Professional CodeIgniter


Chapter 10: Launch


303


If you look behind the scenes at the HTML markup for this particular page, you'll see this:


<form method="POST"
action="https://checkout.google.com/api/checkout/v2/checkoutForm/Merchant/change-this-now"
accept-charset="utf-8">

<p>
<b>5 Shirt 1 @ 23.95</b><br/>
<input type='hidden' name='item_name_1' value='Shirt 1'/>
<input type='hidden' name='item_quantity_1' value='5'/>
<input type='hidden' name='item_price_1' value='23.95'/>
<input type='hidden' name='item_currency_1' value='USD'/>
<input type='hidden' name='ship_method_name_1' value='UPS Ground'/>
<input type='hidden' name='ship_method_price_1' value='5.00'/>

<b>4 Dress 2 @ 43.95</b><br/>
<input type='hidden' name='item_name_2' value='Dress 2'/>
<input type='hidden' name='item_quantity_2' value='4'/>
<input type='hidden' name='item_price_2' value='43.95'/>
<input type='hidden' name='item_currency_2' value='USD'/>
<input type='hidden' name='ship_method_name_2' value='UPS Ground'/>
<input type='hidden' name='ship_method_price_2' value='5.00'/>

<b>TOTAL (w/shipping): 305.55</b></p>

<input type="image" name="Google Checkout" alt="Fast checkout through Google"
src="http://checkout.google.com/buttons/checkout.gif?merchant_id=change-this-now&w=180&h=46&style=white&variant=text&loc=en_US"
height="46" width="180"/>

</form>

In other words, anyone in the world could take this HTML markup, create her own form, mess with the
prices at will (making everything cost one penny and abolishing shipping), and then submit that form
from anywhere, right?


That is 100 percent correct. At this point, this information is just plain HTML that anyone can
manipulate, and you need to do an extra bit of work to ensure that it doesn't happen. Google Checkout's
XML API and digital signatures are good counters to this kind of tampering. Another safeguard is to
monitor and review incoming orders before approving them (which is a good idea regardless of which
vendor you use).
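To make the "digital signatures" point concrete, here is an added example (not the book's code) of building the cart on the server from trusted catalog prices and signing it with the merchant key, so the prices sitting in the browser's hidden fields can no longer be changed to a penny. The merchant key and id, the constructed catalog, the cart XML element names and the cart/signature field names are all assumptions for illustration; check them against the vendor's documentation before relying on them.

```php
<?php
// Added example: server-side cart construction plus a keyed signature.
// Constants below are placeholders; a real merchant key stays out of version control.
const MERCHANT_ID  = 'change-this-now';
const MERCHANT_KEY = 'change-this-now';

// Constructed catalog: the only source of prices the server will ever use.
const CATALOG = ['Shirt 1' => 23.95, 'Dress 2' => 43.95];

// Accept client-supplied quantities only; prices always come from the catalog.
function build_cart_xml(array $quantities): string
{
    $items = '';
    foreach ($quantities as $name => $qty) {
        $qty = (int) $qty;
        if (!isset(CATALOG[$name]) || $qty < 1) {
            throw new InvalidArgumentException("rejected item '$name' with quantity $qty");
        }
        $safeName = htmlspecialchars($name, ENT_XML1);
        $items .= sprintf(
            '<item><item-name>%s</item-name><item-description>%s</item-description>'
            . '<unit-price currency="USD">%.2f</unit-price><quantity>%d</quantity></item>',
            $safeName, $safeName, CATALOG[$name], $qty
        );
    }
    // Element names and namespace are assumed here, not taken from the book.
    return '<?xml version="1.0" encoding="UTF-8"?>'
        . '<checkout-shopping-cart xmlns="http://checkout.google.com/schema/2">'
        . "<shopping-cart><items>$items</items></shopping-cart></checkout-shopping-cart>";
}

// HMAC-SHA1 over the raw XML, keyed with the merchant key, base64-encoded for the form field.
function sign_cart(string $cartXml): string
{
    return base64_encode(hash_hmac('sha1', $cartXml, MERCHANT_KEY, true));
}

// Used when reviewing an incoming order: recompute and compare in constant time.
function signature_is_valid(string $cartXml, string $signature): bool
{
    return hash_equals(sign_cart($cartXml), $signature);
}

// The browser only ever submits the signed, opaque cart, never editable prices.
$cartXml   = build_cart_xml(['Shirt 1' => 5, 'Dress 2' => 4]);
$signature = sign_cart($cartXml);
printf("<input type='hidden' name='cart' value='%s'/>\n", base64_encode($cartXml));
printf("<input type='hidden' name='signature' value='%s'/>\n", $signature);

// A copy with the shirt price edited down to one penny fails the signature check.
$tampered = str_replace('23.95', '0.01', $cartXml);
var_dump(signature_is_valid($cartXml, $signature), signature_is_valid($tampered, $signature));
```

Google Checkout itself has since been retired, but the pattern (prices looked up server-side, a keyed signature the client cannot forge, and a constant-time check before approval) carries over to any hosted payment form.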


Google (and each of the other vendors, frankly) maintains an extensive knowledge base on how to
secure shopping cart communications. You can explore the Google knowledge base for information and
pointers specific to securing your code when working with Google Checkout.
