osCommerce

Question on invoice sent after order ...


Bryan

There is a link to account_history_info.php with the invoice number in the query string. What prevents someone from hacking this URL and looking at all invoices to see what people are ordering and getting their mailing address, etc.? Any preventative measures available? For example, I receive the following as part of my email confirmation:

Detailed Invoice: https://www.whatever.com/store/catalog/acco....php?order_id=1

Couldn't someone always follow this URL and change the order_id in the query string?

I haven't looked at the code but I'm assuming that a person would have to be logged in and it would have to actually be an order that was made for their account. :?

Yep:

  // Not logged in: remember where the visitor was, then send them to the login page.
  if (!tep_session_is_registered('customer_id')) {
    $navigation->set_snapshot();
    tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
  }

  // Look up who placed the order named in the query string.
  $customer_number_query = tep_db_query("select customers_id from " . TABLE_ORDERS . " where orders_id = '" . tep_db_input(tep_db_prepare_input($HTTP_GET_VARS['order_id'])) . "'");
  $customer_number = tep_db_fetch_array($customer_number_query);

  // $customer_id comes from the session, not from the URL. If the order belongs to
  // someone else, bounce back to the customer's own order list.
  if ($customer_number['customers_id'] != $customer_id) {
    tep_redirect(tep_href_link(FILENAME_ACCOUNT_HISTORY, '', 'SSL'));
  }

That snippet takes care of it. :wink:


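The snippet above is the whole defence: the session says who is logged in, the database says who owns the order, and the page only renders when the two agree. The following is an added example, not osCommerce code and not from any poster here. It restates that ownership check in Python over an in-memory SQLite table with constructed sample rows, puts the weak "trust the order_id in the URL" lookup beside the scoped one, and adds a small log-side check that spots a session walking order ids one after another. Table and column names mirror the snippet (orders_id, customers_id); everything else, including the sample data and the hypothetical access log, is constructed for the example.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed sample rows standing in for the orders table
# (only the two columns the ownership check uses: orders_id, customers_id).
SAMPLE_ORDERS = [(1, 101), (2, 101), (3, 202), (4, 303)]


def build_db() -> sqlite3.Connection:
    """Create an in-memory orders table loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table orders (orders_id integer primary key, customers_id integer)")
    conn.executemany("insert into orders values (?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_unscoped(conn: sqlite3.Connection, order_id) -> Optional[Tuple[int, int]]:
    """The weak pattern the question worries about: the order_id from the query
    string is the only thing consulted, so any valid id returns someone's order."""
    return conn.execute(
        "select orders_id, customers_id from orders where orders_id = ?", (order_id,)
    ).fetchone()


def lookup_for_customer(conn: sqlite3.Connection, order_id,
                        session_customer_id) -> Optional[Tuple[int, int]]:
    """Equivalent of the account_history_info.php check, folded into one query:
    1. no customer id in the session means not logged in -> nothing is returned;
    2. order_id must be an integer, anything else is rejected before it reaches SQL;
    3. the query is scoped to the session's customer, so an order that exists but
       belongs to someone else looks exactly like an order that does not exist."""
    if session_customer_id is None:
        return None
    try:
        oid = int(order_id)
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "select orders_id, customers_id from orders "
        "where orders_id = ? and customers_id = ?",
        (oid, session_customer_id),
    ).fetchone()


def can_view(conn: sqlite3.Connection, order_id, session_customer_id) -> bool:
    """True only when the logged-in customer owns the requested order."""
    return lookup_for_customer(conn, order_id, session_customer_id) is not None


def flag_enumeration(attempts, threshold: int = 3):
    """Detection side (hypothetical log format): `attempts` is an iterable of
    (session_id, order_id, granted) tuples. Returns the session ids that were
    refused `threshold` or more distinct order ids, which is what changing
    order_id=1, 2, 3, ... in the URL looks like from the server."""
    refused = {}
    for session_id, order_id, granted in attempts:
        if not granted:
            refused.setdefault(session_id, set()).add(order_id)
    return sorted(s for s, ids in refused.items() if len(ids) >= threshold)


if __name__ == "__main__":
    db = build_db()
    print("unscoped lookup of order 3:", lookup_unscoped(db, 3))          # leaks (3, 202)
    print("scoped lookup of order 3 as customer 101:", lookup_for_customer(db, 3, 101))  # None
    # Constructed log: session s1 walks ids it does not own, s2 views its own order.
    log = [("s1", 1, False), ("s1", 2, False), ("s1", 3, False), ("s2", 1, True)]
    print("sessions flagged for enumeration:", flag_enumeration(log))     # ['s1']
```

The point of scoping the query rather than checking ownership after the fetch is that there is no window in which the foreign row is in hand, and the response for "not yours" and "does not exist" is identical, so a guessed id confirms nothing. The osCommerce snippet achieves the same outcome with its redirect; the log check is the piece it does not have, and it is cheap to run over whatever the web server already records.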
Bryan;

If I'm not mistaken, clicking on that link takes you to the login screen and you would have to login before you saw any invoices.

... if you want to REALLY see something that doesn't set up right out of the box without some tweaking,

try being a Foster Parent!


Archived

This topic is now archived and is closed to further replies.
