Welcome To Jon Waraas dot Com
Coded Up Product_id Validation Script
November 6th, 2009 by Jon Waraas


As some of you might know, I was having problems with hackers getting past my current APIs and somehow placing orders for pennies (just last week someone placed a $200 order for $0.01; of course I refunded and cancelled the order, but it is still a pain). So the other day I coded up a simple validation script. All it does is check that product_id was filled in, work out which product_id was submitted, and take the price from that on the server rather than from anything else in the submitted form.

The code:

}elseif($_POST['product_id'] == 'PRODUCTID') {
    // One branch of the if/elseif chain over product_id; $size is the quantity ordered
    if($size >= 1 && $size <= 3) {
        $price_pre = '19.99';
    }elseif($size >= 4) {
        $price_pre = '18.99';
    }else{
        $price_pre = '0';
    }

    // Product details come from this branch, not from the form
    $product = 'Product Name Here';
    $product_id = 'PRODUCTID';

}

Like I said before, the code is simple, but it is a lot more secure than before, and I will be updating it to make it more secure still. The code above simply checks which product_id is being purchased and then takes the variables, such as the price, the product name, and even the real product_id, from that branch rather than from the form.
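As an added example (this is not the post's code), here is how I would write the same check with the whole catalog on the server side. The browser's product_id and size are used only as lookup keys, the price never comes from the form, and a submission that does not match exactly is rejected rather than priced at 0. CATALOG, the second product and the size field name are constructed stand-ins for whatever the real shop uses.

```php
<?php
// Added example, not the original post's code. The browser's product_id and
// size are used only as lookup keys; every price comes from this server-side
// table, and anything that does not match exactly is rejected rather than
// priced at 0. The catalog is a constructed stand-in for the shop's real data.
const CATALOG = [
    'PRODUCTID' => [
        'name'  => 'Product Name Here',
        // quantity tiers as [min_qty, max_qty or null for no upper bound, unit price in cents]
        'tiers' => [[1, 3, 1999], [4, null, 1899]],
    ],
    'AB123' => [
        'name'  => 'Second Product',
        'tiers' => [[1, null, 500]],
    ],
];

// Turn integer cents into the "19.99" string form the rest of the checkout uses.
function cents_to_price(int $cents): string
{
    return sprintf('%d.%02d', intdiv($cents, 100), $cents % 100);
}

/**
 * Resolves a submitted order against the catalog. Returns the order details,
 * or null when anything does not add up; the caller must treat null as
 * "stop and redirect", never as a free or zero-priced item.
 */
function resolve_order(array $post): ?array
{
    // 1. Shape check before anything else: a product id is a short token.
    $id = $post['product_id'] ?? null;
    if (!is_string($id) || !preg_match('/^[A-Z0-9]{2,16}$/', $id)) {
        return null;
    }
    // 2. Existence check: the id has to be one we actually sell.
    if (!array_key_exists($id, CATALOG)) {
        return null;
    }
    // 3. Quantity must be a plain positive integer: no "-3", "1e9", "" or "abc".
    $raw_size = $post['size'] ?? null;
    if (!is_string($raw_size) || !preg_match('/^[1-9][0-9]{0,3}$/', $raw_size)) {
        return null;
    }
    $size = (int) $raw_size;

    // 4. Price comes only from the matching tier; no tier, no sale.
    foreach (CATALOG[$id]['tiers'] as [$min, $max, $unit_cents]) {
        if ($size >= $min && ($max === null || $size <= $max)) {
            return [
                'product_id' => $id,                    // the catalog's id, not the raw input
                'product'    => CATALOG[$id]['name'],
                'size'       => $size,
                'price_pre'  => cents_to_price($unit_cents),
                'total'      => cents_to_price($unit_cents * $size), // integer math, no float drift
            ];
        }
    }
    return null;
}

// Usage at the top of the order handler:
$order = resolve_order($_POST);
if ($order === null) {
    header('Location: /');   // tampered or malformed submission: back to the home page
    exit;
}
```

The point of the structure is that the only way to change the price is to pick a different valid product, and the only way to get a quantity tier is to send a quantity that actually lands in one; prices are kept as integer cents so that totals never pick up floating-point noise.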

PayPal also has a feature that lets you check whether it is actually PayPal's server sending you the variables. The coder I outsource to is working on this, and is also looking to see whether there is anything like it for my other two merchants, which would be very helpful.
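PayPal calls this feature IPN message verification: you post the notification you received straight back to PayPal with cmd=_notify-validate in front of it, and PayPal answers VERIFIED or INVALID. The listener below is an added example, not code from the post or from PayPal; the endpoint and field names follow PayPal's IPN documentation, while MERCHANT_EMAIL, the ORDERS table and the helper functions are constructed stand-ins for the shop's own configuration and order storage.

```php
<?php
// Added example, not code from the original post or from PayPal. It applies
// PayPal's documented IPN verification: post the message you received back to
// PayPal, unchanged, with cmd=_notify-validate in front, and only act on it if
// PayPal replies VERIFIED. The endpoint and field names come from PayPal's IPN
// documentation; MERCHANT_EMAIL, ORDERS and the helpers are assumed stand-ins.
const PAYPAL_IPN_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';   // sandbox: ipnpb.sandbox.paypal.com
const MERCHANT_EMAIL = 'payments@example.com';                      // assumption: the account that must be paid

// Constructed stand-in for the orders table: totals are the server-side prices.
const ORDERS = [
    'INV-1001' => ['id' => 'INV-1001', 'currency' => 'USD', 'total' => '59.97'],
];

function load_order(string $invoice): ?array
{
    return array_key_exists($invoice, ORDERS) ? ORDERS[$invoice] : null;
}

function txn_already_processed(string $txn_id): bool
{
    static $seen = [];   // stand-in for a persistent unique index on txn_id
    if ($txn_id === '' || isset($seen[$txn_id])) {
        return true;
    }
    $seen[$txn_id] = true;
    return false;
}

// Step 1: origin check. Anything other than the literal reply "VERIFIED" is treated as forged.
function paypal_says_verified(string $raw_body): bool
{
    $ch = curl_init(PAYPAL_IPN_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $raw_body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // never turn this off: the check is only as good as the TLS link to PayPal
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_HTTPHEADER     => ['Connection: Close', 'User-Agent: shop-ipn-listener'],
    ]);
    $reply  = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return $status === 200 && $reply === 'VERIFIED';
}

// Step 2: content checks. VERIFIED only proves PayPal sent the message, not that
// the right amount went to the right account for the right order.
function ipn_matches_order(array $ipn, array $order): ?string
{
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return 'payment not completed';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', MERCHANT_EMAIL) !== 0) {
        return 'paid to a different account';          // attacker pays themselves and replays the message
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        return 'wrong currency';
    }
    // Compare money as two-decimal strings, never as floats.
    if (number_format((float) ($ipn['mc_gross'] ?? 0), 2, '.', '') !== $order['total']) {
        return 'amount does not match the server-side price';
    }
    if (($ipn['invoice'] ?? '') !== $order['id']) {
        return 'invoice does not match this order';
    }
    if (txn_already_processed($ipn['txn_id'] ?? '')) {
        return 'duplicate txn_id';                     // replay of a genuine, already-used notification
    }
    return null;   // every check passed
}

// The listener itself.
$raw_body = file_get_contents('php://input');
if (!paypal_says_verified($raw_body)) {
    http_response_code(400);
    exit;
}
parse_str($raw_body, $ipn);
$order   = load_order($ipn['invoice'] ?? '');
$problem = $order === null ? 'unknown order' : ipn_matches_order($ipn, $order);
if ($problem !== null) {
    error_log('IPN rejected: ' . $problem . ' (txn_id=' . ($ipn['txn_id'] ?? '') . ')');
    http_response_code(200);   // acknowledge so PayPal stops retrying, but do not mark the order paid
    exit;
}
error_log('order ' . $order['id'] . ' paid, txn_id=' . $ipn['txn_id']);   // stand-in for marking it paid
http_response_code(200);
```

The origin check and the content checks are both needed: without the first, anyone can post a fake "Completed" notification to the listener; without the second, a real notification for a one-cent payment, a payment to the attacker's own account, or a replayed old transaction would still release the goods.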

Fraud is a huge pain in the ass (even though I only ship to the customer's billing address, I am still not sure how they get past that). Just yesterday I got a chargeback for an order that was fraud. I sent it to Belarus, so it was 100% my fault for not checking the order. So this weekend I have to code up a "sale washing" system that will help me validate my sales before my drop shippers send them out.

I am now getting about one fraud order a day; just today I got another fraud order for $140 to some Russian satellite country. I will obviously be refunding it and taking the order out of the system. It is just a pain in the ass because I have to notify my drop shipper about that particular order before it is sent off, or else I lose the cost of the product, the money from the order, and then they also tack on a $30 chargeback fee haha (which I can get removed for fraud orders).

Oh, and for everyone who does not know, the merchant account providers issue chargebacks to recoup the customer's money on fraud orders. So anyway, I have a busy weekend: I have to finish the product_id validation script and start on a sales washing script to help me with all the fraud orders. You know I am open to any criticism of the above code; if you see something wrong in my code, let me know, I won't feel bad haha.

Follow me on my journey of successes and failures; it should be a fun ride. Again, here is the link for the RSS feed.


12 Comments

Comment by Jon Waraas
2009-11-06 12:23:22

I know that some of you are going to say "how hard is it to track your orders?". If you're getting 10-20 orders a day, things start to slip past you ;)

 
Comment by MS
2009-11-06 14:24:55

hi Jon
need some help
can you plz contact me :)
Thanks
MS

 
Comment by MS
2009-11-06 14:25:51

By the way GOOD JOB
keep it up

 
Comment by Kalvster
2009-11-06 23:13:42

Yeah, this is a good solution to catch those script kiddies.

 
Comment by Synchronium
2009-11-07 06:06:14

I've settled on a standard format for a product id: "AA000"

Two letters followed by three numbers. Then, I can check that with a simple regular expression. If any “hackers” change the product ID value, it either won’t work, or they’ll order a completely different product (if they specify another valid ID).

Prices are set in the database (alongside the product id, title, description, etc), so only one price is ever fetched for one particular product id.

 
2009-11-07 17:03:36

That's why I like to hand process my orders. It really helps cut down on fraud orders. I would be concerned with 1 fraud order a day though. I sell upwards of 50 products per day and maybe I get 3-4 a week.

 
Comment by EarningStep
2009-11-08 21:36:38

great job …john…

 
Comment by Web Design Beach
2009-11-09 18:21:47

Well, I didn't know hackers are so frequent on fraud orders. So security improvements on orders are a must. But I think also that it would be best to hand process orders before they go out to the dropshipper ;-)

 
Comment by Berko
2009-11-10 01:47:23

Hey Jon,

Personally I'd redirect on the else condition.

If someone is doing the wrong thing then don't default the price to $0; that could lead to other problems depending on how your system works.

If they are doing something wrong and things don't add up, just redirect to the homepage or last viewed page.

It might be a personal thing but to me it seems a bit safer.

Comment by Jon Waraas
2009-11-10 13:38:56

How would you end that part?

This:

}elseif($size >= 4) {
    $price_pre = '18.99';
}else{
    $price_pre = '0';
}

 
 
Comment by Chris
2009-11-10 04:01:14

In all my code, regardless of whether it's a simple URL structure or otherwise, I always do the following:

1. Verify the page / product / id exists
2. Pull info from database and compare with what was sent
3. Redirect / amend incorrect details where necessary
4. Carry on

I use it mostly on URLs, but it means if I have a URL structure of
toyshop.com/toys/cooltoy_999.html and someone types in
toyshop.com/toys/cooltoy_998.html it will redirect to
toyshop.com/girls/mylittlepony_998.html etc.

This means that if I ever make a mistake with URL structures I am covered, and I cannot fall foul of people messing around.

 
2009-11-11 12:25:43

That’s a pain when you get hacked like that.

 
