views: 83 | answers: 2

I'm having trouble figuring out how to prevent people from editing the amount in my shopping cart with tools such as Firebug. How do I make sure users can't edit the hidden field? Can I encode the amount before sending it to PayPal?

Thanks!

Francois

+1  A: 

I'm sorry to say, but you cannot prevent people from fiddling with the HTML / POST variables. One common security mantra is "Don't trust the client".

The process should be to have the client post back to your server. It recomputes the totals or whatever, then sends that to PayPal. Obviously there should be some sanity checks like preventing zero or negative quantities; however, the client itself should NOT have control of the totals.

Chris Lively
Yeah, that's what I'm doing on the new version of the site, but I was wondering if there was a quick fix for my current system. Anyhow, thanks for the reply!
Farbour
Thanks for the answer, BTW... Do you know how I can edit the question here? I made a mistake in the question title and can't find where the edit button is.
Farbour
There should be an edit button just below the question.
Chris Lively
A: 

Okay, turning comment into answer...

Don't encode the hidden field! When a customer makes a payment, PayPal will handle the transaction and tell your automated system that it has received the payment. It should also tell you how much the customer paid you! You then compare the amount paid with the original invoice and if there's a difference, you just tell the user that the payment is incomplete. (Unless they paid too much, of course.)

As Chris Lively tells you, don't trust the customer! Always check the amount that has been paid. Once you do this, it doesn't matter if the user hacks into any hidden fields, since you check it afterwards.

If your security depends on keeping your users away from hidden fields, your security will fail! Your security should depend on your contact with PayPal directly. Only when PayPal confirms the payment should you send the product.

Workshop Alex
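Both answers come down to the same two server-side steps: recompute the total from prices the client never controls, and compare what the payment provider reports as paid against that stored total. The following is an added example illustrating both (not code from the question, the answers or PayPal); the catalogue, the `item:` form-field naming and the plain-dict "POST" are constructed assumptions standing in for a real web framework and a real PayPal notification.

```python
from decimal import Decimal

# Constructed catalogue: prices live on the server, never in the client's form.
CATALOGUE = {"sku-100": Decimal("19.99"), "sku-200": Decimal("5.00")}

def compute_total(cart):
    """Recompute the order total from server-side prices.

    `cart` maps SKU -> integer quantity. Only quantities come from the client;
    prices are looked up here. Empty carts, unknown SKUs and zero or negative
    quantities are rejected, which is the "sanity check" the first answer mentions.
    """
    if not cart:
        raise ValueError("empty cart")
    total = Decimal("0")
    for sku, qty in cart.items():
        if sku not in CATALOGUE:
            raise ValueError(f"unknown item: {sku}")
        if qty <= 0:
            raise ValueError(f"invalid quantity for {sku}: {qty}")
        total += CATALOGUE[sku] * qty
    return total.quantize(Decimal("0.01"))

def checkout(posted_form):
    """Handle the client's checkout POST (a plain dict of form fields here).

    Any client-supplied `amount` field is ignored; the amount handed to the
    payment provider is always the recomputed total.
    """
    try:
        cart = {k[len("item:"):]: int(v) for k, v in posted_form.items()
                if k.startswith("item:")}
        return {"ok": True, "amount": str(compute_total(cart))}
    except ValueError as err:  # int() failures and compute_total() rejections
        return {"ok": False, "error": str(err)}

def payment_status(invoice_total, paid_amount, paid_currency, currency="USD"):
    """Compare the amount PayPal reports as paid with the stored invoice total.

    Returns "complete", "incomplete" (underpaid or wrong currency) or
    "overpaid". Amounts are parsed with Decimal, not float, so cents compare
    exactly; the currency is checked because 10.00 EUR is not 10.00 USD.
    """
    if paid_currency != currency:
        return "incomplete"
    paid = Decimal(paid_amount).quantize(Decimal("0.01"))
    if paid < invoice_total:
        return "incomplete"
    return "overpaid" if paid > invoice_total else "complete"
```

Only an order whose `payment_status` is "complete" (or "overpaid", if you choose to honour those) should have its product shipped.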