Cookie security

 

09-14-09 12:36 PM
Yumecosmos is Offline
| ID: 114819 | 138 Words

Hi all. I would really appreciate it if someone with knowledge of JavaScript and/or ecommerce could help me out a bit.

So, I'm a web designer who's pretending to be a developer (i.e. total programming noob), and a client just asked me to make them a shopping cart feature for their online store. They don't have a database or anything, so I thought I'd store the cart contents (basically an array of the product SKUs and prices) in a cookie. Does that pose any kind of security risk?

I imagine storing credit card numbers and such in a cookie is a bad idea, but wasn't sure if the order itself would be a problem...

Beyond that, I have absolutely no idea how to actually handle the payment process. But that's a whole 'nother can of worms.


09-17-09 07:02 AM
DarkHyren is Offline
| ID: 115099 | 187 Words

DarkHyren
Level: 163


POSTS: 2930/7842
POST EXP: 744411
LVL EXP: 55538915
CP: 1232.1
VIZ: 19632

Likes: 0  Dislikes: 0
It really depends on if you design pages with a CMS or make up one from scratch.
I used an addon system for Joomla/Mambo systems a while back called VirtueMart that works quite well and stores all the details in a standard SQL database.

The potential problem with storing cart contents in a cookie is an obvious exploit.
Using cookies, one can trick the system into repricing items just by altering the cookie slightly.
Now that might not be a problem if the client will process orders manually after receiving, but if they use an automated system (an example is if they have a system set to notify their factory that item X is ordered and has to be shipped out) that tells them "item paid, ship item" without allowing them to check the payment details, that's where you have problems.

So your best bet is a small database using a system like the one I mentioned above.
VirtueMart also allows for PayPal, credit card, and other payment system integration, so that could kill 2 birds with 1 stone, as they say.
Hope this helps some.

--------------------
Beware the dancing Kirby's (>^.^)> <(^.^<)
--------------------
Visit http://www.get-your-rom.com/ you know you wanna
--------------------
"Those who desire to give up freedom in order to gain security will not have, nor do they deserve, either one."
~Benjamin Franklin~

09-18-09 09:01 PM
Yumecosmos is Offline
| ID: 115324 | 205 Words

Yumecosmos
Level: 14


POSTS: 21/30
POST EXP: 2818
LVL EXP: 12905
CP: 0.0
VIZ: 1640

Likes: 0  Dislikes: 0
Thanks for the advice!

Unfortunately their host does not offer SQL or any kind of database, so it looks like VirtueMart's not going to be an option. (It's a free hosting service, though, so... not much room to complain.) But they are planning on processing orders manually, so I guess they'll just have to be careful to double-check everything. Shouldn't be a big problem since they're pretty small right now.

As long as it's not going to, like, open a hole for some hacker to upload a trojan to their server or something, it should be no problem. (I don't even know how that kind of thing works, so that may have sounded totally dumb to the computer-literate crowd.)

If their company grows enough that it gets out of hand, I'll definitely recommend that they get a database and try VirtueMart. Hopefully they'll be able to afford to upgrade their hosting package by then! (Or the manufacturer has their own shopping cart thing that they offer, but they charge $200/month plus setup fees, and that doesn't include a payment gateway. x.x )

Ack, I'm rambling. Anyway, thanks for the tip! Hmm, I should look into this Joomla thing more... looks handy.


09-18-09 09:36 PM
DarkHyren is Offline
| ID: 115329 | 112 Words

DarkHyren
Level: 163


POSTS: 2949/7842
POST EXP: 744411
LVL EXP: 55538915
CP: 1232.1
VIZ: 19632

Likes: 0  Dislikes: 0
No problems.

I'm not completely up to date on the whole cookie thing, but so long as you have it limited and make it so that it can only affect the final output receipt (possibly so that no hard copy is stored on their server but instead is forwarded to their email as well as the customer's email? Might save some server storage space that way too), it shouldn't be a big risk.
But don't quote me on it.

But yeah, once a company gets above a certain level, a content management system can be a good idea.
Just remember the free ones like Joomla and Mambo need some tweaking for extra security.


09-18-09 10:03 PM
JigSaw is Offline
| ID: 115330 | 176 Words


Cookies are fine to use; however, you are only limited to 20 of them, I believe, so use them sparingly. Why not use PayPal? No cookies needed, it has loads of security, and you don't need a database for it; however, a database will really help out with it all.

For example, I just made a shopping cart. Instead of having to re-enter the pricing and product information for each button, you can simply extract all the data to that button with one page and one query.

Making a manual shopping cart on free hosting space is a bad idea, especially if you try to process orders yourself. Plus it looks bad if you're trying to sell stuff on a free hosting site anyway, so the odds are stacked against you.

Storing product numbers and price isn't much of a concern since those are always public, but whatever you do, don't ask for their credit card info unless you've got SSL or you're using something like PayPal, 'cause that can be a major security risk.


09-18-09 10:17 PM
DarkHyren is Offline
| ID: 115334 | 90 Words

DarkHyren
Level: 163


POSTS: 2950/7842
POST EXP: 744411
LVL EXP: 55538915
CP: 1232.1
VIZ: 19632

Likes: 0  Dislikes: 0
Well, the way I understand it, the cookie is a temp measure to use until the cart contents get to the checkout.
Basically just something to store items in a shopping cart till the customer is finished shopping, which PayPal could then take over.

I agree on, if they're going with whatever is cheapest, using a basic PayPal account; they might have to put a surcharge on because of PayPal's withdrawal fees, that's one drawback, but they would have to weigh the pros of PayPal's security against it as well.

