Hello,
- Background -
I have a few questions in regards to other plugin integration. I just purchased an ecommerce plugin called Cart66 (formerly called PHPurchase) from http://www.cart66.com. One of their main selling points was their integration with Gravity Forms (GF) as a solution for complex product options configuration. Using their plugin, you build a form for the product you're selling, then associate the new form when you add your product. You embed the new form on a post or page like any other GF. When the customer completes the form and adds the product to the shopping cart, a GF entry is submitted to the DB. If the customer completes the purchase, you now have an order with an associated GF entry that you can view. So far, everything is sweet.
- Issue -
The problem I discovered with their implementation is that if the customer doesn't manually remove the item from the cart and just abandons it, you now have orphaned GF entries not associated with any order. When I communicated the issue to the cart plugin vendor, their response was that they have no way of knowing if a customer just walked away from their computer or if they abandoned the cart. At this point, I'm thinking about transaction processing, session timeouts and cookies. But hey, what do I know. As well, they indicated that normally you view the order you receive from their admin orders page and you can click link(s) to view the associated GF entries for that order. Also, they will someday add a feature request for a CRON job to clean out these orphaned records.
- Question -
In an ideal world, the GF entries would not be submitted until the order is completed. Do any of the filters and hooks you have documented provide a mechanism that would allow them to implement such a solution?
I am less concerned about the orphaned records than about the possibility of an attacker becoming aware of the potential spam possibilities, which I believe is a security hole in itself. I would hate to have my client report back to me that they've had a MySQL denial of service attack stemming from this issue. At least with a contact form, you can add spam protection as well as being notified. There is no way I am setting up a captcha or sending out a notification for every "add to cart" entry to mitigate that possibility.
Any thoughts on this matter would be very much appreciated.
Thank you,
Todd
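The following is an added example, not code from the post's author, from Gravity Forms or from the Cart66 vendor. It shows one way a site owner can contain the orphaned-entry problem described above using hooks that Gravity Forms does document today: `gform_after_submission_{form_id}` tags each new "add to cart" entry as pending, `gform_validation_{form_id}` rejects further submissions once an IP already holds too many pending entries, and a WP-Cron sweep deletes pending entries older than a time-to-live through `GFAPI`. The product form ID (5), the TTL and per-IP cap, and the vendor hook name `example_cart_order_completed` are assumptions to adapt; GF cannot defer writing the entry until checkout, so this quarantines and garbage-collects instead.

```php
<?php
/*
Plugin Name: Pending-entry quarantine for a product form (added example, not vendor code)
*/

// Assumptions, not taken from the original post: the GF product form has ID 5,
// an abandoned cart is considered dead after 24 hours, and a single IP may hold
// at most 20 unfinished "add to cart" entries at a time.
define( 'PQ_PRODUCT_FORM_ID', 5 );
define( 'PQ_PENDING_TTL_HOURS', 24 );
define( 'PQ_MAX_PENDING_PER_IP', 20 );

// 1. Every entry the product form creates starts out as "pending" (entry meta).
add_action( 'gform_after_submission_' . PQ_PRODUCT_FORM_ID, 'pq_mark_pending', 10, 2 );
function pq_mark_pending( $entry, $form ) {
    gform_update_meta( $entry['id'], 'pq_cart_status', 'pending', $form['id'] );
}

// 2. Cheap abuse brake: refuse a submission when the requesting IP already has
//    too many pending entries. This caps how fast one source can grow the table.
add_filter( 'gform_validation_' . PQ_PRODUCT_FORM_ID, 'pq_limit_pending_per_ip' );
function pq_limit_pending_per_ip( $validation_result ) {
    $search = array(
        'status'        => 'active',
        'field_filters' => array(
            array( 'key' => 'pq_cart_status', 'value' => 'pending' ),
            array( 'key' => 'ip', 'value' => GFFormsModel::get_ip() ),
        ),
    );
    $total = 0; // filled in by reference with the matching entry count
    GFAPI::get_entries( PQ_PRODUCT_FORM_ID, $search, null, array( 'offset' => 0, 'page_size' => 1 ), $total );

    if ( $total >= PQ_MAX_PENDING_PER_IP ) {
        $form  = $validation_result['form'];
        $field = $form['fields'][0]; // GF_Field object; flag the first field so GF shows a message
        $field->failed_validation  = true;
        $field->validation_message = 'Too many unfinished carts from this address; please try again later.';
        $validation_result['form']     = $form;
        $validation_result['is_valid'] = false;
    }
    return $validation_result;
}

// 3. When the cart plugin finalises an order, promote the entry so the sweep
//    keeps it. The hook name and its argument are placeholders; substitute the
//    hook the vendor actually fires with the associated GF entry ID.
add_action( 'example_cart_order_completed', 'pq_mark_completed' );
function pq_mark_completed( $entry_id ) {
    gform_update_meta( $entry_id, 'pq_cart_status', 'completed' );
}

// 4. Hourly sweep: delete entries still pending after the TTL.
add_action( 'init', 'pq_schedule_sweep' );
function pq_schedule_sweep() {
    if ( ! wp_next_scheduled( 'pq_sweep_pending' ) ) {
        wp_schedule_event( time(), 'hourly', 'pq_sweep_pending' );
    }
}

add_action( 'pq_sweep_pending', 'pq_sweep_pending' );
function pq_sweep_pending() {
    $cutoff = time() - PQ_PENDING_TTL_HOURS * HOUR_IN_SECONDS;
    $search = array(
        'status'        => 'active',
        'field_filters' => array( array( 'key' => 'pq_cart_status', 'value' => 'pending' ) ),
    );
    // Oldest first, so we can stop at the first entry that is still young.
    $sorting = array( 'key' => 'date_created', 'direction' => 'ASC' );
    $paging  = array( 'offset' => 0, 'page_size' => 200 );

    $entries = GFAPI::get_entries( PQ_PRODUCT_FORM_ID, $search, $sorting, $paging );
    if ( is_wp_error( $entries ) ) {
        return;
    }
    foreach ( $entries as $entry ) {
        // GF stores date_created in UTC; compare in PHP rather than relying on
        // the timezone handling of a start_date/end_date search criterion.
        if ( strtotime( $entry['date_created'] . ' UTC' ) > $cutoff ) {
            break;
        }
        GFAPI::delete_entry( $entry['id'] );
    }
}
```

Drop the file into `wp-content/plugins/` (or `mu-plugins/`) and activate it. The sweep only ever touches entries that are still marked pending, so orders that the vendor hook has promoted to "completed" survive; if the vendor exposes no such hook, step 3 can instead be driven from the admin orders page before the TTL elapses. The per-IP cap is deliberately coarse: it does not stop a distributed flood, but it removes the trivial "one host, unlimited rows" case the post is worried about without adding a captcha or a notification to every add-to-cart.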