I'm using the standard php paypal form for payments on my e-commerce app.
I noticed that people with just firebug can change the paypal form data before sending the request for paying by the "PAY NOW" button.
So I'm wondering, is it a "standard" to have a payment's form that can be "edited" by a newbie :/ ?
What we can do to prevent this?
This isn't a huge security risk, as you should be checking what was actually paid anyway! Anyone can post data to anything. It has little to do with your form, or even Firebug.
You can store that button information on PayPal's server, but then it cannot be dynamically generated. There is an option for this when you use their wizard to create the button code for you.
I disagree; I do think it's something you should prevent in the first place. The amount a buyer should pay shouldn't be publicly sent over the internet. The time where we could get away with that is long past.
Additionally, a check will not prevent the transaction from going through for a different amount. It'll only prevent any post-transaction drama.
And yes, you should definitely run checks after the transaction has completed, but that should happen even if someone weren't able to manipulate the
amount
theoretically.There are several options, you can choose what suits you best depending on your requirements,
Do nothing and only implement a post-transaction check (e.g. with IPN).
The easiest. Your PayPal integration will look shabby from a code point of view, and you'll still get all those $0.01 fraudulent transactions.
Tick the 'Host button with PayPal' option in the button generator, and use PayPal's BMUpdateButton API to dynamically alter the amount of the button.
An example request for BMUpdateButton would look as follows:
USER=Your API username
PWD=Your API password
SIGNATURE=Your API signature
METHOD=BMUpdateButton
VERSION=82.0
HOSTEDUBTTONID=The value of
BUTTONTYPE=The type of button. E.g. BUYNOW
BUTTONCODE=The type of code you want to get back. E.g. HOSTED
L_BUTTONVAR0=amount=The new amount with a period as separator
L_BUTTONVAR1=item_name=Optional: a new item name if you wish
Use both the BMCreateButton and BMUpdateButton API's to both create and update your buttons with PayPal.
You could also use the BMCreateButton API to create a new button, or use the BMButtonSearch API to search through a list of all your stored hosted buttons (to find the hosted_button_id of your button automatically, for example).
Implement PayPal Express Checkout instead
It may be the 'hardest' to implement as it consists of 2-3 API calls for a single transaction, it's also the most flexible. Where with Website Payments Standard (the 'buttons') the transaction is finalized as soon as the buyer clicks on 'Pay now', Express Checkout lets the buyer 'agree' to the transaction on the PayPal website, and you can finalize it at any time 0 - 3 hours after the buyer initially agreed to the payment by calling the
DoExpressCheckoutPayment
API call.For a quick rundown on integrating Express Checkout, see my answer on Checkout my order basket with PayPal