I am evaluating this product and was strongly considering buying it, but then I noticed it allows negative quantities to be entered, leading to an apparent net credit for the order. There are no errors generated or anything; it sends an email saying the order was completed, etc. While I realize orders with negative quantities can't be properly fulfilled, it seems like all negative quantities should automatically be converted to zero. A credit could still be applied via a negative price. If this were integrating with some sort of automated system, for example, one could seemingly get several items at regular price, combine them with an expensive negative-quantity item and end up getting the first items for free. Am I overlooking some obvious configuration setting or something here?
thanks,
-dave
No, actually, you're not overlooking . . . at least not anymore.
ATS can manage special requests for users and all you'd need to do is to send him a quote so he could re-program the quantity values for you quick and fair.
Does this answer your question?
I'm afraid so.
I can do the programming; I've already built a couple of Perl-based e-commerce systems. The whole point of buying was to avoid that work (I neither own nor would reuse the systems I worked on). I wanted to be able to concentrate on special customizations, but preventing negative quantities seems like an extremely fundamental feature. Its absence makes me wonder what other modifications would be necessary.
I guess I'll have to keep looking.
thanks for the reply though.
Interesting. To address this in the code is simple. In the file ./cgi-bin/library/modules/ste_cart.pl in the routine 'ste_cart_update_proc' look for:
if ($formdata eq "0" || $formdata eq "") {
And change to:
if ($formdata <= "0" || $formdata eq "") {
I'll be sure this is addressed in the next release.
This sounds like a pretty HUGE security hole here. Would it actually issue a credit to a credit card if you were processing transactions online?
Is there any place where security holes like this and the relevant patches are announced and released so that I am made aware that I need to patch my site? If not, there should be!
On something as basic as a quantity field you should be verifying the input from the form field on the server by making sure the value entered was a numeric value. Client-side verification isn't secure as it can be spoofed.
$data =~ /^\d+$/
That way it has to be a number, and it wouldn't accept negative numbers either, as those would be inappropriate for a quantity field.
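The following is an added example, not code from the cart product or from any poster in this thread. It puts the two ideas above side by side: the original `eq "0"` check, which lets a negative quantity through and produces the net credit described in the first post, and a server-side validator in the spirit of the `/^\d+$/` suggestion. The cart layout, SKUs, prices and function names (`parse_quantity`, `cart_update`, `cart_update_original_check`, `cart_total`) are constructed for the example and are not the product's real data structures. It goes slightly beyond the thread's regex by anchoring with `\z` (so a trailing newline is not accepted the way `$` would allow it) and by using `[0-9]` rather than `\d`, which in Perl also matches non-ASCII digits.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Server-side quantity validation for a cart update (example code; the
# cart structure, SKUs, prices and function names are hypothetical).

# Return a validated non-negative integer quantity, or undef if the
# submitted value is not a plain unsigned integer. Whitespace is trimmed;
# a sign, decimal point, exponent, letters or an empty value are rejected.
sub parse_quantity {
    my ($raw) = @_;
    return undef unless defined $raw;
    $raw =~ s/^\s+|\s+$//g;
    # ASCII digits only, anchored with \z so "3\n" is not accepted.
    return undef unless $raw =~ /^[0-9]+\z/;
    return 0 + $raw;                      # numify ("007" -> 7)
}

# Hardened update: a quantity of zero removes the line, a valid positive
# quantity replaces it, anything else is recorded in @errors and the line
# in the cart is left exactly as it was.
sub cart_update {
    my ($cart, $form) = @_;
    my @errors;
    for my $sku (sort keys %$form) {
        unless (exists $cart->{$sku}) {
            push @errors, "$sku: not in cart";
            next;
        }
        my $qty = parse_quantity($form->{$sku});
        if (!defined $qty) {
            my $shown = defined $form->{$sku} ? $form->{$sku} : '';
            push @errors, "$sku: rejected quantity '$shown'";
            next;
        }
        if ($qty == 0) { delete $cart->{$sku}; next; }
        $cart->{$sku}{qty} = $qty;
    }
    return \@errors;
}

# The behaviour the thread describes: only "0" and "" are treated as a
# removal; any other string, including "-1", is stored as the quantity.
sub cart_update_original_check {
    my ($cart, $form) = @_;
    for my $sku (sort keys %$form) {
        my $formdata = $form->{$sku};
        if ($formdata eq "0" || $formdata eq "") {
            delete $cart->{$sku};
        } else {
            $cart->{$sku}{qty} = $formdata;
        }
    }
}

sub cart_total {
    my ($cart) = @_;
    my $total = 0;
    $total += $_->{qty} * $_->{price} for values %$cart;
    return $total;
}

# Constructed sample: two lines in the cart, then a submission that keeps
# three books at regular price and sets the expensive item to -1.
sub sample_cart {
    return {
        'BOOK-1' => { price => 20.00,  qty => 1 },
        'LAPTOP' => { price => 900.00, qty => 1 },
    };
}
my %form = ( 'BOOK-1' => '3', 'LAPTOP' => '-1' );

my $weak = sample_cart();
cart_update_original_check($weak, \%form);
printf "original check, total: %.2f\n", cart_total($weak);   # -840.00

my $cart   = sample_cart();
my $errors = cart_update($cart, \%form);
printf "validated,      total: %.2f\n", cart_total($cart);   # 960.00
print "  $_\n" for @$errors;                                 # LAPTOP: rejected quantity '-1'
```

Run it with `perl cart_check.pl`. The point of returning the error list rather than silently clamping to zero is that a rejected submission is visible in the application log, which is the place to look when deciding whether a pattern of negative or non-numeric quantities is a buggy client or someone probing the order form.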