I’m integrating PayPal and I have done it correctly. I have set the return URL, so it gives me the below result set in the URL $_GET.
Array ( [tx] => 7XV08083GT683520Y [st] => Completed [amt] => 22.16 [cc] => USD [cm] => [item_number] => item_number )
My concern is that there is no way to validate the data that has been returned from PayPal. I have experience with other payment gateways. Other payment gateways allow you to do a hashMatch, which lets you make sure that the data submitted by the form has not been edited.
My form is as below.
<form method="post" action="https://www.sandbox.paypal.com/cgi-bin/webscr">
<!-- Identify your business so that you can collect the payments. -->
<input type="hidden" value="dasun_1358759028_biz@archmage.lk" name="business">
<!-- Specify a Buy Now button. -->
<input type="hidden" value="_xclick" name="cmd">
<!-- Specify details about the item that buyers will purchase. -->
<input type="hidden" value="AM Test Item" name="item_name">
<input type="hidden" value="22.16" name="amount">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" value="item_number" name="item_number">
<!-- Display the payment button. -->
<input type="image" name="submit" border="0" src="https://www.paypalobjects.com/en_US/i/btn/btn_buynow_LG.gif" alt="PayPal - The safer, easier way to pay online">
<img alt="" border="0" width="1" height="1" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" >
</form>
My PHP code outputs:
<input type="hidden" value="50.16" name="amount">
But I used Firebug and edited it to the below and made the payment.
<input type="hidden" value="22.16" name="amount">
Still, I get the result that it’s a Completed payment, but it should not be, since I made the changes manually. Anyone who has the knowledge can edit them. How can I make sure that this is a valid payment? How can I make sure that the form data is not edited like I did?
Anything that is critical and requires DB interaction should use PayPal’s IPN for data that MUST be verified. Essentially, PayPal will post to the URL on your website with the data, and your script will have to post the exact data back plus a command to verify that the data is indeed correct. After PayPal gives a “verified” response, you then update your data.
Another alternative is using PayPal’s Express Checkout. Essentially, you are getting an “ok” to charge a customer for “x” amount; once the customer agrees to pay the amount, you post the data to PayPal with the customer’s “agreement” and you will get a response saying whether the transaction was completed or not.
https://www.paypal.com/ipn
https://www.x.com/developers/paypal/documentation-tools/express-checkout/integration-guide/ECGettingStarted
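The IPN flow described in the answer, as an added example that is not part of the original question or answer: the listener posts the notification back to PayPal and then compares the paid amount with the price held on the server, which is the check that rejects the edited form. `ORDERS` is a hypothetical stand-in for the site's order store, and treating the form's `business` address as the IPN `receiver_email` is an assumption.

```php
<?php
// Added example. ORDERS stands in for a hypothetical server-side order store.
const VERIFY_URL = 'https://www.sandbox.paypal.com/cgi-bin/webscr'; // endpoint from the form
const MERCHANT   = 'dasun_1358759028_biz@archmage.lk';              // "business" field
const ORDERS     = ['item_number' => ['amount_cents' => 5016, 'currency' => 'USD']];

// Post the exact body back with cmd=_notify-validate; PayPal replies VERIFIED or INVALID.
function paypal_confirms(string $rawBody): bool
{
    $ch = curl_init(VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $reply = curl_exec($ch);
    return is_string($reply) && trim($reply) === 'VERIFIED';
}

// A VERIFIED message only proves PayPal sent it. The amount, currency and
// receiver must still match what the server expected for this order.
function ipn_matches_order(array $ipn, array $order): bool
{
    return ($ipn['payment_status'] ?? '') === 'Completed'
        && strcasecmp($ipn['receiver_email'] ?? '', MERCHANT) === 0
        && ($ipn['mc_currency'] ?? '') === $order['currency']
        && is_numeric($ipn['mc_gross'] ?? null)
        && (int) round((float) $ipn['mc_gross'] * 100) === $order['amount_cents'];
}

if (PHP_SAPI === 'cli') {
    // Constructed IPN fields for the edited form in the question: 22.16 paid, 50.16 expected.
    $ipn = ['payment_status' => 'Completed', 'receiver_email' => MERCHANT,
            'mc_gross' => '22.16', 'mc_currency' => 'USD', 'item_number' => 'item_number'];
    var_dump(ipn_matches_order($ipn, ORDERS[$ipn['item_number']]));
} else {
    $raw = file_get_contents('php://input');   // raw body, so the postback is byte-identical
    parse_str($raw, $ipn);
    $order = ORDERS[$ipn['item_number'] ?? ''] ?? null;
    if ($order !== null && paypal_confirms($raw) && ipn_matches_order($ipn, $order)) {
        // Mark the order paid here, and store $ipn['txn_id'] so a replayed
        // notification for the same transaction is ignored.
    }
    http_response_code(200);
}
```

Run from the command line, the script evaluates the constructed tampered payment offline; served over HTTP, it acts as the listener and needs the curl extension.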