Home/ Questions/Q 714503
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-14T05:04:56+00:00

im trying out paypals html api where you specify price, item_name, customer information and

  • 0

im trying out paypals html api where you specify price, item_name, customer information and so on in the html:

    <form action="https://www.paypal.com/cgi-bin/webscr" method="post" id="payPalForm">

        <input type="hidden" name="cmd" value="_cart" />
        <input type="hidden" name="upload" value="1" />

        <input type="hidden" name="no_note" value="1" />
        <input type="hidden" name="business" value="your@paypalaccount.com" />
        <input type="hidden" name="currency_code" value="SEK" />
        <input type="hidden" name="return" value="http://freelanceswitch.com/payment-complete/" />

        <input type="hidden" name="tax_rate" value="25" />

        <input type="hidden" name="item_name_1" value="Apple Macpro" />
        <input type="hidden" name="item_number_1" value="01 - Product 1" />
        <input type="hidden" name="amount_1" value="25000" />

        <input type="hidden" name="item_name_2" value="Apple Macbook" />
        <input type="hidden" name="item_number_2" value="02 - Product 2" />
        <input type="hidden" name="amount_2" value="12500" />

        <input type="hidden" name="item_name_3" value="Apple Macbook Air" />
        <input type="hidden" name="item_number_3" value="03 - Product 3" />
        <input type="hidden" name="amount_3" value="12500" />

        <input type="submit" name="Submit" value="Submit" />

    </form>

when the user clicks submit it takes him/her to paypals payment page.

but doesn’t this mean that a hacker could change the order by manipulating the html code?

i can´t figure out how paypal prevents this security problem.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Of course, it does appear as if someone could just change the HTML and re-submit the form.

    I’m not sure about PayPal, but Google Checkout handles this by instead of setting HTML, it gets you to create XML, encrypt it using your merchant key, and use the encrypted string in your HTML to pass across to Google. Google then decrypts it using your merchant key and voila – tamper-free.

    Have a look in PayPal’s documentation for something along the lines of “cart signing” or “request encryption.” They may also do a callback to your server, telling you what was sent and you can compare it to your database to see if the prices are still correct.

    • 0