
Hello Everyone,

I am working on a shopping cart system right now. It is pretty much done. It's pretty secure, but I am trying to think of all the different possible security holes there may be and trying to plug them. The simplest one I thought of, from someone who wants to just mess with the system, is being able to go through the different steps of the checkout just by changing the number at the top. I just have a switch with different cases to go through the steps of my checkout system. If they changed the number from checkout1 to checkout2 on their own, they may be skipping pages and see errors. That in itself is not a problem, and is an easy fix; however, then I was thinking: if I make a hidden variable in the form and then send it to the next page so the next page checks for it (that way they need to go in order or else the hidden variable won't be sent), what will prevent someone from making a form on another server, then just looking at the source code of my form and using that to exploit my system somehow...

I don't know, I'm just trying to cover all possible ground. So I am thinking, OK, first I need a hidden variable to be passed for each page, then I need to have some sort of server check. I also thought, well, if this hacker or whoever was smart enough, he could possibly exploit the fact that I have a world-writable folder for pictures on the server. He may then be able to use that and place a form on the server and do something like that... So maybe I need a folder check also or something?

I am not sure if my train of thought is correct. Should I even be concerned about anything beyond skipping pages? I have the proper SSL certs, and everything goes in and out encrypted. What other things are needed to protect the system and maybe credit card info... BTW, all this info is encrypted, placed into a database, unencrypted and then sent through PayPal to be processed while running through a secure server.

Thanks!

I have learned recently that if your script is dependent on a certain variable, don't pass it in the URL. Use a session instead. For your page check item, I needed this as well. Again, $_SESSION was the answer.

If you need to ensure that a user came from a particular page, try something like this.

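page1.php

session_start(); // must be called before $_SESSION is used
$_SESSION['page_check']='page1.php';

page2.php

<?php
session_start(); // resume the session started on page1.php
// isset() avoids an undefined-index notice when the user lands here directly
if(isset($_SESSION['page_check']) && $_SESSION['page_check']=='page1.php')
{
     echo 'User came from the proper page, so do your thing.';
}
else
{
    echo 'user did not come from proper page. Send em back with a header redirect.';
}
?>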
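The session check above, extended to a multi-step checkout with a per-session form token that a form hosted on another server cannot supply. This is an added example, not code from anyone in the thread; the file name, the `checkout.php?step=N` URL, the session keys, the function names and the step count are all assumptions.

```php
<?php
// Added example: checkout_guard.php (hypothetical name), included by every checkout step.
session_start();

const CHECKOUT_STEPS = 4; // assumption: the cart has steps 1..4

// Highest step this session has completed; 0 means none yet.
function completed_step(): int
{
    return (int)($_SESSION['checkout_done'] ?? 0);
}

// Allow step N only when steps 1..N-1 are done; otherwise send the
// visitor to the next step they are actually entitled to see.
function require_step(int $step): void
{
    $next = min(completed_step() + 1, CHECKOUT_STEPS);
    if ($step < 1 || $step > $next) {
        header('Location: checkout.php?step=' . $next, true, 303);
        exit;
    }
}

// Random per-session token, emitted as a hidden field in each step's form.
function form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Call when a step's form is POSTed and its input has been validated.
// The step counter lives only in the session, so editing the URL or the
// hidden field cannot advance it.
function complete_step(int $step): void
{
    require_step($step);
    $sent = $_POST['token'] ?? '';
    if (!is_string($sent) || !hash_equals(form_token(), $sent)) {
        http_response_code(403);
        exit('Invalid form token');
    }
    $_SESSION['checkout_done'] = max(completed_step(), $step);
}
```

Each step page calls `require_step($n)` before rendering and `complete_step($n)` when its form is submitted; the hidden field carries only the token, never the step number.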

Ahhh yea! That's a good idea. I want to stay as far away from putting things into the URL as possible. Sometimes it is needed, like for article numbers, user profiles or some sort of hierarchy, but for a cart system I think the less in there the better.

Also, I thought of something else. On an Apache server, how likely is it that someone would be able to download one of my PayPal files that holds some constants needed to protect the account, if there is an index page for the folder it is placed in? Is there another way that someone could view the hierarchy of files without admin access to the server?

Use a .htaccess file to limit access to 127.0.0.1.

I used this and my script is the only thing that can access that directory.

In that directory, make a new file called .htaccess

In .htaccess, place this:

order allow,deny
allow from 127.0.0.1
deny from all

Keeps everyone out but the script.

Oh, just a little update on this topic in case others are also interested. I read up on htaccess, and instead of using the allow from 127.0.0.1 (which did work) I used allow from domainname.com. The reason is that I realized I was on a shared hosting account and I wasn't sure if requests from other people with the same IP would be accepted if I used 127.0.0.1.
