Sign product forms with HMAC
How to sign your add-to-cart form inputs with HMAC to prevent tampering.
Signing a product form with HMAC means generating an HMAC SHA-256 hash for each input and appending it to the input’s name attribute. Foxy checks these hashes when the form is submitted — any unsigned or modified value is rejected.
How signing works
For each input, concatenate three values in this order: the product code, the input's name, and the input's value.
Then compute the HMAC SHA-256 of that string using your store’s API key as the key, and append the resulting 64-character hash to the name attribute using double pipes (||).
For example, for a product with a code of abc123 and a name of Example T-Shirt, the name input is signed with:
hash_hmac('sha256', 'abc123nameExample T-Shirt', $api_key);
The signed input looks like this:
<input type="hidden" name="name||f8d3b7b993380dee31ee467984397ed8dc5feec3eb464bc55264cbe33fd691ac" value="Example T-Shirt" />
Steps
Select and radio inputs
For <select> elements and radio inputs, append the hash to the value attribute of each <option> (or each radio input) rather than to the name. The concatenation is the same (code, name, and value):
<select name="size">
<option value="small{p-2}||14696b9ff099727a798a5b59d71bc1540a5481adfd957ed2252acf8aec83914a">Small</option>
<option value="medium||713800d729f987d4609a8b83b60932e64f64690b4c2842b7d6522a62fe514af4">Medium</option>
<option value="large{p+3}||c8d37d7c32c3c4fc9fe9703e8cc3456020aa9319dd18816d7f887c6f9c616708">Large</option>
</select>
PHP helper function
If you are using PHP, you can use this helper function to generate signed name or value attributes:
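function get_verification($var_name, $var_value, $var_code, $var_parent_code = "", $for_value = false) {
    // Store API key used as the HMAC key; keep it server-side only.
    $api_key = "your_api_key_here";
    // String to sign: product code, parent code (if any), input name, input value.
    $encodingval = htmlspecialchars($var_code . $var_parent_code . $var_name . $var_value);
    // The hash is appended to the value for select/radio options, otherwise to the name.
    $label = ($for_value) ? $var_value : $var_name;
    // Open fields (value "--OPEN--") get an extra "||open" suffix.
    return $label . '||' . hash_hmac('sha256', $encodingval, $api_key) . ($var_value === "--OPEN--" ? "||open" : "");
}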
Pass true as the fifth argument ($for_value) when signing select or radio option values:
<option value="<?php echo get_verification('size', 'small{p-2}', 'abc123', '', true); ?>">Small</option>
For a fully automatic approach that signs an entire HTML page at once, see the FoxyCart Cart Validation PHP library on GitHub.
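As an added example (not Foxy's code and not part of the original page), the script below signs three fields with the same concatenation as the helper above and runs a local model of the submit-time check, showing that an edited or unsigned option value is rejected. The key, the product values, and the names sign_field and rejected_fields are constructed for illustration; parent codes and the ||open suffix are not handled.

```php
<?php
// Added example, not Foxy's code. Key and product values are constructed.
const DEMO_KEY = 'constructed-demo-key';

// Same input as the page's helper: code . name . value, escaped, then HMAC SHA-256.
function sign_field(string $code, string $name, string $value, string $key): string
{
    return hash_hmac('sha256', htmlspecialchars($code . $name . $value), $key);
}

// Local model of the submit-time check (an assumption about its shape):
// returns the names of fields that are unsigned or do not match their hash.
function rejected_fields(string $code, array $fields, string $key): array
{
    $rejected = [];
    foreach ($fields as $rawName => $rawValue) {
        // The hash rides on the name (hidden inputs) or on the value (options).
        [$name, $nameSig] = array_pad(explode('||', (string) $rawName, 2), 2, null);
        [$value, $valueSig] = array_pad(explode('||', (string) $rawValue, 2), 2, null);
        $sig = $nameSig ?? $valueSig;
        // hash_equals compares in constant time; a missing hash is a rejection.
        if ($sig === null || !hash_equals(sign_field($code, $name, $value, $key), $sig)) {
            $rejected[] = $name;
        }
    }
    return $rejected;
}

$code = 'abc123';
$form = [
    'code||' . sign_field($code, 'code', $code, DEMO_KEY) => $code,
    'price||' . sign_field($code, 'price', '20.00', DEMO_KEY) => '20.00',
    'size' => 'small{p-2}||' . sign_field($code, 'size', 'small{p-2}', DEMO_KEY),
];

// Case 1: the form exactly as the server rendered it.
echo json_encode(rejected_fields($code, $form, DEMO_KEY)), PHP_EOL;

// Case 2: the price modifier is edited in the browser, original hash kept.
$edited = $form;
$edited['size'] = str_replace('{p-2}', '{p-20}', $form['size']);
echo json_encode(rejected_fields($code, $edited, DEMO_KEY)), PHP_EOL;

// Case 3: the size option was never signed (the gap the Notes warn about).
$unsigned = $form;
$unsigned['size'] = 'small{p-20}';
echo json_encode(rejected_fields($code, $unsigned, DEMO_KEY)), PHP_EOL;
```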
Notes
Every input that relates to a product must be signed — not just name, code, and price. An unsigned size option with a price modifier could be used to manipulate the price.
For open (user-editable) fields such as quantity, see Sign open fields with HMAC.
For bundled products, see Sign bundled products with HMAC.
For multiple products in one form, see Sign multiple products in one form with HMAC.
For parameters that do not need to be signed, see HMAC excluded parameters reference.