Jump to content

Recommended Posts

Hello all,

 

This is my first post on the forum so I apologise if this is in the wrong section, it seemed to be the most "on-topic"...

 

I am in the process of coding a discount code system for my website and the payment process is relatively long... It consists of 6 pages in total, 3 of which the user will actually visit (the others run) without you knowing.

 

However, on the Shopping Cart I set my first session. $_SESSION['grand_total'] = $grand_total and then on the next page set a POST.

 

$_POST['grand_total'] = $_SESSION['grand_total'];

 

I have done this a couple times in order to get through the 6 pages to eventually pass the $_POST value to SagePay.

 

Is this poor practice?

Is this safe?

 

Thank you.

This makes no sense

 

$_POST['grand_total'] = $_SESSION['grand_total'];

 

What is the purpose of setting the value of a POST value? I will assume that you have code that was hard-coded to use the value sent via POST and instead of refactoring that code you decided to just overwrite the POST value using the SESSION value. I would highly recommend refactoring the code to correctly use the appropriate value. If you have code that is referencing POST values when you aren't actually using them it will lead to confusion later on.

 

Secondly, why use SESSION at all? You should have a DB record for the order and you can get the current/correct value on any page load that you need it. Session data can be hijacked. I'm not an expert on all the vector points of attack and someone would need to review more of your code to know if you are at risk. But, using the data stored in the DB is far safer.

This makes no sense

$_POST['grand_total'] = $_SESSION['grand_total'];

What is the purpose of setting the value of a POST value? I will assume that you have code that was hard-coded to use the value sent via POST and instead of refactoring that code you decided to just overwrite the POST value using the SESSION value. I would highly recommend refactoring the code to correctly use the appropriate value. If you have code that is referencing POST values when you aren't actually using them it will lead to confusion later on.

 

Secondly, why use SESSION at all? You should have a DB record for the order and you can get the current/correct value on any page load that you need it. Session data can be hijacked. I'm not an expert on all the vector points of attack and someone would need to review more of your code to know if you are at risk. But, using the data stored in the DB is far safer.

Psycho, thank you for spending time providing me with a detailed and informative answer. The reasoning behind me setting the POST value the same as a SESSION was due to me not being able to POST the total of the order from the first payment process page, right through to the final confirmation page.

 

However, with the information provided - I will work on a system to pull the Order Total from the Database after I have inserted the relevant data to the database. :)

The reasoning behind me setting the POST value the same as a SESSION was due to me not being able to POST the total of the order from the first payment process page, right through to the final confirmation page.

 

Still makes no sense. You are doing something wrong. And why couldn't you? You haven't shown your code, but you should be able to pass it using a hidden field.

<input type="hidden" name="order_total" value="where_ever_total_comes_from">   
Edited by benanamen

 

Still makes no sense. You are doing something wrong. And why couldn't you? You haven't shown your code, but you should be able to pass it using a hidden field.

<input type="hidden" name="order_total" value="where_ever_total_comes_from">   

 

@benanamen:

 

This is bad advise. You should never use hidden fields to pass 'critical' data to be relied upon. All data passed via GET, POST, COOKIE, etc. should assumed to be malicious, tainted, etc. It is a trivial task to manipulate data in a hidden field. Hidden fields have their purpose but, in this case, there is no good reason to use it since you would have to compare the POST value to what is in the DB on each submission anyway. So, the logical solution is to just rely upon the DB value anyway.

This is bad advise.

 

You know, sometimes that happens when you start posting before you had your morning coffee. Admittedly, since the OP provided literally no information I just kinda threw that out there.  :suicide:

 

* Even a bad example is still an example. (Of how not to do something)

 

 

Lets fix this with the right info on the subject.

https://www.owasp.org/index.php/Web_Parameter_Tampering

 

Video Explaining:

https://www.youtube.com/watch?v=l5LCDEDn7FY&hd=1

Edited by benanamen

Most data that gets passed around through sessions and hidden form fields seems to be non-critical data. Google and Facebook don't seem to think the data they pass around about you is all that "critical". However, my bank and credit card companies sure do. They will log me out if I spend too long taking a leak in the bathroom.

Most data that gets passed around through sessions and hidden form fields seems to be non-critical data.

 

"Critical" in this sense is any data that you do not want the user to control or have access to. Amazon wouldn't calculate the total for your order and then populate a hidden field with that value to propagate the total through the pages to complete the order. If they did, there would be thousands of people placing orders with a cart total of $0.01 by manipulating the data.

@Psycho,

 

I was just thinking, if you are using real time credit card processing, at some point you are going to have to pass the total value to the third party processor such as paypal or authorizenet. How do you propose to do that without the total being $_POST'd from a hidden field or where ever?

Edited by benanamen

@Psycho,

 

I was just thinking, if you are using real time credit card processing, at some point you are going to have to pass the total value to the third party processor such as paypal or authorizenet. How do you propose to do that without the total being $_POST'd from a hidden field or where ever?

The request would be server -> payment gateway, not client -> server.

 

@Psycho,

 

I was just thinking, if you are using real time credit card processing, at some point you are going to have to pass the total value to the third party processor such as paypal or authorizenet. How do you propose to do that without the total being $_POST'd from a hidden field or where ever?

 

 

The request would be server -> payment gateway, not client -> server.

 

Exactly! The 3rd party site has to provide the CC processor with the amount to be charged. What we are talking about here is an ordering workflow where the application calculates the order total at the beginning of the checkout process and then passes that total through several pages to complete the order. It is a fairly simple task to manipulate values in a hidden field. So, it would be foolish to rely upon that calculated value once it is submitted from the client to the next page. Just calculate the total and stare it as part of the order in the DB.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.