
Validate currency amounts in registration form

Posted on 2014-09-10
Last Modified: 2014-09-10
Good morning. _agx_ brings up an important point in my conference registration form; I hope it is OK if I quote from his helpful remarks:

> Be careful accepting amounts submitted by the user, as they can easily be changed. If you know the amount should be $100, when the box is checked, validate it before saving it to your db. Make sure it has not been changed to something else like 0 ...

>> <cfif getConferenceAmount.recordCount eq 0>
>>     The payment amount is invalid.
>> </cfif>

> Hm... is this on your action page? ie Where you calculate the total charges before redirecting to authorize.net? If so, that CFIF won't halt processing unless you include a cfabort. Otherwise, the transaction will still continue - even if the conference isn't valid. The amount will just be $0, ie Free

This is indeed on my action page -- confirmationPage.cfm.

How can I make this code more secure? Maybe something like:

<!--- look up the fee for the submitted ConferenceFeeTypeID; the amount comes from #REQUEST.conferenceFeeTable#, never from the form --->
<cfquery name="getConferenceAmount" datasource="#application.datasource#">
    SELECT amount, ConferenceFeeTitle
    FROM #REQUEST.conferenceFeeTable#
    WHERE ConferenceFeeTypeID = <cfqueryparam cfsqltype="cf_sql_integer" value="#FORM.ConferenceFeeTypeID#">
</cfquery>

<!--- no matching fee type: halt here so the gateway redirect further down is never reached --->
<cfif getConferenceAmount.recordCount eq 0>
    <cfabort showerror="The payment amount is invalid!">
</cfif>

<!--- look up the PreconferenceAmount already stored for this RegisterID in #request.RegisterTable# --->
<cfquery name="getPreconferenceAmount" datasource="#application.datasource#">
    SELECT PreconferenceAmount
    FROM #request.RegisterTable#
    WHERE RegisterID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.RegisterID)#">
</cfquery>

<cfif getPreconferenceAmount.recordCount eq 0>
    <cfabort showerror="The payment amount is invalid!">
</cfif>

<!--- combine the two database-sourced amounts into the total delivered to authorize.net --->
<cfset amount = val(getConferenceAmount.amount) + val(getPreconferenceAmount.PreconferenceAmount)>

Thank you as always!

Eric
Question by:Eric Bourland

Assisted Solution by gdemaria (ID: 40314640)
Hi Eric,
There are a variety of ways; one way is to just fetch the amount from the database again after the form is submitted. Then you can recalculate the totals and compare them to what was submitted in the cart - if they differ, someone tampered or the price just changed or something... redraw the screen and tell the user to submit again.

Accepted Solution by _agx_ (ID: 40314757)
Edit:
Agreed and that's how the "getConferenceAmount.amount" is handled.  The action page runs a query to look up the selected conference and determine the amount. However, the distinction I was making about "PreconferenceAmount" is that it sounded like the action page was just accepting whatever dollar amount was submitted and inserting it directly into the db table - without any validation. If so, it could be altered. You should validate it before storing the value in your db table.  

One option is to store the expected amount in a db table, like with the other conference fees. Then validate it the same way. Run a query to get the expected amount. Throw an error if it doesn't match. But if the amount will always be 100, it may be simpler to hard code it:

<cfif val(FORM.theAmountField) NEQ 100>
    <cfabort showerror="Wrong preconference amount!">
</cfif>

The likelihood this will happen is probably small, but I just wanted to point out it was possible to circumvent the payment validation.
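
The following is an added example, not code from the thread or from the registration site, that puts the two suggestions above together: gdemaria's approach of recomputing the total from the database after submission and comparing it with what the client sent, and _agx_'s check that the preconference line item equals the fixed fee. It also shows the fail-open pattern _agx_ warned about in the question: a check that only reports a problem, without aborting, still hands the gateway whatever val() makes of the submitted field, which for junk input is 0. It is written in Python rather than CFML so it can run stand-alone; the fee table contents, the attendPreconference and amount field names, and the cf_val helper imitating ColdFusion's val() are assumptions made for the example.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed stand-in for the ConferenceFee table the action page queries:
# ConferenceFeeTypeID -> (ConferenceFeeTitle, amount). Prices live only here.
CONFERENCE_FEES = {
    1: ("Full registration", Decimal("250.00")),
    2: ("Student registration", Decimal("100.00")),
}

# The fixed preconference fee, held as one application-wide value rather than
# buried in the action page (the request.PreConferenceAmount idea from the thread).
PRECONFERENCE_AMOUNT = Decimal("100.00")


class InvalidPayment(Exception):
    """Raised to halt processing, so the caller never reaches the gateway redirect."""


def cf_val(raw):
    """Imitates ColdFusion's val(): the leading numeric prefix of the string,
    or 0 when there is none. This is what silently turns 'free' into $0."""
    m = re.match(r"^\s*[-+]?(?:\d+\.?\d*|\.\d+)", str(raw))
    return Decimal(m.group(0).strip()) if m else Decimal(0)


def parse_money(raw):
    """Strict parse of a submitted dollar amount: reject anything that is not a
    finite decimal with at most two places instead of coercing it to 0."""
    try:
        amount = Decimal(str(raw).strip())
    except InvalidOperation:
        raise InvalidPayment(f"not a dollar amount: {raw!r}")
    if not amount.is_finite() or amount.as_tuple().exponent < -2:
        raise InvalidPayment(f"not a dollar amount: {raw!r}")
    return amount


def expected_total(form):
    """Recompute what the registrant owes from server-side data only.
    Any price fields in the submitted form are ignored here."""
    try:
        fee_id = int(form["ConferenceFeeTypeID"])
    except (KeyError, ValueError):
        raise InvalidPayment("missing or non-integer ConferenceFeeTypeID")
    if fee_id not in CONFERENCE_FEES:               # the recordCount eq 0 case
        raise InvalidPayment("The payment amount is invalid!")
    total = CONFERENCE_FEES[fee_id][1]
    if form.get("attendPreconference") == "on":     # assumed checkbox field name
        total += PRECONFERENCE_AMOUNT
    return total


def validate_payment(form):
    """Fail-closed: returns the amount to charge, or raises InvalidPayment."""
    expected = expected_total(form)
    if form.get("attendPreconference") == "on":
        # _agx_'s check: the submitted preconference line must equal the fixed fee.
        if parse_money(form.get("PreconferenceAmount", "")) != PRECONFERENCE_AMOUNT:
            raise InvalidPayment("Wrong preconference amount!")
    submitted = parse_money(form.get("amount", ""))
    if submitted != expected:
        raise InvalidPayment(f"amount tampered: got {submitted}, expected {expected}")
    return expected


def is_rejected(form):
    """True when validate_payment would halt processing for this submission."""
    try:
        validate_payment(form)
    except InvalidPayment:
        return True
    return False


def charge_amount_fail_open(form):
    """The pattern _agx_ warned about: the check records a message but nothing
    aborts, so the page runs on and passes val() of whatever was sent to the gateway."""
    errors = []
    if int(cf_val(form.get("ConferenceFeeTypeID", ""))) not in CONFERENCE_FEES:
        errors.append("The payment amount is invalid.")
    # No abort here: the redirect to the gateway still happens with this amount.
    return errors, cf_val(form.get("amount", ""))
```

In validate_payment the client's figures are only ever compared against the server's own, never used as the charge; the value returned is the recomputed one, so even a submission that passes every check cannot lower the price. charge_amount_fail_open is the shape to avoid: an unknown fee type and an amount of "free" produce an error message and a $0 charge in the same breath.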

Author Comment by Eric Bourland (ID: 40315027)
This is a registration page for a small, close-knit group of people. (Given that the topic is salient, I wish the group were larger.) Larceny on the registration page is unlikely. But on general principles I would like to apply some more security to the page.

The amount (100.00) will not change. So, would something like this work?

<!--- obtain a valid amount for variable "form.PreconferenceAmount"; this will obtain a value for PreconferenceAmount as entered in #request.RegisterTable# --->
<cfquery name="getPreconferenceAmount" datasource="#application.datasource#">
    SELECT PreconferenceAmount
    FROM #request.RegisterTable#
    WHERE RegisterID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.RegisterID)#">
</cfquery>

<cfif val(FORM.PreconferenceAmount) NEQ 100>
    <cfabort showerror="Wrong preconference amount!">
</cfif>


Assisted Solution by gdemaria (ID: 40315095)
Yes, that would work. I don't recall where the value 100 comes from in your previous post, but instead of hard coding it deep in the code you could set a global variable (or store it in the database).

In application.cfc you could set the amount

<cfset request.PreConferenceAmount = 100>

and then refer to it throughout your app.

Assisted Solution by _agx_ (ID: 40315114)
>> Larceny on the registration page is unlikely.

Exactly, but good to address it in case you use this as template for other sites as well.

>> Instead of hard coding it deep in the code you could set a global variable.  

Ah, that's better.  I was having a failure of imagination trying to illustrate hard coded/static value vs db query storage.

Author Closing Comment by Eric Bourland (ID: 40315144)
gdemaria, _agx_,

For now I will just code it in the action page. I commented the code and will remember what I did.

It is working great and the client (www.nnvawi.org) is happy. Thank you as always.

Hope your day is going great.

Eric