Solved

Validate currency amounts in registration form

Posted on 2014-09-10
166 Views
Last Modified: 2014-09-10
Good morning. _agx_ brings up an important point in my conference registration form; I hope it is OK if I quote from his helpful remarks:

>>>Be careful accepting amounts submitted by the user, as they can easily be changed. If you know the amount should be $100, when the box is checked, validate it before saving it to your db. Make sure it has not been changed to something else like 0 ...

>><cfif getConferenceAmount.recordCount eq 0>
>> The payment amount is invalid.
>> </cfif>

>>>Hm... is this on your action page? ie Where you calculate the total charges before redirecting to authorize.net? If so, that CFIF won't halt processing unless you include a cfabort. Otherwise, the transaction will still continue - even if the conference isn't valid. The amount will just be 0$, ie Free

This is indeed on my action page -- confirmationPage.cfm.

How can I make this code more secure? Maybe something like:

    <!--- obtain a valid amount for variable "amount"; this will confirm that the amount entered in #REQUEST.conferenceFeeTable# is the correct amount --->
    <cfquery name="getConferenceAmount" datasource="#application.datasource#">
        SELECT amount, ConferenceFeeTitle
        FROM #REQUEST.conferenceFeeTable#
        WHERE ConferenceFeeTypeID = <cfqueryparam cfsqltype="cf_sql_integer" value="#FORM.ConferenceFeeTypeID#">
    </cfquery>

    <cfif getConferenceAmount.recordCount eq 0>
        <cfabort showerror="The payment amount is invalid!">
    </cfif>

    <!--- obtain a valid amount for variable "form.PreconferenceAmount"; this will obtain a value for PreconferenceAmount as entered in #request.RegisterTable# --->
    <cfquery name="getPreconferenceAmount" datasource="#application.datasource#">
        SELECT PreconferenceAmount
        FROM #request.RegisterTable#
        WHERE RegisterID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.RegisterID)#">
    </cfquery>

    <cfif getPreconferenceAmount.recordCount eq 0>
        <cfabort showerror="The payment amount is invalid!">
    </cfif>

    <!--- add getConferenceAmount.amount and getPreconferenceAmount.PreconferenceAmount to obtain a combined amount to deliver to authorize.net --->
    <cfset amount = val(getConferenceAmount.amount) + val(getPreconferenceAmount.PreconferenceAmount)>

Thank you as always!

Eric
Question by:Eric Bourland
6 Comments
 
LVL 39

Assisted Solution

by:gdemaria
gdemaria earned 250 total points
ID: 40314640
Hi Eric,
There are a variety of ways; one way is to just fetch the amount from the database again after the form is submitted. Then you can recalculate the totals and compare them to what was submitted in the cart - if they differ, someone tampered or the price just changed or something... redraw the screen and tell the user to submit again.
 
LVL 52

Accepted Solution

by:_agx_
_agx_ earned 250 total points
ID: 40314757
Edit:
Agreed and that's how the "getConferenceAmount.amount" is handled.  The action page runs a query to look up the selected conference and determine the amount. However, the distinction I was making about "PreconferenceAmount" is that it sounded like the action page was just accepting whatever dollar amount was submitted and inserting it directly into the db table - without any validation. If so, it could be altered. You should validate it before storing the value in your db table.  

One option is to store the expected amount in a db table, like with the other conference fees. Then validate it the same way. Run a query to get the expected amount. Throw an error if it doesn't match. But if the amount will always be 100, it may be simpler to hard-code it:

            <cfif val(FORM.theAmountField) NEQ 100>
                <cfabort showerror="Wrong preconference amount!">
            </cfif>

The likelihood this will happen is probably small, but I just wanted to point out it was possible to circumvent the payment validation.
 
LVL 3

Author Comment

by:Eric Bourland
ID: 40315027
This is a registration page for a small, close-knit group of people. (Given that the topic is salient, I wish the group were larger.) Larceny on the registration page is unlikely. But on general principles I would like to apply some more security to the page.

The amount (100.00) will not change. So, would something like this work?

    <!--- obtain a valid amount for variable "form.PreconferenceAmount"; this will obtain a value for PreconferenceAmount as entered in #request.RegisterTable# --->
    <cfquery name="getPreconferenceAmount" datasource="#application.datasource#">
        SELECT PreconferenceAmount
        FROM #request.RegisterTable#
        WHERE RegisterID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.RegisterID)#">
    </cfquery>

    <cfif val(FORM.PreconferenceAmount) NEQ 100>
        <cfabort showerror="Wrong preconference amount!">
    </cfif>

 
LVL 39

Assisted Solution

by:gdemaria
gdemaria earned 250 total points
ID: 40315095
Yes, that would work. I don't recall where the value 100 comes from in your previous post, but instead of hard-coding it deep in the code you could set a global variable (or store it in the database).

In application.cfc you could set the amount

<cfset request.PreConferenceAmount = 100>

and then refer to it throughout your app.
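Putting the two suggestions together (gdemaria's "fetch the amount again and compare the recalculated total to what was submitted" and _agx_'s fixed preconference fee, held in request scope as in the comment above), here is an added example of how the action page could validate the charge before anything goes to authorize.net. This is not code from the thread; FORM.submittedTotal, FORM.attendPreconference and validatedTotal are assumed names, and request.PreConferenceAmount is assumed to be set in Application.cfc as described.

```cfml
<!--- Added example, not from the thread. Assumed names: FORM.submittedTotal (what the
      browser claims the total is), FORM.attendPreconference (checkbox, "1" when checked),
      validatedTotal, and request.PreConferenceAmount set in Application.cfc. --->

<!--- 1. Authoritative conference fee: looked up by ID from the fee table, never read from the form --->
<cfquery name="getConferenceAmount" datasource="#application.datasource#">
    SELECT amount, ConferenceFeeTitle
    FROM #REQUEST.conferenceFeeTable#
    WHERE ConferenceFeeTypeID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(FORM.ConferenceFeeTypeID)#">
</cfquery>

<cfif getConferenceAmount.recordCount NEQ 1>
    <!--- Unknown fee ID: stop here, otherwise val() of an empty column would quietly make the fee 0 --->
    <cfabort showerror="The selected conference fee is invalid.">
</cfif>

<!--- 2. Preconference fee: fixed, taken from the application setting, not from the form.
      Charge it only when the attendee actually selected the option. --->
<cfset expectedPreconference = 0>
<cfif structKeyExists(FORM, "attendPreconference") AND FORM.attendPreconference EQ "1">
    <cfset expectedPreconference = request.PreConferenceAmount>
</cfif>

<!--- 3. Server-side total: the only value allowed to reach the payment gateway or the db --->
<cfset validatedTotal = val(getConferenceAmount.amount) + expectedPreconference>

<!--- 4. Compare with what the browser claimed. Comparing whole cents means "100.0" and "100.00"
      both pass, while 0, 1 or 99.99 all fail. --->
<cfset submittedCents = round(val(FORM.submittedTotal) * 100)>
<cfset expectedCents  = round(validatedTotal * 100)>

<cfif submittedCents NEQ expectedCents>
    <!--- Log the mismatch so a tampered or stale cart is visible to the site owner, then halt.
          cfabort is what actually stops the page; a bare cfif message alone would not. --->
    <cflog file="payment" type="warning"
           text="Amount mismatch for RegisterID #val(FORM.RegisterID)#: submitted #FORM.submittedTotal#, expected #validatedTotal#">
    <cfabort showerror="The payment amount is invalid. Please review your registration and submit again.">
</cfif>

<!--- 5. From here on use validatedTotal, never FORM.submittedTotal, both for the authorize.net
      request and for the PreconferenceAmount written to #request.RegisterTable# --->
<cfset amount = validatedTotal>
```

If the preconference fee is ever moved into a table as _agx_ suggests, only step 2 changes: replace the request-scope read with a cfquery and the same cfabort-on-zero-records check used for the conference fee.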
 
LVL 52

Assisted Solution

by:_agx_
_agx_ earned 250 total points
ID: 40315114
>> Larceny on the registration page is unlikely.

Exactly, but good to address it in case you use this as template for other sites as well.

>> Instead of hard coding it deep in the code you could set a global variable.  

Ah, that's better.  I was having a failure of imagination trying to illustrate hard-coded/static value vs db query storage.
 
LVL 3

Author Closing Comment

by:Eric Bourland
ID: 40315144
gdemaria, _agx_,

For now I will just code it in the action page. I commented the code and will remember what I did.

It is working great and the client (www.nnvawi.org) is happy. Thank you as always.

Hope your day is going great.

Eric