cazort

Reputation: 806

Are Stripe API Calls Vulnerable To Attacks If User-Supplied Data Is Passed to Retrieve Objects By ID

I am programming a Stripe integration in PHP. At several points in my integration, it would be convenient to provide user-supplied data and pass it to a call to the Stripe API to retrieve an object.

An example would be:

$id=$_GET['id'];
$stripe->checkout->sessions->retrieve($id);

and there are also similar calls in other scripts referring to other objects.

I don't know what is going on behind the scenes when I make this sort of call. Can I trust Stripe's API to be safe against attacks like this, or is it better to design my application in such a way to avoid making such calls using user-supplied data?

Upvotes: 0

Views: 176

Answers (1)

Justin Michael

Reputation: 6520

The Stripe API will respond with an error if invalid data is provided. You would need to make sure you're handling those potential errors correctly on your end.

The primary danger in the scenario you're describing is when someone passes in legitimate data that belongs to someone else. If someone gets ahold of another person's Checkout Session ID somehow, for example, you may end up thinking that person is not who they claim to be. This kind of thing should be handled as part of the user authentication process on your end before using the data they provide, showing them any sensitive information, or performing any sensitive operations.

Generally speaking you should always validate/sanitize user input as a best practice before using it to do anything, be it a local operation, calling a third-party API, etc.

Upvotes: 2
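An added example, not part of the original answer and not Stripe's code, showing the three checks the answer describes applied to the `retrieve($id)` call from the question: validate the input, handle the API error, and confirm the session belongs to the authenticated user. Assumptions: the integration stored its own user ID in `client_reference_id` when it created the session, the ID pattern is this example's own guess at the format, and `loadOwnedSession` and the fake retriever are hypothetical names standing in for the real Stripe client so the block runs offline.

```php
<?php
declare(strict_types=1);

// Assumed ID shape: Checkout Session IDs start with cs_test_ or cs_live_.
// The length bound and character class are this example's assumption.
const SESSION_ID_PATTERN = '/\Acs_(test|live)_[A-Za-z0-9]{1,250}\z/';

/**
 * Returns the session only if the ID is well formed, the lookup succeeds,
 * and the session was created for $currentUserId. Returns null otherwise,
 * so the caller gives the same response for "not found" and "not yours".
 */
function loadOwnedSession(callable $retrieve, mixed $rawId, string $currentUserId): ?object
{
    // $_GET['id'] can be an array (?id[]=x) or missing, so check the type first.
    if (!is_string($rawId) || preg_match(SESSION_ID_PATTERN, $rawId) !== 1) {
        return null;
    }
    try {
        $session = $retrieve($rawId);
    } catch (\Exception $e) {
        // With stripe-php this would be \Stripe\Exception\ApiErrorException.
        error_log('session lookup failed: ' . $e->getMessage());
        return null;
    }
    // Ownership check: compare against the authenticated user, never the request.
    $owner = $session->client_reference_id ?? null;
    if (!is_string($owner) || !hash_equals($currentUserId, $owner)) {
        return null;
    }
    return $session;
}

// Constructed stand-in for fn($id) => $stripe->checkout->sessions->retrieve($id).
$fakeStore = ['cs_test_a1B2c3' => (object) ['id' => 'cs_test_a1B2c3', 'client_reference_id' => 'user_42']];
$retrieve = function (string $id) use ($fakeStore): object {
    if (!isset($fakeStore[$id])) {
        throw new \RuntimeException("No such checkout.session: $id");
    }
    return $fakeStore[$id];
};

var_dump(loadOwnedSession($retrieve, 'cs_test_a1B2c3', 'user_42') !== null); // the owner
var_dump(loadOwnedSession($retrieve, 'cs_test_a1B2c3', 'user_7') !== null);  // someone else's ID
var_dump(loadOwnedSession($retrieve, ['x'], 'user_42') !== null);            // array input
var_dump(loadOwnedSession($retrieve, 'cs_test_zzz', 'user_42') !== null);    // unknown ID
```

In a real handler, `$currentUserId` comes from the server-side login session, and `$retrieve` wraps the Stripe client call shown in the question.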
