Larry Ullman's Book Forums

Chapter 13 Creating A Receipt Page Sha1



Chapter 13, page 421, creating a receipt page...

Wondering if anyone else had this issue or if anyone can recommend a workaround...

For the query to grab the order info, this is not working: "SHA1(email)=?". I have echoed out $email_hash and I have echoed out sha1(email address in the order)... they are the same. I am wondering if there is a mysqli issue when using sha1?


For some reason sha1() is not working in my query on page 423.

Here is what I did...

In chapter 10 I used http://www.larryullman.com/forums/index.php?/topic/3373-chapter-10-checkoutphp/

In chapter 13 I am not verifying the correct email address in the query on page 423...

I am verifying the customer_id that is set in checkout.php; I am setting a session y using the customer_id value.

Then on final.php I am using this session in the URL, not sha1(email).

On receipt.php I changed the IF statement that validates the required parameter (page 422, step 3).

I then changed the query (page 423) to check y, which is now customer_id... changed sha1(email)=? to c.customer_id=?; ...

Seems to be working... not sure how secure this is...

I hope this is not total confusion...


  • 2 weeks later...

If I understand correctly, you're using the customer ID in the URL? If so, that's not great. Database primary keys should be kept hidden as much as possible. To test it security-wise, what happens when you change the customer ID in the URL manually?


Yes Larry, you understand correctly... Yes, I was thinking using a primary key or any information from the database in the URL is not too cool... If I change either the x or y in the URL the page will display:

--------------------------------------------------

OOpps! Error!

This page has been accessed in error.

-----------------------------------------------------

Maybe I should add a header redirection and exit();

Thank you for your interest in this thread...

I believe my issue has to do with my hosting. I found this. I am not that tech savvy so not sure. I also tried using MD5; same issue.
I hard coded the hash from the URL into the query, i.e. ... WHERE o.id=? AND 'url hash'=?'; ... this works.

Also hard coded the email address for the order... and changed the query to ... AND c.email=? ... this works...

And of course using customer_id works...

Everything seems to work until I use sha1 or md5... My only fix is to go back and add a column to orders called email_hash and create the hash in the PHP when the order is added to the customers table... then use in the query WHERE o.id=? AND c.email_hash=?

I think your solution is close, although you could just retrieve the email address (i.e., run the query without using it in the WHERE clause), then hash it in PHP and compare it to the received hash. It's a bit laborious, but doesn't require a change to the database.
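The approach Larry describes in the reply above, written out as an added example (this is not code from the book, the thread, or its poster). It fetches the order by id with a prepared statement, hashes the e-mail on file in PHP, and compares that to the hash carried in the URL; it also covers the earlier posts, since the URL now carries nothing a visitor could enumerate the way a bare customer_id could. The table and column names (orders.id, orders.customer_id, customers.email), the sample rows and the use of an in-memory SQLite database through PDO are assumptions made so it runs stand-alone; swap in the book's mysqli connection and schema for real use.

```php
<?php
// Added example, not from the book or the forum thread. Uses an in-memory
// SQLite database via PDO so it runs stand-alone; table/column names are
// assumptions standing in for the book's schema.
declare(strict_types=1);

function buildSampleDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
    $db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL, total REAL NOT NULL)');
    // Constructed sample rows (not real customer data).
    $db->exec("INSERT INTO customers (id, email) VALUES (1, 'alice@example.com'), (2, 'bob@example.com')");
    $db->exec("INSERT INTO orders (id, customer_id, total) VALUES (10, 1, 42.50), (11, 2, 9.99)");
    return $db;
}

/**
 * Look up an order for the receipt page. Returns the order row only when the
 * SHA1 hash supplied in the URL matches the hash of the e-mail on file for
 * that order; otherwise returns null and the caller shows the generic error
 * page (or redirects and exits, as the thread suggests).
 */
function fetchReceiptOrder(PDO $db, int $orderId, string $urlHash): ?array {
    // Reject anything that is not a well-formed 40-hex-character SHA1
    // before touching the database.
    if (!preg_match('/^[0-9a-fA-F]{40}$/', $urlHash)) {
        return null;
    }
    $urlHash = strtolower($urlHash); // sha1() returns lowercase hex

    // Prepared statement: the order id is the only value bound into SQL.
    // The e-mail is retrieved, not compared, in the WHERE clause.
    $stmt = $db->prepare(
        'SELECT o.id, o.total, c.email
           FROM orders AS o
           JOIN customers AS c ON c.id = o.customer_id
          WHERE o.id = :id'
    );
    $stmt->execute([':id' => $orderId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    // Hash in PHP and compare in constant time, so a mismatch reveals
    // nothing about how many leading characters happened to be right.
    if (!hash_equals(sha1($row['email']), $urlHash)) {
        return null;
    }
    unset($row['email']); // the receipt does not need to echo the address back
    return $row;
}

// Stand-alone demonstration with the constructed data above.
$db = buildSampleDb();
$aliceHash = sha1('alice@example.com');

// Correct order id with the matching hash: the receipt data is returned.
var_dump(fetchReceiptOrder($db, 10, $aliceHash));
// Same order id but the hash of a different customer's address: rejected.
var_dump(fetchReceiptOrder($db, 10, sha1('bob@example.com')));
// Tampered order id with the original hash: rejected.
var_dump(fetchReceiptOrder($db, 11, $aliceHash));
```

Because the hash is checked in PHP rather than in SQL, the result no longer depends on how the host's MySQL build handles SHA1() in a prepared statement, which is the symptom the thread is chasing. Changing either the order id or the hash in the URL yields null, so the page behaves the same way the poster's error page does, without exposing a guessable primary key.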
