[ic] Errors displayed at checkout, potential security issue

John1 list_subscriber at yahoo.co.uk
Tue Jul 20 17:08:32 EDT 2004


On Monday, July 19, 2004 4:38 PM, ic_users at newmediaems.com wrote:

> At 11:01 AM 7/18/2004, you wrote:
> 
>> I am using the foundation demo as the basis of my catalogue.  The
>> checkout.html page contains the following lines to display order
>> submission errors to the customer:
>> 
>> 
>>   [if type=explicit compare="[error all=1 show_var=1 keep=1]"]
>>     <P>
>>         <B>[L]There were errors in your last submission[/L]:<br>
>>         <blockquote>
>>         <FONT color="__CONTRAST__">
>>                 [error all=1 keep=1 show_error=1 show_label=1
>> joiner="<br>"] 
>> 
>> 
>> By chance, I noticed that this code can also result in displaying
>> other previous errors to the customer.  For example, if the catalog
>> contains some duff SQL which is called while the customer is
>> browsing the catalog then when they checkout they will be presented
>> with the error message which may well also contain some SQL e.g.
>> 
>> (table products): Query on table failed: Can't locate object method
>> "name" via package "Vend::SQL_Parser: <some SQL query> at
>> /opt/interchange/lib/Vend/Scan.pm line 623. Query was: <some SQL
>> query> 
>> 
>> One "solution" might be to check that the referring page was
>> checkout.html, i.e. the reason for displaying errors to the
>> customer at checkout is to display errors in their order submission.
>> In this case, they will have just pressed the "Place order" button
>> on the checkout.html page, and the same page is being returned for
>> them to correct their errors.
>> 
>> Can anyone suggest the best way of testing whether the referring
>> page was checkout.html and then only displaying errors if this is
>> the case?  Indeed, would this solution work?  Can anyone suggest an
>> alternative or better solution?   Thanks
> 
> We used to be able to get the previous page name via @@MV_PREV_PAGE@@
> and/or [data session last_url], but I think these have been disabled
> for security reasons. Since the 'Place Order' action on the checkout
> page is currently the only mv_todo=submit on the customer side of the
> foundation catalog, one thing you could do is:
> 
> [if cgi mv_todo eq submit]
> [if type=explicit compare="[error all=1 show_var=1 keep=1]"]
>      <P>
>          <B>[L]There were errors in your last submission[/L]:<br>
>          <blockquote>
>          <FONT color="__CONTRAST__">
>                  [error all=1 keep=1 show_error=1 show_label=1
>                  joiner="<br>"] ...
> [/if]
> 
> 
Thanks for your suggestion Ed.  Looks like that should work.  :-)
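An added example (my own, not code from the thread or from Interchange) that models the behaviour discussed above: errors raised anywhere during a session accumulate in a store, and the checkout page shows only those recorded while an order submission was processed. It generalises Ed's mv_todo=submit gate with an origin tag on each error; the Session class, the origin names and the HTML escaping in render_errors are assumptions for the example.

```python
import html

# Constructed session store: each entry is (origin, label, message).
# Origin names are assumptions for this example: "browse" for errors raised
# while the customer browses the catalog, "order_submit" for validation
# errors raised while the order form is processed.
class Session:
    def __init__(self):
        self.errors = []

    def add_error(self, origin, label, message):
        self.errors.append((origin, label, message))

    def clear_errors(self):
        self.errors.clear()


def is_order_submission(cgi):
    """Mirror the [if cgi mv_todo eq submit] gate from the reply above."""
    return cgi.get("mv_todo") == "submit"


def errors_for_checkout(session, cgi):
    """Errors checkout.html may show: only on a 'Place order' submission,
    and only those recorded while that submission was processed. A stale
    internal error from browsing is never returned."""
    if not is_order_submission(cgi):
        return []
    return [(label, msg) for origin, label, msg in session.errors
            if origin == "order_submit"]


def render_errors(pairs, joiner="<br>"):
    """Escape label and message before joining with the template joiner, so a
    message containing markup or query text is shown literally, not rendered."""
    return joiner.join(f"{html.escape(lbl)}: {html.escape(msg)}"
                       for lbl, msg in pairs)


def demo():
    s = Session()
    # Constructed internal failure raised while browsing; the shape follows the
    # message quoted in the thread and the query text is a placeholder.
    s.add_error("browse", "table products",
                "Query on table failed: ... Query was: SELECT <placeholder>")
    # The customer merely views checkout.html: nothing is shown.
    viewing = errors_for_checkout(s, {"mv_todo": "return"})
    # The customer presses "Place order" with a required field blank.
    s.add_error("order_submit", "fname", "blank")
    submitted = errors_for_checkout(s, {"mv_todo": "submit"})
    return viewing, submitted, render_errors(submitted)
```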

