[ic] Errors displayed at checkout, potential security issue
Ed LaFrance (New Media E.M.S.)
ic_users at newmediaems.com
Mon Jul 19 11:38:40 EDT 2004
At 11:01 AM 7/18/2004, you wrote:
>I am using the foundation demo as the basis of my catalogue. The
>checkout.html page contains the following lines to display order submission
>errors to the customer:
>
>
> [if type=explicit compare="[error all=1 show_var=1 keep=1]"]
> <P>
> <B>[L]There were errors in your last submission[/L]:<br>
> <blockquote>
> <FONT color="__CONTRAST__">
> [error all=1 keep=1 show_error=1 show_label=1 joiner="<br>"]
>
>
>By chance, I noticed that this code can also result in displaying other
>previous errors to the customer. For example, if the catalog contains some
>duff SQL which is called while the customer is browsing the catalog then
>when they checkout they will be presented with the error message which may
>well also contain some SQL e.g.
>
>(table products): Query on table failed: Can't locate object method "name"
>via package "Vend::SQL_Parser: <some SQL query> at
>/opt/interchange/lib/Vend/Scan.pm line 623. Query was: <some SQL query>
>
>One "solution" might be to check that the referring page was checkout.html.
>i.e. The reason for displaying errors to the customer at checkout is to
>display errors in their order submission. In this case, they will have just
>pressed the "Place order" button on the checkout.html page, and the same
>page is being returned for them to correct their errors.
>
>Can anyone suggest the best way of testing whether the referring page was
>checkout.html and then only displaying errors if this is the case? Indeed,
>would this solution work? Can anyone suggest an alternative or better
>solution? Thanks
We used to be able to get the previous page name via @@MV_PREV_PAGE@@
and/or [data session last_url], but I think these have been disabled for
security reasons. Since the 'Place Order' action on the checkout page is
currently the only mv_todo=submit on the customer side of the foundation
catalog, one thing you could do is:
[if cgi mv_todo eq submit]
[if type=explicit compare="[error all=1 show_var=1 keep=1]"]
<P>
<B>[L]There were errors in your last submission[/L]:<br>
<blockquote>
<FONT color="__CONTRAST__">
[error all=1 keep=1 show_error=1 show_label=1 joiner="<br>"]
...
[/if]
- Ed
===============================================================
New Media E.M.S. - Technology Solutions for Business
eCommerce | Consulting | Hosting
11630 Fair Oaks Blvd., #250
Fair Oaks, CA 95628
Ed.LaFrance at newmediaems.com
http://www.newmediaems.com
(916) 961-0446
(866) 519-4680 Toll-Free
(916) 961-0447 Fax
===============================================================
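The thread above raises two separate points: Ed's gate (only render the session error buffer when the current request is the `mv_todo=submit` of the "Place order" button) and the original poster's observation that the buffer can still carry backend failures, such as a failed SQL query with the query text and a server path, that a customer should never see. The following is an added example, not code from the Interchange project or from either poster; it models that page logic in Python because the Interchange Tag Language itself cannot be run here. The CGI dictionary, the `(label, text)` error list and the marker patterns are assumptions constructed for the example, and the sample error text is a constructed copy of the message quoted in the question.

```python
import html
import re

# Constructed sample of what a checkout page sees: the CGI variables of the
# current request and the error list left in the session by earlier requests
# (the buffer the [error all=1 keep=1] tag renders). Labels are assumed.
SAMPLE_SESSION_ERRORS = [
    ("fname", "First name is required"),
    ("products",
     "(table products): Query on table failed: Can't locate object method "
     "\"name\" via package \"Vend::SQL_Parser: SELECT ... at "
     "/opt/interchange/lib/Vend/Scan.pm line 623. Query was: SELECT ..."),
]

# Heuristic markers (chosen for this example) that flag an entry as a backend
# failure rather than an order-form validation message.
INTERNAL_ERROR_MARKERS = [
    re.compile(r"Query (on table failed|was:)"),
    re.compile(r" at /\S+\.pm line \d+"),
    re.compile(r"via package \"Vend::"),
]

GENERIC_MESSAGE = "An internal error occurred; please try again later."


def is_internal_error(text):
    """True when the error text leaks SQL or server internals."""
    return any(p.search(text) for p in INTERNAL_ERROR_MARKERS)


def checkout_errors_to_display(cgi, session_errors):
    """Return the (label, text) pairs safe to render on checkout.html.

    Mirrors the [if cgi mv_todo eq submit] gate from the reply: nothing is
    shown unless this request is the 'Place order' submission. In addition,
    any entry that looks like a backend failure is replaced by a generic
    message so that query text and file paths never reach the customer.
    """
    if cgi.get("mv_todo") != "submit":
        return []
    shown = []
    for label, text in session_errors:
        if is_internal_error(text):
            shown.append((label, GENERIC_MESSAGE))
        else:
            shown.append((label, text))
    return shown


def internal_errors_for_log(session_errors):
    """Full text of backend failures, destined for the server log, not the page."""
    return [(label, text) for label, text in session_errors
            if is_internal_error(text)]


def render_error_block(errors, joiner="<br>"):
    """HTML fragment in the spirit of [error ... show_label=1 joiner="<br>"].

    Every label and message is HTML-escaped before it is placed in the page.
    """
    if not errors:
        return ""
    lines = [f"{html.escape(label)}: {html.escape(text)}" for label, text in errors]
    return ("<p><b>There were errors in your last submission:</b><br>"
            "<blockquote>" + joiner.join(lines) + "</blockquote></p>")


if __name__ == "__main__":
    # A browsing request: the stale SQL error is not rendered at all.
    print(render_error_block(
        checkout_errors_to_display({"mv_page": "catalog"}, SAMPLE_SESSION_ERRORS)))
    # The 'Place order' submission: validation errors shown, backend error masked.
    print(render_error_block(
        checkout_errors_to_display({"mv_todo": "submit"}, SAMPLE_SESSION_ERRORS)))
    print(internal_errors_for_log(SAMPLE_SESSION_ERRORS))
```

The gate on `mv_todo` is the cheap fix from the reply; the masking step is what closes the information leak the question describes, since a stale backend error can still be sitting in the buffer when the customer does press "Place order". Logging the full text server-side keeps the detail available to the operator.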