Is jQuery an acceptable method to process product variation calculations in an E-Commerce site?
Question
I'm creating a very simple store with literally one product where the user can choose different options and, dependant on the options selected, this will generate the total cost for the item. So for example, if the user selects the red variant, the price will increase by 5%, if the user selects the blue variant then the price will increase by 10%.
Currently I'm making the calculations with jQuery and then passing them to an empty field which is then posted to a payment gateway. Is this method safe? Theoretically, a user could open up Firebug or Chrome Developer Tools and edit the value (to zero) before posting it to the gateway but couldn't this apply to similar methods of product variation calculations? I'm trying to figure out whether or not this is an issue, but is there a better way?
3 answers
solution1
2 ACCPTED 2013-05-23 14:31:49
This is definitely an issue, as you said yourself a user can modify the values.
So, you would show a price to the user on the client side, it doesn't matter how the value is generated because it will never be trusted by the server and will never be passed to the payment gateway.
User presses "buy now", is redirected to the payment gateway, but via your own server first. The server should validate the product and calculate the price.
The final price (calculated by your own server) will be shown to the user at point of payment.
On the client side you could either continue to generate the values with JQuery, or have the server return them via an AJAX request. But this would only be for user experience, the values could not be trusted.
solution2
1 2013-05-23 14:28:18
After a PayPal payment been proceed, PayPal sends IPN (Instant Payment Notification) message to the url you specify.You have to resend it to verify if the message is original from paypal. After that, to be sure the user payed the right amount of money you get the values from IPN (it may come with user Id. transaction ID and so on...) and check them with your DataBase.
Some useful links:
Rule number one in e-commerce website: Never trust Users So, this is the right process:
After calculations with jQuery and then passing them to an empty field which is then posted to a payment gateway, store the user name/id, transaction, and amount in database. Create method that verify, the stored values with the IPN response from paypal.
If values match, payment succeed. Else, mark it for later hand verification(you should store the id so it is easier to find on paypal).
solution3
1 2013-05-23 14:31:28
If you choose this method, you sholud probably store product configuration (like string represenetaion od JSON or comma delimited field, etc.) in a hidden field, calculate the price (client or server side) and show price only as an information to a customer.
When he submits the configuration, validate it and calcuclate pice again on server.
That way customer could change the configuration (trough Firebug or so), but could not change the price since it is calculated based on a configuration.
Well, that is how i would do it.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.