Paypal Integration (php) > Security Problem (d2jsp Forums, Programming & Development)
Member (Posts: 5,269, Joined: Oct 18 2006, Gold: 21,400.00), May 19 2014 04:03pm
I am trying to integrate PayPal into my website and here is what PayPal says to use (https://www.paypal.com/cgi-bin/webscr?cmd=p/pdn/howto_checkout-outside):

Code
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="you@youremail.com">
<input type="hidden" name="item_name" value="Item Name">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="amount" value="0.00">
<input type="image" src="http://www.paypal.com/en_US/i/btn/x-click-but01.gif" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>

Maybe I am not understanding something, but it seems like anyone who uses that code has a security risk. Can't any user simply edit the hidden fields (say amount) and ruin your checkout system?

How can I send a form like this without ever displaying the form to the user (with php)?
Member (Posts: 5,269, Joined: Oct 18 2006, Gold: 21,400.00), May 19 2014 05:05pm
Never mind, I think I figured it out...

Yes, this is an insecure way since the user can change it. However, after the user pays, PayPal sends you a POST stating order information which contains what the user paid. For security, you should check there to make sure the $ amount lines up.
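As an added example (not code from the thread, and not PayPal's own code), here is what that server-side amount check looks like as a PHP listener for the POST the post refers to, which PayPal calls an Instant Payment Notification (IPN). The handshake (echo the body back with cmd=_notify-validate and expect the literal reply VERIFIED), the host ipnpb.paypal.com, and the field names payment_status, mc_gross, mc_currency, txn_id, receiver_email and custom come from PayPal's IPN documentation rather than from this page; the form's hidden "amount" shows up in the notification as mc_gross. The example assumes the checkout form also carries a hidden "custom" field holding your order id, and the in-memory order store is constructed sample data standing in for a database.

```php
<?php
// Added example, not code from the thread or from PayPal: an IPN listener
// that does the check the post describes (the amount PayPal reports must
// match what your own records say the order costs).
// The handshake (echo the POST back with cmd=_notify-validate, expect the
// literal reply VERIFIED) and the field names payment_status, mc_gross,
// mc_currency, txn_id, receiver_email and custom come from PayPal's IPN
// documentation, not from this page. The order store below is constructed
// sample data standing in for your database.

const PAYPAL_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';
const MY_RECEIVER_EMAIL = 'you@youremail.com'; // the form's "business" value

// Constructed sample order store: order id => price you expect to be paid.
// The order id is what you put in the form's hidden "custom" field, so the
// notification can be tied back to a specific checkout.
$orders = [
    'order-1001' => ['amount_cents' => 1999, 'currency' => 'USD', 'paid' => false],
];
$processedTxns = []; // txn_id values already credited (replay protection)

// Step 1: post the unmodified body back to PayPal. A forged notification sent
// straight to this URL comes back INVALID, because PayPal never issued it.
function verifyWithPaypal(string $rawBody): bool
{
    $ch = curl_init(PAYPAL_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/x-www-form-urlencoded'],
    ]);
    $reply = curl_exec($ch);
    curl_close($ch);
    return $reply === 'VERIFIED';
}

// Step 2: compare the verified notification against the server-side order.
// Every hidden field in the checkout form is user-editable, so nothing from
// the original form is trusted here; only PayPal's report and your own
// record are. Returns a list of problems; an empty list means the payment
// is good.
function checkPayment(array $ipn, array $expected): array
{
    $problems = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment_status is not Completed';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', MY_RECEIVER_EMAIL) !== 0) {
        $problems[] = 'money went to a different PayPal account';
    }
    if (($ipn['mc_currency'] ?? '') !== $expected['currency']) {
        $problems[] = 'currency does not match the order';
    }
    // Compare money as integer cents; float equality on "19.99" is unreliable.
    $paidCents = (int) round((float) ($ipn['mc_gross'] ?? '0') * 100);
    if ($paidCents !== $expected['amount_cents']) {
        $problems[] = "amount mismatch: paid {$paidCents} cents, order is {$expected['amount_cents']}";
    }
    return $problems;
}

// Glue: runs once per notification request.
$rawBody = file_get_contents('php://input');
parse_str($rawBody, $ipn);

if (!verifyWithPaypal($rawBody)) {
    error_log('IPN rejected: PayPal did not answer VERIFIED');
    exit;
}

$orderId = $ipn['custom'] ?? '';
$txnId   = $ipn['txn_id'] ?? '';
if (!isset($orders[$orderId]) || $txnId === '' || isset($processedTxns[$txnId])) {
    error_log("IPN ignored: unknown order '{$orderId}' or repeated txn '{$txnId}'");
    exit;
}

$problems = checkPayment($ipn, $orders[$orderId]);
if ($problems !== []) {
    error_log("IPN for {$orderId} failed checks: " . implode('; ', $problems));
    exit; // do not fulfil the order; investigate instead
}

$orders[$orderId]['paid'] = true;
$processedTxns[$txnId] = true;
// Fulfil the order here. PayPal retries until it gets an HTTP 200, so a
// normal exit is the right answer once the transaction is recorded.
```

The two things to keep in a real deployment are the order in which the checks run and what is treated as the source of truth: verify the notification with PayPal first, then compare the reported amount, currency and receiver against the order record you stored when the checkout started, never against the hidden fields. The $orders and $processedTxns arrays here are rebuilt on every request, so a real listener has to keep the expected price and the set of processed txn_id values in persistent storage, otherwise the replay check does nothing.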
