I’m having trouble figuring out how to prevent people from editing the amount in my shopping cart with tools such as firebug. How do I make sure users can’t edit the hidden field? Can I encode the amount before sending it to paypal?
Thanks!
Francois
Okay, turning comment into answer…
Don’t encode the hidden field! When a customer makes a payment, PayPal will handle the transaction and tell your automated system that it has received the payment. It should also tell you how much the customer paid you! You then compare the amount paid with the original invoice and if there’s a difference, you just tell the user that the payment is incomplete. (Unless they paid too much, of course.)
As Chris Lively tells you, don’t trust the customer! Always check the amount that has been paid. Once you do this, it doesn’t matter if the user hacks into any hidden fields, since you check it afterwards.
If your security depends on keeping your users away from hidden fields, your security will fail! Your security should depend on your contact with PayPal directly. Only when PayPal confirms the payment should you send the product.
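The server-side check the answer describes, as an added example that is not part of the original post: the order total is stored when the invoice is created, and the product is released only after the provider's notification reports a completed payment whose amount and currency match. The notification field names (`txn_id`, `payment_status`, `currency`, `gross_amount`), the order store and the sample values are assumptions constructed for the example, not PayPal's documented API.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

# Constructed order store: in a real shop this is the database row written when the
# invoice was created, before the customer was ever redirected to the payment page.
ORDERS = {
    "INV-1001": {"amount": Decimal("49.99"), "currency": "USD", "status": "pending"},
}

# Transaction ids already processed, so a replayed notification cannot settle an order twice.
SEEN_TXN_IDS = set()


def verify_payment(order_id, notification):
    """Decide whether a payment notification settles an order.

    `notification` is a dict of fields as reported by the payment provider
    (field names are assumed for this example). Returns one of
    'paid', 'overpaid', 'underpaid', 'currency_mismatch' or 'ignored';
    only 'paid' and 'overpaid' should release the product.
    """
    order = ORDERS.get(order_id)
    if order is None or order["status"] != "pending":
        return "ignored"
    # Only a completed transaction counts; pending/reversed notifications settle nothing.
    if notification.get("payment_status") != "Completed":
        return "ignored"
    txn_id = notification.get("txn_id")
    if not txn_id or txn_id in SEEN_TXN_IDS:
        return "ignored"
    try:
        paid = Decimal(str(notification.get("gross_amount", ""))).quantize(
            Decimal("0.01"), rounding=ROUND_HALF_UP)
    except InvalidOperation:
        return "ignored"  # malformed amount: do not consume the txn id, do not release
    SEEN_TXN_IDS.add(txn_id)
    # Compare against what the server expected, never against what the form said.
    if notification.get("currency") != order["currency"]:
        return "currency_mismatch"
    expected = order["amount"]
    if paid < expected:
        return "underpaid"  # tampered hidden field or partial payment: keep order pending
    order["status"] = "paid"
    return "paid" if paid == expected else "overpaid"
```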