RequiredTotalCy, RequiredTotal

Use these components to verify that values on a page have not been tampered with or reset. The components compare values in the order against values in the _Verify_With dictionary.

The RequiredTotal component is for backward compatibility only. The RequiredTotalCy component operates in Site Server 3.0 Commerce Edition, Commerce Server 2000, and Commerce Server 2002 compatibility mode pipelines. For more information, see Currency Enhancements.

Intended use: Order Processing pipeline, Order Total stage.

Configuration Values

None.

Values Read

The RequiredTotalCy and RequiredTotal components read the following values from the indicated dictionaries.

Key Dictionary Description
_Verify_With Order A dictionary whose keys and values will be tested against keys and values in the order form.
MessageManager Context A reference to a MessageManager object that is used to retrieve the verification error constant (pur_badverify) in case of an error.

Values Written

The RequiredTotalCy and RequiredTotal components write the following value to the Order dictionary.

Key Description
_Purchase_Errors Error messages are written to this SimpleList object.

Errors

The RequiredTotalCy and RequiredTotal components return error level 2 (OPPERRORLEV_WARN) when one or more of the keys and values in the _Verify_With dictionary do not match the corresponding order form entries. Other errors return error level 3 (OPPERRORLEV_FAIL).

The components write error messages to the _Purchase_Errors collection. The components use a MessageManager object to retrieve user warning message text.

Constant Condition
pur_badverify At least one of the keys and values in the _Verify_With dictionary did not match the corresponding pair in the order form.

Remarks

The RequiredTotalCy and RequiredTotal components go through the keys and values in the _Verify_With dictionary to ensure that the keys exists in the order form and have the same values.

You can use these components to verify that values on a page have not been tampered with or reset. To verify values on a page, add a hidden field for each item named _VERIFY_WITH that contains the item and the associated value. For, example to verify that the value ship_to_zip has not been altered, you would create a tag on the page similar this:

<INPUT TYPE="HIDDEN" NAME="_VERIFY_WITH"
       VALUE="<% = "ship_to_zip=" & CStr(mmsOrderForm.ship_to_zip) %>">

When the page is posted, the name and value will be added as a key and value to the _Verify_With dictionary in the OrderForm object.

You can use the VerifyWith method of the Page object to create the hidden tags. The ProcessVerifyWith method of the Page object copies the values of the hidden fields into the _Verify_With dictionary in the OrderForm object.

The Order Total stage always performs a _VERIFY_WITH check. Any fields in the post that appear as _VERIFY_WITH="value=key" will verify that the order has such a key and it is set to that value. This prevents a malicious resetting of addresses or contents. If _VERIFY_WITH is not on the order form, no check is performed.

For example, order._total_total should equal (order._VERIFY_WITH)._total_total if _total.total is in the _VERIFY_WITH clause.

See Also

Page.ProcessVerifyWith

Page.VerifyWith

Copyright © 2005 Microsoft Corporation.
All rights reserved.