"We cannot be responsible for errors in typography or photography. We reserve the right to cancel any order at any time."
You're under no obligation to sell your product at the wrong price. So tell the customer he can have it for the correct amount or the order will be cancelled.
The next step is to figure out how they managed to get an item in the cart for an amount other than the "correct" price -- it shouldn't be possible if you're looking up prices from a database; if you're using whatever is hard-coded on the product page, you're open to all sorts of potential problems.
Say I run a traditional shop and I place a price tag on something that has the decimal place out of whack. The customer picks it up and brings it to the till; they are offering to buy it, and at that stage I can refuse to sell it (if I notice a mistake). This is the offer/consideration/acceptance process.
This is suggested with no warranties, OK, just an observation on UK contract law, which I did a little of some years ago.
You do need to get your form validation sorted though, to prevent this happening again.
My shopping cart said in the e-mail:
Always verify price accuracy. Order from IP# xx.xx.xx.#*$! Warning! A page was submitted from an unfamiliar URL: Probable local file submit or browser location bar manipulation. Double check prices. This may indicate shopper tampering.
I expect your cart uses basic form inputs to send data to a shopping cart (i.e. it is not database-driven), so it would be easy for someone to manipulate the code.
[edited by: lorax at 3:37 pm (utc) on Feb. 27, 2005]
[edit reason] delinked [/edit]
The only thing for you to focus on is eliminating the bug that lets it happen.
Wouldn't a simple change of the form method from "GET" to "POST" help to solve this problem?
No, because any coder can write their own code to post their own price to your receiving page.
Depending on what you're selling, this is either simple as pie or can get very complex. For example, if you're selling this widget:
Your form should ONLY post the SKU and color. Price should never be passed. Those attributes should then be tested on the database side. Here's a simple example:
-- Only the attributes the form is allowed to send (SKU and color) are used to find the item
IF EXISTS (SELECT widgetid FROM products WHERE sku = 'widget001' AND color = 'Green')
BEGIN
    -- Get the price for widget001 from the Products table, not from the form POST
    DECLARE @ItemPrice money;
    SELECT @ItemPrice = price FROM products WHERE sku = 'widget001' AND color = 'Green';
    -- Now that we have a price, SKU and valid color, write this into the basket table
    INSERT INTO basket(....)
END
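The same idea as the T-SQL sketch above, written out as a complete server-side handler so the two patterns can be run side by side. This is an added example, not code from the thread or from any cart product: the table names, the sample prices and the form field names (sku, color, qty, price) are all constructed for illustration. The insecure handler stores whatever price arrives in the form; the hardened one reads only sku, color and qty, looks the price up in the database, and, like the cart e-mail quoted earlier in the thread, records a tampering warning when a client sends a price that disagrees with the catalogue.

```python
import sqlite3
from decimal import Decimal, InvalidOperation

# Constructed sample catalogue; the widget001/Green pair follows the thread's example.
CATALOGUE = [
    ("widget001", "Green", "19.99"),
    ("widget001", "Blue", "21.49"),
    ("widget002", "Green", "5.00"),
]


def open_store():
    """In-memory products and basket tables standing in for the shop's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (widgetid INTEGER PRIMARY KEY, sku TEXT, color TEXT, price TEXT);
        CREATE TABLE basket (widgetid INTEGER, qty INTEGER, unit_price TEXT);
        """
    )
    conn.executemany("INSERT INTO products (sku, color, price) VALUES (?, ?, ?)", CATALOGUE)
    return conn


def lookup_item(conn, sku, color):
    """Return (widgetid, Decimal price) for a sku/color pair, or None if it is not sold."""
    row = conn.execute(
        "SELECT widgetid, price FROM products WHERE sku = ? AND color = ?", (sku, color)
    ).fetchone()
    return None if row is None else (row[0], Decimal(row[1]))


def add_to_basket_insecure(conn, form):
    """The pattern the thread warns against: the unit price is taken from the form."""
    widgetid, _ = lookup_item(conn, form["sku"], form["color"])
    # Whatever the browser (or a hand-written POST) says is written straight into the basket.
    conn.execute(
        "INSERT INTO basket (widgetid, qty, unit_price) VALUES (?, ?, ?)",
        (widgetid, int(form.get("qty", "1")), form["price"]),
    )
    conn.commit()
    return Decimal(form["price"])


def add_to_basket(conn, form):
    """Hardened handler: only sku, color and qty are read from the form.

    Returns (unit price charged, list of warning strings). Raises ValueError when
    the sku/color pair does not exist or the quantity is not a positive integer.
    """
    item = lookup_item(conn, form.get("sku", ""), form.get("color", ""))
    if item is None:
        raise ValueError("unknown item or color: %r / %r" % (form.get("sku"), form.get("color")))
    widgetid, db_price = item
    qty = int(form.get("qty", "1"))
    if qty < 1:
        raise ValueError("quantity must be at least 1")

    warnings = []
    posted = form.get("price")
    if posted is not None:
        # A price field should not be in the form at all. If one arrives and disagrees
        # with the catalogue, log it as a tampering indicator but charge the database price.
        try:
            mismatch = Decimal(posted) != db_price
        except InvalidOperation:
            mismatch = True
        if mismatch:
            warnings.append("posted price %r != catalogue price %s" % (posted, db_price))

    conn.execute(
        "INSERT INTO basket (widgetid, qty, unit_price) VALUES (?, ?, ?)",
        (widgetid, qty, str(db_price)),
    )
    conn.commit()
    return db_price, warnings


def basket_total(conn):
    """Sum of unit_price * qty over the basket, as a string for easy display."""
    rows = conn.execute("SELECT unit_price, qty FROM basket").fetchall()
    return str(sum(Decimal(p) * q for p, q in rows))


if __name__ == "__main__":
    # Constructed submission with a manipulated price field.
    tampered = {"sku": "widget001", "color": "Green", "qty": "2", "price": "0.19"}
    print("insecure handler charges:", add_to_basket_insecure(open_store(), tampered))
    conn = open_store()
    price, warns = add_to_basket(conn, tampered)
    print("hardened handler charges:", price, "warnings:", warns)
    print("basket total:", basket_total(conn))
```

The hardened handler also uses parameterised queries throughout, so the sku and color values the client controls are never spliced into SQL text; that is a separate class of form-input problem from the price one the thread discusses, but the same "trust nothing from the form" rule covers both.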