
Validate currency amounts in registration form

Posted on 2014-09-10
Last Modified: 2014-09-10
Good morning. _agx_ brings up an important point in my conference registration form; I hope it is OK if I quote from his helpful remarks:

>>>Be careful accepting amounts submitted by the user, as they can easily be changed. If you know the amount should be $100, when the box is checked, validate it before saving it to your db. Make sure it has not been changed to something else like 0 ...

>><cfif getConferenceAmount.recordCount eq 0>
>> The payment amount is invalid.
>> </cfif>

>>>Hm... is this on your action page? ie Where you calculate the total charges before redirecting to authorize.net? If so, that CFIF won't halt processing unless you include a cfabort. Otherwise, the transaction will still continue - even if the conference isn't valid. The amount will just be 0$, ie Free

This is indeed on my action page -- confirmationPage.cfm.

How can I make this code more secure? Maybe something like:

    <!--- obtain a valid amount for variable "amount"; this will confirm that amount entered in #REQUEST.conferenceFeeTable# is correct amount --->
    <cfquery name="getConferenceAmount" datasource="#application.datasource#">
        SELECT amount, ConferenceFeeTitle
        FROM #REQUEST.conferenceFeeTable#
        WHERE ConferenceFeeTypeID = <cfqueryparam cfsqltype="cf_sql_integer" value="#FORM.ConferenceFeeTypeID#">
    </cfquery>

    <cfif getConferenceAmount.recordCount eq 0>
        <cfabort showerror="The payment amount is invalid!">
    </cfif>

    <!--- obtain a valid amount for variable "form.PreconferenceAmount"; this will obtain a value for PreconferenceAmount as entered in #request.RegisterTable# --->
    <cfquery name="getPreconferenceAmount" datasource="#application.datasource#">
        SELECT PreconferenceAmount
        FROM #request.RegisterTable#
        WHERE RegisterID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.RegisterID)#">
    </cfquery>

    <cfif getPreconferenceAmount.recordCount eq 0>
        <cfabort showerror="The payment amount is invalid!">
    </cfif>

    <!--- add getConferenceAmount.amount and getPreconferenceAmount.PreconferenceAmount to obtain a combined amount to deliver to authorize.net --->
    <cfset amount = val(getConferenceAmount.amount) + val(getPreconferenceAmount.PreconferenceAmount)>



Thank you as always!

Eric
Question by:Eric Bourland
6 Comments
 
LVL 39

Assisted Solution

by:gdemaria
gdemaria earned 1000 total points
ID: 40314640
Hi Eric,
There are a variety of ways; one way is to just fetch the amount from the database again after the form is submitted. Then you can recalculate the totals and compare them to what was submitted in the cart. If they differ, someone tampered with it, or the price just changed, or something... Redraw the screen and tell the user to submit again.
 
LVL 52

Accepted Solution

by:
_agx_ earned 1000 total points
ID: 40314757
Edit:
Agreed and that's how the "getConferenceAmount.amount" is handled.  The action page runs a query to look up the selected conference and determine the amount. However, the distinction I was making about "PreconferenceAmount" is that it sounded like the action page was just accepting whatever dollar amount was submitted and inserting it directly into the db table - without any validation. If so, it could be altered. You should validate it before storing the value in your db table.  

One option is to store the expected amount in a db table, like with the other conference fees. Then validate it the same way. Run a query to get the expected amount. Throw an error if it doesn't match. But if the amount will always be 100, it may be simpler to hard code it:

    <cfif val(FORM.theAmountField) NEQ 100>
        <cfabort showerror="Wrong preconference amount!">
    </cfif>

The likelihood this will happen is probably small, but I just wanted to point out it was possible to circumvent the payment validation.
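As an added example (not code from the thread, and written in Python rather than CFML so it can be run as-is), this puts gdemaria's "fetch the amount again and recompute the total" advice and _agx_'s "compare the posted preconference amount to a configured constant" check into one server-side function. An in-memory sqlite3 table with constructed rows stands in for REQUEST.conferenceFeeTable; the function and table names are assumptions.

```python
import sqlite3
from decimal import Decimal, InvalidOperation

# Trusted preconference fee, the equivalent of setting
# request.PreConferenceAmount = 100 once in application.cfc.
PRECONFERENCE_AMOUNT = Decimal("100.00")


def money(value):
    """Strict parse of a posted amount. Unlike ColdFusion's val(), which turns
    junk into 0 (and so into a free registration), bad input is an error."""
    try:
        return Decimal(str(value)).quantize(Decimal("0.01"))
    except InvalidOperation:
        raise ValueError("non-numeric amount submitted")


def make_fee_table():
    """Constructed in-memory stand-in for REQUEST.conferenceFeeTable."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ConferenceFee (ConferenceFeeTypeID INTEGER PRIMARY KEY,"
               " amount TEXT, ConferenceFeeTitle TEXT)")
    db.executemany("INSERT INTO ConferenceFee VALUES (?, ?, ?)",
                   [(1, "250.00", "Full conference"), (2, "50.00", "Student")])
    return db


def server_side_total(db, form):
    """Recompute the charge from trusted sources (fee table + configured constant)
    and reject the request if the browser's numbers disagree. Returns the total to
    hand to the gateway; raises ValueError, which the caller must treat as a hard
    stop (the cfabort), not as a message on an otherwise continuing page."""
    # Parameterised lookup, as the cfqueryparam in the original query does.
    row = db.execute("SELECT amount FROM ConferenceFee WHERE ConferenceFeeTypeID = ?",
                     (int(form.get("ConferenceFeeTypeID", -1)),)).fetchone()
    if row is None:                      # recordCount eq 0
        raise ValueError("The payment amount is invalid!")
    conference_amount = money(row[0])

    # The posted preconference amount is only a claim; compare it to the constant
    # before it is ever written to the register table.
    if money(form.get("PreconferenceAmount", "0")) != PRECONFERENCE_AMOUNT:
        raise ValueError("Wrong preconference amount!")

    expected = conference_amount + PRECONFERENCE_AMOUNT
    # If the cart also posts a total, it must equal the recomputed one.
    if "amount" in form and money(form["amount"]) != expected:
        raise ValueError("submitted total does not match the recomputed total")
    return expected
```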
 
LVL 3

Author Comment

by:Eric Bourland
ID: 40315027
This is a registration page for a small, close-knit group of people. (Given that the topic is salient, I wish the group were larger.) Larceny on the registration page is unlikely. But on general principles I would like to apply some more security to the page.

The amount (100.00) will not change. So, would something like this work?

     <!--- obtain a valid amount for variable "form.PreconferenceAmount"; this will obtain a value for PreconferenceAmount as entered in #request.RegisterTable# --->
     <cfquery name="getPreconferenceAmount" datasource="#application.datasource#"> 
         SELECT PreconferenceAmount
         FROM #request.RegisterTable#
         WHERE RegisterID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.RegisterID)#">
     </cfquery>
     
    <cfif val(FORM.PreconferenceAmount) NEQ 100>
        <cfabort showerror="Wrong preconference amount!">
    </cfif>


 
LVL 39

Assisted Solution

by:gdemaria
gdemaria earned 1000 total points
ID: 40315095
Yes, that would work. I don't recall where the value 100 comes from in your previous post, but instead of hard coding it deep in the code you could set a global variable (or store it in the database).

In application.cfc you could set the amount

<cfset request.PreConferenceAmount = 100>

and then refer to it throughout your app.
 
LVL 52

Assisted Solution

by:_agx_
_agx_ earned 1000 total points
ID: 40315114
>> Larceny on the registration page is unlikely.

Exactly, but good to address it in case you use this as a template for other sites as well.

>> Instead of hard coding it deep in the code you could set a global variable.  

Ah, that's better.  I was having a failure of imagination trying to illustrate hard coded/static value vs db query storage.
 
LVL 3

Author Closing Comment

by:Eric Bourland
ID: 40315144
gdemaria, _agx_,

For now I will just code it in the action page. I commented the code and will remember what I did.

It is working great and the client (www.nnvawi.org) is happy. Thank you as always.

Hope your day is going great.

Eric
