I have 3 items that I am selling on my web site; I don't need a shopping cart or stuff like that. After the user fills in a form with data, I navigate him to a new page where I display all the data he entered, and the price. Now this PayPal button is built from hidden input fields:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="[email protected]">
<input type="hidden" name="lc" value="EN">
<input type="hidden" name="item_name" value="aaa">
<input type="hidden" name="item_number" value="12345">
<input type="hidden" name="button_subtype" value="services">
<input type="hidden" name="no_note" value="0">
<input type="hidden" name="amount" value="">
<input type="hidden" name="bn" value="">
<input type="image" src="https://www.paypalobjects.com/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal">
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
With JavaScript I enter the parameters into the new page and set the price in the amount input of the PayPal button.
As you click the button you navigate to a PayPal page with the amount from:
<input type="hidden" name="amount" value="199.50">
My question: Is it the right thing to do? Any user, not even a hacker, can simply change the amount before pressing the button and then press it... as a result he will pay a different (probably lower) price!
I wanted to use the direct API, but it's only for businesses in the USA and Canada.
What is the best thing to do?
asked Jun 18, 2013 at 15:12 by oleg; edited Aug 30, 2018 at 15:33 by David

Comment (ILikeTurtles, Jun 18, 2013 at 15:25): Why do you pass any values into the view? I'm confused about what you are trying to do here... I tried to answer you below - but it might help if you elaborated on why you are using hidden values.
2 Answers
You should use encrypted website payments - https://www.paypal.com/cgi-bin/webscr?cmd=p/xcl/rec/ewp-intro-outside . This will ensure that the payment amount can't be changed. You can also update your settings to only allow payments from encrypted buttons to further protect your account / payments from being hacked to lower prices.
First off - I highly recommend that you stop using Javascript for any payment related tools. That is a client side technology and anyone can easily edit the values being passed. When dealing with payment, I do everything server side...
Second -
If you are only selling a few items, why are you keeping the price in a hidden value? Wouldn't it be easier to either use an array (which is simple but not always good) or a database (makes it easier to update) in order to keep all the items' information and values, then simply pass that on to PayPal?
<?php
// $total, $subTotal, $buyer, $state and $country are computed server side
// from the stored order (assumed here; the original snippet does not show them).
$orderParams = array(
    // Sets event to sale
    'PAYMENTREQUEST_0_PAYMENTACTION' => 'Sale',
    // Forces Shipping To Accept My Values
    'REQCONFIRMSHIPPING' => '0',
    'ADDROVERRIDE' => '1',
    // Final Cost Totals - Must match with Controller
    // Hardcoded - Only accept US Scratch
    'PAYMENTREQUEST_0_CURRENCYCODE' => 'USD',
    // Payment Costs
    'PAYMENTREQUEST_0_AMT' => $total,
    'PAYMENTREQUEST_0_SHIPPINGAMT' => $buyer['shippingTotal'],
    'PAYMENTREQUEST_0_ITEMAMT' => $subTotal,
    // Custom Shipping Information
    'PAYMENTREQUEST_0_SHIPTONAME' => $buyer['payName'],
    'PAYMENTREQUEST_0_SHIPTOSTREET' => $buyer['payStreet'],
    'PAYMENTREQUEST_0_SHIPTOCITY' => $buyer['payCity'],
    'PAYMENTREQUEST_0_SHIPTOSTATE' => $state,
    'PAYMENTREQUEST_0_SHIPTOZIP' => $buyer['payZip'],
    'PAYMENTREQUEST_0_SHIPTOCOUNTRYCODE' => $country,
    'PAYMENTREQUEST_0_INVNUM' => $buyer['quoteNumber']
);
// Item Array for wheel
$yoke = array(
    'L_PAYMENTREQUEST_0_NAME0' => 'Custom Control Wheel Set',
    'L_PAYMENTREQUEST_0_DESC0' => 'Custom Leather Choices',
    'L_PAYMENTREQUEST_0_AMT0' => $buyer['payItem'],
    'L_PAYMENTREQUEST_0_QTY0' => '1'
);
That is a small collection of PayPal-related code I use, using my own array to populate each item before passing it on to PayPal. I highly recommend NOT passing any information through Javascript.
Why are you adding price data to the view anyways? Is there a reason for it?
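The server-side approach this answer recommends, as an added example that is not part of either post: the price is looked up from a server-side table keyed by item_number both when the button is rendered and when PayPal's IPN reports the payment, so an edited hidden amount field never results in a fulfilled order. The catalogue, merchant e-mail and IPN values are constructed, and the IPN is assumed to have already passed PayPal's own verification handshake.

```python
from decimal import Decimal

# Constructed server-side catalogue: the only source of truth for prices.
# item_number -> (item_name, price). Values are made up for this example.
CATALOGUE = {
    "12345": ("aaa", Decimal("199.50")),
    "12346": ("bbb", Decimal("49.00")),
    "12347": ("ccc", Decimal("9.99")),
}
RECEIVER_EMAIL = "seller@example.com"  # assumed merchant account
CURRENCY = "USD"


def build_button_fields(item_number: str) -> dict:
    """Hidden fields for the Buy Now form. The amount is taken from
    CATALOGUE, never from anything the browser submitted."""
    name, price = CATALOGUE[item_number]
    return {
        "cmd": "_xclick",
        "business": RECEIVER_EMAIL,
        "item_name": name,
        "item_number": item_number,
        "amount": f"{price:.2f}",
        "currency_code": CURRENCY,
    }


def ipn_amount_ok(ipn: dict) -> bool:
    """Check an IPN message (assumed already verified with PayPal) against
    the catalogue. True only when the payment is Completed, went to our
    account, and mc_gross equals the real price; fulfil the order only then.
    Shipping and tax are not modelled here, so mc_gross is the item price."""
    try:
        _, price = CATALOGUE[ipn["item_number"]]
        paid = Decimal(ipn["mc_gross"])
    except (KeyError, ArithmeticError):
        # Unknown item or malformed amount: never fulfil.
        return False
    return (
        ipn.get("payment_status") == "Completed"
        and ipn.get("receiver_email", "").lower() == RECEIVER_EMAIL
        and ipn.get("mc_currency") == CURRENCY
        and paid == price
    )
```

An IPN whose mc_gross does not match the catalogue price should be logged and the order held, since PayPal did collect whatever amount was posted.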