Member Avatar for iamthwee

Daft question... but in order to prevent users tampering with the item price (right-click, inspect element, change)

and accept payments via PayPal... is the only way to do this using the encrypted form method?

e.g. I generate a public and private .pem cert, then change the PayPal account to accept only encrypted payments?

It seems a bit long-winded, but I don't think there is a reliable way to do this otherwise?

Isn't your price stored on the server, and submitted there?

What you see in your HTML should be a representation of what is stored on the server, so even if someone changes it, the server values should be submitted.
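As an added example (not code from the thread or from the poster's shop), this is what "stored on the server, and submitted there" looks like for the Buy Now form: the browser is only allowed to choose an item number and a quantity, the price is looked up in a server-side list, and the expected amount is bound to the order with an HMAC in PayPal's `custom` field so it can be re-checked when the IPN arrives. The `$catalog` array, `IPN_SECRET` and the `order|item|qty|amount|hmac` layout are assumptions for the example; `site_url()` and `$mail_business` are taken from the form posted later in the thread. Note the caveat that matters for this thread: a hidden field in a form posted straight to PayPal can still be edited in the browser before it is submitted, so the server-side lookup alone only controls what is rendered; the binding in `custom` is what lets the IPN handler detect the edit afterwards.

```php
<?php
// Added example: build the PayPal form from a server-side price list so the
// browser never supplies the amount. Hypothetical names: $catalog (stands in
// for a products table), IPN_SECRET (server-only key), $mail_business and
// site_url() as used by the original view.

// Server-side catalog: the client can only choose an item_number.
$catalog = [
    1 => ['name' => 'Widget',        'price' => '9.99'],
    2 => ['name' => 'Widget Deluxe', 'price' => '24.50'],
];
const IPN_SECRET = 'replace-with-a-long-random-server-only-secret'; // hypothetical
$mail_business = $mail_business ?? 'shop@example.com';               // assumed merchant address

// Only the item id and quantity come from the client, and both are validated.
$item_number = (int) ($_POST['item_number'] ?? 0);
$quantity    = (int) ($_POST['quantity'] ?? 1);
if (!isset($catalog[$item_number]) || $quantity < 1 || $quantity > 100) {
    http_response_code(400);
    exit('Unknown item or bad quantity');
}

$item   = $catalog[$item_number];
$amount = $item['price'];   // taken from the server, never from $_POST

// Bind the expected amount to this order so the IPN handler can check it later.
// PayPal echoes the "custom" field back unchanged in the IPN message.
$order_id = bin2hex(random_bytes(8));
$payload  = $order_id . '|' . $item_number . '|' . $quantity . '|' . $amount;
$custom   = $payload . '|' . hash_hmac('sha256', $payload, IPN_SECRET);
// A real shop would also persist $order_id, $item_number, $quantity and $amount
// here so the IPN handler can look the order up and mark it paid exactly once.

// Hidden field with the name and value HTML-escaped (stops markup injection;
// it does not stop the buyer editing the field in the browser).
function hidden(string $name, string $value): string {
    return sprintf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}

$fields = [
    'cmd'           => '_xclick',
    'business'      => $mail_business,
    'return'        => site_url('shop/paymentcomplete'),
    'notify_url'    => site_url('shop/paymentpaypalipn'),
    'item_number'   => (string) $item_number,
    'item_name'     => $item['name'],
    'amount'        => $amount,
    'quantity'      => (string) $quantity,
    'currency_code' => 'GBP',
    'custom'        => $custom,
];
?>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" name="paypalform">
<?php foreach ($fields as $name => $value) { echo hidden($name, $value); } ?>
</form>
```

The quantity cap and the `(int)` casts are there because a negative or absurd quantity is the other thing a buyer can post; whatever limits the shop actually has should go there.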

Member Avatar for iamthwee

^^No

I don't think so:

The paypal submit form is:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script type="text/javascript">
  setTimeout(function () { document.paypalform.submit(); }, 1000); // auto submit form after one second
</script>
</head>
<body>

<div class="centerdiv">
<h1>Connecting to Paypal <img src="<?php echo site_url('../img/loader.gif'); ?>" /></h1>
</div>

<form action="https://www.paypal.com/cgi-bin/webscr" method="post" name="paypalform">

<input type="hidden" name="cmd"           value="_xclick">                                                              <!-- Define Buy Now button -->
<input type="hidden" name="business"      value="<?php echo htmlspecialchars($mail_business, ENT_QUOTES, 'UTF-8'); ?>">   <!-- Your PayPal email account -->
<input type="hidden" name="return"        value="<?php echo site_url('shop/paymentcomplete'); ?>">                        <!-- if payment complete then show "Thanks !" -->
<input type="hidden" name="notify_url"    value="<?php echo site_url('shop/paymentpaypalipn'); ?>">                       <!-- IPN - Notification messages. The URL to which PayPal posts information about the payment. -->

<input type="hidden" name="item_number"   value="1">                                                                    <!-- Numeric item code, like an id to identify your product -->
<!-- The next three values are echoed straight from the previous POST, i.e. they come from the browser, not from a server-side price list.
     htmlspecialchars() stops them injecting markup into this page; it does not stop the buyer changing them. -->
<input type="hidden" name="item_name"     value="<?php echo htmlspecialchars($_POST['item_name'], ENT_QUOTES, 'UTF-8'); ?>">  <!-- Item name -->
<input type="hidden" name="amount"        value="<?php echo htmlspecialchars($_POST['amount'], ENT_QUOTES, 'UTF-8'); ?>">     <!-- Amount -->
<input type="hidden" name="quantity"      value="<?php echo htmlspecialchars($_POST['quantity'], ENT_QUOTES, 'UTF-8'); ?>">   <!-- Quantity of items -->

<input type="hidden" name="currency_code" value="GBP">                                                                  <!-- Currency code -->

</form>

</body>
</html>

And even this can be edited by the user to change the values...

Please advise?

Member Avatar for iamthwee

That form is the last port of call. In other words, the very last thing to be processed before accessing PayPal?

Member Avatar for iamthwee

bump

If you directly post your form to PP, then yes, it may be an issue.

Can't you just do the sending with curl?

Member Avatar for iamthwee

prit, I've searched high and low and all sources of information point back to using PayPal encrypted buttons or SSL certificates as the only reliable means to ensure the transaction 'amounts' have not been tampered with.

The only other way would be to send a hash to the IPN, and the IPN script on my server could then validate whether the transaction is good or not... However, the actual transaction would still have been processed. It is just that on my end I can flag up whether the transaction is legit or not...

Hmmm.

Member Avatar for iamthwee

A quick update...

Looks like I have two options.

  1. Accept the tampered PayPal payment from the user, but in my IPN script return a hash. I then do a lookup on the hash and see if it matches the PayPal price. If the price is different I don't allow the user access/download to my product. Note: the payment will still be processed, but I restrict user access on my end and send out an email.

  2. A bit more involved: generate an SSL cert on my site and in my PayPal panel. This will ensure the said transaction is legit and cannot be tampered with.

At the moment I'm leaning towards the former option... unless anyone has any brighter ideas I'm all ears.
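Option 1 above, written out as an added example (not the poster's code): an IPN handler that first hands the message back to PayPal for validation, then checks the amount PayPal actually collected against the price the server expected. It assumes the server put an `order|item|qty|amount|hmac` value in the `custom` field when it rendered the form, a server-only `IPN_SECRET`, and a `$catalog` of unit prices; all three are hypothetical names for this example. The postback to `https://ipnpb.paypal.com/cgi-bin/webscr` with `cmd=_notify-validate` prepended to the raw body is PayPal's documented IPN verification step; the rest is shop logic.

```php
<?php
// Added example: IPN handler for "accept the payment, then verify the amount
// server-side". Hypothetical names: IPN_SECRET, $catalog and the custom-field
// layout order|item|qty|amount|hmac written by the form-rendering page.

const IPN_SECRET = 'replace-with-a-long-random-server-only-secret'; // hypothetical
const IPN_VERIFY = 'https://ipnpb.paypal.com/cgi-bin/webscr';       // PayPal IPN postback endpoint

$catalog = [1 => '9.99', 2 => '24.50'];   // item_number => unit price, server side

// Step 1: hand the raw message back to PayPal. Only a "VERIFIED" reply means
// PayPal sent it; anyone can POST a fake IPN to notify_url otherwise.
function paypal_verify(string $raw_body): bool {
    $ch = curl_init(IPN_VERIFY);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $raw_body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_HTTPHEADER     => ['User-Agent: PHP-IPN-Verification-Script'],
    ]);
    $reply = curl_exec($ch);
    curl_close($ch);
    return $reply === 'VERIFIED';
}

// Step 2: business checks on the verified fields. Returns null when the
// payment matches what the server expected, otherwise the reason to reject it.
function ipn_reject_reason(array $p, array $catalog, string $business): ?string {
    if (($p['payment_status'] ?? '') !== 'Completed') return 'payment not completed';
    if (($p['receiver_email'] ?? '') !== $business)   return 'paid to a different account';
    if (($p['mc_currency'] ?? '') !== 'GBP')          return 'wrong currency';

    // Recover what the server expected when it built the form; PayPal echoes
    // "custom" back unchanged, and the HMAC stops the buyer rewriting it.
    $parts = explode('|', $p['custom'] ?? '');
    if (count($parts) !== 5) return 'missing order binding';
    [$order_id, $item, $qty, $amount, $mac] = $parts;
    $payload = "$order_id|$item|$qty|$amount";
    if (!hash_equals(hash_hmac('sha256', $payload, IPN_SECRET), $mac)) return 'order binding forged';

    // Defence in depth: the bound price must still agree with the server price list.
    if (!isset($catalog[(int) $item]) || $catalog[(int) $item] !== $amount) return 'price mismatch with catalog';

    // mc_gross is the total PayPal actually collected: unit price x quantity.
    $expected = number_format((float) $amount * (int) $qty, 2, '.', '');
    if ((string) ($p['mc_gross'] ?? '') !== $expected) return "paid {$p['mc_gross']}, expected $expected";
    if ((int) ($p['quantity'] ?? 0) !== (int) $qty || (string) ($p['item_number'] ?? '') !== $item) {
        return 'item or quantity changed';
    }
    return null;
}

// Controller glue for the notify_url route (shop/paymentpaypalipn in the thread).
// Not invoked here so the file can also be run offline with the sample below.
function handle_ipn(array $catalog, string $business): void {
    $raw = file_get_contents('php://input');
    if (!paypal_verify($raw)) { http_response_code(400); exit; }
    parse_str($raw, $post);
    // A real handler also records txn_id and ignores repeats, so a replayed IPN
    // cannot grant access twice.
    $reason = ipn_reject_reason($post, $catalog, $business);
    if ($reason !== null) {
        // payment went through, but the order does not match: deny the download
        // and alert the shop owner (logging / email left to the application)
        http_response_code(200);
        exit;
    }
    // amounts match: mark the order paid and release the product
}

// Constructed IPN messages (not real PayPal data) to exercise the checks offline.
$bind = function (string $order, int $item, int $qty, string $amount): string {
    $payload = "$order|$item|$qty|$amount";
    return $payload . '|' . hash_hmac('sha256', $payload, IPN_SECRET);
};
$good = ['payment_status' => 'Completed', 'receiver_email' => 'shop@example.com',
         'mc_currency' => 'GBP', 'item_number' => '2', 'quantity' => '2',
         'mc_gross' => '49.00', 'custom' => $bind('a1b2c3d4', 2, 2, '24.50')];
$tampered = ['mc_gross' => '0.02'] + $good;   // buyer edited amount to 0.01 before submitting

var_dump(ipn_reject_reason($good, $catalog, 'shop@example.com'));
var_dump(ipn_reject_reason($tampered, $catalog, 'shop@example.com'));
```

Run on the command line, the first `var_dump` reports the good order as accepted and the second rejects the tampered one with the paid versus expected amounts, which is exactly the case where the money has already moved but the download must be withheld and the owner told. Comparing against `mc_gross` rather than `payment_gross` matters because `mc_gross` is the amount in the transaction's own currency, and checking `mc_currency` alongside it stops a buyer paying 49.00 in a cheaper currency.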
