Hi all,
I am creating an ecommerce site, and have some JavaScript getting data from DOM elements and inserting it into my PHP cart via AJAX.
It all works fine, but then I came to think of possible security issues with my approach.
The button inserting data into the cart with JS looks pretty much like this:
<p data-prodid="30" data-price="700">Add product To Cart</p>
I validate that the product exists server-side, so it's not possible to add products that don't exist (by ID).
But I opened Chrome dev tools (F12) and simply changed data-prodid="30" to data-prodid="1". That change was passed through to my PHP script (where I do all necessary validation), but I was able to change the product to be added to the cart, simply by changing a DOM attribute.
I get the price for the product server-side, by looking it up on the prodID. So the price can't be changed.
Is it really that easy to manipulate a live site, just by changing whatever attributes are used?
I'm still on localhost, developing, but came to think about whether this approach and use of data attributes in this fashion was a good idea at all.
Can anyone share some thoughts on this approach? (Using HTML5 data attributes for cart functionality.)
If my setup was different, say I didn't get the price from the prodID passed, but also directly from the HTML5 data attribute, would that allow hackers to change cart totals in such an easy way?
Is there any way I can detect if these attributes have been manipulated, or entirely prevent this?
The best, Klemme
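A sketch of the server side the question describes, added here as an example and not the poster's own code: the handler reads only the product ID and quantity from the request, looks the price up in a server-side catalog (a constructed array standing in for the database query) and recomputes the total from that catalog, so editing data-price or data-prodid in dev tools can at most select a different product that really exists.

```php
<?php
// Added example (not the poster's code): a cart endpoint that treats
// everything coming from the DOM / AJAX request as untrusted input.
declare(strict_types=1);

// Constructed stand-in for the products table: product_id => price in cents.
const CATALOG = [
    1  => 1999,
    30 => 70000,
];

function lookup_product(int $prodId): ?array
{
    // Real app: SELECT id, price FROM products WHERE id = ? (prepared statement)
    return isset(CATALOG[$prodId]) ? ['id' => $prodId, 'price' => CATALOG[$prodId]] : null;
}

function cart_total(array $cart): int
{
    // Recomputed from the server-side catalog on every request, never from
    // prices stored in or sent by the client.
    $total = 0;
    foreach ($cart as $prodId => $qty) {
        $total += CATALOG[$prodId] * $qty;
    }
    return $total;
}

function add_to_cart(array &$cart, array $post): array
{
    // Only the ID and quantity are read; a client-supplied price is ignored.
    $prodId = filter_var($post['prodid'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $qty    = filter_var($post['qty'] ?? 1, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 99]]);
    if ($prodId === false || $qty === false) {
        return ['ok' => false, 'error' => 'invalid input'];
    }
    $product = lookup_product($prodId);
    if ($product === null) {
        return ['ok' => false, 'error' => 'unknown product'];
    }
    // Picking a different *existing* ID is a legitimate user action; the
    // security boundary is that existence and price are decided here.
    $cart[$prodId] = ($cart[$prodId] ?? 0) + $qty;
    return ['ok' => true, 'cart' => $cart, 'total' => cart_total($cart)];
}

session_start();
$_SESSION['cart'] ??= [];
header('Content-Type: application/json');
echo json_encode(add_to_cart($_SESSION['cart'], $_POST));
```

With this layout a tampered data-price never reaches a calculation, and a tampered data-prodid either resolves to a real product or is rejected; the attribute values themselves cannot be "protected" because the browser is entirely under the user's control.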