Kryptronic Software Support Forum


#1 03-15-2004 13:15:03

puresignal
Member
Registered: 03-15-2004
Posts: 2

Negative Quantities

I am evaluating this product and was strongly considering buying it, but then I noticed it allows negative quantities to be entered, leading to an apparent net credit for the order.  There are no errors generated or anything; it sends an email saying the order was completed, etc.  While I realize orders with negative quantities can't be properly fulfilled, it seems like all negative quantities should automatically be converted to zero.  A credit could still be applied via a negative price.  If this were integrating with some sort of automated system, for example, one could seemingly get several items at regular price, combine them with an expensive negative-quantity item and end up getting the first items for free.  Am I overlooking some obvious configuration setting or something here?

thanks,
-dave

Offline

 

#2 03-15-2004 14:32:28

scoutch
Banned
Registered: 07-03-2003
Posts: 3167

Re: Negative Quantities

No, actually, you're not overlooking . . . at least not anymore.

ATS can manage special requests for users and all you'd need to do is to send him a quote so he could re-program the quantity values for you quick and fair. smile

Does this answer your question ?


______________________________________________

THIS USER HAS BEEN BANNED FROM THIS FORUM.

If this post contains any language related to
code samples, advice, etc., please read this
entire thread before making a decision to use
this post as a basis for any change to your
software installation.
______________________________________________

Offline

 

#3 03-15-2004 17:42:50

puresignal
Member
Registered: 03-15-2004
Posts: 2

Re: Negative Quantities

I'm afraid so.

I can do the programming; I've already built a couple of Perl-based e-commerce systems.  The whole point of buying was to avoid that work (I neither own nor would reuse the systems I worked on).  I wanted to be able to concentrate on special customizations, but preventing negative quantities seems like an extremely fundamental feature.  Its absence makes me wonder what other modifications would be necessary.

I guess I'll have to keep looking.

thanks for the reply though.



Offline

 

#4 03-19-2004 11:39:57

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19798
Website

Re: Negative Quantities

Interesting.  To address this in the code is simple.  In the file ./cgi-bin/library/modules/ste_cart.pl in the routine 'ste_cart_update_proc' look for:

Code:

if ($formdata eq "0" || $formdata eq "") {

And change to:

Code:

if ($formdata <= "0" || $formdata eq "") {

I'll be sure this is addressed in the next release.


Nick Hendler

Offline

 

#5 04-01-2004 18:23:35

m j
Member
From: Carthage, MO
Registered: 12-12-2003
Posts: 71
Website

Re: Negative Quantities

This sounds like a pretty HUGE security hole here. Would it actually issue a credit to a credit card if you were processing transactions online?

Is there any place where security holes like this and the relevant patches are announced and released so that I am made aware that I need to patch my site? If not there should be!

On something as basic as a quantity field you should be verifying the input from the form field on the server by making sure the value entered was a numeric value. Client side verification isn't secure as it can be spoofed.

$data =~ /^\d+$/

That way it has to be a number, and it wouldn't accept negative numbers either, as would be inappropriate for a quantity field.


Perl, MySQL, XHTML, CSS, Web Usability, XML
Matt Johnson

Offline
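As an added example (not code from the Kryptronic product or from any poster in this thread), the following Perl shows the cart-total behaviour the thread describes, with the original "0"/"" check beside a server-side numeric check of the kind Matt suggests. The item names and prices, the constructed submission, and the function names parse_quantity, cart_total_original and cart_total_fixed are all hypothetical. The check anchors with \A and \z and matches [0-9] rather than \d, because $ also matches before a trailing newline and \d matches non-ASCII digits under Unicode.

```perl
#!/usr/bin/perl
# Added example; not the store's own code. All names and values are hypothetical.
use strict;
use warnings;

# Constructed sample catalog: item => unit price.
my %price = (
    'widget' => 19.99,
    'gadget' => 149.00,
);

# Strict server-side quantity parser. Accepts only a string of ASCII digits,
# anchored with \A and \z so a trailing newline ("5\n") or a non-ASCII digit
# cannot pass. Returns the integer, or undef when the input is unacceptable.
sub parse_quantity {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef unless $raw =~ /\A[0-9]+\z/;
    return $raw + 0;
}

# Behaviour described in the thread: only "0" or "" counts as a removal,
# so a quantity such as "-1" is multiplied through and lowers the total.
sub cart_total_original {
    my ($cart) = @_;    # hashref: item => raw form value
    my $total = 0;
    for my $item (sort keys %$cart) {
        my $formdata = $cart->{$item};
        next if $formdata eq "0" || $formdata eq "";    # original check
        $total += $price{$item} * $formdata;
    }
    return $total;
}

# Hardened version: anything that is not a non-negative integer is treated
# as a removal, so the quantity field can never drive the total below zero.
sub cart_total_fixed {
    my ($cart) = @_;
    my $total = 0;
    for my $item (sort keys %$cart) {
        my $qty = parse_quantity($cart->{$item});
        next if !defined $qty || $qty == 0;
        $total += $price{$item} * $qty;
    }
    return $total;
}

# Constructed submission: two widgets plus a negative-quantity gadget.
my %submission = (widget => "2", gadget => "-1");

printf "original check: %.2f\n", cart_total_original(\%submission);
printf "hardened check: %.2f\n", cart_total_fixed(\%submission);

# Rejected inputs under the hardened parser (each prints "rejected").
for my $bad ("-1", "1.5", "", "5\n", "abc") {
    print defined parse_quantity($bad) ? "accepted\n" : "rejected\n";
}
```

Run it with perl; the original check produces a negative total for the constructed submission while the hardened check counts only the two widgets. Rejecting the whole update (and logging it) rather than silently treating bad input as a removal is also reasonable, since a negative quantity is never a legitimate customer action.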

 

#6 04-01-2004 18:31:56

m j
Member
From: Carthage, MO
Registered: 12-12-2003
Posts: 71
Website

Re: Negative Quantities

It probably wouldn't hurt to have the code for the store go through another security audit to check for any other kinds of holes.


Perl, MySQL, XHTML, CSS, Web Usability, XML
Matt Johnson

Offline

 
