  • #1 kazaa

    would this pose security issues on my site?

    Hi everyone,

    I have a JavaScript form to allow users to select between two options when buying something from my site via PayPal. Each selection changes different values, such as shipping and price, as the form is submitted.

    I've heard JavaScript can pose security threats. Is this true?
    Last edited by kazaa; 06-30-2009 at 12:47 AM.

  • #2
    Old Pedant
    I don't see any "bn" hidden field. The PayPal build-a-button code always creates one, so it may be a requirement.


  • #3
    Old Pedant
    For debugging purposes, try changing your shipping and amount fields from hidden to text and then add
    onsubmit="return false;"
    to your <form> tag so it doesn't submit anything. That way you can see if your JS code is working.

  • #4 kazaa
    Quote Originally Posted by kazaa
    Hi everyone,

    I have a JavaScript form to allow users to select between two options when buying something from my site via PayPal. Each selection changes different values, such as shipping and price, as the form is submitted.

    I've heard JavaScript can pose security threats. Is this true?
    Quote Originally Posted by Old Pedant
    I don't see any "bn" hidden field. The PayPal build-a-button code always creates one, so it may be a requirement.
    Thank you Old Pedant, you were right and that did do the trick.... Now I'm wondering about security. Do you have any idea?

  • #5
    Old Pedant
    <shrug>Having a web page can cause a security threat.

    But, no, in this case all the danger is on Paypal's site. And one hopes and presumes that they are smart enough to write bullet-proof code.

    Since literally thousands (hundreds of thousands?) of web sites use this PayPal code every day, I think that the bugs are worked out by now.


  • #6
    rnd me
    Quote Originally Posted by kazaa
    I've heard JavaScript can pose security threats. Is this true?
    HTML alone can pose security threats.
    By far the greatest danger to a site is the author.
    JavaScript is a tool that doesn't care who wields it.

    Control the tools, control the production...


    Here is a simple list of security rules to follow on a transactional page (in descending order of importance):

    1. never show a user anything that another user created; e.g. comments, recommendations, etc...

    2. never link <script>, <img>, or <object> tags to anywhere besides your site or a site managed by paypal.

    3. validate all submitted data on the server, not just in javascript.

    4. avoid using plug-ins like flash, java, and media player.



    If you live by those four rules, you should never encounter a javascript security problem.

    Anyone else, feel free to chime in if I've overlooked anything or you have further ideas.
    Last edited by rnd me; 06-30-2009 at 04:35 AM.
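Rule 3 applied to the form this thread is about, as an added example that is not from the thread or from PayPal: the client-side script fills in the hidden price and shipping fields for whichever option is picked, but those fields arrive from the browser and cannot be trusted, so the server recomputes them from its own catalogue and rejects any submission that disagrees. The option names, prices, field names and the `validateOrder` function are assumptions for illustration.

```javascript
// Added example (not from the thread): server-side check for a two-option
// form whose hidden "amount" and "shipping" fields are set by client-side
// JavaScript. Catalogue values and field names are assumptions.
const CATALOGUE = {
  standard: { amount: "19.99", shipping: "4.50" },
  deluxe:   { amount: "29.99", shipping: "0.00" },
};

// Parse a money string strictly: digits, optional two decimals, nothing else.
// Returns integer cents, or null if the value is malformed.
function parseMoney(s) {
  if (typeof s !== "string" || !/^\d{1,6}(\.\d{2})?$/.test(s)) return null;
  return Math.round(parseFloat(s) * 100);
}

// Returns { ok: true, amount, shipping } carrying the *server's* values, or
// { ok: false, reason } when the submission does not match the catalogue.
function validateOrder(fields) {
  const item = CATALOGUE[fields.option];
  if (!item) return { ok: false, reason: "unknown option" };

  const sentAmount = parseMoney(fields.amount);
  const sentShipping = parseMoney(fields.shipping);
  if (sentAmount === null || sentShipping === null) {
    return { ok: false, reason: "malformed money value" };
  }
  // The browser's numbers are only checked for agreement; the charge is
  // always built from the catalogue entry, never from the submitted fields.
  if (sentAmount !== parseMoney(item.amount) ||
      sentShipping !== parseMoney(item.shipping)) {
    return { ok: false, reason: "amount/shipping do not match option" };
  }
  return { ok: true, amount: item.amount, shipping: item.shipping };
}

// Constructed submissions: one consistent with the catalogue, one whose
// amount disagrees with the chosen option, one with a malformed value.
const samples = [
  { option: "deluxe", amount: "29.99", shipping: "0.00" },
  { option: "deluxe", amount: "0.01", shipping: "0.00" },
  { option: "standard", amount: "19.99abc", shipping: "4.50" },
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(validateOrder(s)));
}
```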

