I had someone try to get around my checkout pages on my ecom site so I'd like to tighten up my forms a little.
I have 3 pages that deal with the checkout:
checkout - displays totals, user enters shipping method + CC info
checkout confirm - displays new totals with shipping and makes sure things are ok
order complete - displays order number and order info
What's the best way to make sure people are taking the right steps to go through the forms?
HTTP_REFERER seems to be completely useless for security because it can be turned off by browsers.
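I was going to use:
<?php
// Send the visitor back to checkout unless the form's Submit field was posted.
// empty() avoids an "undefined index" notice when the field is missing.
if (empty($_POST['Submit']))
{
    header("Location: sc_checkout.php");
    exit;
}
?>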
That way, if it wasn't posted, it goes back to checkout; however, if someone made their own form and posted it, the page would still work. That = bad also.
Anyone have any thoughts? Thanks!
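One way to enforce the step order on the server, as an added example that is not part of the original post: each page records in the session which step may come next and issues a one-time token, so a hand-built form posted from elsewhere has no valid token and is sent back to checkout. The helper names, the `flow_token` field and the step labels are assumptions; only `sc_checkout.php` comes from the post.

```php
<?php
// Added example, not the poster's code. The helper names, the 'flow_token'
// field and the step labels are hypothetical; sc_checkout.php is from the post.
session_start();

// Call when rendering a page: records which step may come next and returns a
// one-time token to embed in that page's form as a hidden 'flow_token' field.
function issue_step_token(string $nextStep): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['flow'] = ['next' => $nextStep, 'token' => $token];
    return $token;
}

// Pure check, kept separate from the redirect so it can be exercised on its own.
function step_is_allowed(?array $flow, string $step, string $method, $sentToken): bool
{
    return $method === 'POST'
        && $flow !== null
        && ($flow['next'] ?? null) === $step
        && is_string($sentToken)
        && $sentToken !== ''
        && hash_equals((string) ($flow['token'] ?? ''), $sentToken);
}

// Call at the top of the confirm and complete pages, before any output.
function require_step(string $step): void
{
    $flow = $_SESSION['flow'] ?? null;
    $ok = step_is_allowed(
        is_array($flow) ? $flow : null,
        $step,
        $_SERVER['REQUEST_METHOD'] ?? '',
        $_POST['flow_token'] ?? null
    );
    unset($_SESSION['flow']); // token is single-use, pass or fail
    if (!$ok) {
        header('Location: sc_checkout.php');
        exit;
    }
}

// sc_checkout.php:      $token = issue_step_token('confirm');
// confirm page:         require_step('confirm'); $token = issue_step_token('complete');
// order complete page:  require_step('complete');
// Totals and cart contents are recomputed from $_SESSION on every step;
// nothing price-related is read back from the posted form.
```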