in reply to Re: perl shopping cart
in thread perl shopping cart

Your shopping cart seems to have one of the vulnerabilities mentioned above:
<input value="15.00" name="price0" type="hidden">
Please correct me if I am wrong, but I think your cart just granted me a 30$ discount ;-)

Re^3: perl shopping cart
by gothic_mallard (Pilgrim) on Oct 27, 2004 at 13:19 UTC

    With things like that, the values that are getting passed around should be for front-end display only - the only really important information that needs to be passed back is what item you want and how many. You should already know what items cost, so when you receive an order you can bill accordingly.

    --- Jay

    All code is untested unless otherwise stated.
    All opinions expressed are my own and are intended as guidance, not gospel; please treat what I say as such and as Abigail said Think for yourself.
    If in doubt ask.

      But then, why would one use easily manipulable form values for frontend display if you create the actual order based on the real price anyways?
      That sounds like a lot of duplicate work, why not simply take and calc the prices from the authoritative source?
      This cart seems to use the hidden form values to do its (server-side) calculations (total, tax, etc.)
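
The server-side pricing discussed in the replies above, as an added example that is not part of the original thread or the cart's own code: the order is priced from a catalog held on the server, and a submitted `price0` is only compared against it so an edited value shows up in the log instead of on the invoice. The field names `item<N>` and `qty<N>`, the SKUs and the catalog prices are assumptions made for illustration; only `price0` and its value come from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed catalog: authoritative prices in cents, kept on the server.
my %CATALOG = (
    'SKU-100' => { name => 'Widget', cents => 4500 },
    'SKU-200' => { name => 'Gadget', cents => 1999 },
);

# Format integer cents as a decimal amount.
sub fmt { my ($c) = @_; return sprintf '%d.%02d', int($c / 100), $c % 100 }

# Price an order from submitted form fields. item<N> and qty<N> are validated
# and used; a submitted price<N> is only compared against the catalog.
sub price_order {
    my (%form) = @_;
    my $total = 0;
    my @warnings;
    for my $key (sort grep { /\Aitem\d+\z/ } keys %form) {
        my ($n) = $key =~ /(\d+)\z/;
        my $sku = $form{$key};
        my $item = $CATALOG{$sku} or die "unknown item '$sku'\n";
        my $qty = $form{"qty$n"} // '';
        $qty =~ /\A[1-9]\d{0,2}\z/ or die "bad quantity for $sku\n";
        $total += $item->{cents} * $qty;    # price comes from the catalog only

        my $claimed = $form{"price$n"};
        next unless defined $claimed;
        my $matches = $claimed =~ /\A(\d+)\.(\d\d)\z/
            && $1 * 100 + $2 == $item->{cents};
        push @warnings, "price$n='$claimed' but $sku costs " . fmt($item->{cents})
            unless $matches;
    }
    return ($total, \@warnings);
}

# Constructed request: price0 carries the edited value quoted in the thread.
my ($total, $warnings) = price_order(
    item0 => 'SKU-100', qty0 => 1, price0 => '15.00',
    item1 => 'SKU-200', qty1 => 2, price1 => '19.99',
);
print "total: ", fmt($total), "\n";
print "tamper warning: $_\n" for @$warnings;
```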