[ic] Errors displayed at checkout, potential security issue

Ed LaFrance (New Media E.M.S.) ic_users at newmediaems.com
Mon Jul 19 11:38:40 EDT 2004


At 11:01 AM 7/18/2004, you wrote:

>I am using the foundation demo as the basis of my catalogue.  The
>checkout.html page contains the following lines to display order submission
>errors to the customer:
>
>
>   [if type=explicit compare="[error all=1 show_var=1 keep=1]"]
>     <P>
>         <B>[L]There were errors in your last submission[/L]:<br>
>         <blockquote>
>         <FONT color="__CONTRAST__">
>                 [error all=1 keep=1 show_error=1 show_label=1 joiner="<br>"]
>
>
>By chance, I noticed that this code can also result in displaying other
>previous errors to the customer.  For example, if the catalog contains some
>duff SQL which is called while the customer is browsing the catalog then
>when they checkout they will be presented with the error message which may
>well also contain some SQL e.g.
>
>(table products): Query on table failed: Can't locate object method "name"
>via package "Vend::SQL_Parser: <some SQL query> at
>/opt/interchange/lib/Vend/Scan.pm line 623. Query was: <some SQL query>
>
>One "solution" might be to check that the referring page was checkout.html.
>i.e.  The reason for displaying errors to the customer at checkout is to
>display errors in their order submission.  In this case, they will have just
>pressed the "Place order" button on the checkout.html page, and the same
>page is being returned for them to correct their errors.
>
>Can anyone suggest the best way of testing whether the referring page was
>checkout.html and then only displaying errors if this is the case?  Indeed,
>would this solution work?  Can anyone suggest an alternative or better
>solution?   Thanks

We used to be able to get the previous page name via @@MV_PREV_PAGE@@ 
and/or [data session last_url], but I think these have been disabled for 
security reasons. Since the 'Place Order' action on the checkout page is 
currently the only mv_todo=submit on the customer side of the foundation 
catalog, one thing you could do is:

[if cgi mv_todo eq submit]
[if type=explicit compare="[error all=1 show_var=1 keep=1]"]
     <P>
         <B>[L]There were errors in your last submission[/L]:<br>
         <blockquote>
         <FONT color="__CONTRAST__">
                 [error all=1 keep=1 show_error=1 show_label=1 joiner="<br>"]
                 ...
[/if]


- Ed

===============================================================
New Media E.M.S.              Technology Solutions for Business
11630 Fair Oaks Blvd., #250   eCommerce | Consulting | Hosting
Fair Oaks, CA  95628          Ed.LaFrance at newmediaems.com
(916) 961-0446                http://www.newmediaems.com
(866) 519-4680 Toll-Free      (916) 961-0447 Fax
=============================================================== 
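A small model of the gating Ed suggests, added here as an example and not Interchange or foundation code: it shows errors only on the `mv_todo=submit` request and, on top of that, withholds any session entry that is not an order-form variable or that carries internal detail (the "Query on table failed ... Query was:" text from the original message), since that text belongs in the server log rather than the customer's page. The session error store, CGI hash, `ORDER_FIELDS` list and the `INTERNAL_MARKERS` patterns are constructed stand-ins, not Interchange's own data structures.

```python
import html
import re

# Constructed stand-ins for the per-session error store that [error keep=1]
# reads and for the request's CGI values; they are not Interchange's own data.
SESSION_ERRORS = {
    "email": "Email address is required",
    "table products": (
        "Query on table failed: Can't locate object method \"name\" via package "
        "\"Vend::SQL_Parser: <some SQL query> at /opt/interchange/lib/Vend/Scan.pm "
        "line 623. Query was: <some SQL query>"
    ),
}

# Variables the checkout form actually validates (hypothetical list).
ORDER_FIELDS = {"fname", "lname", "email", "address1", "city", "zip"}

# Signs that a message is an internal failure rather than a form-validation hint.
INTERNAL_MARKERS = [
    re.compile(r"Query on table failed"),
    re.compile(r"Query was:"),
    re.compile(r"\.pm line \d+"),
]


def is_internal(message):
    return any(m.search(message) for m in INTERNAL_MARKERS)


def checkout_errors(cgi, session_errors, order_fields=ORDER_FIELDS):
    """Errors safe to show on checkout.html: only on the 'Place order' request
    (mv_todo=submit) and only for validated order fields with no internal text."""
    if cgi.get("mv_todo") != "submit":
        return []
    return [(var, msg) for var, msg in session_errors.items()
            if var in order_fields and not is_internal(msg)]


def internal_errors(session_errors):
    """Entries that belong in the server log, never in the customer's page."""
    return [var for var, msg in session_errors.items() if is_internal(msg)]


def render(errors, joiner="<br>"):
    """Equivalent of show_label=1 joiner="<br>", with HTML escaping added."""
    return joiner.join(f"{html.escape(var)}: {html.escape(msg)}" for var, msg in errors)


if __name__ == "__main__":
    submit = {"mv_todo": "submit", "email": ""}
    print(render(checkout_errors(submit, SESSION_ERRORS)))
    print("logged:", internal_errors(SESSION_ERRORS))
```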
