would this pose security issues on my site?



kazaa
06-29-2009, 11:56 PM
Hi everyone,

I have a javascript form to allow users to select between two options when buying something from my site via paypal. Each selection changes different values, such as shipping and price, as the form is submitted.

I've heard javascript can pose security threats. Is this true?

Old Pedant
06-30-2009, 12:44 AM
I don't see any "bn" hidden field. The PayPal build-a-button code always creates one, so it may be a requirement.

Old Pedant
06-30-2009, 12:48 AM
For debugging purposes, try changing your shipping and amount fields from hidden to text and then add
onsubmit="return false;"
to your <form> tag so it doesn't submit anything. That way you can see if your JS code is working.

kazaa
06-30-2009, 12:49 AM
Hi everyone,

I have a javascript form to allow users to select between two options when buying something from my site via paypal. Each selection changes different values, such as shipping and price, as the form is submitted.

I've heard javascript can pose security threats. Is this true?


I don't see any "bn" hidden field. The PayPal build-a-button code always creates one, so it may be a requirement.

Thank you Old Pedant, you were right and that did do the trick.... Now I'm wondering about security. Do you have any idea?

Old Pedant
06-30-2009, 12:57 AM
<shrug> Having a web page can cause a security threat.

But, no, in this case all the danger is on Paypal's site. And one hopes and presumes that they are smart enough to write bullet-proof code.

Since literally thousands (hundreds of thousands?) of web sites use this PayPal code every day, I think that the bugs are worked out by now.

rnd me
06-30-2009, 04:32 AM
I've heard javascript can pose security threats. Is this true?

HTML alone can pose security threats.
By far the greatest danger to a site is the author.
JavaScript is a tool that doesn't care who wields it.

Control the tools, control the production...


Here is a simple list of security rules to follow on a transactional page (in descending order of importance):

1. never show a user anything that another user created; e.g. comments, recommendations, etc...

2. never link <script>, <img>, or <object> tags to anywhere besides your site or a site managed by paypal.

3. validate all submitted data on the server, not just in javascript.

4. avoid using plug-ins like flash, java, and media player.



If you live by those four rules, you should never encounter a javascript security problem.

Anyone else feel free to chime in if I've overlooked anything, or you have further ideas.
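As an added example (not code from this thread or from PayPal), here is the option-to-price lookup the original poster's form does on the client, next to the server-side recheck that rule 3 calls for: the hidden amount and shipping fields a user can edit before the POST are compared against a catalogue only the server holds. The catalogue values, option names and field names are assumptions.

```javascript
// Server-side catalogue: the only trusted source of price and shipping.
// Constructed sample data, not from the original thread.
const CATALOGUE = {
  standard: { amount: 25.0, shipping: 4.5 },
  deluxe:   { amount: 40.0, shipping: 6.0 },
};

// Client side, as described in the thread: the chosen option is copied into
// hidden "amount" and "shipping" fields on submit. Everything written here
// leaves the browser as plain form data the user can alter, so it is a
// convenience for PayPal's page, not a security control.
function fillHiddenFields(option, fields) {
  const item = CATALOGUE[option];
  if (!item) return false;
  fields.amount = item.amount.toFixed(2);
  fields.shipping = item.shipping.toFixed(2);
  return true;
}

// Server side (rule 3): parse the posted body, recompute amount and shipping
// from the option id, and refuse anything that does not match the catalogue.
// Only the recomputed values are returned, never the posted ones.
function validateOrder(postedBody) {
  const params = new URLSearchParams(postedBody);
  const option = params.get('option');
  const item = option ? CATALOGUE[option] : undefined;
  if (!item) return { ok: false, reason: 'unknown option' };

  const rawAmount = params.get('amount');
  const rawShipping = params.get('shipping');
  if (rawAmount === null || rawShipping === null) {
    return { ok: false, reason: 'missing amount or shipping' };
  }
  const amount = Number(rawAmount);
  const shipping = Number(rawShipping);
  if (!Number.isFinite(amount) || !Number.isFinite(shipping)) {
    return { ok: false, reason: 'non-numeric amount or shipping' };
  }
  if (amount !== item.amount || shipping !== item.shipping) {
    return { ok: false, reason: 'posted totals do not match catalogue' };
  }
  return { ok: true, amount: item.amount, shipping: item.shipping };
}
```

Whatever the browser-side script wrote, the server acts only on what `validateOrder` recomputes from the option id.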


