Secure One-Page Order Form and Backroom Order Manager
------------------------------------------------------------------
(c)Speedsoft
All rights reserved.  Unauthorized use of this script is strictly
forbidden without the express consent of Speedsoft.
------------------------------------------------------------------

The order.pl and backroom.pl Perl scripts work together to provide a simple solution for a secure single-page order form and secure order "manager".  The order.shtml file is a non-SSI-parsed page containing form fields in which the viewer enters information such as name, address, etc., how many items of each of your products they want to order, and credit card information.  The order.pl script takes this information, checks for required fields, valid email address and valid credit card information.  Once all of these criteria are met, the order is emailed to the store owner (you) and the purchaser minus any sensitive information such as credit card numbers.  The entire invoice including sensitive information is stored to a file in a password protected directory.  The email sent to the store owner serves as notification that an order has been placed.  The store owner may then access the backroom.pl script (located in a password protected directory) to view, print, and delete the order(s) securely using a SSL browser (such as Netscape or MS IE).

The invoice format is hard-coded into the order.pl script.  With a little bit of programming knowledge (not much) and a text editor, you could modify the script to add extra customized fields.  The meat of the script however is in its order processing code which accounts for taxes, shipping, and item quantity bookkeeping which you will most likely not want to touch.  Many items of this system are customizable and/or required for you to provide.  These items are explained in detail below.  Become familiar with all of them before jumping into editing your order form.

------------------------------------------------------------------
ORDER.PL
------------------------------------------------------------------

At the top of the order.pl script are several variables which you will need to customize for your particular order form.  (When transferring script files via FTP make sure to do so in ASCII mode!)  Here are a list of the variables with a description of each.  For discussion sake, we will say the user's directory is "widget".

  $base_dir = '/usr/local/etc/httpd/vhosts/widget';

This is the "root" directory of the user's account, where the "order.shtml" file resides.

  $order_dir = $base_dir.'/cgi-bin/backroom/orders';

This is the password protected directory where the order files are stored securely.  This is normally under the cgi-bin directory so that the orders are not readable by a browser.  Further, the "backroom" directory is password protected to prevent unwanted people from running the backroom.pl script.  Since the "orders" directory is under the "backroom" directory, it is protected by the same password as the "backroom" directory.

  $cgibin_dir = 'widget/cgi-bin';

The cgi-bin directory from the server's document root.

  $body_tag = '<body bgcolor="white" text="black">';

The color and appearance of the return confirmation page, invoice page and error message pages.

  $secret_code = 'MySecretCode';

This is a "password" type string which is handy for testing out your order form without actually entering a valid Credit Card Number.  It's a pain to have to enter a valid CC number if all you want to do is test a new product.  Type this "secret code" in place of the credit card number, put a period in place of the other credit card information and the order.pl script will allow you to bypass the credit card validity check.

$address = 
'Widget, Inc.
PO Box 12
Widgetville, TX  749021';

This is the address just as it should appear on the invoice.

------------------------------------------------------------------
ORDER.SHTML
------------------------------------------------------------------

The order.shtml page is where you will set all of your product information.  The order.pl script requires hidden form fields to pick up the necessary information for processing.  Here are the basic ones:

  <input type="hidden" name="emailto" value="sales@widget.com">

The store owner's email address where the non-secure invoice will be emailed as notification of the order.

  <input type="hidden" name="subject" value="Widget Order Form">

The subject line of the invoice which will be emailed to both the store owner and the purchaser.

  <input type="hidden" name="required" value="name,email,address,city,zip">

Form fields on the order.shtml page which you require for the purchaser to fill out.  These should be exactly as they are entered on the form name including capitalization if any and should be separated by commas.

  <input type="hidden" name="tax_rate" value="8.25">

Your state sales tax.

  <input type="hidden" name="state_to_tax" value="TX">

Your state.  If the purchaser enters the same state (2 letter abbreviation) as the state in which your business is located, sales tax will be added to the order.

  <input type="hidden" name="currency" value="£">

This field is optional.  The default for the order.pl script is "$".  If you are using another currency you can specify it here.  Alternately, you can include the currency in the actual price field (shown further below) and it will be picked up from there.

PRODUCT FIELDS

This is the part that you will most likely be modifying the most as your products change or are added.  Each product works off of three fields: name, price, and quantity.  These are self-explanatory.  The key is that the name and price fields are hidden while the quantity field is entered by the purchaser.  A sample order form might look like this:

  <input type="hidden" name="name101" value="Triangle Widget">
  <input type="hidden" name="price101" value="12.00">
  <input type=text size=3 name="quantity101"> Triangle Widget - $12.00<P>

  <input type="hidden" name="name102" value="Square Widget">
  <input type="hidden" name="price102" value="8.00">
  <input type=text size=3 name="quantity102"> Square Widget - $8.00<P>

Notice that the name and price information actually appear on the order form twice.  Once in the hidden form fields so that the script has access to them and again as normal text so that the customer knows what they're ordering.  It is highly suggested that you enter the order form using tables.  The tables were omitted here for clarity.

The numbers "101" and "102" are the product identification numbers and are necessary for the order.pl script to track each product individually.  They don't have to be "101".  They can consist of any characters including numbers, dashes, underlines, letters, etc.  These are case sensitive.  These are your "product id's" and should match up to the ID's you use in your business to track each item.

As mentioned above, if your currency is different that "$", you may specify it in a hidden field called "currency".  Alternately, you may specify it in the price field and all currencies on the invoice page will be denoted with this currency marker.  Note that the order form cannot be used to order items of more than one currency per order.  However, you may have different currency items on the same order.shtml page using this method of currency marking.  If the purchaser tries to order products of two different currencies on the same order, an error message will result, notifying them that they can only place an order for a single currency at a time.

  <input type="hidden" name="name101" value="Triangle Widget">
  <input type=text size=3 name="quantity101"><BR>
  Triangle Widget - US Orders - $15.00
  <input type="radio" name="price101" value="$15.00"><BR>
  Triangle Widget - Foreign Orders - £8.00
  <input type="radio" name="price101" value="£8.00">

While we're on the subject of allowing the purchaser to specify something like currency, how about if we want them to specify a certain type of an item.  Here is an example of different shirt sizes:

  Widget Shirt - $15.00 (select size and quantity)<BR>
  <input type=text size=3 name="quantity103">
  <select name="name103">
    <option>Widget Shirt - XL</option>
    <option>Widget Shirt - L</option>
    <option>Widget Shirt - M</option>
    <option>Widget Shirt - S</option>
  </select>
  <input type="hidden" name="price103" value="$15.00">

SHIPPING

The order.pl script does not perform individual product shipping and handling additions.  If you have per product S&H charges, simply note them on the order.shtml page so the purchaser sees the price breakdown, but include the S&H as the total cost in the "price..." field.  For instance, if we needed to charge $1.50 for S&H on item 101, it would look like this:

  <input type="hidden" name="name101" value="Triangle Widget">
  <input type="hidden" name="price101" value="13.50">
  <input type=text size=3 name="quantity101">
  Triangle Widget: $12.00 + $1.50(S&H) = total: $13.50<P>

ADDITIONAL SHIPPING COSTS (optional)

The order.pl script does provide for additional shipping costs which would be applied to the total order.  This does not change based upon the quantity of the order.  It is a one-time charge added at the end of the invoice.  As such, it is not extremely powerful, but it is provided for certain cases.  To use it, you will need a section of the order.shtml page to prompt the purchaser to select a shipping method.  You can add the "shipmethod" string to the list of "required" fields to ensure the purchaser does select a shipping method.  Most likely you'll want the shipping method to use radio buttons, but you could also do it with a pull down menu.  Here is what the order.shtml might look like:

  <input type=radio name=shipmethod value=1> UPS - $5.00
  <input type=hidden name=shipcost1 value="5.00">
  <input type=hidden name=shipname1 value="UPS">

  <input type=radio name=shipmethod value=2> UPS Overnight - $10.00
  <input type=hidden name=shipcost2 value="10.00">
  <input type=hidden name=shipname2 value="UPS Overnight">

  <input type=radio name=shipmethod value=3> Fedex - $15.00
  <input type=hidden name=shipcost3 value="15.00">
  <input type=hidden name=shipname3 value="Fedex">

Notice you have a user selected field name "shipmethod" and each shipmethod requires a hidden form field named "shipcost#" where the "#" must be replaced by the shipmethod number.

------------------------------------------------------------------
BACKROOM.PL
------------------------------------------------------------------

This script is used for viewing, printing, and deleting the orders via a secure browser.  A typical URL of this would be https://www.speedsoft.com/widget/cgi-bin/backroom/backroom.pl
Notice the "https", not "http".  This causes the browser to be in secure mode with the Speedsoft server.  (In Netscape you will see a closed padlock in the bottom left corner of the browser if it is secure).

The "backroom" directory below the cgi-bin directory should be password protected using the server files ".htaccess" and ".htpasswd".  This should already be done upon installation.  FYI, you may read about this method at http://www.speedsoft.com/ss/support/password.html.

The backroom.pl script is very self-explanatory.  Buttons for viewing and deleting orders are displayed.  Once you "view" an order, you may print the order using your browser or save the order using the browser's file menu commands.  Do not use "FTP" to transfer the invoice files directly from the order directory or the security of the information in the files will not be insured.