How Do I Maintain Security in a Booking Form / Shopping Cart?

I’m creating a quite complex booking form, and some security questions are coming to mind as I work out the design.

The form is for my user’s clients to use, so there can’t be any login process which they have to go through.

I’m currently contemplating three issues…

Whether to Create an Internal Login Process

Here has been my thought process:

  1. Don’t use GET
    So none of my server side functions are using GET, as I understand that to be hackable.

  2. Get Data Using Hidden Forms and POST
    When I want to get data from the database, I’ve created a bunch of hidden forms with hidden inputs which I submit via POST to get the data I need. This felt safe to me, until @JonL commented that maybe it is still hackable.

  3. Create a login process
    So my app is for people to book onto events, so I have now moved onto creating a login process. When the first database access is made to get the basic details of the event, I’ve created a login process from some of that data gathered, and now all my POST server actions are protected by that Security Provider too.

Are there other aspects of security here you think I should be considering?

How to Store Price Information

If I read information from the database, it can either be stored on the client side as:

  1. The raw data from the server action
    So if the server action is get_prices then we are referencing a price amount as get_prices.data.prices[x].price_amount

  2. In a Session Based Data Store
    Which is what I do at the moment, so I can more easily manipulate which prices to display based on the user’s input.

Is one of these methods more secure than another in terms of the price value being hacked?

Accumulating The Cart Amount

So I have seen various videos where the ongoing “cart” amount is stored in a Data Store and then at checkout, the cart total in the Data Store is used in the credit card transaction.

Is this quite hackable too?

I am just in the middle of creating an elaborate process where the amount is written to a database table each time a user makes a selection of what to purchase so the final price they will pay is never stored locally.

Is this the recommended way to go, or am I being a bit paranoid? It will certainly be more of a hit on the database…

In Conclusion…

I’d love to hear your comments!

Best wishes,
Antony.
