oleg

Reputation: 131

Using PayPal button - user can change the price before paying

I have 3 items that I'm selling on my web site; I don't need a shopping cart or anything like that. After the user fills in a form with data, I navigate him to a new page where I display all the data he entered, and the price. Now, this PayPal button is built from hidden input fields:

    <form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
    <input type="hidden" name="cmd" value="_xclick">
    <input type="hidden" name="business" value="[email protected]">
    <input type="hidden" name="lc" value="EN">
    <input type="hidden" name="item_name" value="aaa">
    <input type="hidden" name="item_number" value="12345">
    <input type="hidden" name="button_subtype" value="services">
    <input type="hidden" name="no_note" value="0">
    <input type="hidden" name="amount" value="">
    <input type="hidden" name="bn" value="">
    <input type="image" src="https://www.paypalobjects.com/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal">
    <img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
    </form>

With JavaScript I enter the parameters into the new page and set the price in the amount input of the PayPal button.

When you click the button you navigate to a PayPal page with the amount from:

    <input type="hidden" name="amount" value="199.50">

My question: Is this the right thing to do? Any user, not even a hacker, can simply change the amount before pressing the button and then press it... as a result he will pay a different (probably lower) price!

I wanted to use the direct API, but it's only for businesses in the USA and Canada.

What is the best thing to do?

Upvotes: 6

Views: 7484

Answers (2)

ILikeTurtles

Reputation: 1022

First off - I highly recommend that you stop using JavaScript for any payment-related tools. That is a client-side technology and anyone can easily edit the values being passed. When dealing with payment, I do everything server side...

Second -

If you are only selling a few items, why are you keeping the price in a hidden value? Wouldn't it be easier to either use an array (which is simple but not always good) or a database (makes it easier to update) to keep all the items' information and values, and then simply pass that on to PayPal?

    <?php
    // Express Checkout (NVP API) request built entirely server side.
    // $total, $subTotal, $state, $country and $buyer come from the server-side
    // order record, not from anything the browser posted.
    $orderParams = array(
        // Sets event to sale
        'PAYMENTREQUEST_0_PAYMENTACTION'        => 'Sale',
        // Forces shipping to accept my values
        'REQCONFIRMSHIPPING'                    => '0',
        'ADDROVERRIDE'                          => '1',
        // Final cost totals - must match the controller
        // Hardcoded - only accept US currency
        'PAYMENTREQUEST_0_CURRENCYCODE'         => 'USD',
        // Payment costs
        'PAYMENTREQUEST_0_AMT'                  => $total,
        'PAYMENTREQUEST_0_SHIPPINGAMT'          => $buyer['shippingTotal'],
        'PAYMENTREQUEST_0_ITEMAMT'              => $subTotal,
        // Custom shipping information
        'PAYMENTREQUEST_0_SHIPTONAME'           => $buyer['payName'],
        'PAYMENTREQUEST_0_SHIPTOSTREET'         => $buyer['payStreet'],
        'PAYMENTREQUEST_0_SHIPTOCITY'           => $buyer['payCity'],
        'PAYMENTREQUEST_0_SHIPTOSTATE'          => $state,
        'PAYMENTREQUEST_0_SHIPTOZIP'            => $buyer['payZip'],
        'PAYMENTREQUEST_0_SHIPTOCOUNTRYCODE'    => $country,
        'PAYMENTREQUEST_0_INVNUM'               => $buyer['quoteNumber']
    );

    // Item array for the wheel (line item 0 of payment request 0)
    $yoke = array(
        'L_PAYMENTREQUEST_0_NAME0'  => 'Custom Control Wheel Set',
        'L_PAYMENTREQUEST_0_DESC0'  => 'Custom Leather Choices',
        'L_PAYMENTREQUEST_0_AMT0'   => $buyer['payItem'],
        'L_PAYMENTREQUEST_0_QTY0'   => '1'
    );

That is a small collection of PayPal-related code I use. I use my own array to populate each item before passing it on to PayPal. I highly recommend NOT passing any information through JavaScript.

Why are you adding price data to the view anyway? Is there a reason for it?

Upvotes: 1
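A worked version of the server-side approach this answer recommends, as an added example in Ruby rather than the answer's own PHP; none of it is code from the answer, the asker or PayPal. The catalog, the order store and the notification hash are constructed for the example, and the notification field names (invoice, item_number, mc_gross, mc_currency, payment_status) are assumed to be the ones PayPal sends in its Instant Payment Notification. The browser may only choose an item number and a quantity; the price comes from the server's catalog, the order is recorded with its expected total before the form is rendered, and the amount PayPal reports as paid is compared with that record. That second check is the part a server-rendered form cannot give you on its own: the amount is still a hidden input the user can edit before posting to PayPal.

```ruby
require 'securerandom'
require 'erb'

# Constructed catalog: prices live only here, as integer cents, never in the browser.
CATALOG = {
  '12345' => { name: 'aaa', cents: 19_950 },
  '12346' => { name: 'bbb', cents: 4_900 },
  '12347' => { name: 'ccc', cents: 1_225 }
}.freeze

# Stand-in for a database table of orders keyed by invoice number.
ORDERS = {}

class UnknownItem < StandardError; end

def cents_to_amount(cents)
  format('%d.%02d', cents / 100, cents % 100)
end

# Strict parse of a decimal amount string such as "199.50"; nil for anything else.
def amount_to_cents(str)
  m = /\A(\d+)\.(\d{2})\z/.match(str.to_s)
  m && (Integer(m[1]) * 100 + Integer(m[2]))
end

# The browser chooses only which item and how many; the price is looked up here.
def create_order(item_number, quantity)
  item = CATALOG.fetch(item_number.to_s) { raise UnknownItem, item_number.to_s }
  qty = Integer(quantity)
  raise ArgumentError, 'quantity must be positive' unless qty.positive?

  order = { invoice: SecureRandom.hex(8), item_number: item_number.to_s,
            quantity: qty, total_cents: item[:cents] * qty, currency: 'USD' }
  ORDERS[order[:invoice]] = order
  order
end

# Render the Buy Now form from the order record. These hidden fields are still
# editable in the browser, so nothing is shipped on the strength of this form alone.
def paypal_form(order, business)
  fields = {
    'cmd'           => '_xclick',
    'business'      => business,
    'item_name'     => CATALOG[order[:item_number]][:name],
    'item_number'   => order[:item_number],
    'quantity'      => order[:quantity].to_s,
    'amount'        => cents_to_amount(order[:total_cents] / order[:quantity]),
    'currency_code' => order[:currency],
    'invoice'       => order[:invoice]
  }
  inputs = fields.map do |name, value|
    %(<input type="hidden" name="#{name}" value="#{ERB::Util.html_escape(value)}">)
  end
  "<form action=\"https://www.paypal.com/cgi-bin/webscr\" method=\"post\">\n" \
    "#{inputs.join("\n")}\n</form>"
end

# Compare what PayPal reports as paid with what the server expected for that invoice.
# `notification` is the parsed notification body (IPN field names assumed); checking
# with PayPal that the notification is genuine is a separate step not shown here.
def payment_matches_order?(notification)
  order = ORDERS[notification['invoice']]
  return false unless order
  return false unless notification['payment_status'] == 'Completed'
  return false unless notification['mc_currency'] == order[:currency]
  return false unless notification['item_number'] == order[:item_number]

  amount_to_cents(notification['mc_gross']) == order[:total_cents]
end
```

The order record is the source of truth: a tampered form may still reach PayPal, but the payment that comes back will not match the stored total, currency or item, and the goods are only released when it does. Amounts are kept as integer cents and parsed strictly so that no floating-point rounding or loose string comparison can make "1.00" and "199.50" look alike.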

streetlogics

Reputation: 4730

You should use encrypted website payments (https://www.paypal.com/cgi-bin/webscr?cmd=p/xcl/rec/ewp-intro-outside). This will ensure that the payment amount can't be changed. You can also update your settings to only allow payments from encrypted buttons, to further protect your account / payments from being hacked to lower prices.

Upvotes: 2
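To show what the encrypted button actually protects, here is the sign-then-encrypt flow that Encrypted Website Payments uses, as an added example in Ruby with the standard openssl library; it is not PayPal's sample code and not the answerer's. The keys and certificates are generated on the fly so that both sides can be run locally: in practice the merchant signs with the key whose certificate was uploaded to PayPal (referenced by the cert_id button variable), encrypts to the certificate PayPal publishes, and only PayPal holds the key that opens the envelope. The "PayPal side" function is a simulation of the check assumed to happen at PayPal (decrypt, verify the signature against the merchant certificate on file, then read the variables). The cert_id value and the button variables are constructed.

```ruby
require 'openssl'

# Constructed test PKI so both sides can run locally. In production the merchant
# has its own key and certificate (the certificate uploaded to PayPal), the PayPal
# certificate is the public one PayPal publishes, and only PayPal holds its key.
def self_signed(common_name)
  key = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Button variables as the newline-separated name=value text that gets signed.
def button_text(vars)
  vars.map { |name, value| "#{name}=#{value}" }.join("\n")
end

# Merchant side: sign with the merchant key (attached signature, DER), then
# encrypt the signed blob to PayPal's certificate with 3DES. The PEM result is
# what goes into the "encrypted" hidden field of a cmd=_s-xclick form.
def encrypt_button(vars, merchant_key, merchant_cert, paypal_cert)
  signed = OpenSSL::PKCS7.sign(merchant_cert, merchant_key, button_text(vars),
                               [], OpenSSL::PKCS7::BINARY)
  enveloped = OpenSSL::PKCS7.encrypt([paypal_cert], signed.to_der,
                                     OpenSSL::Cipher.new('des-ede3-cbc'),
                                     OpenSSL::PKCS7::BINARY)
  enveloped.to_pem
end

# Simulated PayPal side (assumed behaviour): open the envelope with PayPal's key,
# verify the signature against the merchant certificate on file for the account,
# and only then read the variables. Returns nil if verification fails.
def decrypt_button(pem, paypal_key, paypal_cert, merchant_cert)
  enveloped = OpenSSL::PKCS7.new(pem)
  signed = OpenSSL::PKCS7.new(enveloped.decrypt(paypal_key, paypal_cert))
  store = OpenSSL::X509::Store.new
  store.add_cert(merchant_cert)
  return nil unless signed.verify([merchant_cert], store)

  signed.data.split("\n").map { |line| line.split('=', 2) }.to_h
end
```

Two things fall out of running it: the amount never appears in the posted form, so there is nothing for the user to edit, and someone who builds a new envelope with changed variables under a certificate of their own gets a blob that decrypts but fails signature verification. That is also why the answer's advice to only allow payments from encrypted buttons matters: without that setting, a plain _xclick form with a lower amount is still accepted alongside the encrypted one.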
