Leaderboard

Yes, every field has to have a name attribute for PHP to recognize it. So, yeah - it's a good point, depending on how you're pages are set up you'll probably want a hidden field to pass the product ID. My point was mostly don't pass the price for the product and assume that it hasn't been modified by the user. Which leads us to the next question: Sure - put this on your local dev environment: <?php if(!empty($_POST)){ print("<p>{$_POST['hidden_field']}</p>"); }else{ print("<p>not set</p>"); } ?> <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Document</title> </head> <body> <form method="post"> <input type="hidden" name="hidden_field" value="originally set!" /> <input type="submit" /> </form> </body> </html> Load the script into your browser and click the submit button; see where 'not set' changes to 'originally set!'? Groovy - now, open your developer tools from the browser and select the field with the 'hidden_field' name attribute and change the value attribute on that field to 'hacked, yo!'. Now click the submit button again. Without any sort of validation or server-side checking, the form happily passes 'hacked, yo!' to the processing script, and if that script processed a product price the user could easily change it to 0.00 or less. *edit* If they mess with the product ID.... well, honestly who cares? They'll just end up paying the correct price and getting a different product. It doesn't really help them out at all.

Pass a product ID and quantity to the order form, then get the product price from the database and calculate the total price at that point. These fields should both be visible to the user. You can use a hidden honeypot or nonce field if you really want to, but if you're charging money I'm not sure many bots would actually pay for something at random (though I could be wrong so don't quote me on that). The only time you should deal with the price on the server-side (other than for output purposes) is when the order is being completed - you need to make sure the user doesn't use the developer tools to change the price during the sale, but once the sale is made you need to track how much the product cost at the time of the purchase in case the price changes in the future (which it will).