I am currently developing an e-commerce website. The website will not have a login page as we are not keeping the user details in the database. Instead, we will be keeping the user's email to contact them. Hence, we will not be having a user table in the database. In order to persist data in the user's shopping cart, we will be storing it using local storage. However, I am afraid that some malicious users will tamper with the contents of the cart, such as the product price. Hence, I might consider storing the productIDs in the local storage instead and then retrieving the specific products from my database as the user reloads the page.
Is this solution robust? Is there a better way to utilise local storage to store the user's shopping cart, or is there an alternative to local storage?
"Sanitize the user's cart data BEFORE sending it to the back-end and check it against a pre-defined product database to make sure the products exist and that they actually cost what's specified by the cart data."
You should implement a three-stage system to verify the user's cart data:
By doing so you prevent hackers from:
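You should also use the browser's built-in features to escape user input:

    function escape_input(data) {
        // Let the DOM treat the value as plain text, never as markup.
        var div = document.createElement("div");
        div.appendChild(document.createTextNode(data));
        // Reading innerHTML back returns the text with &, < and > HTML-encoded
        // (quote characters are left as they are).
        return div.innerHTML;
    }
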
Because (according to the linked website):
"It's important to be constantly vigilant with the handling of user data. To avoid SQL injection, never build database queries by concatenating user-supplied data. These measures protect the integrity of the data on our servers."
I'd also suggest having some sort of identification verification system that's required BEFORE the user can make a purchase.
A good example of this is Google's two-step verification system, which requires you to input a code sent to you via text message/phone call into an input form.
This is done to verify the identity of the user and to prevent people from accessing/using other people's accounts. This system is almost impossible to defraud, but it's also easy to implement incorrectly, so I'd take that advice with a grain of salt.
Unfortunately, as you have not specified any code, I cannot determine how secure your site is.
If you create a new question with that code and link it here, I'd be more than happy to try and help you out with your application's security flaws (if there are any).
Good luck and stay safe.
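
The check discussed in the question and the quoted advice, as an added example that is not code from either poster: the browser keeps only product IDs and quantities, and the server re-prices the cart from its own catalogue, ignoring any price the client sends. `CATALOG`, `priceCart`, the SKU values and the two limits are constructed for illustration.

```javascript
// Server-side re-pricing of a cart that was read from localStorage.
// CATALOG stands in for the product table; IDs and prices are constructed.
const CATALOG = new Map([
  ["sku-100", { name: "Mug", priceCents: 1200, active: true }],
  ["sku-200", { name: "T-shirt", priceCents: 2500, active: true }],
  ["sku-300", { name: "Old poster", priceCents: 800, active: false }],
]);
const MAX_LINES = 50; // assumed limits, tune for the shop
const MAX_QTY = 20;

function priceCart(clientCart, catalog = CATALOG) {
  if (!Array.isArray(clientCart) || clientCart.length > MAX_LINES) {
    return { ok: false, errors: ["cart must be an array of at most " + MAX_LINES + " lines"] };
  }
  const errors = [];
  const merged = new Map(); // productId -> summed quantity, so split lines cannot dodge MAX_QTY
  for (const line of clientCart) {
    const id = line && line.productId;
    const qty = line && line.quantity;
    if (typeof id !== "string" || !catalog.has(id) || !catalog.get(id).active) {
      errors.push("unknown or unavailable product: " + String(id));
      continue;
    }
    if (!Number.isInteger(qty) || qty < 1) {
      errors.push("invalid quantity for " + id);
      continue;
    }
    merged.set(id, (merged.get(id) || 0) + qty);
  }
  const lines = [];
  let totalCents = 0;
  for (const [id, qty] of merged) {
    if (qty > MAX_QTY) { errors.push("quantity over limit for " + id); continue; }
    const { name, priceCents } = catalog.get(id); // price comes from the server only
    lines.push({ productId: id, name, quantity: qty, unitCents: priceCents, lineCents: priceCents * qty });
    totalCents += priceCents * qty; // integer cents avoid floating-point drift
  }
  return errors.length ? { ok: false, errors } : { ok: true, lines, totalCents };
}

// Constructed input: a cart whose stored price field has been edited in the browser.
const tampered = [
  { productId: "sku-100", quantity: 2, price: 0.01 }, // client price is never read
  { productId: "sku-200", quantity: 1 },
];
console.log(priceCart(tampered));
```

The same function can run again at checkout, so the total charged always comes from the catalogue rather than from anything stored in the browser.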