Tags: javascript, security, google-analytics, e-commerce, csrf

Is google analytics ecommerce tracking safe?


With google analytics you can track ecommerce events,

http://code.google.com/apis/analytics/docs/tracking/gaTrackingEcommerce.html

I was wondering if this is a safe and dependable way of keeping track of these transactions.

The problem I see with this is that an attacker can add new events, so if this is your way of storing financial transactions, they can be changed by anyone seeing your javascript code.

Here is the scenario in which this code can be abused.

You have a client named Client C, he goes to the website and buys product P, then you store the transaction using this tool. Then an attacker goes to your website and modifies your javascript and tracks 10 other purchases, this way your data shows that Client C has bought 10 Ps, and when you invoice client C, he will be mad at you.

This way an attacker can basically attack your clients, and damage your reputation.

Am I wrong in saying this? Is there a way you could fix this? It seems to me that tracking anything with JavaScript can be prone to these kinds of attacks, or there could be ways of making them secure, or not. I don't know if they can be called a request forgery attack or not. What do you think?


Solution

  • Woah! I would never use analytics as an aid to invoicing a client, for the exact reasons you've just stated! It's great if you want to keep an eye on transactions and maybe do some reporting on those transactions, but the data should never be taken 100% literally, because there are plenty of reasons why some transactions might not track, and others might be slightly wrong/duplicated. You should have a system in place that stores transactions and builds invoices from that, stored securely on a server.
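As an added example (not code from the question or the answer, and using constructed order data), this shows the pattern the answer recommends: the server-side ledger is the only input to invoicing, and the client-side analytics feed is merely reconciled against it to flag forged, duplicated, mis-tracked or missing transactions for review.

```javascript
// Added example: server-side ledger is the source of truth; analytics is a cross-check.
// Both inputs below are constructed sample data, not real records.

// Constructed: what the server recorded when orders were actually placed.
const serverLedger = [
  { id: "1001", customer: "C", sku: "P", total: 25.0 },
  { id: "1002", customer: "D", sku: "P", total: 25.0 },
  { id: "1003", customer: "E", sku: "Q", total: 40.0 },
];

// Constructed: what the client-side tracker reported. Any browser can send these,
// so they carry no authority on their own.
const analyticsReport = [
  { id: "1001", customer: "C", sku: "P", total: 25.0 },
  { id: "1001", customer: "C", sku: "P", total: 25.0 }, // duplicate hit
  { id: "1002", customer: "D", sku: "P", total: 99.0 }, // amount differs from ledger
  { id: "9999", customer: "C", sku: "P", total: 25.0 }, // never placed server-side
  // order 1003 is absent: tracking failed (blocked script, early navigation, etc.)
];

// Compare analytics hits against the ledger. Analytics never modifies the ledger;
// the function only returns discrepancies grouped by kind for a human to review.
function reconcile(ledger, hits) {
  const byId = new Map(ledger.map((t) => [t.id, t]));
  const seen = new Set();
  const result = { unknown: [], duplicates: [], mismatched: [], untracked: [] };
  for (const hit of hits) {
    const truth = byId.get(hit.id);
    if (!truth) { result.unknown.push(hit.id); continue; }      // forged or stray id
    if (seen.has(hit.id)) { result.duplicates.push(hit.id); continue; }
    seen.add(hit.id);
    if (truth.total !== hit.total || truth.customer !== hit.customer || truth.sku !== hit.sku) {
      result.mismatched.push(hit.id);                             // fields differ
    }
  }
  for (const t of ledger) if (!seen.has(t.id)) result.untracked.push(t.id);
  return result;
}

// Invoicing reads the ledger only, so client-side noise cannot reach a customer's bill.
function invoiceTotal(ledger, customer) {
  return ledger.filter((t) => t.customer === customer).reduce((sum, t) => sum + t.total, 0);
}

console.log(reconcile(serverLedger, analyticsReport));
console.log("Invoice for C:", invoiceTotal(serverLedger, "C"));
```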