The Order Processing pipeline (OPP) requires that data passed from the site to the pipeline, and from the pipeline to the site, be in an OrderForm object. This requirement applies to components included in the default OPP and to components designed to extend it.

The following figure shows an overview of the OrderForm object.

An overview of the OrderForm object.

The OrderForm object is a dictionary containing individual entries, and entries that are Dictionary and SimpleList objects. The structure makes it possible to present a detailed summary of all or part of one or more shopping sessions to the user or to the pipeline. This summary includes user data, such as name, address, and credit-card information, as well as product information related to the purchase.

The first element in the top-level Dictionary object of the OrderForm object is a reference to a SimpleList object of the items that make up the order. Each of these items is itself another Dictionary object. This SimpleList object is referred to as the items list.

The elements that make up both the order Dictionary object and the Dictionary objects in the items SimpleList object consist of a key and a value. Each component that you include in the OPP for your site is designed to operate on one or more of these keys and values. Typical operations include:

  • Key and value creation. Several components create keys and values in an OrderForm object. For example, the QueryCatalogInfo component gathers information about a product from a database, prepends _product_ to the column name, and adds the resulting key and value to the OrderForm object.
  • Key and value initialization. The Required components in the OPP fall into this category. These components check to make sure that certain keys are initialized with values, and if they are not, these components initialize them. Thus, the RequiredOrderInitCy component, which is part of the Order Initialization stage, sets the _cy_total_total, _cy_oadjust_subtotal, _cy_shipping_total, _cy_tax_total, and _cy_handling_total keys to NULL.
  • Key and value verification. The OPP fails if certain keys and values in an OrderForm object are not initialized when the pipeline is invoked. For example, the RequiredOrderInitCy component verifies that the items SimpleList object on an OrderForm object is not empty. If this SimpleList object is empty, the component returns a status that indicates failure.
  • Key and value calculation. The optional components in the OPP initialize keys and values based on the work performed by other components. For example, the components in the Tax stage calculate the tax on an order, based on the list of items in the items SimpleList object of the OrderForm object, and write the tax to the _tax_total key.

The underscore (_) character that precedes many of the keys in the OrderForm object indicates that the key is not persisted.

Notes

  • The contents of an OrderForm object can vary, depending on how the pipeline for a site is configured.
  • If you are writing new pipeline components, do not use unfiltered items from any Dictionary that have the potential of being inserted directly into a dynamic SQL statement. Otherwise, you are vulnerable to SQL injection attacks. SQL injection is the act of passing additional (malicious) SQL code into an application which is typically appended to the legitimate SQL code contained within the application. For more information about protection against SQL injection attacks, see http://go.microsoft.com/fwlink/?LinkId=19424 and http://go.microsoft.com/fwlink/?LinkId=19425.
  • If you are writing site code and you are uncertain of how the underlying pipeline code interacts with the database, you should write a filter that will clean the input before adding it to the Dictionary. For example, if you know the input is numeric, you can then put a filter on the input so only numeric input will be placed in a Dictionary. If the input is a string that can match only certain values, make sure the input matches one of those values. There are other generic mitigation strategies that you can employ, but the best strategy is to understand the input data and provide the most rigorous validation possible.
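As an added example (not code from the Commerce Server documentation), here is one way to write the filters the notes above call for, shown in Python rather than ASP site code: a digits-only filter for numeric input, an allowlist filter for a string that may take only certain values, and a parameterized catalog lookup that stands in for the QueryCatalogInfo behaviour described earlier. The key names, the allowed shipping methods and the in-memory products table are constructed for this example.

```python
import re
import sqlite3

# Constructed for this example: the closed set of values a string key may take.
# The key names below are illustrative, not keys defined by the real OrderForm.
ALLOWED_SHIPPING_METHODS = {"ground", "air", "overnight"}
_NUMERIC = re.compile(r"^[0-9]{1,9}$")  # digits only, bounded length

def filter_numeric(value):
    """Accept only an all-digit string and return it as an int, else None."""
    if isinstance(value, str) and _NUMERIC.match(value):
        return int(value)
    return None

def filter_enum(value, allowed):
    """Accept a string only if it is exactly one of the allowed values."""
    return value if isinstance(value, str) and value in allowed else None

def build_item(raw):
    """Build one item Dictionary from untrusted site input.
    Every field passes a filter before it is stored; if any field is rejected,
    nothing is stored and the names of the rejected keys are returned."""
    filtered = {
        "sku": filter_numeric(raw.get("sku")),
        "quantity": filter_numeric(raw.get("quantity")),
        "shipping_method": filter_enum(raw.get("shipping_method"),
                                       ALLOWED_SHIPPING_METHODS),
    }
    errors = [key for key, val in filtered.items() if val is None]
    return (None, errors) if errors else (filtered, [])

def query_catalog_info(conn, item):
    """Hypothetical stand-in for the QueryCatalogInfo behaviour the page describes:
    fetch product columns and add them under _product_-prefixed keys. The query is
    parameterized, so the sku value is never spliced into the SQL text."""
    cur = conn.execute("SELECT name, list_price FROM products WHERE sku = ?",
                       (item["sku"],))
    row = cur.fetchone()
    if row is None:
        return {}
    return {"_product_" + col[0]: val for col, val in zip(cur.description, row)}

def demo_db():
    """Constructed in-memory catalog so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products "
                 "(sku INTEGER PRIMARY KEY, name TEXT, list_price INTEGER)")
    conn.execute("INSERT INTO products VALUES (1001, 'Widget', 1999)")
    return conn
```

Input that fails a filter is never placed in the item Dictionary, so later stages that build SQL from it only ever see values of the expected shape.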

Copyright © 2005 Microsoft Corporation.
All rights reserved.