mightyspaj3

Reputation: 471

Stripe security issue

I'm currently integrating Stripe into my online store. As you can see by the code below, the payment form is inserted into the HTML with the values for each form field. This means that the user could basically change the price of the field, and commit fraud.

Is this secure? If not, how can I add security measures?

Thanks! :)

<form action="" method="POST">
  <script
    src="https://checkout.stripe.com/checkout.js" class="stripe-button"
    data-key="deleted_for_demonstration"
    data-amount="2000"
    data-name="Demo Site"
    data-description="2 widgets ($20.00)"
    data-image="/128x128.png">
  </script>
</form>

Upvotes: 1

Views: 245

Answers (1)

Matt The Ninja

Reputation: 2729

I assume you are using Stripe.JS, in which case you wouldn't be required to use the price in a form.

I would try and change your code to flow something like the below...

For instance...

User selects product id 123 via post request on the product page. Then you store that they have selected this product in the session.

When they checkout...

Use Stripe JS on the card details on the frontend, which exchanges the form card details for a token.

Post this token to the server.

The webserver then calculates the amount based on the products in the session, uses MySQL tables to get the prices for them, then submits this to Stripe along with the token returned to process the payment.

Hope this makes sense...

Upvotes: 2
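The flow described in the answer, sketched as an added example (not code from the question or the answer): the server prices the cart from its own table and ignores any amount the browser posts. The in-memory SQLite table stands in for the MySQL tables, and the function names, table layout, sample prices and token value are assumptions made up for illustration; `stripeToken` is assumed as the name of the posted token field.

```python
import sqlite3

def open_catalog():
    """In-memory price table (constructed sample data, stands in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products "
               "(id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(123, "Widget", 1000), (456, "Gadget", 2550)])
    return db

def build_charge(db, session_cart, posted_form, currency="usd"):
    """Return the parameters for the server-side Stripe charge call.

    session_cart: {product_id: quantity} kept in the server-side session.
    posted_form:  fields sent by the browser; only the token is read from it.
    """
    token = posted_form.get("stripeToken", "")
    if not isinstance(token, str) or not token:
        raise ValueError("missing Stripe token")
    if not session_cart:
        raise ValueError("empty cart")

    total = 0
    for product_id, qty in session_cart.items():
        # bool is a subclass of int, so reject it explicitly
        if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
            raise ValueError(f"bad quantity for product {product_id}")
        row = db.execute("SELECT price_cents FROM products WHERE id = ?",
                         (product_id,)).fetchone()
        if row is None:
            raise ValueError(f"unknown product {product_id}")
        total += row[0] * qty  # integer cents, no floating point

    # Any amount or price field in posted_form is deliberately never read.
    return {"amount": total, "currency": currency, "source": token}

def demo():
    db = open_catalog()
    cart = {123: 2}  # stored in the session when the user picked product 123
    # Constructed request in which the client tampered with the amount.
    tampered = {"stripeToken": "tok_constructed_example", "amount": "1"}
    return build_charge(db, cart, tampered)

if __name__ == "__main__":
    print(demo())
```

The returned dictionary is what would be handed to the Stripe server-side library's charge call; the tampered `amount` field has no effect on it.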
