[ic] Errors displayed at checkout, potential security issue
John1
list_subscriber at yahoo.co.uk
Tue Jul 20 17:08:32 EDT 2004
On Monday, July 19, 2004 4:38 PM, ic_users at newmediaems.com wrote:
> At 11:01 AM 7/18/2004, you wrote:
>
>> I am using the foundation demo as the basis of my catalogue. The
>> checkout.html page contains the following lines to display order
>> submission errors to the customer:
>>
>>
>> [if type=explicit compare="[error all=1 show_var=1 keep=1]"]
>> <P>
>> <B>[L]There were errors in your last submission[/L]:<br>
>> <blockquote>
>> <FONT color="__CONTRAST__">
>> [error all=1 keep=1 show_error=1 show_label=1
>> joiner="<br>"]
>>
>>
>> By chance, I noticed that this code can also result in displaying
>> other previous errors to the customer. For example, if the catalog
>> contains some duff SQL which is called while the customer is
>> browsing the catalog then when they checkout they will be presented
>> with the error message which may well also contain some SQL e.g.
>>
>> (table products): Query on table failed: Can't locate object method
>> "name" via package "Vend::SQL_Parser: <some SQL query> at
>> /opt/interchange/lib/Vend/Scan.pm line 623. Query was: <some SQL
>> query>
>>
>> One "solution" might be to check that the referring page was
>> checkout.html, i.e. the reason for displaying errors to the
>> customer at checkout is to display errors in their order submission.
>> In this case, they will have just pressed the "Place order" button
>> on the checkout.html page, and the same page is being returned for
>> them to correct their errors.
>>
>> Can anyone suggest the best way of testing whether the referring
>> page was checkout.html and then only displaying errors if this is
>> the case? Indeed, would this solution work? Can anyone suggest an
>> alternative or better solution? Thanks
>
> We used to be able to get the previous page name via @@MV_PREV_PAGE@@
> and/or [data session last_url], but I think these have been disabled
> for security reasons. Since the 'Place Order' action on the checkout
> page is currently the only mv_todo=submit on the customer side of the
> foundation catalog, one thing you could do is:
>
> [if cgi mv_todo eq submit]
> [if type=explicit compare="[error all=1 show_var=1 keep=1]"]
> <P>
> <B>[L]There were errors in your last submission[/L]:<br>
> <blockquote>
> <FONT color="__CONTRAST__">
> [error all=1 keep=1 show_error=1 show_label=1
> joiner="<br>"] ...
> [/if]
>
>
Thanks for your suggestion, Ed. Looks like that should work. :-)
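The gate Ed proposes, together with the caveat a reviewer would attach to it, as an added example that is not part of this thread and not Interchange's own code. mv_todo is a CGI parameter chosen by the client, so [if cgi mv_todo eq submit] stops ordinary customers from seeing stale errors but does nothing against someone who sends mv_todo=submit by hand; and because the error tag is called with keep=1, an internal error raised on an earlier page is still in the session and will be rendered on the next genuine "Place order". The Python below models the per-session error store, applies Ed's check as the first layer, and adds a second one: only errors keyed by checkout form fields reach the customer, everything else is logged server-side and removed from the session. ErrorStore, ORDER_FIELDS, split_errors and render_checkout_errors are assumed names, the sample error text is constructed to resemble the message quoted in the thread, and the keep/clear behaviour is a simplified model of the [error] tag rather than its real implementation.

```python
import html

# Checkout form fields whose validation errors the customer should see.
# Constructed list; a real catalog would take these from its order profile.
ORDER_FIELDS = {"fname", "lname", "address1", "city", "zip", "email", "mv_payment"}


class ErrorStore:
    """Per-session error hash. Simplified model (assumption) of the session
    errors behind Interchange's [error] tag: keep=True leaves them in place,
    keep=False consumes them."""

    def __init__(self):
        self._errors = {}

    def set(self, key, message):
        self._errors[key] = message

    def all(self, keep=True):
        """Return a snapshot of all errors; clear them unless keep is set."""
        snapshot = dict(self._errors)
        if not keep:
            self._errors.clear()
        return snapshot

    def discard(self, keys):
        for key in keys:
            self._errors.pop(key, None)


def split_errors(errors):
    """Separate customer-facing field errors from everything else."""
    user = {k: v for k, v in errors.items() if k in ORDER_FIELDS}
    internal = {k: v for k, v in errors.items() if k not in ORDER_FIELDS}
    return user, internal


def render_checkout_errors(cgi, store, log):
    """Return the HTML error block for checkout.html, or '' if nothing
    should be shown.

    Layer 1 (Ed's check): render only on the 'Place order' submission.
    Layer 2 (added here): never render errors that are not order-form
    fields, since mv_todo is client-controlled and internal errors kept
    in the session would otherwise surface on the next real submit.
    """
    if cgi.get("mv_todo") != "submit":
        return ""
    user, internal = split_errors(store.all(keep=True))
    for key, message in internal.items():
        log.append(f"suppressed internal error at checkout [{key}]: {message}")
    # Remove the internal ones so they cannot resurface on a later submit.
    store.discard(internal)
    if not user:
        return ""
    rows = [f"<b>{html.escape(k)}</b>: {html.escape(v)}" for k, v in sorted(user.items())]
    return ("<p><b>There were errors in your last submission:</b><br>\n"
            + "<br>\n".join(rows) + "</p>")


def demo():
    """Walk through the scenario described in the thread."""
    store, log = ErrorStore(), []
    # 1. While browsing, a catalog page runs a bad query. Constructed message,
    #    shaped like the one in the thread, with a made-up query.
    store.set("table products",
              "Query on table failed. Query was: SELECT sku FROM products WHERE cat = 'books'")
    # 2. The customer merely opens checkout.html (no submission).
    first_view = render_checkout_errors({"mv_todo": "return"}, store, log)
    # 3. They press 'Place order' with a blank postcode.
    store.set("zip", "blank")
    on_submit = render_checkout_errors({"mv_todo": "submit"}, store, log)
    # 4. A hand-crafted request with mv_todo=submit gets the same filtered
    #    output, never the SQL text.
    probe = render_checkout_errors({"mv_todo": "submit"}, store, log)
    return first_view, on_submit, probe, log


if __name__ == "__main__":
    first_view, on_submit, probe, log = demo()
    print(repr(first_view))
    print(on_submit)
    print(log)
```

The key-based split is the part Interchange's own tag does not do: the mv_todo gate decides when errors are shown, the field whitelist decides which ones, and only the combination keeps the "(table products): Query on table failed ..." text off the customer's screen regardless of how the request was produced.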