Bryan, posted February 17, 2003: There is a link to account_history_info.php with the invoice number in the query string. What prevents someone from hacking this URL and looking at all invoices to see what people are ordering and getting their mailing address, etc.? Any preventive measures available? For example I receive the following as part of my email confirmation: Detailed Invoice: https://www.whatever.com/store/catalog/acco....php?order_id=1 Couldn't someone always follow this URL and change the order_id in the query string?
rseigel, posted February 17, 2003: I haven't looked at the code but I'm assuming that a person would have to be logged in and it would have to actually be an order that was made for their account. :? Yep:

    // Gate 1: nobody without a customer_id in the session gets any further.
    if (!tep_session_is_registered('customer_id')) {
      $navigation->set_snapshot();
      tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
    }

    // Gate 2: look up who owns the order named in the query string...
    $customer_number_query = tep_db_query("select customers_id from " . TABLE_ORDERS . " where orders_id = '" . tep_db_input(tep_db_prepare_input($HTTP_GET_VARS['order_id'])) . "'");
    $customer_number = tep_db_fetch_array($customer_number_query);

    // ...and bounce anyone who is not that customer back to their own history page.
    if ($customer_number['customers_id'] != $customer_id) {
      tep_redirect(tep_href_link(FILENAME_ACCOUNT_HISTORY, '', 'SSL'));
    }

That snippet takes care of it. :wink:
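An added example, not code from this thread or from osCommerce: a small Python model of the two gates above (session check, then order-ownership check) against an in-memory SQLite table, so the behaviour can be pinned down in a regression test. The table contents, customer ids and the Outcome names are constructed for the example.

```python
import sqlite3
from enum import Enum


class Outcome(Enum):
    REDIRECT_LOGIN = "login"              # no customer_id in the session
    REDIRECT_HISTORY = "account_history"  # order exists but is not this customer's, or does not exist
    SHOW = "show"                         # render the invoice


def make_db():
    """Constructed sample data: customer 10 owns orders 1 and 2, customer 11 owns order 3."""
    db = sqlite3.connect(":memory:")
    db.execute("create table orders (orders_id integer primary key, customers_id integer not null)")
    db.executemany("insert into orders values (?, ?)", [(1, 10), (2, 10), (3, 11)])
    return db


def authorize_order_view(db, session, raw_order_id):
    """Model of the checks in account_history_info.php.

    session       -- dict standing in for the PHP session; 'customer_id' is
                     present only after login (tep_session_is_registered).
    raw_order_id  -- the untrusted order_id query-string value, as a string.
    """
    # Gate 1: not logged in -> login page, regardless of the order id.
    if "customer_id" not in session:
        return Outcome.REDIRECT_LOGIN

    # The id is an untrusted string; anything that is not a plain integer
    # cannot name an order, so treat it like an unknown order.
    if not raw_order_id.isdigit():
        return Outcome.REDIRECT_HISTORY

    # Gate 2: who owns this order?  Parameterised query, no string building.
    row = db.execute(
        "select customers_id from orders where orders_id = ?", (int(raw_order_id),)
    ).fetchone()

    # Unknown order: the PHP code compares a missing value with the session id
    # and redirects as well, so model that explicitly instead of crashing.
    if row is None or row[0] != session["customer_id"]:
        return Outcome.REDIRECT_HISTORY
    return Outcome.SHOW
```

The first assertion set in a test for this would be: anonymous request to any id redirects to login; a logged-in customer sees only ids the orders table attributes to them.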
Bryan (author), posted February 17, 2003: OK, good to hear. So because I was logged in and all orders I checked were actually orders I placed (test orders) I was able to hack the query string? Thanks for the reassurance :D
mugitty, posted February 17, 2003: Bryan; If I'm not mistaken, clicking on that link takes you to the login screen and you would have to login before you saw any invoices. ... if you want to REALLY see something that doesn't set up right out of the box without some tweaking, try being a Foster Parent!
Bryan (author), posted February 17, 2003: Excellent, that is what I was hoping for (actually my client was). Thanks for the quick feedback.
This topic is now archived and is closed to further replies.