I’m creating a quite complex booking form, and some security questions are coming to mind as I work out the design.
The form is for my user’s clients to use, so there can’t be any login process which they have to go through.
I’m currently contemplating three issues…
Whether to Create an Internal Login Process
Here has been my thought process:
Don’t use GET
So none of my server side functions are using GET, as I understand that to be hackable.
Get Data Using Hidden Forms and POST
When I want to get data from the database, I’ve created a bunch of hidden forms with hidden inputs which I submit via POST to get the data I need. This felt safe to me, until @JonL commented that maybe it is still hackable.
Create a login process
So my app is for people to book onto events, so I have now moved onto creating a login process. When the first database access is made to get the basic details of the event, I’ve created a login process from some of that data gathered, and now all my POST server actions are protected by that Security Provider too.
Are there other aspects of security here you think I should be considering?
How to Store Price Information
If I read information from the database, it can either be stored on the client side as:
The raw data from the server action
So if the server action is get_prices then we are referencing a price amount as
In a Session Based Data Store
Which is what I do at the moment, so I can more easily manipulate which prices to display based on the user’s input.
Is one of these methods more secure than another in terms of the price value being hacked?
Accumulating The Cart Amount
So I have seen various videos where the ongoing “cart” amount is stored in a Data Store and then at checkout, the cart total in the Data Store is used in the credit card transaction.
Is this quite hackable too?
I am just in the middle of creating an elaborate process where the amount is written to a database table each time a user makes a selection of what to purchase so the final price they will pay is never stored locally.
Is this the recommended way to go, or am I being a bit paranoid? It will certainly be more of a hit on the database…
I’d love to hear your comments!
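The questions about GET versus POST, where to keep price data, and whether to accumulate the cart total on the client all come down to one rule: anything the browser sends, whatever the HTTP method, can be altered, so the server must own the prices and recompute the total itself at checkout. The following is an added illustration, not code from the original post or from any particular booking platform; it is a plain Python in-memory model of a server-side cart, with a constructed sample catalogue and hypothetical function names (create_cart, add_item, cart_total, checkout, handle_request) chosen for this example.

```python
"""Server-side cart for a booking form: the client never supplies a price.

The client holds only an opaque cart token and tells the server *which*
items it wants. Prices live in the server-side catalogue and the total is
recomputed from it on every request, so nothing stored or shown on the
client can change the amount that gets charged.
"""
from dataclasses import dataclass, field
from decimal import Decimal
import secrets

# Constructed sample catalogue. In a real app this is a database table
# that the client-side code can read (via a server function) but never write.
CATALOGUE = {
    "ticket-adult": Decimal("45.00"),
    "ticket-child": Decimal("20.00"),
    "parking":      Decimal("8.50"),
}


class CartError(Exception):
    """Raised for any request the server refuses to act on."""


@dataclass
class Cart:
    items: dict = field(default_factory=dict)  # item_id -> quantity


# Server-side store keyed by token; stands in for a session or database row.
_carts = {}


def create_cart() -> str:
    """Issue an unguessable token that identifies a cart held on the server."""
    token = secrets.token_urlsafe(32)
    _carts[token] = Cart()
    return token


def _lookup(token: str) -> Cart:
    cart = _carts.get(token)
    if cart is None:
        raise CartError("unknown cart")
    return cart


def add_item(token: str, item_id: str, quantity: int) -> None:
    """Record what was chosen. Only the item id and quantity come from the
    client; both are validated, and no price is accepted from the request."""
    cart = _lookup(token)
    if item_id not in CATALOGUE:
        raise CartError(f"unknown item {item_id!r}")
    if not isinstance(quantity, int) or quantity <= 0 or quantity > 50:
        raise CartError("quantity out of range")
    cart.items[item_id] = cart.items.get(item_id, 0) + quantity


def cart_total(token: str) -> Decimal:
    """Recompute the total from the catalogue each time it is needed; a cached
    total on the client is only ever used for display."""
    cart = _lookup(token)
    return sum((CATALOGUE[i] * q for i, q in cart.items.items()), Decimal("0"))


def checkout(token: str, displayed_total: Decimal) -> Decimal:
    """Charge the server-computed total. `displayed_total` is what the page
    showed the user; it is compared so a stale or tampered page is detected,
    but it is never used as the amount to charge."""
    server_total = cart_total(token)
    if displayed_total != server_total:
        raise CartError(
            f"total mismatch: page showed {displayed_total}, server has {server_total}")
    _carts.pop(token)       # the cart is consumed by a successful checkout
    return server_total     # this, not anything from the client, goes to the payment provider


def handle_request(method: str, params: dict) -> Decimal:
    """The HTTP method plays no part in the security of this code: GET query
    strings and POST bodies (hidden inputs included) are equally under the
    sender's control, so the same validation runs for both."""
    assert method in ("GET", "POST")
    action = params.get("action")
    if action == "total":
        return cart_total(params["cart"])
    if action == "checkout":
        return checkout(params["cart"], Decimal(str(params["total"])))
    raise CartError("unknown action")


if __name__ == "__main__":
    t = create_cart()
    add_item(t, "ticket-adult", 2)
    add_item(t, "parking", 1)
    print("server total:", handle_request("POST", {"action": "total", "cart": t}))
    print("charged:", handle_request("POST", {"action": "checkout", "cart": t, "total": "98.50"}))
```

With this layout the "session based data store" the post describes is fine for deciding which prices to display, and writing every selection to a database table is one valid way to hold the server-side cart; what matters is that checkout reads the amount from the server's own records rather than from a value the client sends back.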