I was using something like this:
<input type="hidden" name="ids" value="1, 3, 5" />
<input type="hidden" name="cost" value="350" />
But I was thinking, somebody could just change the cost to say “3” and pay for it for $3.00.. so I was thinking, would a securer(sp) option be setting these values into sessions when they load page, like so:
<?
unset($_SESSION['baskettotal']);
unset($_SESSION['basketids']);
$_SESSION['baskettotal'] = $grand;
$_SESSION['basketids'] = implode(", ", $ids);
?>
<input type="hidden" name="hash" value="<?=md5('stackoverflow'.$_SESSION['baskettotal'].$_SESSION['basketids']);?>" />
<?
if (($_POST['hash']) != (md5('stackoverflow'.$_SESSION['baskettotal'].$_SESSION['basketids']))){
echo "error";
die();
}
?>
Is this a good way of doing it? As they cannot edit the sessions, it’s defined by whats in their basket, as opposed to storing it in hidden input fields which they could easily manipulate?
You are indeed correct, this is a good method of doing this.
1) Create a session that contains the hash of all the values from that form.
2) When the form is submitted, calculate the hash of the values from the form and compare them against the one in the SESSION var. If they are the same, the user didn’t change anything… if they differ, obviously the user changed something.
Just to clarify, the user cannot change any of the SESSION variables, however if you stored this in a cookie for example, the user could potentially edit the hash via that cookie (since it is stored client side, as opposed to server side with sessions).
An example might be:
and when the user submits the form: