Change the way order nubmer is generated

[Cindy2010]

Does anyone know if there is a way to change how the order number is generated? I believe currently it is just a sequence, which is really bad since people can easily guess how many orders you have.

I think, at least, we can change it to something like:
Current_timestamp-A_random_number
Or something like that.

This is also the case for customer ID: I can easily sign up as a customer today, and sign up as another customer 1 week later, then know how many customers the site has during this week. This is really bad.

Thanks.

[stevesh]

You'd have to rewrite the code which assigns those numbers - not exactly a simple job.

I guess I don't understand why either of those things would be 'really bad'. Most customers don't care how much business you're doing as long as your site looks professional and your prices are good, and I can't think of a way your competitors could use the information to your disadvantage.

[PatF]

Place an order yourself and then at regular intervals update that order number. If you jump it by a 1000 or so whatever level of traffic you want to imply every couple of days you will have the effect of implying a busier site.

[Cindy2010]

You'd have to rewrite the code which assigns those numbers - not exactly a simple job.

Do you know where is the code for that? (order number, and customer number)

[DrByte]

I guess I don't understand why either of those things would be 'really bad'. Most customers don't care how much business you're doing as long as your site looks professional and your prices are good, and I can't think of a way your competitors could use the information to your disadvantage.

Valid points!

[Cindy2010]

Valid points!

So you think, all major website, Amazon, buy.com, etc., never use simple sequence as customer id or order id, they just did it for fun and for no reason?

From technical point of view, it is not a good idea that a hacker can easily guess out all the IDs.

Anyway, this is off the topic. Let's focus how to do it. Not why to do it.

[DrByte]

The current version of Zen Cart exerts no control over order numbers or customer numbers. It leaves that up to the database to handle via an auto-increment counter. That means when a new record is added, the database automatically picks the next integer number greater than the last one used. That's all handled by MySQL, not Zen Cart.

I guess you're welcome to rewrite how MySQL works when adding +1 to numbers. You'll need a dedicated server to install your own customized C++ code, then compile the new code after you've written the new functionality, and then run your site from that. Of course, then all the *other* database tables that do other auto-incrementing will grow exponentially large and blow out capacity too.

Assuming you're probably not interested in tackling it that way, we come back to finding a solid reason for thinking it's needed in the first place.
I see no threat with regard to a hacker guessing customer IDs or order IDs. How exactly do you think those can be abused if they can be guessed? I'd be very interested in exactly what threat you think exists.

[gjh42]

I'm sure they had good reasons for generating customer and order ids in a different way, but with the volume of business they do, how could sequential numbers hurt them? I suppose a hacker could guess a valid number more easily if that would benefit them... but it would probably not be hard to guess a valid number like the actual ones, for a hacker who actually knows coding.

Not sure about the customer id, but the order id is a primary key in the database, and needs to be sequential, unless you change the way the db works.

Edit: Yeah, what DrByte said... :)

[stevesh]

So you think, all major website, Amazon, buy.com, etc., never use simple sequence as customer id or order id, they just did it for fun and for no reason?

From technical point of view, it is not a good idea that a hacker can easily guess out all the IDs.

Anyway, this is off the topic. Let's focus how to do it. Not why to do it.

I can't speak for Amazon, etc., but custom shopping cart software can do a lot of stuff a standard open source cart can't do, and at a much greater expense.

As I mentiioned, you would have to write considerable code to accomplish what you're asking. You might try posting in the Commercial Help wanted forum.

Most importantly, this forum isn't a Knowledge Base where you get pre-written answers depending on keywords in your question. It's a community, and the why is often more important than the how.

I and (apparently) others think your approach doesn't make sense, and we'll be pleased to say so.