
Payment modules security problem!



Hi there,

I have noticed this behavior with the PayPal module, but it might very well be present with other payment modules. In fact, I don't see how it could not.


First, a little background: I rely on the order status to trigger certain things, like when my (custom) order status "Paid" is set, the shipping details go to the logistics company etc.

To that end there must not be any possibility for the end user to change that status (i.e. hack!).


Now what is doable, at least using PayPal with IPN, is the following:

Since we go from checkout_confirmation.php to PayPal, which (optionally) redirects us back to checkout_success.php or such, checkout_process.php is never called, which is good, as the script in the ext/ directory sets the new order status.

However, instead of paying via PayPal, the technically skilled customer could just call the checkout_process.php manually, which would call the before_process() function of the payment module, which would set the status to "Paid" or "Complete" or whatever you have as PAYPAL_[...]_ORDER_STATUS_ID.


Of course that is not acceptable since, as mentioned, I need the order status as my absolute and secure indicator of what is going on with the order. So how is this supposed to work at all?? Seems like an inherent security flaw to me.


But, I am not just complaining, I also have a solution which works for me:


In checkout_process.php I am only calling before_process() (and whatever follows) if the payment module allows me to do so (this is set in the allowed_process variable).

if ($GLOBALS[$payment->selected_module]->allow_process === true) {
 // load the before_process function from the payment modules
} else {
 // the case where the logic is completely inside the payment module
}


Any thoughts?
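
The gate described in this post, as an added example that is not part of the original post and is not osCommerce code: a stand-alone PHP sketch in which the checkout step calls before_process() only when the selected module sets allow_process to true, and fails closed for modules that never declare the flag. The class names, run_checkout_process(), ipn_handler() and the status constants are hypothetical stand-ins.

```php
<?php
// Added illustration; all names below are hypothetical, not osCommerce code.
const STATUS_PENDING = 1;
const STATUS_PAID    = 2;

// Off-site module: payment is confirmed out of band by an IPN callback.
class OffsiteModule {
    public $allow_process = false;   // a browser request may not finalize the order
    public function before_process(array &$order) { $order['status'] = STATUS_PAID; }
}

// On-site module: payment completes inside the checkout request itself.
class OnsiteModule {
    public $allow_process = true;
    public function before_process(array &$order) { $order['status'] = STATUS_PAID; }
}

// Older module that never declared the flag; it must be treated as "not allowed".
class LegacyModule {
    public function before_process(array &$order) { $order['status'] = STATUS_PAID; }
}

// Stand-in for the gate in checkout_process.php: before_process() runs only
// when the selected module explicitly opts in with allow_process === true.
function run_checkout_process(object $module, array &$order): bool {
    $allowed = property_exists($module, 'allow_process')
        && $module->allow_process === true;
    if (!$allowed) {
        return false;                // order status is left untouched
    }
    $module->before_process($order);
    return true;
}

// Stand-in for the server-to-server script in ext/: the only path that marks
// an off-site order as paid, and only once the notification has been verified.
function ipn_handler(array &$order, bool $verified): void {
    if ($verified) {
        $order['status'] = STATUS_PAID;
    }
}

// Constructed sample: the same pending order hits the checkout step directly.
foreach ([new OffsiteModule(), new LegacyModule(), new OnsiteModule()] as $module) {
    $order = ['id' => 1001, 'status' => STATUS_PENDING];
    $ran = run_checkout_process($module, $order);
    printf("%-14s processed=%s status=%d\n", get_class($module), var_export($ran, true), $order['status']);
}
```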
