This story about Electronic Pricetag Alteration (linked to from <A HREF="http://www.slashdot.org">SlashDot</A>) I consider relevant to what a lot of us do, or have done.

Let's take a look at the basic flaw in this whole scheme, which is considering data submitted in a form to be secure. Why would these morons use information like that in the form? If the pricing is in the database, why are they relying on pricing data in the form in the first place?

Now, I'm no mondo-web designer (if you've seen the stats pages, you'll surely agree), and I'm sure not qualified to write a full-blown shopping cart application like Amazon, etc. use. But I am sure as hell smart enough to recognize right off the bat that you don't give users that kind of opportunity. What's wrong with a SKU number? If you have special pricing offers, and you need to write the price to the web page for the user to see, you know you have a special price, and the SKU (however short-lived it may be for that offer) contains the price. This means if someone jacks around with the SKU, they're getting a different product, and they're still going to pay whatever the jacked SKU costs.

I know there are a lot of people who shouldn't be writing software out there (heck, some people probably think I fall into that category!). I'm no mega-cracker or system jacker, but even I knew you didn't want to do this before I knew anything about web programming. So, who are these people that write these fancy apps, that aren't smart enough to know something that basic? This seems like a real dichotomy, that they're smart enough to write a moderately sophisticated shopping app, but not smart enough to isolate tamperable data from the user.

So, if you're one of these people writing applications that involve people paying for things, you might want to take this into consideration. Or, if your co-workers/boss tell you that it's perfectly safe, make sure that it's not your paycheck they'll be taking the price difference out of when someone jacks a $1900 laptop down to $1.90...

Real world evil, people, real world evil. It's not just a theory, it happens quite a bit.

--Chris

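The design point made in the post above, as an added illustration that is not part of the original node: a checkout handler that trusts a hidden <code>price</code> field beside one that only accepts a SKU and prices it from a server-side catalog. The catalog contents, SKU names and the form submission are constructed sample data.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Server-side catalog (constructed sample data). The SKU is the only thing
# the client gets to choose; the price lives here, never in the form.
# A short-lived promotional offer is just another SKU with its own price.
CATALOG = {
    "LAPTOP-17": Decimal("1900.00"),
    "LAPTOP-17-PROMO": Decimal("1750.00"),
}


def vulnerable_total(query_string):
    """The flawed design: charges whatever the browser put in 'price'."""
    form = parse_qs(query_string)
    qty = int(form["qty"][0])
    return Decimal(form["price"][0]) * qty


def hardened_total(query_string):
    """Price comes from the catalog keyed by SKU; a 'price' field is ignored.

    An unknown SKU is rejected rather than priced at zero, and the quantity
    is bounded so a negative or huge value cannot produce a bogus total.
    """
    form = parse_qs(query_string)
    sku = form.get("sku", [""])[0]
    if sku not in CATALOG:
        raise ValueError("unknown SKU: %r" % sku)
    qty = int(form.get("qty", ["0"])[0])
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range: %d" % qty)
    return CATALOG[sku] * qty


def price_field_mismatch(query_string):
    """Detection hook: True when a client-sent 'price' disagrees with the
    catalog. Worth logging even after the fix, since a mismatch means the
    form was edited outside the normal page flow."""
    form = parse_qs(query_string)
    sku = form.get("sku", [""])[0]
    sent = form.get("price")
    if sku not in CATALOG or not sent:
        return False
    return Decimal(sent[0]) != CATALOG[sku]


# Constructed submission: the hidden price was edited from 1900.00 to 1.90.
TAMPERED = "sku=LAPTOP-17&price=1.90&qty=1"
```

Running <code>vulnerable_total(TAMPERED)</code> yields 1.90 while <code>hardened_total(TAMPERED)</code> yields 1900.00, and <code>price_field_mismatch(TAMPERED)</code> flags the edited form.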

In reply to Electronic Pricetag Alteration by jcwren
