Shopping cart form key security

I added a shopping cart button to my catalog list.phtml page using the following code which I saw suggested several places online:


<button type="button" style="(styles here)" title="<?php echo $this->__('Add to Cart') ?>" onclick="setLocation('<?php echo $this->helper('checkout/cart')->getAddUrl($_product) ?>')"><span><span><?php echo $this->__('Add to Cart') ?></span></span></button>


It worked perfectly, but I then got chewed out by another web developer at my work because, in his words: "in your coding, you left a big security risk. you show the secret security key of the site. the form key is the 'code' to log into the database. in your coding you revealed it."


He was referring to HTML output that looks like /form_key/SomeRandomString.


I tried researching this (I'll admit I know little about website security) but I don't understand how the form key can also be used to "log in" to the Magento database. Isn't it a random string of numbers and letters that's unique to each user session? Can someone explain this to me?


I'm using Magento EE 1.13.
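
A generic sketch of how a per-session form key of the kind the question describes is issued and checked, added here as an example; it is not Magento's code and not part of the original post. The function names and the `form_key` session slot are assumptions made for the illustration.

```php
<?php
// Added illustration (not Magento's code): a per-session anti-CSRF form key.
// getFormKey(), validateFormKey() and the 'form_key' slot are hypothetical names.

function getFormKey(array &$session): string
{
    // Generated once per session from random bytes; it encodes no credentials.
    if (empty($session['form_key'])) {
        $session['form_key'] = bin2hex(random_bytes(8)); // 16 hex characters
    }
    return $session['form_key'];
}

function validateFormKey(array $session, array $request): bool
{
    $expected = $session['form_key'] ?? '';
    $supplied = $request['form_key'] ?? '';
    // Reject missing or non-string values, then compare in constant time.
    return is_string($supplied)
        && $expected !== ''
        && hash_equals($expected, $supplied);
}

// Constructed sample data: two independent visitor sessions.
$alice = [];
$bob   = [];
$aliceKey = getFormKey($alice);
$bobKey   = getFormKey($bob);

$checks = [
    'own key accepted'              => validateFormKey($alice, ['form_key' => $aliceKey]),
    'other session\'s key rejected' => !validateFormKey($alice, ['form_key' => $bobKey]),
    'missing key rejected'          => !validateFormKey($alice, []),
    'key stable within a session'   => getFormKey($alice) === $aliceKey,
];

foreach ($checks as $label => $ok) {
    echo ($ok ? 'PASS' : 'FAIL') . "  $label\n";
}
```

The key is only ever compared against the value stored in the same visitor's session, so it is meaningful to that session alone and is expected to appear in the pages served to that visitor.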