Hello!

I am developing a website which will allow users to pay via PayPal.

PayPal IPN seems to be easy to integrate and it works on my localhost.

Now the problem is that the amount and the business name are passed to PayPal using POST data.

I know it's very dangerous to put it that way, but I am not sure what the alternatives are.

How can I make PayPal IPN secure?

+1  A: 

The POST data is sent over a secure HTTPS connection which encrypts the data between sender and receiver. It's how all sensitive data is sent over the Internet. If it really was dangerous then PayPal, and every reputable website handling sensitive information, wouldn't be using it.

John Conde
Can POST data be edited even on HTTPS?
keithics
The data sent via HTTPS is encrypted so unless the attacker knows how to break the encryption, or they discover some previously unknown security flaw in SSL/TLS, it's virtually impossible to read or alter the data.
John Conde
+1  A: 

PayPal has sample IPN code on their web site. Basically, what you're supposed to do is check that PayPal sent you the notification (by sending back the info you get, with a cmd=notify_validate or something like that... it's been a while since I used IPN), and check your database to make sure the info they sent you back is the same info you intended to have passed to it in the first place. Especially the payee name and payment amount.

If you do those checks, you should be fine whether you use HTTPS or not. But if you're worried about some evil network admin knowing someone paid for an item, you should be able to set IPN up to use HTTPS.

cHao
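
The two checks described in the answer above, as an added example that is not part of the original thread and is not PayPal's sample code. The postback prefixes the received body with `cmd=_notify-validate`; the `orders` dictionary, the use of the `invoice` variable as the order ID, the `seen_txns` set and the sample notification are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs
from urllib.request import urlopen

VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"  # PayPal's live postback endpoint

# Constructed sample notification body (not captured from a real payment).
SAMPLE_IPN = (b"invoice=1001&receiver_email=shop%40example.com&mc_gross=19.99"
              b"&mc_currency=USD&payment_status=Completed&txn_id=TESTTXN0001")

def paypal_postback(raw_body: bytes) -> str:
    """Send the body back unchanged, prefixed with cmd=_notify-validate."""
    data = b"cmd=_notify-validate&" + raw_body
    with urlopen(VERIFY_URL, data=data, timeout=30) as resp:
        return resp.read().decode().strip()  # "VERIFIED" or "INVALID"

def check_ipn(raw_body, orders, seen_txns, merchant_email, postback=paypal_postback):
    """Return (accepted, reason). orders maps our order id -> expected amount/currency."""
    # 1. Did PayPal really send this? Anyone can POST to the listener URL.
    if postback(raw_body) != "VERIFIED":
        return False, "not verified by PayPal"
    # Assumes a UTF-8 encoded notification body.
    f = {k: v[0] for k, v in parse_qs(raw_body.decode("utf-8")).items()}
    # 2. Compare with what our database says, not with what the browser form said.
    order = orders.get(f.get("invoice"))
    if order is None:
        return False, "unknown order"
    if f.get("payment_status") != "Completed":
        return False, "payment not completed"
    if f.get("receiver_email", "").lower() != merchant_email.lower():
        return False, "wrong payee"
    try:
        paid = Decimal(f.get("mc_gross", ""))
    except InvalidOperation:
        return False, "bad amount"
    if paid != order["amount"] or f.get("mc_currency") != order["currency"]:
        return False, "amount mismatch"
    # 3. Reject replays of an already processed transaction.
    txn = f.get("txn_id")
    if not txn or txn in seen_txns:
        return False, "duplicate transaction"
    seen_txns.add(txn)
    return True, "ok"
```

In a listener, pass the raw request body exactly as received; re-encoding the parsed fields before the postback can change the bytes and make a genuine notification come back `INVALID`.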