[ic] Credit card LUHN checking - why we don't want it

Zack Johnson interchange-users@lists.akopia.com
Fri Jul 6 09:29:01 2001


Does anybody have a list of recommended vars to ignore?  I was unaware that
mv_credit_card_force exists.  Are there other potential integrity threats
like that?

Perhaps this could become part of the default distribution?

Thanks for the tip!

Zack

----- Original Message -----
From: "Mark Johnson" <markj@redhat.com>
To: <interchange-users@developer.akopia.com>
Sent: Friday, July 06, 2001 9:16 AM
Subject: Re: [ic] Credit card LUHN checking - why we don't want it


> For all the concerns about form variables: make a list of all the form
> vars you do not want a client to be able to manipulate, and add them to
> the FormIgnore directive in catalog.cfg.
>
> FormIgnore  mv_credit_card_force mv_payment_mode mv_whatever_else
>
> If all the same values are going to be set in stone, you can add them at
> start-up with
>
> ValuesDefault  mv_credit_card_force  1
> ValuesDefault  mv_payment_mode      charge
> ..
>
> If you have vars that you want to change but not allow users to
> manipulate, you will have to set them programmatically.
>
> Javier Martin wrote:
> >
> > Steffen Dettmer said:
> >
> > > * Mike Heins wrote on Thu, Jul 05, 2001 at 16:45 -0400:
> > > > Quoting Martin Dabb (jmdabb@paradise.net.nz):
> > > > > > LUHN checking doesn't work for cards from all countries, including New
> > > > > > Zealand where my client's business is - hence I'll need to find a way to
> > > > > > turn it off.
> > > >
> > > > That is easy enough - set
> > > >
> > > >     <INPUT TYPE=hidden NAME=mv_credit_card_force VALUE=1>
> > > >
> > > > which forces the LUHN-10 check good.
> > >
> > > Huh? The Shop trusts the browser?! Why that? Are there other such
> > > things? Is there a field called mv_price_check_disable or
> > > similar? I cannot understand how a database driven system could
> > > be configurable and fakeable by some client/browser? Or did I
> > > miss something?
> >
> > This is a good question.
> >
> > Place an
> >
> >   <input type=hidden name=mv_payment_mode value="CREDIT">
> >
> > in the checkout page of some interchange storefront that uses the
> > 'authorizenet' module as it comes out-of-box, and you'll be credited instead
> > of charged!! (unless I'm also missing something).
> >
> > Javier
> >
> > _______________________________________________
> > Interchange-users mailing list
> > Interchange-users@lists.akopia.com
> > http://lists.akopia.com/mailman/listinfo/interchange-users
>
> --
> Mark Johnson
> Senior Systems Architect - Professional Services
> Red Hat, Inc.
> E-Business Solutions
> markj@redhat.com
> 703-456-2912
>
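
The pattern described in the quoted reply (FormIgnore to drop client-supplied names, ValuesDefault to supply the trusted values), as a simplified model added here for illustration; it is not Interchange's own code and not from any poster in the thread. The parser, the function names and the sample form are assumptions, and Interchange's actual handling may differ in detail.

```python
# Constructed catalog.cfg fragment built from the directives quoted in the thread.
CATALOG_CFG = """
# variables the client must never set
FormIgnore  mv_credit_card_force mv_payment_mode
ValuesDefault  mv_credit_card_force  1
ValuesDefault  mv_payment_mode      charge
"""

# Constructed form submission: two ordinary fields plus the two hidden inputs
# discussed in the thread.
SAMPLE_FORM = {
    "fname": "Pat",
    "city": "Auckland",
    "mv_payment_mode": "CREDIT",
    "mv_credit_card_force": "1",
}


def parse_directives(cfg_text):
    """Return (ignored_names, defaults) from FormIgnore / ValuesDefault lines."""
    ignored, defaults = set(), {}
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        directive, *args = line.split()
        if directive == "FormIgnore":
            ignored.update(args)
        elif directive == "ValuesDefault" and len(args) >= 2:
            defaults[args[0]] = " ".join(args[1:])
    return ignored, defaults


def build_values(form, ignored, defaults):
    """Merge a submitted form into server-side values (hypothetical helper).

    Names in `ignored` are never taken from the client; they are returned in
    `rejected` so the attempt can be logged.
    """
    values = dict(defaults)
    rejected = []
    for name, value in form.items():
        if name in ignored:
            rejected.append(name)
            continue
        values[name] = value
    return values, sorted(rejected)


if __name__ == "__main__":
    ignored, defaults = parse_directives(CATALOG_CFG)
    values, rejected = build_values(SAMPLE_FORM, ignored, defaults)
    print("rejected client fields:", rejected)
    print("payment mode used:", values["mv_payment_mode"])
```

In this model a ValuesDefault entry without a matching FormIgnore entry is still overwritten by the submitted form, so the two lists have to be kept in step.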