by veb 3034 days ago
Can also use a negative price! I wonder what would happen if you went ahead with that. Presumably the payment gateway wouldn't pay me $5. Seems a strange choice to be having those parameters in a GET.
3 comments

> Presumably the payment gateway wouldn't pay me $5

Having dealt with payment gateways, I would not assume that.

Why stop at $5? Try setting quantity or price to -9e999999999. How will you spend your $∞ dollars?
I agree, the param passing is not ideal. Session storage/local storage is another option.
This is just obfuscation. Making it harder to hack won't prevent hacks. Anything that can be changed by the client, expect the client to change it.
Everything that can be modified by the user is not suitable. The price must be stored on the server side, everything on the client side is subject to modification.
The price is checked server side. You have to pass the price somehow to the client in order to display it. This is no different than any other ecommerce site, except that you can see it in a GET param.

I can "change the price" of anything on Amazon with dev tools, but that won't help me when I go to buy it. I appreciate the concern because amazingly this has been a real vulnerability on sites before (recently on a crypto exchange I think).

Storing it, or passing it by the user, can be suitable if the data is signed.
Temporary guid on client side, data on server side
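The signed-data approach the last comments describe, as an added example that is not code from this thread: the server emits an HMAC tag over the price data it hands to the client, verifies the tag when the data comes back, and then still checks the values against its own catalogue so a negative price or quantity never reaches the payment gateway. SERVER_SECRET, CATALOGUE and the parameter names are assumptions made for the example.

```python
import hashlib
import hmac
from decimal import Decimal
from urllib.parse import parse_qs, urlencode

# Assumed server-side secret; it never leaves the server (load from a secrets store in practice).
SERVER_SECRET = b"example-secret-do-not-use"

# Constructed catalogue standing in for the server-side source of truth for prices.
CATALOGUE = {"sku-123": Decimal("19.99")}


def _canonical(sku, price, qty):
    # Newline-joined so a field containing '&' or '=' cannot shift the boundaries.
    return f"{sku}\n{price}\n{qty}".encode()


def sign_offer(sku, price, qty):
    """Server builds the query string shown to the client, with an HMAC-SHA256 tag."""
    tag = hmac.new(SERVER_SECRET, _canonical(sku, price, qty), hashlib.sha256).hexdigest()
    return urlencode({"sku": sku, "price": str(price), "qty": qty, "sig": tag})


def verify_offer(query, catalogue=CATALOGUE):
    """Server-side check of a submitted query string. Returns (ok, reason, total)."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    try:
        sku, price, qty, sig = params["sku"], params["price"], params["qty"], params["sig"]
    except KeyError as exc:
        return False, f"missing {exc.args[0]}", None
    expected = hmac.new(SERVER_SECRET, _canonical(sku, price, qty), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature", None
    # A valid tag only proves the server issued these values; the price may be stale
    # (replayed after a catalogue change), so validate against the current catalogue too.
    try:
        price_d, qty_i = Decimal(price), int(qty)
        if sku not in catalogue or price_d != catalogue[sku]:
            return False, "stale price", None
    except (ValueError, ArithmeticError):
        return False, "malformed", None
    if qty_i <= 0:
        return False, "bad quantity", None
    return True, "ok", price_d * qty_i
```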