Product ID injection in Add to cart URL



Hi

 

I'm managing the tech side of a PrestaShop store that has some free products that the owners use for promotion and giveaways; those are not available in the front store, as you can imagine. Yet, lately there have been, with an increasing number, new orders coming with those free products, and some have been sent, generating losses for the store.

 

As I started checking configs, security and such, I think I discovered how this has been done. When you're on the products page, the buttons/links to "Add to cart" show the URL: "shop.com/en/cart?add=1&id_product=1&token=xxxxxxxx", so you can copy and paste that URL in your browser and just change the "id_product". Somehow (trial and error, I guess) they discovered the IDs of the free products and have been placing orders that way.

 

So for the time being, I made them disable the free products so no more orders can be placed, but they want them back ASAP since as I mentioned they use them heavily for promotions and such.

 

Now, the question is: what is the best way to keep those products and yet avoid the product ID injection on the mentioned URL?

 

Thank you!

Edited by WhiskyMoon (see edit history)
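An added example, not part of the original post: a log check a store operator could run to confirm the pattern described above, flagging add-to-cart requests that name an unlisted product and clients that walk through many `id_product` values. The hidden product IDs, the threshold, the combined log format and the sample log lines are all constructed assumptions, and it only sees requests that carry `id_product` in the URL as in the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: IDs of the promotional products that are not listed in the storefront.
HIDDEN_PRODUCT_IDS = {101, 102}
# Assumption: this many distinct product IDs from one client suggests ID guessing.
ENUMERATION_THRESHOLD = 5

# Combined log format: client IP, identity, user, [timestamp], "METHOD path PROTO"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

def cart_add_product_id(path):
    """Return id_product for an add-to-cart URL, or None for anything else."""
    parts = urlsplit(path)
    query = parse_qs(parts.query)
    if not parts.path.rstrip("/").endswith("/cart") or "add" not in query:
        return None
    try:
        return int(query.get("id_product", [""])[0])
    except ValueError:
        return None  # missing or non-numeric id_product

def analyse(lines):
    """Return (hits on hidden products, clients that tried many distinct IDs)."""
    hidden_hits = []
    ids_by_ip = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.groups()
        pid = cart_add_product_id(path)
        if pid is None:
            continue
        ids_by_ip[ip].add(pid)
        if pid in HIDDEN_PRODUCT_IDS:
            hidden_hits.append((ip, pid))
    enumerators = sorted(ip for ip, ids in ids_by_ip.items()
                         if len(ids) >= ENUMERATION_THRESHOLD)
    return hidden_hits, enumerators

# Constructed sample log: one normal shopper, one cart view, one client stepping through IDs.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /en/cart?add=1&id_product=1&token=xxxxxxxx HTTP/1.1" 302 0',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /en/cart?action=show HTTP/1.1" 200 5120',
] + [
    f'198.51.100.7 - - [01/Jan/2024:10:01:{i:02d} +0000] "GET /en/cart?add=1&id_product={pid}&token=xxxxxxxx HTTP/1.1" 302 0'
    for i, pid in enumerate(range(97, 103))
]
```
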