I am using paypal for checkout on my website using PHP. Its working fine but I have one concern. As I am not using on site checkout so I go to paypal website for checkout so I have to pass hidden values. As the amount is also sent using hidden value so If someone changes the amount using firebug and then go to paypal then he will be able to pay that amount. I am handling this issue in notify url to verify the payment but is there anyway to do this without sending hidden variables? I know user is changing the values so if he pays thats his headache that his money will be for nothing as I am verifying in notify url but I want the site to prevent going to checkout. Similarly receiver email can be changed as well, I am verifying this also on notify url but this is critical, it should not allow.
Consider If I am the user, I have two paypal accounts, I change to my one paypal email in firebug, I enter price $1 and checkout using my second email and if someone hasn't verified on the backend it I will get that product for free. Or if I only change the amount, I will get the product for $1.
What is the way around? I want my site not go to the checkout page if any value is changed.
Thanks
Save the prices in your own database. Compare the money paid with the price in your database. This way you can detect edited payments and cancel them.
To prevent users from changing hidden values or URL variables I normally pass a hash and verify it before processing.
I.e.
//Combine values that you want to protect and create a hash.
$email = 'someone@domain.com';
$cost = 15;
$hash = sha1(md5($email.$cost.'some-secret-key'));
On the other page I will verify the hash,
$hash = sha1(md5($_REQUEST['email'].$_REQUEST['cost'].'some-secret-key'));
if($_REQUEST['hash'] != $hash){
echo 'Values changed';
exit();
}
You can pass the hash into URL, POST, Form Hidden variables or SESSION. Hope this helps.