How to secure my items?

tjwyman Member
in General edited February 2009
I just decided to do a quick test of one of my websites. I was checking to see if I could change the price of an item in my store by visiting the store in Firefox, using the Web Developer toolbar, selecting Miscellaneous, Edit HTML, then changing the price of an item and applying it to the page. To my surprise, ok maybe I wasn't totally surprised, it worked and the item was added to my cart at a greatly reduced price. How do I secure my items to make sure they cannot be maliciously edited, even if just temporarily, so that a customer cannot change the price of an item?
Comments
  • We check the item price on the backend to verify the integrity of the order, from the datafeed foxy sends out. Depending on how you process your orders, I'd have a check somewhere in your automated or manual order/provisioning processes.

    There have been some other discussions about this -- only one I found so far was this one: http://forum.foxycart.com/comments.php?DiscussionID=748
  • brett FoxyCart Team
    We need to make a FAQ about this, since it comes up pretty often. And I'm almost positive I just answered this within the last week or so but I can't find it, so here goes:

    Currently there is no functionality within FoxyCart itself to prevent price spoofing, but we do have plans to add some price encryption functionality, and we'd love it if you voted for it here:
    http://requests.foxycart.com/pages/general/suggestions/33324-link-form-encryption

    Worth noting is that we've actually not had a single report of price spoofing at this point. We think it's because customers are reluctant to change a price and then use their real credit card.

    If you do enough volume or automation to where an order could actually go out without somebody catching it, we do recommend verifying the prices using the XML datafeed prior to sending them out for fulfillment.
  • I am getting ready to launch a store and this thread is a big concern for me. Are there any updates on when this might be implemented?
  • brett FoxyCart Team
    edited February 2010
    If you have concerns before this goes live we recommend checking orders against the XML and alerting if something looks fishy. If order volumes aren't high, just make sure the people fulfilling the orders are aware and keep an eye out in the meantime.

    As far as timing: We don't generally give dates, but we're working on our next release and this will be in it. It won't be a massive changeset and we're making progress on what'll be included, so it shouldn't take nearly as long as some of our previous releases. It's not going to be days and it's not going to be years. That's really all we can say though, as things invariably come up and we'd rather underpromise than create expectations we end up not meeting, causing frustration all around.
  • The XML thing sounds sort of cumbersome, having 2 prices to keep track of; as well, I read through it but couldn't find enough detailed info on how to actually set it up. Is that integrated into the backend of the system somehow?
  • brett FoxyCart Team
    The idea with the XML would be to check it against whatever CMS/database you're using to generate the links/forms in the first place. Our horribly inaccurate assumption is probably: If you have enough products that it'd be cumbersome to check manually or hardcode them into a verification script, you're probably using a CMS and can do it dynamically.

    I know that's not going to apply to 100% of users, but that's kind of the thought. As far as how to set it up, are you using a CMS or not? We don't have a script to check it but it's basically just getting the XML and checking each product's price against whatever valid price(s) you have set. Depends on what programming language you're using, how you want it integrated with other things, etc. Let us know.
  • erikzett Member
    edited February 2010
    I am using Wordpress so I would check it against a custom field, - I can bring these into the code very easily. Any thoughts on this?
  • brett FoxyCart Team
    I'm not super familiar with the WP database design or how custom fields are accessed, but I can't imagine it'd be too bad. How are your PHP skills? The basic idea would be to take the test scripts, run a test transaction and save the XML to a file, then use that to post to your own endpoint and test it. Get the XML as a SimpleXML object in PHP and, foreach transaction, foreach product, loop through and compare it against the custom field value for the appropriate product. Determining the appropriate product may be easiest if you include the actual ID (like the page ID) as the product code, then verify against that (and perhaps verify the name if necessary).

    Honestly though, I'd try to weigh the cost/benefits of this, as we'll have a potentially easier method (as mentioned above) in the next version. If you need to launch immediately then go for it, but having done web design for years I know that often things take weeks or months to go live due to client delays. Just saying.

    If you take this approach please feel free to post some code if you need help.
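The backend check described in this thread (loop over each transaction and each product in the datafeed, compare the submitted price with the authoritative catalog price keyed by product code, and hold anything that does not match), written here as an added Python example rather than the PHP/SimpleXML version the post suggests. It is not FoxyCart's code: the feed layout, the `CATALOG` lookup standing in for a CMS custom field, and `verify_feed` are all constructed for illustration, and fetching or decrypting the real datafeed is out of scope.

```python
from decimal import Decimal, InvalidOperation
import xml.etree.ElementTree as ET

# Constructed sample feed in a simplified layout (an assumption, not FoxyCart's
# real datafeed schema): one <transaction> per order, one <product> per line item,
# with the price exactly as the cart submitted it.
SAMPLE_FEED = """<?xml version="1.0"?>
<feed>
  <transaction id="1001">
    <product><code>42</code><name>Widget</name><price>19.99</price></product>
    <product><code>43</code><name>Gadget</name><price>1.00</price></product>
  </transaction>
  <transaction id="1002">
    <product><code>99</code><name>Mystery</name><price>5.00</price></product>
  </transaction>
</feed>
"""

# Stand-in for the authoritative price source (e.g. a WordPress custom field keyed
# by page ID, which is what the post recommends using as the product code).
CATALOG = {"42": Decimal("19.99"), "43": Decimal("49.00")}


def verify_feed(xml_text, catalog):
    """Compare every line item's submitted price with the catalog price.

    Returns {transaction_id: [(product_code, reason), ...]} listing only the
    transactions that must be held for review; an empty dict means all clean.
    """
    root = ET.fromstring(xml_text)
    held = {}
    for txn in root.findall("transaction"):
        txn_id = txn.get("id", "?")
        for item in txn.findall("product"):
            code = (item.findtext("code") or "").strip()
            expected = catalog.get(code)
            if expected is None:
                # A code not in the catalog is as suspicious as a wrong price:
                # the same HTML edit that changes the price can change the code.
                held.setdefault(txn_id, []).append((code, "unknown product code"))
                continue
            try:
                submitted = Decimal((item.findtext("price") or "").strip())
            except InvalidOperation:
                held.setdefault(txn_id, []).append((code, "unparseable price"))
                continue
            # Exact Decimal comparison; float arithmetic would make 19.99 != 19.99 possible.
            if submitted != expected:
                held.setdefault(txn_id, []).append(
                    (code, f"price {submitted} != catalog {expected}"))
    return held


if __name__ == "__main__":
    for txn_id, reasons in verify_feed(SAMPLE_FEED, CATALOG).items():
        print(f"hold order {txn_id}: {reasons}")
```

In the sample, order 1001 is held because the Gadget was submitted at 1.00 instead of 49.00, and order 1002 is held because code 99 is not in the catalog; a run that returns an empty dict is safe to pass to fulfillment.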