Jump to content
dev osCommerce
Forum
  • Checkout
  • Login
  • Contact Us
  • Get in touch

osCommerce

The e-commerce.

New Demo
Our Partners

Isn't this a big security concern??

torinwalker

By torinwalker
in General Support

Recommended Posts

torinwalker

torinwalker

Posted
Posted

First off, I'd like to point out that an online shopping cart system is fundamentally meant to offload work from the business operator. The online shopping cart is there to take orders, answer questions, calculate totals, etc.

 

With this in mind, I wonder now about the effective security surrounding the payment module system. I am presently writing a payment module for Moneris (Royal Bank/Bank Of Montreal Payment Gateway) using the Direct Post method because, frankly, doing it any other way within osCommerce is far more difficult.

 

Just prior to confirming my order, if I look at the source of the page, I can see all the variables being posted, the URL for the payment gateway, and other control variables, which, if I knew something about the particular gateway in use, I might be able to modify to nullify my transaction. For example (in the Moneris case) I might change the transaction_type from a purchase to a preauth. I might instead change the value to zero. If storeowners who use osCommerce aren't careful, they could end up delivering products for free, not realizing until it's too late to take action.

 

While this isn't a glaring security issue -- it simply means that the store owner must personally verify each transaction with the bank to ensure that both the transaction type and total amount are correct -- it really should be addressed, because, as I said before, a shopping cart system is meant to save the storeowner time and effort.

 

I'm a C/Java/Perl/everything else except PHP programmer, and my webserver protocol knowledge is rusty. I remember reading somewhere about a technique for correcting this problem - I believe by moving the actual submission to a user-inaccessible region within the webserver. I'm not sure how this can be done with PHP.

 

Has anyone written a payment module (I don't have time to examine all sixty of them) that uses a technique for carrying variables safetly to the payment gateway?

 

Please, any comments at all.

 

 

Torin...

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...