EDT
         If you find one, let me know - (drewk) - Oct. 29, 2004, 11:58:45 AM EDT
         I note that security is not in your list of criteria? - (ben_tilly) - (3) - Oct. 29, 2004, 12:09:13 PM EDT
             Question about that - (drewk) - (2) - Oct. 29, 2004, 01:08:18 PM EDT
                 Good question - (ben_tilly) - (1) - Oct. 29, 2004, 03:16:02 PM EDT
                     Guess I should look into the "encrypted buttons" - (drewk) - Oct. 29, 2004, 03:19:46 PM EDT

And Bob's your uncle...
63 ms