PHP Order form issues



adamjthompson
11-04-2006, 06:17 PM
Hello,

I am having a problem with an order form, and can't figure out why.

Here is how the form works:
It is a four page form (1: Select product. 2: Contact Details 3: Payment Details. 4: Confirm and submit)

The data from the previous page of the form is passed along as a hidden form field populated by PHP from the form data.

You can see the form in action at http://www.gojicapital.com/buy.html (Click buy now and follow the order process.)

Here is the problem:

Even though I have Javascript validation on the forms, I'm getting a sizable number of empty or incomplete orders. Some are completely blank, some have just the product chosen, and some have just the payment details.

What could be causing this?

CFMaBiSmAd
11-04-2006, 06:51 PM
If you have verified that the code works normally, passing information correctly, then if you are receiving unusual submissions it is likely that people/scripts are attempting to probe your code, either trying to place orders without paying, using your contact form for email header injection to send spam, to inject code onto your site to possibly intercept customer's payment information, or to inject code to read or change your files/database.

Take a look at your code from a security what-if standpoint...

Also I notice an error message at the top of your opening page that is probably due to a session_start() or setcookie problem in your code.

Edit: In addition to the javascript to make sure fields are filled in..., I hope you are validating the actual information in the PHP script as well... Javascript can be turned off and someone looking to abuse your system would turn this off as a first step and if a script is being used to automatically submit form data to your code, it would care less about the existence of javascript on a page.
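The server-side check this reply asks for, as an added example that is not code from the thread or from the site discussed. It validates the "Contact Details" step in PHP regardless of whether the browser ran the JavaScript, and it also rejects the CR/LF characters that an email header injection attempt depends on. The field names (name, email, address, phone) are assumed; the site's real field names are not shown in the thread.

```php
<?php
// Added example, not the site's code. Server-side validation for the
// contact-details step; field names are assumptions.

function validate_contact_details(array $post): array
{
    $errors = [];
    $required = ['name', 'email', 'address', 'phone'];

    foreach ($required as $field) {
        // Missing or whitespace-only values are what arrive when a client
        // skips the JavaScript checks (JS disabled, or a script posting
        // straight to the processing page).
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            $errors[$field] = "$field is required";
        }
    }

    // Any field that ends up in an outgoing mail header must not contain
    // line breaks: a CR or LF is the signature of header injection, so the
    // submission is rejected rather than "cleaned".
    foreach (['name', 'email', 'phone'] as $field) {
        if (isset($post[$field]) && preg_match('/[\r\n]/', (string) $post[$field])) {
            $errors[$field] = "invalid characters in $field";
        }
    }

    if (!isset($errors['email']) && isset($post['email'])) {
        $email = trim((string) $post['email']);
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            $errors['email'] = 'email address is not valid';
        }
    }

    return $errors;
}

// Constructed sample submissions (not real orders).
$good = [
    'name'    => 'Jane Doe',
    'email'   => 'jane@example.com',
    'address' => '1 Main St',
    'phone'   => '555-0100',
];
$blank = ['name' => '', 'email' => '  ', 'address' => '', 'phone' => ''];
$injected = $good;
$injected['email'] = "jane@example.com\r\nBcc: someone@example.net";

print_r(validate_contact_details($good));      // empty array: accepted
print_r(validate_contact_details($blank));     // one "required" error per field
print_r(validate_contact_details($injected));  // email rejected for CR/LF
```

On the processing page the pattern is: run this on `$_POST`, and if the returned array is non-empty, redisplay the step with the errors instead of storing or emailing anything. The JavaScript stays as a convenience for the user; this function is what actually decides whether an order is recorded.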

adamjthompson
11-04-2006, 06:58 PM
Also I notice an error message at the top of your opening page that is probably due to a session_start() or setcookie problem in your code.

Hmmm...I'm not getting any error messages. Which page is it on and what does the message say?

~Adam

CFMaBiSmAd
11-04-2006, 07:09 PM
At the link you posted in your first post -

Warning: Cannot modify header information - headers already sent by (output started at /home/gc/public_html/buy.html:4) in /home/gc/public_html/convert.inc.php on line 32

vinyl-junkie
11-04-2006, 07:33 PM
All the suggestions you have been given are good, but you need to post your code if you want us to help you find out where the error is happening.

adamjthompson
11-04-2006, 07:38 PM
Thanks for the error message. That's coming from a tracking script. I'll have to take care of that.

I am not using PHP to validate form data, so I guess that's a good place to start.

Thanks!

~Adam

CFMaBiSmAd
11-04-2006, 08:48 PM
Another comment on javascript for order forms - you can use this to make sure something is filled in or to display totals, but don't rely on it for anything beyond this.

Here is an example - someone places a large order for several hundred dollars, but the total is calculated and sent in a (hidden or visible) field in the form. I can make my own form/script and submit it to your final processing code, but I will set the total field to $1.00. If your server side code uses that total for the amount you charge me, I will be a happy camper.

Only accept user input from a browser and keep any calculations and sensitive data local to the server. Anything in a browser in a (hidden or visible) form field can be viewed and faked when sent to the server.
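The point about a faked total, worked through as an added example (not code from the thread or the site): the server keeps its own price table and computes the amount from the product and quantity it validated, so whatever `total` the browser sends is simply never read. The product codes and prices here are constructed for illustration.

```php
<?php
// Added example, not the site's code. The price table is constructed.

const PRICES = [
    'bottle-1' => 29.95,
    'bottle-3' => 79.95,
];

// Returns the server-computed total, or null when the submission is not
// something we are willing to charge for.
function server_side_total(array $post): ?float
{
    $product = (string) ($post['product'] ?? '');

    // Quantity must be a small positive integer; anything else is rejected
    // rather than coerced.
    $qty = filter_var(
        $post['quantity'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]
    );

    if (!array_key_exists($product, PRICES) || $qty === false) {
        return null;
    }

    // Note what is NOT used: $post['total']. The client's figure is ignored
    // even when present, so setting it to 1.00 changes nothing.
    return round(PRICES[$product] * $qty, 2);
}

// Constructed submissions (not real orders).
$tampered = ['product' => 'bottle-3', 'quantity' => '5', 'total' => '1.00'];
var_dump(server_side_total($tampered));   // price table x 5, not 1.00

$unknown = ['product' => 'free-stuff', 'quantity' => '1', 'total' => '0'];
var_dump(server_side_total($unknown));    // null: product not in the table

$badQty = ['product' => 'bottle-1', 'quantity' => '-2'];
var_dump(server_side_total($badQty));     // null: quantity out of range
```

The same reasoning applies to the data carried between the four pages: holding the validated result of each step in `$_SESSION` on the server, rather than re-sending it as hidden fields, means page 4 confirms what the server recorded rather than whatever the last POST claimed page 1 said.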

adamjthompson
11-05-2006, 01:52 AM
I can make my own form/script and submit it to your final processing code, but I will set the total field to $1.00.

True, but that doesn't matter to me, as I process the orders manually, so I'd still charge you the correct amount. :-)

Thanks for all the advice. I've set up a server side (PHP) validation for the form, so that should stop the blank orders. I'm also going to put in a few security safeguards.

~Adam
