
I'm sure this is a pretty universal question, but I somehow can't find any info on it online. I have an e-commerce site with different product prices. I then use JavaScript to calculate the total price, but where exactly should I store each pricing value to avoid getting hacked?

One tutorial I followed suggests adding the price to each item in the HTML file via a custom attribute, for example data-price="100".

This is very convenient and it works, but I also heard hackers could basically tamper with any of the values in an HTML form, so how do I prevent them from changing the price to 1 instead of 100? Would it be safer to define the values in the JavaScript document instead? Or somewhere else? What is the best practice?

Thank you so much!

Ben Viatte

  • The only way is to show some informational prices on the client side only. Fetch the real prices from your database on the server when handling a request. – Teemu Dec 11 '20 at 15:35
  • Please do not use any client-side input as a source of truth when it comes to money. You can display it, but please do not rely on it to finalize your transaction. – Marcos Barbero Dec 11 '20 at 15:36
  • I don't have time for a full answer, but anything client-side can be messed with. Prices need to come from the server side, be displayed only on the client side, and processing the order needs to happen server side with the server-side prices. – Sydney Y Dec 11 '20 at 15:37
  • You need to create basic price data in the database and validate it with code, perhaps as it says that all websites will have vulnerabilities. However, you can prevent this by doing valid validation of the database so that it cannot be changed via the client side. – Adhitya Dec 11 '20 at 15:40
  • As if security alone were not enough of an issue by itself, consider also that it might be impossible to do any calculation on the client side, as browsers can be set to prevent the execution of JavaScript code (it is not very common, but it can be done pretty easily). – secan Dec 11 '20 at 15:45

2 Answers

Never trust the client.

If they want to order 27 self-sealing stem bolts which cost 5 quatloos each then your JS might tell them that it will cost 135 quatloos but you should never trust their browser for that total.

The browser should tell your server that they are ordering 27 self-sealing stem bolts.

It's up to the server to determine the final amount to charge.

When they make payment you should then compare the sum paid with the server-calculated cost.

Quentin

Generally, calculating the price of a product on the client-side is a practice that should be avoided.

The best way to avoid an attack is to not calculate anything related to money on the client-side, but rather get the information from the server.

Maybe you could implement a process to call the server for the price at a given point in the transaction process, initially displaying a calculated price (from your JavaScript).

Edit: answer only.

CoatCat

  • Thank you for your answer! I am using WordPress, so it's with a PHP server (phpMyAdmin). I have access to the database with phpMyAdmin, but I'm not sure exactly how to create the part about pricing, then fetch the values... this is a field I don't have much experience in. I guess I should do more research and educate myself in MySQL. In any case, big thanks! – Ben Viatte Dec 11 '20 at 16:28
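The pattern both answers describe (the browser sends only product identifiers and quantities, the server prices the order from its own data and checks the paid amount against its own total), as an added Node.js example that is not code from either answer or from the asker's site. The in-memory catalogue and the two request bodies are constructed sample data standing in for the database lookup and for real checkout requests; the 27 stem bolts at 5 quatloos each come from Quentin's answer, expressed in integer minor units (500 = 5.00) so that totals never suffer floating-point drift.

```javascript
"use strict";

// Constructed sample catalogue: in a real shop this is the database row the
// server reads when handling the order request. Prices are integers in minor
// units (e.g. cents) so no float arithmetic is involved anywhere below.
const CATALOGUE = new Map([
  ["stem-bolt", { name: "self-sealing stem bolt", priceMinor: 500 }],
  ["widget", { name: "widget", priceMinor: 10000 }],
]);

// The pattern the question asks about: sum whatever `price` the browser sent
// (for instance copied out of data-price attributes). Shown here only as the
// "before" so the difference to the hardened version is visible.
function totalTrustingClient(lineItems) {
  return lineItems.reduce((sum, li) => sum + li.price * li.quantity, 0);
}

// Hardened version: the client may only say WHAT and HOW MANY. Every unit
// price is looked up server-side; any `price` field in the request is ignored.
// Returns { lines, totalMinor } or throws on malformed input.
function computeOrderTotal(lineItems) {
  if (!Array.isArray(lineItems) || lineItems.length === 0) {
    throw new Error("order must contain at least one line item");
  }
  let totalMinor = 0;
  const lines = [];
  for (const li of lineItems) {
    const qty = li.quantity;
    // Reject fractional, zero, negative or absurd quantities before pricing.
    if (!Number.isInteger(qty) || qty < 1 || qty > 1000) {
      throw new Error(`invalid quantity for ${String(li.sku)}`);
    }
    const product = CATALOGUE.get(li.sku);
    if (!product) {
      throw new Error(`unknown sku ${String(li.sku)}`);
    }
    const lineMinor = product.priceMinor * qty;
    lines.push({ sku: li.sku, quantity: qty, unitMinor: product.priceMinor, lineMinor });
    totalMinor += lineMinor;
  }
  return { lines, totalMinor };
}

// Payment check from Quentin's last paragraph: the amount the payment
// processor reports must equal the server-computed total, not the figure the
// browser displayed. Exact integer equality, no tolerance.
function paymentMatches(order, paidMinor) {
  return Number.isInteger(paidMinor) && paidMinor === order.totalMinor;
}

// Constructed request bodies: an honest checkout, and one where the shopper
// edited the displayed price to 1 before submitting (the case in the question).
const honestOrder = [{ sku: "stem-bolt", quantity: 27, price: 500 }];
const tamperedOrder = [{ sku: "stem-bolt", quantity: 27, price: 1 }];

console.log("client-trusting total:", totalTrustingClient(tamperedOrder)); // 27
console.log("server-priced total:", computeOrderTotal(tamperedOrder).totalMinor); // 13500
console.log("payment ok:", paymentMatches(computeOrderTotal(honestOrder), 13500)); // true
```

The browser can still read data-price attributes to show a running estimate, as CoatCat suggests; the point is that the order request it finally sends carries only `sku` and `quantity`, and the server recomputes everything with `computeOrderTotal` before charging and again with `paymentMatches` when the processor's callback arrives.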