dev-jim

Reputation: 2524

django paypal - how to prevent user tampering the amount

I am using Django 1.7 with django-paypal.

I follow the tutorial, everything is working fine.

However, although the payment form is hidden, I found out that the user can tamper with the amount by simply using the browser's Inspect Element feature.

e.g.

<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post">
<input id="id_business" name="business" type="hidden" value="[email protected]">
<input id="id_amount" name="amount" type="hidden" value="10.0">
<input id="id_item_name" name="item_name" type="hidden" value="2">
<input id="id_notify_url" name="notify_url" type="hidden" value="http://www.example.com/pp/ipn/">
<input id="id_cancel_return" name="cancel_return" type="hidden" value="http://www.example.com/order/21/">
<input id="id_return_url" name="return" type="hidden" value="http://www.example.com/thank-you">
<input id="id_invoice" name="invoice" type="hidden" value="21">
<input id="id_cmd" name="cmd" type="hidden" value="_xclick">
<input id="id_charset" name="charset" type="hidden" value="utf-8">
<input id="id_currency_code" name="currency_code" type="hidden" value="USD">
<input id="id_no_shipping" name="no_shipping" type="hidden" value="1">
<input type="image" src="https://www.sandbox.paypal.com/en_US/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="Buy it Now">
</form>

Is it a bug, or am I missing something here? How do I prevent users from making fraudulent payments? Should I verify the payment in the IPN view?

Upvotes: 2

Views: 733
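The server-side check the question is asking about, as an added example that is not part of the original post or of django-paypal: the amount a buyer actually paid is compared against the order total stored on the server, never against the hidden form field. It assumes a simple in-memory order store standing in for an Order model and a placeholder merchant e-mail; in a real project the same function would be connected to django-paypal's valid_ipn_received signal, which hands it a PayPalIPN instance carrying these same fields after PayPal has confirmed the message is genuine.

```python
from decimal import Decimal, InvalidOperation

# Placeholder for the merchant account (the "business" field in the form).
RECEIVER_EMAIL = "merchant@example.com"


def sample_orders():
    """Constructed stand-in for an Order table: invoice 21 costs 10.00 USD,
    matching the form shown in the question."""
    return {"21": {"total": Decimal("10.00"), "currency": "USD", "paid_txn_id": None}}


def process_ipn(ipn, orders, receiver_email=RECEIVER_EMAIL):
    """Validate one IPN against the server-side order and record the payment.

    `ipn` is a dict of the fields PayPal posts back (mc_gross, mc_currency,
    invoice, receiver_email, payment_status, txn_id). Returns (ok, reason).
    """
    if ipn.get("payment_status") != "Completed":
        return False, "payment not completed"
    # Money must have gone to our account, not one substituted in the form.
    if (ipn.get("receiver_email") or "").lower() != receiver_email.lower():
        return False, "paid to a different merchant account"
    order = orders.get(ipn.get("invoice"))
    if order is None:
        return False, "unknown invoice"
    # A second IPN for an already-paid order is a replay or a duplicate.
    if order["paid_txn_id"] is not None:
        return False, "order already paid"
    try:
        paid = Decimal(ipn.get("mc_gross"))
    except (InvalidOperation, TypeError, ValueError):
        return False, "unparseable amount"
    # The decisive check: compare with the stored total, not the form value.
    if paid != order["total"]:
        return False, "amount mismatch"
    if ipn.get("mc_currency") != order["currency"]:
        return False, "currency mismatch"
    order["paid_txn_id"] = ipn.get("txn_id")
    return True, "ok"


if __name__ == "__main__":
    orders = sample_orders()
    # Constructed IPN in which the buyer edited the amount down to 0.01.
    tampered = {"payment_status": "Completed", "receiver_email": RECEIVER_EMAIL,
                "invoice": "21", "mc_gross": "0.01", "mc_currency": "USD", "txn_id": "TX-1"}
    print(process_ipn(tampered, orders))  # (False, 'amount mismatch')
```

Because django-paypal only fires valid_ipn_received after PayPal has acknowledged the message, this check cannot be bypassed by editing the browser form; a tampered amount simply leaves the order unpaid.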

Answers (1)

Vimalnath

Reputation: 6463

The button code you have created is a clear-text button, which is not a hosted button. In order to secure the button from tampering, I would suggest you create a hosted button. Steps to create one:

1) Log in to www.paypal.com

2) Navigate to My Profile -> My Selling Tools or My Selling Preferences

3) Click "Update" beside "PayPal buttons"

4) Create a new button and enter all the required information.

5) In Step 2, check the box (Save button at PayPal) and click Save.


Hosted buttons are stored on PayPal. The parameters associated with this kind of button are secure. Hosted buttons provide the greatest flexibility because you can instruct PayPal to change them dynamically, and PayPal maintains information about their state, such as the inventory level associated with the button.

Upvotes: 1
