[ic] Errors displayed at checkout, potential security issue

John1 list_subscriber at yahoo.co.uk
Sun Jul 18 14:01:50 EDT 2004

I am using the foundation demo as the basis of my catalogue.  The
checkout.html page contains the following lines to display order submission
errors to the customer:

  [if type=explicit compare="[error all=1 show_var=1 keep=1]"]
        <B>[L]There were errors in your last submission[/L]:<br>
        <FONT color="__CONTRAST__">
                [error all=1 keep=1 show_error=1 show_label=1 joiner="<br>"]

By chance, I noticed that this code can also result in displaying other
previous errors to the customer.  For example, if the catalog contains some
duff SQL which is called while the customer is browsing the catalog then
when they checkout they will be presented with the error message which may
well also contain some SQL e.g.

(table products): Query on table failed: Can't locate object method "name"
via package "Vend::SQL_Parser: <some SQL query> at
/opt/interchange/lib/Vend/Scan.pm line 623. Query was: <some SQL query>

One "solution" might be to check that the referring page was checkout.html.
i.e.  The reason for displaying errors to the customer at checkout is to
display errors in their order submission.  In this case, they will have just
pressed the "Place order" button on the checkout.html page, and the same
page is being returned for them to correct their errors.

Can anyone suggest the best way of testing whether the referring page was
checkout.html and then only displaying errors if this is the case?  Indeed,
would this solution work?  Can anyone suggest an alternative or better
solution?   Thanks

More information about the interchange-users mailing list