X-Cart Order Status without logging in
#1
X-Cart Order Status without logging in
We are wondering how to implement a way for customers to check their current order status without logging in. I know some customers either forget their passwords and don't reset them so they can log in, and others aren't registered, so they have no way of checking it if they delete the email we send them when it is updated.
Would any security issues arise if we allowed customers to search through the order database by Order ID AND email (only showing results if the order ID corresponds to the input email address)? If not, where should we start? We're not really sure of the best method to do this. We were thinking:
1. Create a PHP file that searches the entire order database using the two inputs from the customer on our site (orderID & email)
2. Find a match
3. Return the results (limited results)
We wouldn't return valuable or secure information (we don't store CC data) such as any customer information, or anything that we might see as a security issue.
__________________
Marcello Canitano New Site: X-Cart v4.5.5 GOLD X-Cart Mobile v1.4.3 X-Payments v1.0.6 CDSEO Pro v2 Total Server Solutions xCDN www.silverhorseracing.com
#2
Re: X-Cart Order Status without logging in
I have done this as a module for a few clients. Check order status based on order ID and email. There are no security issues with this approach.
Just create a page with a form to supply order ID and email. You can add date if you want to, but you will have to make sure there is only one way for the customer to enter the date, or if any format is allowed your script has to be flexible at converting it to a unix timestamp. Make sure your script runs as part of XC - that way XC security will check for any issues with entries and strip out anything if needed. Then check the orders table for a matching order ID and email (and date if needed). You should get only one or zero results. Done. And of course output only order status info - there is no need for what was ordered, price, etc.
__________________
Steve Stoyanov CFLSystems.com Web Development
#3
Re: X-Cart Order Status without logging in
Thanks Steve, that's the approach we were going to take. Just weren't sure if any security issues would appear.
Will be working on this next week.
__________________
Marcello Canitano New Site: X-Cart v4.5.5 GOLD X-Cart Mobile v1.4.3 X-Payments v1.0.6 CDSEO Pro v2 Total Server Solutions xCDN www.silverhorseracing.com
#4
Re: X-Cart Order Status without logging in
I can't see a security concern. Whenever you make a form anywhere on the web, always remember to sanitize your inputs.
As Steve said, I would limit the results. I think you can use func_query_first_cell() to ensure only one result is returned, and it should pop out a simple variable rather than an array. I wouldn't return anything besides the status and the original order ID that was submitted. I'm sure you could figure out how to link that order ID to the order itself, but they would need to log in to view it.
__________________
Mike White - Now Accepting new clients and projects! Work with the best, get a US based development team for just $125 an hour. Call 1-502-773-6454, email mike at babymonkeystudios.com, or skype b8bym0nkey XcartGuru X-cart Tutorials | X-cart 5 Tutorials Check out the responsive template for X-cart.
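The lookup that posts #2 and #4 describe (match on order ID AND email, return only the status), written out as an added example. This is not X-Cart's own code: the table and column names (orders, orderid, email, status, tracking) and the in-memory SQLite table with constructed sample rows are assumptions standing in for the real schema, and PDO prepared statements stand in for X-Cart's own query helpers.

```php
<?php
// Added example, not X-Cart code. Schema below is assumed, not X-Cart's.
declare(strict_types=1);

function lookupOrderStatus(PDO $db, string $orderIdInput, string $emailInput): ?array
{
    // Validate rather than "sanitize": an order ID is digits only, and the
    // e-mail must parse as an address. Anything else is rejected before any query.
    if (!ctype_digit($orderIdInput)) {
        return null;
    }
    $email = filter_var(trim($emailInput), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;
    }
    // Both conditions live in the WHERE clause, so the order ID alone never matches.
    // Bound parameters keep customer input out of the SQL text, and only the
    // columns we intend to show are selected (no totals, names or addresses).
    $stmt = $db->prepare(
        'SELECT orderid, status, tracking FROM orders
          WHERE orderid = :id AND LOWER(email) = LOWER(:email) LIMIT 1'
    );
    $stmt->execute([':id' => (int) $orderIdInput, ':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Same answer for "no such order" and "wrong e-mail": no hint which part failed.
        return null;
    }
    return [
        'orderid'  => (int) $row['orderid'],
        'email'    => $email,              // echo what the customer typed, not stored data
        'status'   => $row['status'],
        'tracking' => $row['tracking'] ?? '',
    ];
}

// Demo: in-memory SQLite table with constructed sample orders (not real data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (orderid INTEGER PRIMARY KEY, email TEXT,
           status TEXT, tracking TEXT, total REAL)');
$db->exec("INSERT INTO orders VALUES (1001, 'buyer@example.com', 'Processed', 'TRK-0001', 49.95)");

var_dump(lookupOrderStatus($db, '1001', 'BUYER@example.com'));    // status + tracking only
var_dump(lookupOrderStatus($db, '1001', 'other@example.com'));    // NULL: e-mail does not match
var_dump(lookupOrderStatus($db, '1001 OR 1=1', 'buyer@example.com')); // NULL: fails validation
```

When the result is rendered into HTML, pass each field through htmlspecialchars(), and put rate limiting in front of the endpoint, since an order ID plus an e-mail address is a guessable pair.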
#5
Re: X-Cart Order Status without logging in
That's where the "Make sure your script runs as part of XC - that way XC security will check for any issues with entries and strip out if anything." comes into play. I think XC is as secure as possible, so just let it do its work.
__________________
Steve Stoyanov CFLSystems.com Web Development
#6
Re: X-Cart Order Status without logging in
UPDATE:
Went ahead and did this; check it out and let me know what you think! https://www.silverhorseracing.com/order_status.php Returns: Order ID, email submitted, tracking number (if available), and order status.
__________________
Marcello Canitano New Site: X-Cart v4.5.5 GOLD X-Cart Mobile v1.4.3 X-Payments v1.0.6 CDSEO Pro v2 Total Server Solutions xCDN www.silverhorseracing.com
#7
Re: X-Cart Order Status without logging in
Looks good - have a test order ID and e-mail address we can use?
__________________
X-Cart Classic 4.4.X
#8
Re: X-Cart Order Status without logging in
Thanks! Ah whoops, forgot to include that! You can test with ... Order ID: 34432, Email: test@silverhorseracing.com. Change the order number or email to see how it looks if entered incorrectly!
__________________
Marcello Canitano New Site: X-Cart v4.5.5 GOLD X-Cart Mobile v1.4.3 X-Payments v1.0.6 CDSEO Pro v2 Total Server Solutions xCDN www.silverhorseracing.com
#9
Re: X-Cart Order Status without logging in
Steve, I'd be interested in seeing your implementation.
__________________
X-Cart Classic 4.4.X
#10
Re: X-Cart Order Status without logging in
__________________
Steve Stoyanov CFLSystems.com Web Development
X-Cart forums © 2001-2020