Increase security when paying with PayPal

I have this code on my website:

    <form method="post" action="process.php">
        <input type="hidden" name="itemname" value="1" />
        <input type="hidden" name="itemnumber" value="2" />
        <input type="hidden" name="itemQty" value="1" />
        <input type="hidden" name="itemprice" value="17">
    </form>

This code sends a POST to process.php, which opens the PayPal class for payment.

Everything works fine, but I have very big problems. The fact is that if I edit any value using FireBug, say, for example, "itemprice", anyone can change the default value and replace the product price with any other value at the time of payment processing.

How can I fix this? Any ideas?

Thanks.

+4
3 answers

Encryption is the only way to prevent this; you cannot do anything on the client side. You can try to add some server-side validation or use _SESSION, but these are your only options.

0

You can use PayPal Instant Notification (IPN). You specify a script URL on your website that can handle the payment. It is located somewhere when you log in to your PayPal account.

Each time a new payment is made, PayPal will send a request to your IPN script with all the payment details (product ID, name, price, everything you want), and then you can check in the script, using your database, whether the prices match the specified product identifiers.

It is very easy to implement in my opinion and very flexible. It is also well documented on the PayPal website. It does not take too long to figure it out.

0

You should never rely on the price from a web form. Since the element has its own identifier, it is great for sending only the identifier and the required amount to process.php. This, in turn, should receive prices directly from the source (database, config ...), and not from (possibly forged) web form data.

0
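
The two server-side checks suggested in the answers above, as an added example that is not code from the question or from any answer: process.php prices the order from its own catalog using only the item number and quantity, and the IPN handler compares the amount PayPal reports with that stored total. The catalog contents and the function names `build_order` and `ipn_matches_order` are assumptions; `mc_gross`, `mc_currency`, `item_number` and `payment_status` are standard PayPal IPN variables, and the IPN message is assumed to have been confirmed with PayPal beforehand.

```php
<?php
// Added example, not the asker's code. The catalog is constructed sample data;
// in a real shop it would come from the database or a config file.
const CATALOG = [
    '2' => ['name' => 'Sample item', 'price_cents' => 1700, 'currency' => 'USD'],
];

// Build the order from the item number and quantity only. Any price field in
// the submitted form is ignored, so editing it in the browser has no effect.
function build_order(array $post): array
{
    $id  = (string)($post['itemnumber'] ?? '');
    $qty = filter_var($post['itemQty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if (!array_key_exists($id, CATALOG) || $qty === false) {
        throw new InvalidArgumentException('Unknown item or invalid quantity');
    }
    $item = CATALOG[$id];
    return [
        'item_number' => $id,
        'quantity'    => $qty,
        'currency'    => $item['currency'],
        'total_cents' => $item['price_cents'] * $qty, // integer cents, no float drift
    ];
}

// Compare what PayPal reports in the IPN message with the stored order.
// Assumes the message was already confirmed with PayPal (cmd=_notify-validate).
function ipn_matches_order(array $ipn, array $order): bool
{
    $paid_cents = (int) round(((float)($ipn['mc_gross'] ?? 0)) * 100);
    return ($ipn['payment_status'] ?? '') === 'Completed'
        && ($ipn['mc_currency'] ?? '') === $order['currency']
        && ($ipn['item_number'] ?? '') === $order['item_number']
        && $paid_cents === $order['total_cents'];
}

// Constructed request: the hidden price field was edited from 17 to 1.
$order = build_order(['itemnumber' => '2', 'itemQty' => '1', 'itemprice' => '1']);
echo $order['total_cents'], "\n"; // total computed from the catalog

// Constructed IPN messages: one paid in full, one underpaid.
$ok  = ['payment_status' => 'Completed', 'mc_currency' => 'USD',
        'item_number' => '2', 'mc_gross' => '17.00'];
$bad = ['mc_gross' => '1.00'] + $ok;
var_dump(ipn_matches_order($ok, $order), ipn_matches_order($bad, $order));
```

An order whose IPN check fails should stay unfulfilled and be flagged for review rather than silently dropped.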