Guest
Posted March 10, 2006

I have a store that uses No Chex as a payment method.

When a customer is at checkout_confirmation.php, if they replace it with checkout_process.php the order is then accepted and added to the person's account as paid.

This is not a problem as I also get an email from NoChex to inform me payment has been made, so if I don't then no goods are sent.

However, if the products are downloads this could prove a problem.

Any ideas?

Russell

PS I am not using SSL as payments are taken by No Chex.

Guest
Posted March 11, 2006

There are many things you could do, a couple of them:

Change the catalog\download.php file where it does the query for the download and add an extra check for the order download status if it's set to delivered. Thus only the administrator can change the order status once the payment is through.

Add an extra session variable or use an existing one during checkout that will monitor the sequence of the checkout pages and act accordingly. You could for example log out the visitor automatically or ban an IP when the code detects foul play.

Guest
Posted March 11, 2006

> There are many things you could do, a couple of them:
>
> Change the catalog\download.php file where it does the query for the download and add an extra check for the order download status if it's set to delivered. Thus only the administrator can change the order status once the payment is through.
>
> Add an extra session variable or use an existing one during checkout that will monitor the sequence of the checkout pages and act accordingly. You could for example log out the visitor automatically or ban an IP when the code detects foul play.

OK, thanks for that. The status I had already figured out, but it is a pain for customers to wait for download authorisation.

The No Chex code is:

    returnurl', tep_href_link(FILENAME_CHECKOUT_PROCESS,

therefore it does it automatically on the return when payment is made.

I am not sure how to write another session. Banning an IP can be tiresome, and so many people are using non-static IP addresses that they constantly change.

I think that all payment modules are made that way, but I thought I would point it out so people are aware that this can happen. Don't ask me why I tried it LOL

Anyway, an idea I just thought of is to rename the checkout_process.php and then edit the FILENAME to the new name. I have not tried this as I have only just thought of it, but at least you would be the only person that knew the new name, as I don't think people can see the name anywhere.

Guest
Posted March 11, 2006

> The No Chex code is:
>
>     returnurl', tep_href_link(FILENAME_CHECKOUT_PROCESS,
>
> therefore it does it automatically on the return when payment is made.

Then you can automate it once you have a successful response from the gateway to enable it. But again, they can change the returned data if the response is simply posted.

> Anyway, an idea I just thought of is to rename the checkout_process.php and then edit the FILENAME to the new name. I have not tried this as I have only just thought of it, but at least you would be the only person that knew the new name, as I don't think people can see the name anywhere.

Same here: they can examine the form in the checkout_confirmation page and figure out the success response. Unless you exchange data with the gateway by other means. The session is far more effective and it's up to you how to process it.

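The two ideas raised in the replies above (gating the download on order status, and exchanging data with the gateway by means other than the customer's browser) fit together as shown in this PHP example, which is added here and is not code from any poster, from osCommerce or from Nochex. The function names, the in-memory order store and the HMAC-signed server-to-server notification are assumptions for illustration; the thread does not describe how Nochex itself confirms a payment.

```php
<?php
// Assumption: the gateway signs its server-to-server notification with a shared secret.
const GATEWAY_SECRET = 'constructed-shared-secret';

// Constructed in-memory stand-in for the orders table: id => [amount, status].
$orders = [];

// checkout_confirmation step: store the order as pending before the customer leaves for the gateway.
function create_pending_order(array &$orders, string $amount): string {
    $id = bin2hex(random_bytes(8));
    $orders[$id] = ['amount' => $amount, 'status' => 'pending'];
    return $id;
}

// Notification endpoint called by the gateway, not by the browser.
// This is the only code path allowed to mark an order as paid.
function handle_gateway_notification(array &$orders, string $id, string $amount, string $sig): bool {
    $expected = hash_hmac('sha256', $id . '|' . $amount, GATEWAY_SECRET);
    if (!hash_equals($expected, $sig)) {
        return false; // forged or altered notification
    }
    if (!isset($orders[$id]) || $orders[$id]['amount'] !== $amount) {
        return false; // unknown order, or amount differs from what was ordered
    }
    $orders[$id]['status'] = 'paid';
    return true;
}

// Gate used by checkout_process.php and download.php: a browser request
// reaching the page is not treated as evidence of payment.
function may_release_download(array $orders, string $id): bool {
    return isset($orders[$id]) && $orders[$id]['status'] === 'paid';
}

// Constructed walk-through.
$id = create_pending_order($orders, '9.99');
var_dump(may_release_download($orders, $id)); // customer requests checkout_process.php directly
var_dump(handle_gateway_notification($orders, $id, '9.99', str_repeat('0', 64))); // bad signature
$sig = hash_hmac('sha256', $id . '|9.99', GATEWAY_SECRET);
var_dump(handle_gateway_notification($orders, $id, '9.99', $sig)); // genuine notification
var_dump(may_release_download($orders, $id));
```

With this arrangement the return URL only shows the customer the current order state, so neither renaming checkout_process.php nor hiding the form fields is needed.
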
Guest
Posted March 11, 2006

> Then you can automate it once you have a successful response from the gateway to enable it. But again, they can change the returned data if the response is simply posted.
>
> Same here: they can examine the form in the checkout_confirmation page and figure out the success response. Unless you exchange data with the gateway by other means. The session is far more effective and it's up to you how to process it.

OK, I have just checked the source code and you are right, anyone can see it.

As said before, I have no idea about writing a session, and as I feel this is quite a security problem for anyone that does do automatic downloads, can anyone look into this who does know how to write such clever stuff?

I do not offer downloads so it does not affect me at the moment, but I am thinking of it in the future.

Many thanks

PS I know there are programs or even code that can hide your source code, but I have found some of these do not work in Firefox. Am I paranoid or what?

Vger
Posted March 11, 2006

If you do supply downloads then install Downloads Controller.

Vger

Guest
Posted March 11, 2006

PHP code is not visible to visitors. The generated HTML code is. But every form has variables visible in HTML format. Here is another post for the status of the order. Or you could install the contrib Rhea suggested, http://www.oscommerce.com/forums/index.php?showtopic=195731