X-Cart Order Status without logging in
We are wondering how to implement a way for customers to check their current order status without logging in. I know some customers either forget their passwords and don't reset them so they can log in, and others aren't registered, so they have no way of checking it if they delete the email we send them when it is updated.
Would any security issues arise if we allowed customers to search through the order database by Order ID AND email (only showing results if the order ID corresponds to the input email address)? If not, where should we start? We're not really sure of the best method to do this. We were thinking:
1. Create a PHP file that searches the entire order database using the two inputs from the customer on our site (orderID & email)
2. Find a match
3. Return the results (limited results)
We wouldn't return valuable or secure information (we don't store CC data) such as any customer information, or anything that we might see as a security issue.
Re: X-Cart Order Status without logging in
I have done this as a module for a few clients. Check order status based on order ID and email. There are no security issues with this approach.
Just create a page with a form to supply the order ID and email. You can add the date if you want to, but you will have to make sure there is only one way for the customer to enter the date, or if any format is allowed your script has to be flexible at converting it to a unix timestamp. Make sure your script runs as part of XC - that way XC security will check for any issues with entries and strip out anything if needed. Then check the orders table for a matching order ID and email (and date if needed). You should get only one or 0 results. Done. And of course output only order status info - there is no need for what was ordered, price, etc.
Re: X-Cart Order Status without logging in
Thanks Steve, that's the approach we were going to do. Just weren't sure if any security issues would appear.
Will be working on this next week :)
Re: X-Cart Order Status without logging in
I can't see a security concern. Whenever you make a form anywhere on the web, always remember to sanitize your inputs.
As Steve said, I would limit the results. I think you can use func_query_first_cell() to ensure only one result is returned, and it should pop out a simple variable rather than an array. I wouldn't return anything besides the status and the original order id that was submitted. I'm sure you could figure out how to link that order id to the order itself, but they would need to login to view it.
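The lookup described in the two replies above (order ID plus e-mail as the key, one-or-zero rows, status fields only), written out as an added example that is not X-Cart's code and not Steve's module. It uses an in-memory SQLite database through PDO with constructed sample rows so it runs stand-alone; the `orders` table, its column names and the status codes are assumptions and will not match X-Cart's real schema. The point it adds to the thread is the defensive shape of the query: input is validated and rejected rather than "cleaned", values are bound through a prepared statement, both conditions sit in the WHERE clause, and the SELECT list never contains anything the customer is not meant to see, so a mismatch of either field yields the same empty result.

```php
<?php
// Added example (not X-Cart's own code): minimal "order status without login"
// lookup keyed on order ID + e-mail, using a prepared statement and selecting
// only status-related columns. Schema, column names and status codes are
// assumptions; sample rows are constructed for the demo.

function build_sample_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE orders (
        orderid  INTEGER PRIMARY KEY,
        email    TEXT NOT NULL,
        status   TEXT NOT NULL,   -- assumed status code, e.g. P = processed, Q = queued
        tracking TEXT,
        total    REAL NOT NULL,
        address  TEXT NOT NULL)');
    // Constructed sample rows, not real orders.
    $ins = $db->prepare('INSERT INTO orders VALUES (?, ?, ?, ?, ?, ?)');
    $ins->execute([1001, 'alice@example.com', 'P', 'TRK123', 49.95, '1 Main St']);
    $ins->execute([1002, 'bob@example.com',   'Q', null,     12.00, '2 Oak Ave']);
    return $db;
}

/**
 * Returns ['orderid' => ..., 'status' => ..., 'tracking' => ...] only when BOTH
 * the order ID and the e-mail match one row; otherwise null. Totals, address
 * and other customer data are never selected, so they cannot leak.
 */
function lookup_order_status(PDO $db, string $orderIdInput, string $emailInput): ?array {
    // Validate the shape first and reject on failure; don't try to repair input.
    if (!preg_match('/^\d{1,10}$/', trim($orderIdInput))) {
        return null;
    }
    $email = filter_var(trim($emailInput), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;
    }
    // Prepared statement: values are bound, never interpolated into the SQL.
    // Both conditions are in WHERE, so a valid order ID with the wrong e-mail
    // (or vice versa) returns zero rows. LIMIT 1 enforces "one or zero results".
    $stmt = $db->prepare(
        'SELECT orderid, status, tracking FROM orders
          WHERE orderid = :id AND email = :email COLLATE NOCASE
          LIMIT 1');
    $stmt->execute([':id' => (int) trim($orderIdInput), ':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Renders the result as HTML, escaping every value before output. */
function render_status(?array $row): string {
    if ($row === null) {
        // Same message whichever field was wrong, so the form cannot be used
        // to confirm which order IDs or e-mail addresses exist.
        return '<p>No order found for that order ID and e-mail address.</p>';
    }
    $h = fn($v) => htmlspecialchars((string) ($v ?? 'not yet available'), ENT_QUOTES, 'UTF-8');
    return '<p>Order ' . $h($row['orderid']) . ': status ' . $h($row['status'])
         . ', tracking ' . $h($row['tracking']) . '</p>';
}

// Stand-alone demo.
$db = build_sample_db();
echo render_status(lookup_order_status($db, '1001', 'alice@example.com')), "\n"; // match
echo render_status(lookup_order_status($db, '1001', 'bob@example.com')), "\n";   // e-mail mismatch
echo render_status(lookup_order_status($db, '1001 OR 1=1', 'alice@example.com')), "\n"; // rejected
```

Inside a real X-Cart page you would replace `build_sample_db()` with the store's existing database connection and map the status code to the customer-facing label, but the query shape stays the same. Because the page is reachable without a login, it is also worth putting it behind whatever rate limiting the server already offers, so an order ID cannot be paired with e-mail addresses in bulk.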
Re: X-Cart Order Status without logging in
That's where the "Make sure your script runs as part of XC - that way XC security will check for any issues with entries and strip out anything if needed." comes into play. I think XC is as secure as possible so just let it do its work :)
Re: X-Cart Order Status without logging in
UPDATE:
Went ahead and did this, check it out, let me know what you think! https://www.silverhorseracing.com/order_status.php Returns: Order ID, email submitted, tracking number (if available), and order status.
Re: X-Cart Order Status without logging in
Looks good - have a test order ID and e-mail address we can use? :)
Re: X-Cart Order Status without logging in
Thanks! Ah whoops, forgot to include that! You can test with ... Order ID: 34432 Email: test@silverhorseracing.com Change the order number or email to view how it looks if incorrectly entered!
Re: X-Cart Order Status without logging in
Steve, I'd be interested in seeing your implementation.