JavaScript Shopping Cart with CI, Help About Security Issues and Considerations!
#1

[eluser]alekz[/eluser]
Hi, I'm developing a site that needs a shopping cart. It's a multistore site, but I want to build this one with JavaScript using jQuery and CI. The way I'm doing it is the following:

1.- Create a view with the articles; in divs called "item" I put the id, name, image, description, price, and a text input for the quantity of every article. In another div called "shopping cart" I insert an empty form called "shopping" directed to a controller called "shopping/insert".

2.- A JS function on the onChange event takes the quantity entered by the client and puts the article data inside the "shopping" form.

I know that this is the logical way to do it, but I need to know what security considerations I need to take on the server side to avoid an issue.

I was thinking of doing:

1.- Check on the server side whether the idArticle exists in the current store, to avoid putting the idArticle of one store into another if a user introduces malicious code with wrong ids.

2.- Check the quantities, check sessions.

I read that a good way is using cookies, but I don't know how to do that...

I'm waiting for your suggestions!


Best Regards
From Mexico
#2

[eluser]meigwilym[/eluser]
Hi,

Before going straight in and building a JS shopping cart, you may want to consider the accessibility issues. I think you'd be better off building a standard HTML/PHP cart, and then AJAXifying it later.

This way you won't be missing the x% of your visitors who don't have JS enabled, and so won't miss any sales.

I'm not quite sure how to answer your questions, but if you feel you're inexperienced with certain aspects of PHP then take a close look at the very excellent user manual that's available. I've learned much about programming from it.

Good luck with your project,

Mei
#3

[eluser]alekz[/eluser]
I was thinking of something like aSSL, which you can find here.
It's a library to enable SSL without HTTPS. Currently it is only for ASP; I will try to port it to PHP with an ASP to PHP translator.

I'm waiting for ideas and security advice...
#4

[eluser]The Questioner[/eluser]
I'm currently building an all-singing, all-dancing comprehensive ecommerce site using CodeIgniter. I too have come across the same issues that you have mentioned in this thread.

One of the key things to remember is always strip, clean and shoe-horn any data you receive from the browser, whether this data is from POST or GET, from HTML or JavaScript/jQuery triggered events. For example, if your visitor selects and adds a product to the cart, your controller should first clean (trim, set max string length, htmlentities, etc.) and force convert the passed product ID into an integer (assuming the product ID is stored as an integer). The controller should then check if this product exists within the database. If it does, then clean the quantity field and ensure that you have a check for min and max values allowed. Only after all of these checks have been done should the product be added to the cart.

Regarding usage of JavaScript/jQuery, it depends on what your target audience is. If you're creating a store selling clothes, then most of your visitors will be Joe & Jane Doe, who will typically have JavaScript enabled (as it's the default setting). Estimates differ on the number of web users that have JavaScript disabled, but it's around the 1.5% mark (Google is your friend).

The question is, do you want to go through all the extra effort to ensure that your site works nicely without JavaScript enabled, especially if this effort is for 1.5% of your target market? Meigwilym makes some good points, but where do you draw the line and at what cost?
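The server-side checks described in post #1 (product id must belong to the current store, quantities and session must be checked) and spelled out as a procedure in post #4 (cast the id to an integer, confirm it exists, bound the quantity, only then add to the cart) come down to one rule: the cart line is built from server-side data, and the only things taken from the browser are two validated integers. The following is an added example written for this thread, not code from either poster or from CodeIgniter. It is plain PHP so it runs on its own; the `$PRODUCTS` array is constructed sample data standing in for the products table, `build_cart_line()` stands in for the body of a `shopping/insert` controller method, and the store id is assumed to come from the session rather than from the form.

```php
<?php
// Added example: validating a cart "add item" request on the server.
// Assumptions (not from the thread): products have an integer id and a
// store_id column; the current store id is kept in the session; the
// $PRODUCTS array below is constructed sample data in place of the database.

const QTY_MIN = 1;
const QTY_MAX = 99;

// Constructed sample catalogue: two stores, three products.
$PRODUCTS = [
    ['id' => 1, 'store_id' => 10, 'name' => 'Red T-shirt',  'price' => 150.00],
    ['id' => 2, 'store_id' => 10, 'name' => 'Blue Jeans',   'price' => 499.50],
    ['id' => 3, 'store_id' => 20, 'name' => 'Coffee Beans', 'price' => 89.00],
];

// Look a product up by id, scoped to the current store, so an id that
// belongs to another store cannot be smuggled in through the form.
function find_product(array $products, int $id, int $store_id): ?array
{
    foreach ($products as $p) {
        if ($p['id'] === $id && $p['store_id'] === $store_id) {
            return $p;
        }
    }
    return null;
}

// Validate the POSTed fields and return a cart line built only from
// catalogue data plus the validated quantity. Throws on any bad input.
// Client-supplied name and price, if present, are ignored entirely.
function build_cart_line(array $post, int $store_id, array $products): array
{
    // 1. Product id: must be a string of digits, then cast to int.
    if (!isset($post['id']) || !ctype_digit(trim((string) $post['id']))) {
        throw new InvalidArgumentException('invalid product id');
    }
    $id = (int) trim((string) $post['id']);

    // 2. Product must exist in THIS store.
    $product = find_product($products, $id, $store_id);
    if ($product === null) {
        throw new InvalidArgumentException('product not found in current store');
    }

    // 3. Quantity: digits only, then bounded by QTY_MIN..QTY_MAX.
    if (!isset($post['qty']) || !ctype_digit(trim((string) $post['qty']))) {
        throw new InvalidArgumentException('invalid quantity');
    }
    $qty = (int) trim((string) $post['qty']);
    if ($qty < QTY_MIN || $qty > QTY_MAX) {
        throw new InvalidArgumentException('quantity out of range');
    }

    // 4. Build the line from the catalogue record, never from the form.
    return [
        'id'       => $product['id'],
        'name'     => $product['name'],
        'price'    => $product['price'],
        'qty'      => $qty,
        'subtotal' => round($product['price'] * $qty, 2),
    ];
}

// Usage: simulated requests. In a CI controller $post would be
// $this->input->post() and $store_id would come from the session.
$current_store = 10;

// Valid request; the client's "price" field is ignored, 499.50 comes from the catalogue.
$line = build_cart_line(['id' => '2', 'qty' => '3', 'price' => '0.01'], $current_store, $PRODUCTS);
echo json_encode($line), PHP_EOL;

// Requests that must be rejected.
foreach ([
    ['id' => '3', 'qty' => '1'],          // exists, but belongs to store 20
    ['id' => '2 OR 1=1', 'qty' => '1'],   // not an integer
    ['id' => '1', 'qty' => '500'],        // above QTY_MAX
    ['id' => '1', 'qty' => '-1'],         // below QTY_MIN (ctype_digit rejects the sign)
] as $bad) {
    try {
        build_cart_line($bad, $current_store, $PRODUCTS);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Two points worth keeping in mind when moving this into a controller. The store id is read from the session, not from a hidden field, because the whole point of the first check is that the client does not get to choose which store's catalogue it is matched against. And `htmlentities()` is an output-time concern: escape the product name when it is rendered in the cart view, rather than storing an escaped copy, so the same record can also be used safely in other contexts (e-mail receipts, JSON responses).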



