Question

Ok so I'm working on some coursework, and my main goal is to create a deliberately vulnerable web application and a secure one to compare the differences between the two. I'm doing pretty well with most of the app; however, I have been stumped.

I need to create a part of the web app which lets me buy an item from the web page, note that users buy tokens on the website and the tokens are used to buy items on the website.

For example, a book may cost 100 tokens. The user would have to purchase 100 tokens to buy the book.

In the deliberately vulnerable webapp I'll simply make the 'Purchase' button redirect to /buyItem?id=01 for an item with ID 1. The obvious downside to this would be that someone could send a link to a user off the web app which directs them to /buyItem?id=01, and it would automatically bill them, reducing the tokens from their balance and redirecting them to a default webpage. I was wondering what the best way to secure this feature would be.

I thought about using a referrer value to make sure they have come from the correct page however these could easily be spoofed.

If anything needs to be explained I'd be happy to explain more. The system of buying tokens etc sucks but it's part of the coursework specification.


Solution

I would send the request via $_POST. This way the URL can't be easily modified. Then, assuming you're recording the "credits" in a database, simply check the available balance of the user. If the balance is greater than the purchase price, approve the transaction.

It's a basic method, but for what you're doing, I think it will work.
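The following is an added example, not code from the question or the answer, showing the two pieces together: the endpoint accepts only POST and requires a per-session anti-forgery token (so a link such as /buyItem?id=01, or a form on another site, cannot bill the user), and the balance check from the answer is done as a single conditional UPDATE so two concurrent purchases cannot both spend the same tokens. It assumes a PHP handler, an in-memory SQLite database with constructed sample rows, and arrays standing in for $_SERVER, $_POST and $_SESSION so it runs from the command line.

```php
<?php
// Added example (not from the question or answer). Assumes PHP with PDO SQLite.
declare(strict_types=1);

// Issue (or reuse) a random token stored in the session; the purchase form
// embeds it as a hidden field. A cross-site page cannot read it.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Reject anything that is not a POST carrying the session's token.
// Returns null when the request is acceptable, otherwise the reason.
function reject_reason(array $server, array $post, array $session): ?string {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'method not allowed';            // plain links always arrive as GET
    }
    $expected = $session['csrf_token'] ?? '';
    $given = (string)($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 'invalid csrf token';            // forged or replayed form
    }
    return null;
}

// Deduct the item price only if the balance still covers it, in one statement,
// so a read-then-write race cannot let the balance go negative.
function purchase(PDO $db, int $userId, int $itemId): bool {
    $db->beginTransaction();
    try {
        $sel = $db->prepare('SELECT price FROM items WHERE id = :id');
        $sel->execute([':id' => $itemId]);
        $price = $sel->fetchColumn();
        if ($price === false) {                 // unknown item
            $db->rollBack();
            return false;
        }
        $upd = $db->prepare(
            'UPDATE users SET balance = balance - :p1 WHERE id = :uid AND balance >= :p2'
        );
        $upd->execute([':p1' => (int)$price, ':uid' => $userId, ':p2' => (int)$price]);
        $ok = $upd->rowCount() === 1;           // 0 rows means insufficient tokens
        if ($ok) { $db->commit(); } else { $db->rollBack(); }
        return $ok;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Demo with constructed data (run with: php purchase.php).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)');
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, price INTEGER NOT NULL)');
$db->exec('INSERT INTO users VALUES (1, 150)');   // user 1 holds 150 tokens
$db->exec('INSERT INTO items VALUES (1, 100)');   // the book costs 100 tokens

$session = [];                                    // stands in for $_SESSION
$token = csrf_token($session);                    // would be rendered into the form

// A mailed link like /buyItem?id=1 arrives as GET with no token: rejected.
var_dump(reject_reason(['REQUEST_METHOD' => 'GET'], ['id' => '1'], $session));
// An auto-submitting form on another site posts without the token: rejected.
var_dump(reject_reason(['REQUEST_METHOD' => 'POST'], ['id' => '1', 'csrf_token' => 'x'], $session));
// The site's own form submits the token: accepted, then the balance rule decides.
$post = ['id' => '1', 'csrf_token' => $token];
if (reject_reason(['REQUEST_METHOD' => 'POST'], $post, $session) === null) {
    var_dump(purchase($db, 1, (int)$post['id']));   // true: 150 -> 50
    var_dump(purchase($db, 1, (int)$post['id']));   // false: 50 < 100
}
```

Switching to POST on its own only stops the plain-link case; a page elsewhere can still auto-submit a POST form into the victim's logged-in session, which is what the token check closes. Setting the session cookie with the SameSite attribute adds a second, independent layer. The balance rule lives in the UPDATE's WHERE clause rather than in a separate SELECT-then-UPDATE so that concurrent requests cannot both pass the check.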

Licensed under: CC-BY-SA with attribution