X-Cart Order Status without logging in

mcanitano · #1 04-24-2015, 07:46 AM

We are wondering how to implement a way for customers to check their current order status without logging in. I know some customers either forget their passwords and don't reset it so they can login, and others aren't registered so they have no way of checking it if they delete their email we send them when it is updated.

Would any security issues arrive if we allowed customers to search through the order database by Order ID AND email (only showing results if the order ID corresponds to the input email address).

If not, where should we start? We're not really sure of the best method to do this.

We were thinking:

1. Create a PHP file that searches the entire order database using the two inputs from customer on our site (orderID & email)
2. find a match
3. return the results (limited results).
We wouldn't return valuable or secure information (we don't store CC data) such as any customer information, or anything that we might see as a security issue.

cflsystems · #2 04-24-2015, 07:57 AM

I have done this as a module to few clients. Check order status based on ordered and email. There are no security issues with this approach.
Just create a page with form to supply ordered and email, you can add date if you want to but you will have make sure there is only one way of customer to have the date entered or if any format is allowed your script has to be flexible at converting it to unix timestamp.
Make sure your script runs as part of XC - that way XC security will check for any issues with entries and strip out if anything.
Then check orders table for matching ordered and email (and date if needed). You should get only one or 0 results. Done.
And of course output only order status info - there is no need of what was ordered, price, etc.

mcanitano · #3 04-24-2015, 08:00 AM

Thanks Steve, that's the approach we were going to do. Just weren't sure if any security issues would appear.

Will be working on this next week

totaltec · #4 04-24-2015, 12:45 PM

I can't see a security concern. Whenever you make a form anywhere on the web, always remember to sanitize your inputs.

As Steve said I would limit the results. I think you can use func_query_first_cell() to ensure only one result is returned, and it should pop out a simple variable rather than an array.

I wouldn't return anything besides the status and the original order id that was submitted. I'm sure you could figure out how to link that order id to the order itself, but they would need to login to view it.

cflsystems · #5 04-24-2015, 12:59 PM

Quote:

Originally Posted by totaltec

I can't see a security concern. Whenever you make a form anywhere on the web, always remember to sanitize your inputs.

That's where the

"Make sure your script runs as part of XC - that way XC security will check for any issues with entries and strip out if anything."

comes to play. I think XC is as secure as possible so just let it do its work

mcanitano · #6 04-28-2015, 06:25 AM

UPDATE:

Went ahead and did this, check it out let me know what you think!

https://www.silverhorseracing.com/order_status.php

Returns: Order ID, email submitted, tracking number (if available), and order status.

thebluedoorboutique · #7 05-07-2015, 12:23 PM

Quote:

Originally Posted by mcanitano

UPDATE:

Went ahead and did this, check it out let me know what you think!

https://www.silverhorseracing.com/order_status.php

Returns: Order ID, email submitted, tracking number (if available), and order status.

Looks good - have a test order ID and e-mail address we can use?

mcanitano · #8 05-08-2015, 05:10 AM

Quote:

Originally Posted by thebluedoorboutique

Looks good - have a test order ID and e-mail address we can use?

Thanks!

Ah whoops, forgot to include that! You can test with ...

Order ID: 34432
Email: test@silverhorseracing.com

Change the order number or email to view how it looks if incorrectly entered!

thebluedoorboutique · #9 06-15-2015, 12:42 PM

Quote:

Originally Posted by cflsystems

I have done this as a module to few clients. Check order status based on ordered and email. There are no security issues with this approach.
Just create a page with form to supply ordered and email, you can add date if you want to but you will have make sure there is only one way of customer to have the date entered or if any format is allowed your script has to be flexible at converting it to unix timestamp.
Make sure your script runs as part of XC - that way XC security will check for any issues with entries and strip out if anything.
Then check orders table for matching ordered and email (and date if needed). You should get only one or 0 results. Done.
And of course output only order status info - there is no need of what was ordered, price, etc.

Steve, I'd be interested in seeing your implementation.

cflsystems · #10 06-15-2015, 01:03 PM

Quote:

Originally Posted by thebluedoorboutique

Steve, I'd be interested in seeing your implementation.

I posted in the ticket for the ongoing project...