johnW

Reputation: 329

How to securely send data to the controller?

I have a basketball match details page "single.blade.php" and a page to purchase "payment.blade.php". In the match details page, the user can select, through a select menu, how many tickets they want for each type. For example the user can select 2 tickets for the central bench and 2 for the left side bench and then click "Next".

When the user clicks "Next", the quantities for each ticket type selected by the user are stored in an array so that it is possible to show that info in the payment.blade.php page.

This is working fine with the code below.

But how to pass also the price?

In the match details page I get the price of each ticket type with "{{$ticket->showPrice()}}" as you can see below.

Match details page has the types of tickets listed and for each one there is a select menu so the user can select how many tickets they want for each one:

<form method="post" action="{{ route('matchs.payment', ['id' => $match->id, 'slug' => $match->slug]) }}">
    @csrf
    <ul>
        @foreach($tickets as $ticket)
            <li>
                <span>{{ $ticket->title }}</span>
                {{-- one select per ticket type, keyed by the type's title --}}
                <select name="type[{{ $ticket->title }}]">
                    <option selected>0</option>
                    ...
                </select>
                <span>X {{ $ticket->showPrice() }}</span>
            </li>
        @endforeach
        <li>
            <span>TOTAL</span>
            <span>0.00€</span>
        </li>
    </ul>
    <input type="submit" value="Go To Payment Page"/>
</form>

If I give a name to the span like <span name="typePrice">X {{$ticket->showPrice()}}</span>, in the controller "dd($request->all());" is not showing the price; it only shows the types and quantities, it doesn't show the price:

array:2 [▼
  "_token" => ""
  "type" => array:2 [▼
    "center bench" => "2"
    "lateral bench" => "1"
  ]
]

Controller:

use Illuminate\Http\Request;

class PaymentController extends Controller
{
    public function storeQuantity(Request $request){

        // debugging only: dd() halts the request, so nothing below it runs while it is here
        dd($request->all());

        // the form field is named "type", so read that key (it was "rtype" before)
        $selectedRtypes = $request->input('type', []);

        return view('events.registration')->with('selectedRtypes', $selectedRtypes);
    }
}

Do you know why the price is not passed to the controller? But also do you know if this approach is ok in terms of security? Because in the match details page where the ticket types are listed and also the price of each ticket type, the user can change the price in the source code, right? And then the controller will receive an incorrect price and pass an incorrect price to the payment page.

And this is also valid for the quantity types and ticket type names: the user can change in the source code the ticket type name to a name that doesn't exist; he can also add, for example, quantity "1000", which should not be possible.

Do you know how to handle this context, how to only allow to send correct data to the controller?

Upvotes: 0

Views: 67

Answers (1)

Simon R

Reputation: 3772

If I were building this application I would not allow the user to edit the price at all. I would store (whether in the session or database) the seat type and the quantity for each. I wouldn't pass the payment information via the request. I would calculate the price based on the seat cost multiplied by the quantity and store it in the session/database. I would only give the user a read only view of the price.

When you get to the payment page you'd need to pull the information directly from the session or database.

It's the only safe way to do it, as if you pass information via the request relating to price, it's open to being abused.

Upvotes: 3
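The approach described in the answer (accept only ticket type and quantity from the request, reject anything not on the server-side list, compute the total from database prices, keep the order in the session and show the payment page read-only) as an added Laravel example. This is not johnW's or Simon R's code. It assumes a Ticket Eloquent model with `match_id`, `title` and `price` (integer cents) columns, a separate POST route for the quantity step (named `matchs.quantity` here) that redirects to the question's `matchs.payment` route, and a per-type limit of 10 tickets; all of these are assumptions, not part of the question.

```php
<?php
// Added example, not the question's or the answer's own code.
// Assumptions: Ticket model with match_id/title/price (cents) columns,
// a POST route "matchs.quantity" -> storeQuantity, GET "matchs.payment" -> showPayment.

namespace App\Http\Controllers;

use App\Models\Ticket;
use Illuminate\Http\Request;
use Illuminate\Validation\ValidationException;

class PaymentController extends Controller
{
    // Business rule assumed for the example: no more than 10 tickets of one type.
    private const MAX_PER_TYPE = 10;

    public function storeQuantity(Request $request, int $id, string $slug)
    {
        // 1. Shape validation: the request may only carry a map of integer
        //    quantities. No price field is read from the client at all.
        $data = $request->validate([
            'type'   => ['required', 'array'],
            'type.*' => ['required', 'integer', 'min:0', 'max:' . self::MAX_PER_TYPE],
        ]);

        // 2. Authoritative ticket types for *this* match, keyed by title.
        $tickets = Ticket::where('match_id', $id)->get()->keyBy('title');

        $lines = [];
        $total = 0;
        foreach ($data['type'] as $title => $qty) {
            // 3. A ticket name that was edited into the form is rejected outright.
            if (!$tickets->has($title)) {
                throw ValidationException::withMessages([
                    'type' => "Unknown ticket type: {$title}",
                ]);
            }
            $qty = (int) $qty;
            if ($qty === 0) {
                continue;
            }
            // Unit price comes from the database row, never from the request.
            $unitPrice = (int) $tickets[$title]->price;
            $lines[] = ['title' => $title, 'qty' => $qty, 'unit_price' => $unitPrice];
            $total  += $unitPrice * $qty;
        }

        if ($lines === []) {
            throw ValidationException::withMessages(['type' => 'Select at least one ticket.']);
        }

        // 4. The order lives server-side; the payment step reads only this.
        $request->session()->put('order', [
            'match_id' => $id,
            'lines'    => $lines,
            'total'    => $total,
        ]);

        return redirect()->route('matchs.payment', ['id' => $id, 'slug' => $slug]);
    }

    public function showPayment(Request $request, int $id, string $slug)
    {
        $order = $request->session()->get('order');
        // 5. No payment page for an order this controller never built,
        //    or one that belongs to a different match.
        abort_if($order === null || $order['match_id'] !== $id, 403);

        // The view only displays $order; it has no editable price or quantity.
        return view('matchs.payment', ['order' => $order]);
    }
}
```

The payment view should render `$order['lines']` and `$order['total']` as plain text, and whatever eventually charges the customer should take the amount from the session (or from a persisted order row) rather than from a form field, so the only client-controlled inputs in the whole flow are the quantities, and those are bounded and checked against the server's own ticket list.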
