I'm pretty new to JS and I am currently making a simple step-wise checkout system using purely JS and some Ajax and PHP. I have been wondering about the possible security issues that might pose with such a system.
The way it works is as follows:
- Select item, press Next(Hide current div, show next div)
- Use increment/decrement and pick the amount for the item, press Next(Hide current div, show next div)
- Same as 2 just with another item
- Same as 2 and 3 with another item
- Generate invoice
- Proceed to payment(fill in card details and pay using external credit card gateway API)
Now, the thing that bothers me is number 6. What is someone edits the JS and sends different values to the external payment processor? Is that possible? And if it is, how to I securely make sure this does not happen?
Withing my Javascript I make use of several values that I fetch from a simple table from my database, such as price for the items and shipping cost. But I use these values straight in my Javacsript file for the computations and generating the invoice. I have a feeling that I'm approaching the problem in a wrong way. Is there a possibility that the "client" can change the computations as well?
How do I make sure that once the invoice is generated, the correct values are used in calculating the total price so the proper price is sent through the payment gateway, no matter if someone simply messes up with the "front-end" numbers that show up?
Note I have been told that this would be the best place to post this question, please let me know if it's not and I will remove it.
If you want to see the checkout I made, here it is(I haven't put the payment gateway API yet as I'm worried about the security): http://goo.gl/jdN4T0
Thanks :-)