Any chance of adding hidden fields with validator rule password


    #46113

    I have been having trouble with closing the submit order form from dishonest people submitting via the browser console, thus bypassing my payment gateway (and claiming successfully to have had a gift certificate). I managed to stop it by adding a hidden input to the form and making it required, but then I had to remove the :hidden selector from the ignore option in scripts.min.js to have the hidden input noticed by the validator. It would be really nice to have the option of adding a hidden input with a keyword that would match a validator rule.

    #46114
    Olly
    Admin & Mod

    Instead of messing around with hidden fields – which anyone can manipulate anyway (though it depends on what exactly you are doing with it, of course) – it strikes me as a much better idea to disallow submission of non-enabled gateways in the first place. This should most definitely happen server side.

    Looking at it in a bit more detail, I can see how one could change from STRIPE, for example, to COD, and I will certainly fix this as a matter of priority asap.
    However, if someone submits a COD order and you have not enabled anything other than one particular credit card gateway, I would have thought you would know that someone has messed around with things and should ignore the order, so I am not quite sure how someone can successfully claim to have a gift certificate (I don't even know where this “gift certificate” comes from ….)

    That said, it’s somewhat abstract, so if you can give me a walkthrough on your site of how people claim for some gift certificates as well as manipulate the checkout process, I would be most interested.

    #46115
    Olly
    Admin & Mod

    PS: please mark any reply as private

    #46116
    Olly
    Admin & Mod

    As of wppizza 3.10.7 no one should be able to use a gateway that is not enabled in your backend, no matter how much they try to tamper with the frontend.

    Of course, if you – or anyone else for that matter – still experiences this, I want to know about it !!

    (I’m kind of surprised myself that I overlooked this possibility for so long, to be honest. But better late than never I guess…..)
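
Added example, not part of the thread and not WPPizza's own code: a server-side gateway allowlist check of the kind described in the posts above, in plain PHP. The function names, the `gateway` field name and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; this is not WPPizza code.
// Gateways the site owner has enabled in the backend (constructed sample).
const ENABLED_GATEWAYS = ['STRIPE'];

/**
 * Return the gateway to use for an order, or null when the submitted
 * value is not enabled. Only server-side state decides; the posted
 * value is untrusted input and no hidden form field is consulted.
 */
function resolve_gateway(array $post, array $enabled): ?string
{
    $submitted = $post['gateway'] ?? null;
    if (!is_string($submitted)) {
        return null; // missing, or an array such as gateway[]=COD
    }
    // Strict, exact match against the allowlist of enabled gateways.
    return in_array($submitted, $enabled, true) ? $submitted : null;
}

/** Accept or reject an order before any payment or order logic runs. */
function handle_order(array $post, array $enabled): array
{
    $gateway = resolve_gateway($post, $enabled);
    if ($gateway === null) {
        // Reject and leave a trace so tampering attempts are visible.
        error_log('order rejected: submitted gateway is not enabled');
        return ['status' => 400, 'error' => 'payment method not available'];
    }
    return ['status' => 200, 'gateway' => $gateway];
}

// Constructed requests: one legitimate, three tampered or malformed.
$samples = [
    ['gateway' => 'STRIPE'],
    ['gateway' => 'COD'],
    ['gateway' => ['STRIPE']],
    [],
];
foreach ($samples as $post) {
    echo json_encode($post), ' => ',
         json_encode(handle_order($post, ENABLED_GATEWAYS)), PHP_EOL;
}
```

Only the first request is accepted; the other three return status 400 regardless of what the form or browser console sent.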

    #46123
    This reply has been marked as private.
    #46124
    Olly
    Admin & Mod

    As it turns out – looking at that site – your problem has nothing to do with any of this.
    It is simply due to the order page being cached (or perhaps – less likely though – some PHP session problem).

    If I clear my cache and go directly to your order page (https://yoursite.tld/pantanir/) without ever having put anything into the cart, I STILL get items from some previous / other users.
    The order page must not ever be cached.
    https://docs.wp-pizza.com/getting-started/?section=setup
    https://docs.wp-pizza.com/faqs/?section=using-a-cache-plugin

    I would also suggest you update wppizza to the latest version (3.10.7), which addresses a few other potential issues.

    #46125
    Olly
    Admin & Mod
    This reply has been marked as private.