Solved

Validate currency amounts in registration form

Posted on 2014-09-10
Last Modified: 2014-09-10
Good morning. _agx_ brings up an important point in my conference registration form; I hope it is OK if I quote from his helpful remarks:

>>>Be careful accepting amounts submitted by the user, as they can easily be changed. If you know the amount should be $100 when the box is checked, validate it before saving it to your db. Make sure it has not been changed to something else like 0 ...

>><cfif getConferenceAmount.recordCount eq 0>
>> The payment amount is invalid.
>> </cfif>

>>>Hm... is this on your action page? ie Where you calculate the total charges before redirecting to authorize.net? If so, that CFIF won't halt processing unless you include a cfabort. Otherwise, the transaction will still continue - even if the conference isn't valid. The amount will just be $0, i.e. free.

This is indeed on my action page -- confirmationPage.cfm.

How can I make this code more secure? Maybe something like:

 <!--- obtain a valid amount for variable "amount"; this will confirm that amount entered in #REQUEST.conferenceFeeTable# is correct amount --->
     <cfquery name="getConferenceAmount" datasource="#application.datasource#"> 
         SELECT amount, ConferenceFeeTitle
         FROM #REQUEST.conferenceFeeTable# 
         WHERE ConferenceFeeTypeID = <cfqueryparam cfsqltype="cf_sql_integer" value="#FORM.ConferenceFeeTypeID#">
     </cfquery>

     <cfif getConferenceAmount.recordCount eq 0>
     <cfabort showerror="The payment amount is invalid!">
     </cfif>
     
     
     
     <!--- obtain a valid amount for variable "form.PreconferenceAmount"; this will obtain a value for PreconferenceAmount as entered in #request.RegisterTable# --->
     <cfquery name="getPreconferenceAmount" datasource="#application.datasource#"> 
         SELECT PreconferenceAmount
         FROM #request.RegisterTable#
         WHERE RegisterID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.RegisterID)#">
     </cfquery>
     
     <cfif getPreconferenceAmount.recordCount eq 0>
     <cfabort showerror="The payment amount is invalid!">
     </cfif>
     
     <!--- add getConferenceAmount.amount and getPreconferenceAmount.PreconferenceAmount to obtain a combined amount to deliver to authorize.net --->
     <cfset amount = val(getConferenceAmount.amount) + val(getPreconferenceAmount.PreconferenceAmount)> 
     
     



Thank you as always!

Eric
6 Comments
 
LVL 39

Assisted Solution

by:gdemaria
gdemaria earned 250 total points
ID: 40314640
Hi Eric,
There are a variety of ways. One way is to just fetch the amount from the database again after the form is submitted. Then you can recalculate the totals and compare them to what was submitted in the cart. If they differ, someone tampered, or the price just changed, or something... Redraw the screen and tell the user to submit again.
LVL 52

Accepted Solution

by:_agx_
_agx_ earned 250 total points
ID: 40314757
Edit:
Agreed and that's how the "getConferenceAmount.amount" is handled.  The action page runs a query to look up the selected conference and determine the amount. However, the distinction I was making about "PreconferenceAmount" is that it sounded like the action page was just accepting whatever dollar amount was submitted and inserting it directly into the db table - without any validation. If so, it could be altered. You should validate it before storing the value in your db table.  

One option is to store the expected amount in a db table, like with the other conference fees. Then validate it the same way: run a query to get the expected amount and throw an error if it doesn't match. But if the amount will always be 100, it may be simpler to hard code it:

     <!--- reject the request outright; a cfif alone would not stop the page --->
     <cfif val(FORM.theAmountField) NEQ 100>
         <cfabort showerror="Wrong preconference amount!">
     </cfif>

The likelihood this will happen is probably small, but I just wanted to point out it was possible to circumvent the payment validation.
LVL 3

Author Comment

by:Eric Bourland
ID: 40315027
This is a registration page for a small, close-knit group of people. (Given that the topic is salient, I wish the group were larger.) Larceny on the registration page is unlikely. But on general principles I would like to apply some more security to the page.

The amount (100.00) will not change. So, would something like this work?

     <!--- obtain a valid amount for variable "form.PreconferenceAmount"; this will obtain a value for PreconferenceAmount as entered in #request.RegisterTable# --->
     <cfquery name="getPreconferenceAmount" datasource="#application.datasource#"> 
         SELECT PreconferenceAmount
         FROM #request.RegisterTable#
         WHERE RegisterID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.RegisterID)#">
     </cfquery>
     
           <cfif val(FORM.PreconferenceAmount) NEQ 100>
                <cfabort showerror="Wrong preconference amount!">
           </cfif>

LVL 39

Assisted Solution

by:gdemaria
gdemaria earned 250 total points
ID: 40315095
Yes, that would work. I don't recall where the value 100 comes from in your previous post, but instead of hard coding it deep in the code you could set a global variable (or store it in the database).

In application.cfc you could set the amount

<cfset request.PreConferenceAmount = 100>

and then refer to it throughout your app.
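The approach gdemaria describes above (fetch the price again after submission, recompute the total on the server, compare it with what the browser sent, and stop if they differ), together with the application-scoped constant suggested in the last comment, combined into one action page. This is an added example, not code posted in the thread. It assumes a checkbox field form.attendPreconference (1 when checked), a hidden field form.amount carrying the browser-side total, and that application.datasource and request.conferenceFeeTable are set in Application.cfc as in Eric's code; those field names are hypothetical.

```cfml
<!--- Added example, not from the thread. In Application.cfc (e.g. onRequestStart()),
      define the trusted preconference fee once so no page reads it from the form: --->
<cfset request.PreConferenceAmount = 100>

<!--- confirmationPage.cfm: every number that reaches authorize.net is recomputed here --->
<cfparam name="form.ConferenceFeeTypeID" default="0">
<cfparam name="form.attendPreconference" default="0">  <!--- assumed checkbox field --->
<cfparam name="form.amount" default="0">               <!--- assumed browser-side total --->

<!--- 1. Conference fee: the submitted value is only an ID; the price comes from the table --->
<cfquery name="getConferenceAmount" datasource="#application.datasource#">
    SELECT amount, ConferenceFeeTitle
    FROM #request.conferenceFeeTable#
    WHERE ConferenceFeeTypeID = <cfqueryparam cfsqltype="cf_sql_integer" value="#val(form.ConferenceFeeTypeID)#">
</cfquery>

<!--- Exactly one row is expected; anything else means a bad or guessed ID --->
<cfif getConferenceAmount.recordCount NEQ 1>
    <cfabort showerror="The selected conference fee is invalid.">
</cfif>

<!--- 2. Preconference fee: server-side constant, added only when the box was checked.
        The form never supplies the dollar figure, only the yes/no choice. --->
<cfset preconferenceAmount = 0>
<cfif val(form.attendPreconference) EQ 1>
    <cfset preconferenceAmount = request.PreConferenceAmount>
</cfif>

<!--- 3. Expected total built entirely from trusted values --->
<cfset expectedAmount = val(getConferenceAmount.amount) + preconferenceAmount>

<!--- 4. Compare with what the browser sent. NEQ on two numeric values compares them
        numerically, so "100.00" and 100 agree. cfabort (not just a message) stops the
        page, which is the difference _agx_ pointed out. --->
<cfif NOT isNumeric(form.amount) OR val(form.amount) NEQ expectedAmount>
    <cflog file="payments" type="warning"
           text="Amount mismatch for fee type #val(form.ConferenceFeeTypeID)#: submitted '#form.amount#', expected #expectedAmount#">
    <cfabort showerror="The payment amount is invalid. Please submit the form again.">
</cfif>

<!--- 5. Only the recomputed value is stored in the register table and sent to authorize.net --->
<cfset amount = expectedAmount>
```

The submitted form.amount is used for nothing except the comparison; if a user edits it to 0 the page logs the mismatch and aborts, and if the price table changes between rendering and submission the same check catches the stale total and asks for a resubmit, which is the "price just changed" case gdemaria mentions.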
LVL 52

Assisted Solution

by:_agx_
_agx_ earned 250 total points
ID: 40315114
>> Larceny on the registration page is unlikely.

Exactly, but good to address it in case you use this as template for other sites as well.

>> Instead of hard coding it deep in the code you could set a global variable.  

Ah, that's better.  I was having a failure of imagination trying to illustrate hard coded/static value vs db query storage.
LVL 3

Author Closing Comment

by:Eric Bourland
ID: 40315144
gdemaria, _agx_,

For now I will just code it in the action page. I commented the code and will remember what I did.

It is working great and the client (www.nnvawi.org) is happy. Thank you as always.

Hope your day is going great.

Eric