Re: shopping cart implementation

For the cart, make sure you validate any options, etc from the DB when adding to the cart and checking out. DO NOT use form fields for price. It warrants repeating. Validate everything at Checkout.

As far as storing CC don't longer than you have to. You're better off with setting up a CC server for it. If not, store it as a GPG encrypted chunk. (There's a nice tie module for this.) Make sure the secret key is off of the server.

Depending on how you need to access the data after the order, you could store the non-payment info with a different key that could be read by the server.

update
Also, see this node for ideas.
-Lee

"To be civilized is to deny one's nature."

Comment on Re: shopping cart implementation

Replies are listed 'Best First'.
Re: Re: shopping cart implementation by perrin (Chancellor) on Sep 16, 2002 at 19:35 UTC
DO NOT use form fields for price. Incidentally, this is my favorite web security bug. I am amazed by how many people have done this. I'll take two new PCs for $3.00 please.	[reply]
Re: Re: Re: shopping cart implementation by shotgunefx (Parson) on Sep 16, 2002 at 19:56 UTC
I must confess, I once HAD to do this to interface to a third party service, no other way. I did however validate it before they could finish the check out and when orders were imported. Suprisingly, no one even attempted it. (This is not downplaying the danger! It only takes a couple HDTV flat panels and your ****ED.) -Lee "To be civilized is to deny one's nature."	[reply]