
osCommerce


Order security


tkw829


I'm a relative newbie, so this may be addressed or out of scope for this product. I am doing some testing for a new install, and I noticed that customers receive emails with a link for new orders in this format:

https://www.storefront.com/shop/account_his...php?order_id=23

It occurred to me that if someone were to log in and change the order_id, they could view orders belonging to other customers. Am I mistaken?

Troy Wilson

Keepsake-storybooks.com


You can easily try this. It doesn't work. First the customer is asked to log in, and after that he sees only his own orders in the account history.

 

abra

The First Law of E-Commerce: If the user can't find the product, the user can't buy the product.

 

Feedback and suggestions on my shop welcome.

 

Note: My advice is based on my own experience or on something I read in these forums. No guarantee it'll work for you! Make sure that you always BACKUP the database and the files you are going to change so that you can rollback to a working version if things go wrong.
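
The behaviour described in the reply above (a logged-in customer sees only their own orders, whatever order_id is in the URL) depends on a server-side ownership check. The following is an added example, not part of the original thread and not osCommerce's own code; it uses a constructed in-memory SQLite table, and the table, column and function names are assumptions.

```php
<?php
// Added example: constructed schema and data, not osCommerce's own code.
// Requires the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE orders (
    order_id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL, total TEXT NOT NULL)');
$pdo->exec("INSERT INTO orders VALUES (22, 7, '19.95'), (23, 8, '42.00')");

/**
 * Return the order only if it belongs to the logged-in customer.
 * $rawOrderId comes from the URL and is untrusted; $sessionCustomerId
 * comes from the server-side session, never from the request.
 */
function fetchOwnOrder(PDO $pdo, $rawOrderId, ?int $sessionCustomerId): ?array
{
    if ($sessionCustomerId === null) {
        return null; // not logged in: the caller redirects to the login page
    }
    // Accept only a plain positive integer; "23abc", "23 OR 1=1" and arrays fail here.
    $orderId = filter_var($rawOrderId, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($orderId === false) {
        return null;
    }
    // Ownership is part of the WHERE clause, so another customer's order
    // is indistinguishable from an order that does not exist.
    $stmt = $pdo->prepare(
        'SELECT order_id, total FROM orders
          WHERE order_id = :oid AND customer_id = :cid');
    $stmt->execute([':oid' => $orderId, ':cid' => $sessionCustomerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Customer 7 is logged in and edits order_id in the emailed link.
$cases = [
    '22'        => 'own order',
    '23'        => "another customer's order",
    '999'       => 'nonexistent order',
    '23 OR 1=1' => 'malformed value',
];
foreach ($cases as $orderId => $label) {
    $order = fetchOwnOrder($pdo, $orderId, 7);
    printf("order_id=%-10s %-26s => %s\n", $orderId, $label,
        $order === null ? 'not shown' : 'shown, total ' . $order['total']);
}
```

To confirm the same behaviour on a test install, place orders from two customer accounts, log in as one and request the other's order_id; the page should not display that order.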


Archived

This topic is now archived and is closed to further replies.
