Larry Ullman's Book Forums
Duke

Chapter 13 Creating A Receipt Page Sha1


Chapter 13 page 421 creating a receipt page....

Wondering if anyone else had this issue or if anyone can recommend a work around...

For the query to grab the order info, this is not working: "SHA1(email)=?". I have echoed out $email_hash and I have echoed out sha1(email address in the order)... they are the same. I am wondering if there is a mysqli issue when using sha1?


For some reason sha1() is not working in my query on page 423.

Here is what I did...

In chapter 10 I used http://www.larryullman.com/forums/index.php?/topic/3373-chapter-10-checkoutphp/

In chapter 13 I am not verifying the correct email address in the query on page 423...

I am verifying the customer_id that is set in checkout.php; I am setting a session y using the customer_id value.

Then on final.php I am using this session in the URL, not sha1(email).

On receipt.php I changed the IF statement that validates the required parameter (page 422, step 3).

I then changed the query (page 423) to check y, which is now customer_id... changed sha1(email)=? to c.customer_id=?';...

Seems to be working... not sure how secure this is...

I hope this is not total confusion.....


Larry, Thank you for checking. So far it is working fine. If I find this not working I will post here. I am not sure on how secure this is.


If I understand correctly, you're using the customer ID in the URL? If so, that's not great. Database primary keys should be kept hidden as much as possible. To test it security-wise, what happens when you change the customer ID in the URL manually?


Yes Larry, you understand correctly... Yes, I was thinking using a primary key or any information from the database in the URL is not too cool.... If I change either the x or y in the URL the page will display:

--------------------------------------------------

OOpps! Error!

This page has been accessed in error.

-----------------------------------------------------

Maybe I should add a header redirection and exit();

Thank you for your interest in this thread.....


I think we should go back to the original approach and SHA1(). You've done some debugging work there, but I would pursue it further. Let me know if you need help with that.


I believe my issue has to do with my hosting. I found this. I am not that tech savvy so not sure. I also tried using MD5... same issue.
I hard coded the hash from the URL into the query, i.e. WHERE o.id=? AND 'url hash'=?';....... this works.

I also hard coded the email address for the order... and changed the query to ...AND c.email=?... this works......

And of course using customer_id works....

Everything seems to work until I use sha1 or md5... My only fix is to go back and add a column to orders called email_hash and create the hash in the PHP when the order is added to the customers table... then use in the query WHERE o.id=? AND c.email_hash=?


I think your solution is close, although you could just retrieve the email address (i.e., run the query without using it in the WHERE clause), then hash it in PHP and compare it to the received hash. It's a bit laborious, but doesn't require a change to the database.
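The approach suggested in this reply, as an added example (not the book's code and not code from the thread): the query only filters on the order id, the email comes back in the result set, and the hash from the URL is checked in PHP with a constant-time comparison. It assumes $dbc is an open mysqli connection, the orders and customers tables and columns named in the thread, the book's x (order id) and y (hash) URL parameters, and PHP 5.6 or later for hash_equals().

```php
<?php
// Assumed: $dbc is an open mysqli connection; orders(id, customer_id) and
// customers(customer_id, email) as referred to in the thread.

// Returns the order row as an array, or false if the id/hash pair is invalid.
function get_receipt_order(mysqli $dbc, $order_id, $email_hash) {
    // The y parameter must look like a sha1 hex digest before we touch the DB.
    if (!preg_match('/^[0-9a-f]{40}$/', $email_hash)) {
        return false;
    }
    // Only the order id goes into the WHERE clause; the email is retrieved.
    $q = 'SELECT o.id, o.customer_id, c.email
          FROM orders AS o
          INNER JOIN customers AS c ON o.customer_id = c.customer_id
          WHERE o.id = ?';
    $stmt = mysqli_prepare($dbc, $q);
    if (!$stmt) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'i', $order_id);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $id, $customer_id, $email);
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    if (!$found) {
        return false;
    }
    // Hash in PHP and compare in constant time, so a wrong y does not leak
    // how many leading bytes matched through response timing.
    if (!hash_equals(sha1($email), $email_hash)) {
        return false;
    }
    return array('id' => $id, 'customer_id' => $customer_id, 'email' => $email);
}

// receipt.php, the equivalent of the "validate required parameters" step:
// redirect (and exit) on any invalid or tampered x/y, instead of only printing
// an error message.
if (!isset($_GET['x'], $_GET['y'])
    || filter_var($_GET['x'], FILTER_VALIDATE_INT) === false) {
    header('Location: index.php');
    exit();
}
$order = get_receipt_order($dbc, (int) $_GET['x'], strtolower($_GET['y']));
if (!$order) {
    header('Location: index.php');
    exit();
}
// $order is now safe to use for displaying the receipt.
```

Because the hash is no longer evaluated by MySQL, any difference between the database's SHA1() and PHP's sha1() (character set, trailing whitespace, host configuration) stops mattering; only PHP's own sha1() of the stored address is compared against the URL.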
