3 January, 2020 at 4:50 pm #46113
Thorvaldur Sveinsson (Participant)
I have been having trouble with closing the submit order form from dishonest people submitting via the browser console, thus bypassing my payment gateway (and claiming successfully to have had a gift certificate). I managed to stop it by adding a hidden input to the form and making it required, but then I had to remove the :hidden selector from the ignore option in scripts.min.js to have the hidden input noticed by the validator. It would be really nice to have the option of adding a hidden input with a keyword that would match a validator rule.

3 January, 2020 at 5:28 pm #46114
Instead of messing around with hidden fields – which anyone can manipulate anyway (though it depends on what exactly you are doing with it of course) – it strikes me as a much better idea to disallow submission of non-enabled gateways in the first place. This should most definitely happen server side.
Looking at it in a bit more detail, I can see how one could change from STRIPE for example to COD, and I will certainly fix this as a matter of priority asap.
However, if someone submits a COD order and you have not enabled anything other than one particular credit card gateway, I would have thought you would know that someone has messed around with things and should ignore the order, so am not quite sure how someone can successfully claim to have a gift certificate (I don't even know where this “gift certificate” comes from ….)
That said, it’s somewhat abstract, so if you can give me a walkthrough on your site as to how people claim for some gift certificates as well as manipulate the checkout process I would be most interested.

3 January, 2020 at 5:37 pm #46115
PS: please mark any reply as private

3 January, 2020 at 7:19 pm #46116
As of wppizza 3.10.7 no one should be able to use a gateway that is not enabled in your backend, no matter how much they try to tamper with the frontend.
Of course, if you – or anyone else for that matter – still experience this, I want to know about it!!
(I’m kind of surprised myself that I overlooked this possibility for so long to be honest. But better late than never I guess…..)

4 January, 2020 at 2:04 pm #46123
Thorvaldur Sveinsson (Participant)
This reply has been marked as private.

4 January, 2020 at 2:30 pm #46124
As it turns out – looking at that site – your problem has nothing to do with any of this.
It is simply due to the order page being cached (or perhaps – less likely though – some PHP session problem).
If I clear my cache and go directly to your order page (https://yoursite.tld/pantanir/) without ever having put anything into the cart, I STILL get items from some previous / other users.
The order page must not ever be cached.
I would also suggest you update wppizza to the latest version (3.10.7) which addresses a few other potential issues.

4 January, 2020 at 2:37 pm #46125
This reply has been marked as private.
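
The server-side check discussed in this thread, sketched as an added example that is not part of any post above and is not WPPizza's own code: the submitted gateway is accepted only if it appears in a list the server controls, so editing the form in the browser console (for instance swapping STRIPE for COD) ends in a rejected order. The function names, the `gateway` and `hidden_token` field names and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: in a real shop this list is read from the server-side
// settings (the gateways enabled in the backend), never from the request.
const ENABLED_GATEWAYS = ['STRIPE'];

/**
 * Hypothetical helper: return the gateway named in the request only if
 * the shop has enabled it, otherwise null.
 */
function resolve_gateway(array $post, array $enabled): ?string
{
    $submitted = $post['gateway'] ?? null;
    if (!is_string($submitted)) {
        return null; // field missing, or sent as an array (gateway[]=...)
    }
    // Strict, exact match against the allowlist; nothing the client sends
    // (hidden inputs included) can add an entry to $enabled.
    return in_array($submitted, $enabled, true) ? $submitted : null;
}

/** Hypothetical order handler: reject before any order is recorded. */
function handle_order(array $post, array $enabled): array
{
    $gateway = resolve_gateway($post, $enabled);
    if ($gateway === null) {
        error_log('order rejected: gateway not enabled');
        return ['status' => 400, 'error' => 'payment method not available'];
    }
    return ['status' => 200, 'gateway' => $gateway];
}

// Constructed sample requests, as the server would see them in $_POST.
$samples = [
    'normal checkout'            => ['gateway' => 'STRIPE'],
    'gateway swapped in console' => ['gateway' => 'COD', 'hidden_token' => 'x'],
    'gateway field removed'      => ['hidden_token' => 'x'],
    'gateway sent as array'      => ['gateway' => ['STRIPE']],
];

foreach ($samples as $label => $post) {
    $result = handle_order($post, ENABLED_GATEWAYS);
    printf("%-28s -> %d %s\n", $label, $result['status'],
        $result['gateway'] ?? $result['error']);
}
```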