Most of you have seen this form; mostly it has hidden attributes, some of which can be changed to select boxes. The part that seems to be a security flaw is that people can edit live HTML with the Web Developer toolbar on Firefox. I've gone into one of my clients' order forms and bought an expensive item for only five dollars, and PayPal never caught on.
Below is the code that now anyone with any knowledge of HTML can edit live and submit the page with a new cost value:
<form target="paypal" action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="image" src="images/x-click-but21.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
<img alt="" border="0" src="https://www.paypal.com/en_US/i/scr/pixel.gif" width="1" height="1">
<input type="hidden" name="add" value="1">
<input type="hidden" name="cmd" value="_cart">
<input type="hidden" name="business" value="email@company.com">
<input type="hidden" name="item_name" value="product description">
<input type="hidden" name="item_number" value="123456">
<input type="hidden" name="amount" value="25.00"> <!-- This is the part you change to really mess with people -->
<input type="hidden" name="page_style" value="company">
<input type="hidden" name="no_shipping" value="2">
<input type="hidden" name="return" value="http://www.company.com/addedtocart.htm">
<input type="hidden" name="cancel_return" value="http://www.company.com/cancled.htm">
<input type="hidden" name="cn" value="Comments">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="lc" value="US">
<input type="hidden" name="bn" value="PP-ShopCartBF">
</form>
Thanks,
Eric
PS: nothing against the toolbar or the people who wrote it; I love the toolbar and use it on an almost daily basis.
Thanks again,
Eric
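The underlying problem in the post above is that the price lives in a hidden field the browser controls, so the merchant's server must re-check what was actually paid before shipping anything. The following is an added example, not code from the post or from PayPal: a server-side check of a PayPal IPN cart notification against the merchant's own price list. The IPN field names (payment_status, receiver_email, mc_currency, num_cart_items, item_numberN, quantityN, mc_gross_N, mc_gross) are assumed from PayPal's IPN documentation, the sample messages are constructed, and it assumes the message was already echoed back to PayPal and answered VERIFIED and that no shipping or tax is charged.

```python
from decimal import Decimal, InvalidOperation
from typing import Tuple
from urllib.parse import parse_qs

# Server-side price list: the only source of truth for what an item costs.
# Constructed sample; item 123456 is the $25.00 product from the form above.
CATALOG = {"123456": (Decimal("25.00"), "USD")}
MERCHANT_EMAIL = "email@company.com"  # must match the form's "business" value


def verify_cart_notification(ipn_body: str) -> Tuple[bool, str]:
    """Check a cart IPN message against our own prices.

    Assumes the raw body was already posted back to PayPal with
    cmd=_notify-validate and answered VERIFIED (network step not shown here).
    Returns (accepted, reason); only accepted orders should be fulfilled.
    """
    f = {k: v[0] for k, v in parse_qs(ipn_body, keep_blank_values=True).items()}
    if f.get("payment_status") != "Completed":
        return False, "payment not completed"
    if f.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return False, "receiver_email mismatch"
    if f.get("mc_currency") != "USD":
        return False, "unexpected currency"
    try:
        n_items = int(f.get("num_cart_items", "0"))
        expected_total = Decimal("0")
        for i in range(1, n_items + 1):
            item = f.get(f"item_number{i}")
            if item not in CATALOG:
                return False, f"unknown item {item!r}"
            price, _currency = CATALOG[item]
            qty = int(f.get(f"quantity{i}", "1"))
            paid = Decimal(f.get(f"mc_gross_{i}", "0"))
            # The buyer may edit the hidden "amount"; the catalog price wins.
            if qty < 1 or paid != price * qty:
                return False, f"price mismatch for {item}: paid {paid}, expected {price * qty}"
            expected_total += paid
        # Assumes no shipping/tax; add mc_shipping/tax here if they apply.
        if n_items < 1 or Decimal(f.get("mc_gross", "0")) != expected_total:
            return False, "cart total mismatch"
    except (ValueError, InvalidOperation):
        return False, "malformed numeric field"
    return True, "ok"
```

A real handler would also record txn_id and reject repeats, so a single legitimate notification cannot be replayed to release more goods.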