
osCommerce

The e-commerce.

Isn't this a big security concern??


torinwalker

First off, I'd like to point out that an online shopping cart system is fundamentally meant to offload work from the business operator. The online shopping cart is there to take orders, answer questions, calculate totals, etc.

 

With this in mind, I wonder now about the effective security surrounding the payment module system. I am presently writing a payment module for Moneris (Royal Bank/Bank Of Montreal Payment Gateway) using the Direct Post method because, frankly, doing it any other way within osCommerce is far more difficult.

 

Just prior to confirming my order, if I look at the source of the page, I can see all the variables being posted, the URL for the payment gateway, and other control variables, which, if I knew something about the particular gateway in use, I might be able to modify to nullify my transaction. For example (in the Moneris case) I might change the transaction_type from a purchase to a preauth. I might instead change the value to zero. If storeowners who use osCommerce aren't careful, they could end up delivering products for free, not realizing until it's too late to take action.

 

While this isn't a glaring security issue -- it simply means that the store owner must personally verify each transaction with the bank to ensure that both the transaction type and total amount are correct -- it really should be addressed, because, as I said before, a shopping cart system is meant to save the storeowner time and effort.

 

I'm a C/Java/Perl/everything else except PHP programmer, and my webserver protocol knowledge is rusty. I remember reading somewhere about a technique for correcting this problem - I believe by moving the actual submission to a user-inaccessible region within the webserver. I'm not sure how this can be done with PHP.

 

Has anyone written a payment module (I don't have time to examine all sixty of them) that uses a technique for carrying variables safely to the payment gateway?

Please, any comments at all.

Torin...
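
The manual check described in the post, comparing each transaction's type and total with what the bank recorded, can be done by the store's server before an order is released. The following is an added example, not part of the original post and not osCommerce or Moneris code. Apart from `transaction_type`, `purchase` and `preauth`, every field name is hypothetical, and it assumes the gateway result was obtained over a channel the customer cannot alter (how to obtain it is gateway-specific and not shown).

```php
<?php
// Added example. Field names other than transaction_type are hypothetical.

/** Convert a decimal amount string such as "49.95" to integer cents. */
function toCents(string $amount): ?int
{
    // Reject negatives, exponents, separators and anything non-numeric.
    if (!preg_match('/^\d{1,9}(\.\d{1,2})?$/', $amount)) {
        return null;
    }
    [$whole, $frac] = array_pad(explode('.', $amount, 2), 2, '');
    return (int)$whole * 100 + (int)str_pad($frac, 2, '0');
}

/**
 * Compare what the gateway reports it processed with what the store saved
 * server-side before the confirmation page was rendered.
 * Returns a list of discrepancies; an empty list means nothing was altered.
 */
function reconcileOrder(array $storedOrder, array $gatewayResult): array
{
    $problems = [];
    if (($gatewayResult['order_id'] ?? null) !== $storedOrder['order_id']) {
        $problems[] = 'order id mismatch';
    }
    if (($gatewayResult['transaction_type'] ?? '') !== $storedOrder['transaction_type']) {
        $problems[] = 'transaction type changed';
    }
    $paid = toCents((string)($gatewayResult['amount'] ?? ''));
    if ($paid === null || $paid !== toCents($storedOrder['amount'])) {
        $problems[] = 'amount changed';
    }
    return $problems;
}

// Constructed sample data: the order as saved by the store ...
$stored = ['order_id' => 'ORD-1001', 'transaction_type' => 'purchase', 'amount' => '49.95'];
// ... one result where the posted form fields were edited, and one untouched.
$results = [
    'edited'    => ['order_id' => 'ORD-1001', 'transaction_type' => 'preauth', 'amount' => '0.00'],
    'untouched' => ['order_id' => 'ORD-1001', 'transaction_type' => 'purchase', 'amount' => '49.95'],
];

foreach ($results as $label => $result) {
    $problems = reconcileOrder($stored, $result);
    $status = $problems ? 'HOLD (' . implode(', ', $problems) . ')' : 'release';
    echo $label, ': ', $status, PHP_EOL;
}
```

Amounts are compared as integer cents so that formatting differences such as "49.9" versus "49.90" do not cause false mismatches.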


Archived

This topic is now archived and is closed to further replies.
