Danuel Posted October 19, 2015 Share Posted October 19, 2015 Hello all, This is my first post on the forum so I apologise if this is in the wrong section, it seemed to be the most "on-topic"... I am in the process of coding a discount code system for my website and the payment process is relatively long... It consists of 6 pages in total, 3 of which the user will actually visit (the others run) without you knowing. However, on the Shopping Cart I set my first session. $_SESSION['grand_total'] = $grand_total and then on the next page set a POST. $_POST['grand_total'] = $_SESSION['grand_total']; I have done this a couple times in order to get through the 6 pages to eventually pass the $_POST value to SagePay. Is this poor practice? Is this safe? Thank you. Quote Link to comment Share on other sites More sharing options...
Psycho Posted October 19, 2015 Share Posted October 19, 2015 This makes no sense $_POST['grand_total'] = $_SESSION['grand_total']; What is the purpose of setting the value of a POST value? I will assume that you have code that was hard-coded to use the value sent via POST and instead of refactoring that code you decided to just overwrite the POST value using the SESSION value. I would highly recommend refactoring the code to correctly use the appropriate value. If you have code that is referencing POST values when you aren't actually using them it will lead to confusion later on. Secondly, why use SESSION at all? You should have a DB record for the order and you can get the current/correct value on any page load that you need it. Session data can be hijacked. I'm not an expert on all the vector points of attack and someone would need to review more of your code to know if you are at risk. But, using the data stored in the DB is far safer. Quote Link to comment Share on other sites More sharing options...
Danuel Posted October 19, 2015 Author Share Posted October 19, 2015 This makes no sense $_POST['grand_total'] = $_SESSION['grand_total']; What is the purpose of setting the value of a POST value? I will assume that you have code that was hard-coded to use the value sent via POST and instead of refactoring that code you decided to just overwrite the POST value using the SESSION value. I would highly recommend refactoring the code to correctly use the appropriate value. If you have code that is referencing POST values when you aren't actually using them it will lead to confusion later on. Secondly, why use SESSION at all? You should have a DB record for the order and you can get the current/correct value on any page load that you need it. Session data can be hijacked. I'm not an expert on all the vector points of attack and someone would need to review more of your code to know if you are at risk. But, using the data stored in the DB is far safer. Psycho, thank you for spending time providing me with a detailed and informative answer. The reasoning behind me setting the POST value the same as a SESSION was due to me not being able to POST the total of the order from the first payment process page, right through to the final confirmation page. However, with the information provided - I will work on a system to pull the Order Total from the Database after I have inserted the relevant data to the database. Quote Link to comment Share on other sites More sharing options...
benanamen Posted October 19, 2015 Share Posted October 19, 2015 (edited) The reasoning behind me setting the POST value the same as a SESSION was due to me not being able to POST the total of the order from the first payment process page, right through to the final confirmation page. Still makes no sense. You are doing something wrong. And why couldn't you? You haven't shown your code, but you should be able to pass it using a hidden field. <input type="hidden" name="order_total" value="where_ever_total_comes_from"> Edited October 19, 2015 by benanamen Quote Link to comment Share on other sites More sharing options...
Psycho Posted October 19, 2015 Share Posted October 19, 2015 Still makes no sense. You are doing something wrong. And why couldn't you? You haven't shown your code, but you should be able to pass it using a hidden field. <input type="hidden" name="order_total" value="where_ever_total_comes_from"> @benanamen: This is bad advise. You should never use hidden fields to pass 'critical' data to be relied upon. All data passed via GET, POST, COOKIE, etc. should assumed to be malicious, tainted, etc. It is a trivial task to manipulate data in a hidden field. Hidden fields have their purpose but, in this case, there is no good reason to use it since you would have to compare the POST value to what is in the DB on each submission anyway. So, the logical solution is to just rely upon the DB value anyway. Quote Link to comment Share on other sites More sharing options...
benanamen Posted October 19, 2015 Share Posted October 19, 2015 (edited) This is bad advise. You know, sometimes that happens when you start posting before you had your morning coffee. Admittedly, since the OP provided literally no information I just kinda threw that out there. * Even a bad example is still an example. (Of how not to do something) Lets fix this with the right info on the subject. https://www.owasp.org/index.php/Web_Parameter_Tampering Video Explaining: https://www.youtube.com/watch?v=l5LCDEDn7FY&hd=1 Edited October 19, 2015 by benanamen Quote Link to comment Share on other sites More sharing options...
hansford Posted October 20, 2015 Share Posted October 20, 2015 Most data that gets passed around through sessions and hidden form fields seems to be non-critical data. Google and Facebook don't seem to think the data they pass around about you is all that "critical". However, my bank and credit card companies sure do. They will log me out if I spend too long taking a leak in the bathroom. Quote Link to comment Share on other sites More sharing options...
Psycho Posted October 20, 2015 Share Posted October 20, 2015 Most data that gets passed around through sessions and hidden form fields seems to be non-critical data. "Critical" in this sense is any data that you do not want the user to control or have access to. Amazon wouldn't calculate the total for your order and then populate a hidden field with that value to propagate the total through the pages to complete the order. If they did, there would be thousands of people placing orders with a cart total of $0.01 by manipulating the data. Quote Link to comment Share on other sites More sharing options...
benanamen Posted October 20, 2015 Share Posted October 20, 2015 (edited) @Psycho, I was just thinking, if you are using real time credit card processing, at some point you are going to have to pass the total value to the third party processor such as paypal or authorizenet. How do you propose to do that without the total being $_POST'd from a hidden field or where ever? Edited October 20, 2015 by benanamen Quote Link to comment Share on other sites More sharing options...
scootstah Posted October 20, 2015 Share Posted October 20, 2015 @Psycho, I was just thinking, if you are using real time credit card processing, at some point you are going to have to pass the total value to the third party processor such as paypal or authorizenet. How do you propose to do that without the total being $_POST'd from a hidden field or where ever? The request would be server -> payment gateway, not client -> server. Quote Link to comment Share on other sites More sharing options...
Psycho Posted October 21, 2015 Share Posted October 21, 2015 @Psycho, I was just thinking, if you are using real time credit card processing, at some point you are going to have to pass the total value to the third party processor such as paypal or authorizenet. How do you propose to do that without the total being $_POST'd from a hidden field or where ever? The request would be server -> payment gateway, not client -> server. Exactly! The 3rd party site has to provide the CC processor with the amount to be charged. What we are talking about here is an ordering workflow where the application calculates the order total at the beginning of the checkout process and then passes that total through several pages to complete the order. It is a fairly simple task to manipulate values in a hidden field. So, it would be foolish to rely upon that calculated value once it is submitted from the client to the next page. Just calculate the total and stare it as part of the order in the DB. Quote Link to comment Share on other sites More sharing options...
benanamen Posted October 21, 2015 Share Posted October 21, 2015 I just looked at an OpenCart DB I have on the server and it does indeed store the total in the order table. Thanks for the feedback. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.