  #1 New Coder (Join Date: Feb 2006, Posts: 32)

    PHP Order form issues

    Hello,

    I am having a problem with an order form, and can't figure out why.

    Here is how the form works:
    It is a four-page form (1: Select product. 2: Contact details. 3: Payment details. 4: Confirm and submit.)

    The data from the previous page of the form is passed along as a hidden form field populated by PHP from the form data.

    You can see the form in action at http://www.gojicapital.com/buy.html (Click buy now and follow the order process.)

    Here is the problem:

    Even though I have Javascript validation on the forms, I'm getting a sizable number of empty or incomplete orders. Some are completely blank, some have just the product chosen, and some have just the payment details.

    What could be causing this?
    I give green rep to those who answer my questions! :)

  #2 CFMaBiSmAd, Senior Coder (Join Date: Oct 2006, Location: Denver, Colorado USA, Posts: 3,044)
    If you have verified that the code works normally, passing information correctly, then if you are receiving unusual submissions it is likely that people/scripts are attempting to probe your code, either trying to place orders without paying, using your contact form for email header injection to send spam, to inject code onto your site to possibly intercept customers' payment information, or to inject code to read or change your files/database.

    Take a look at your code from a security what-if standpoint...

    Also I notice an error message at the top of your opening page that is probably due to a session_start() or setcookie problem in your code.

    Edit: In addition to the javascript to make sure fields are filled in..., I hope you are validating the actual information in the PHP script as well... Javascript can be turned off and someone looking to abuse your system would turn this off as a first step, and if a script is being used to automatically submit form data to your code, it couldn't care less about the existence of javascript on a page.
    Last edited by CFMaBiSmAd; 11-04-2006 at 05:54 PM.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  #3 New Coder (Join Date: Feb 2006, Posts: 32)

    Originally Posted by CFMaBiSmAd:
    > Also I notice an error message at the top of your opening page that is probably due to a session_start() or setcookie problem in your code.
    Hmmm...I'm not getting any error messages. Which page is it on and what does the message say?

    ~Adam

  #4 CFMaBiSmAd, Senior Coder (Join Date: Oct 2006, Location: Denver, Colorado USA, Posts: 3,044)
    At the link you posted in your first post -
    Warning: Cannot modify header information - headers already sent by (output started at /home/gc/public_html/buy.html:4) in /home/gc/public_html/convert.inc.php on line 32

  #5 vinyl-junkie, "$object->toCD-R(LP);" (Join Date: Jun 2003, Posts: 3,092)
    All the suggestions you have been given are good, but you need to post your code if you want us to help you find out where the error is happening.
    Music Around The World - Collecting tips, trade
    and want lists, album reviews, & more
    SNAP to it!

  #6 New Coder (Join Date: Feb 2006, Posts: 32)
    Thanks for the error message. That's coming from a tracking script. I'll have to take care of that.

    I am not using PHP to validate form data, so I guess that's a good place to start.

    Thanks!

    ~Adam

  #7 CFMaBiSmAd, Senior Coder (Join Date: Oct 2006, Location: Denver, Colorado USA, Posts: 3,044)
    Another comment on javascript for order forms - you can use this to make sure something is filled in or to display totals, but don't rely on it for anything beyond this.

    Here is an example - someone places a large order for several hundred dollars, but the total is calculated and sent in a (hidden or visible) field in the form. I can make my own form/script and submit it to your final processing code, but I will set the total field to $1.00. If your server side code uses that total for the amount you charge me, I will be a happy camper.

    Only accept user input from a browser and keep any calculations and sensitive data local to the server. Anything in a browser in a (hidden or visible) form field can be viewed and faked when sent to the server.
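    As an added example (not code from this thread or from the gojicapital.com site), here is a final-step PHP handler that applies both points raised above: it validates the required fields on the server instead of relying on the browser's JavaScript checks (post #2), and it recomputes the order total from a server-side price table so that any "total" field sent from the browser is never used (post #7). The field names, product ids and prices are assumptions.

```php
<?php
// Added example (not the thread's code); field names, ids and prices are assumed.
declare(strict_types=1);
// Server-side price table in cents: the only source of truth for what an order costs.
const CATALOGUE = ['goji-500ml' => 2495, 'goji-1l' => 3995];

/** Validate the final submission on the server; returns [errors, cleanOrder]. */
function validateOrder(array $post): array
{
    $errors = [];
    $clean  = [];
    // 1. Required fields: the browser's JavaScript checks may never have run.
    foreach (['name', 'address', 'email'] as $field) {
        $clean[$field] = trim((string)($post[$field] ?? ''));
        if ($clean[$field] === '') {
            $errors[] = "Missing $field";
        }
    }
    if ($clean['email'] !== '' && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid email address';
    }
    // CR/LF in values that reach mail headers is the header-injection route mentioned in #2.
    if (preg_match('/[\r\n]/', $clean['name'] . $clean['email']) === 1) {
        $errors[] = 'Line breaks are not allowed in name or email';
    }
    // 2. Product and quantity must be values the server recognises.
    $product = (string)($post['product'] ?? '');
    $qty = filter_var($post['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 99]]);
    if (!isset(CATALOGUE[$product])) {
        $errors[] = 'Unknown product';
    } elseif ($qty === false) {
        $errors[] = 'Quantity must be between 1 and 99';
    } else {
        // 3. Recompute the total here; any posted "total" field is ignored.
        $clean['product'] = $product;
        $clean['qty'] = $qty;
        $clean['total_cents'] = CATALOGUE[$product] * $qty;
    }
    return [$errors, $clean];
}
[$errors, $order] = validateOrder($_POST);
if ($errors !== []) {
    http_response_code(400);
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}
// Past this point $order['total_cents'] is trustworthy; charge that, never $_POST['total'].
```

    The same pattern applies to every value carried between pages in hidden fields: treat it as untrusted input on each submission and re-validate it against what the server knows.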

  #8 New Coder (Join Date: Feb 2006, Posts: 32)

    Originally Posted by CFMaBiSmAd:
    > I can make my own form/script and submit it to your final processing code, but I will set the total field to $1.00.
    True, but that doesn't matter to me, as I process the orders manually, so I'd still charge you the correct amount. :-)

    Thanks for all the advice. I've set up server-side (PHP) validation for the form, so that should stop the blank orders. I'm also going to put in a few security safeguards.

    ~Adam