I'm trying out PayPal's HTML API, where you specify price, item_name, customer information and so on in the HTML:

    <form action="https://www.paypal.com/cgi-bin/webscr" method="post" id="payPalForm">

        <input type="hidden" name="cmd" value="_cart" />
        <input type="hidden" name="upload" value="1" />

        <input type="hidden" name="no_note" value="1" />
        <input type="hidden" name="business" value="[email protected]" />
        <input type="hidden" name="currency_code" value="SEK" />
        <input type="hidden" name="return" value="http://freelanceswitch.com/payment-complete/" />

        <input type="hidden" name="tax_rate" value="25" />

        <input type="hidden" name="item_name_1" value="Apple Macpro" />
        <input type="hidden" name="item_number_1" value="01 - Product 1" />
        <input type="hidden" name="amount_1" value="25000" />

        <input type="hidden" name="item_name_2" value="Apple Macbook" />
        <input type="hidden" name="item_number_2" value="02 - Product 2" />
        <input type="hidden" name="amount_2" value="12500" />

        <input type="hidden" name="item_name_3" value="Apple Macbook Air" />
        <input type="hidden" name="item_number_3" value="03 - Product 3" />
        <input type="hidden" name="amount_3" value="12500" />

        <input type="submit" name="Submit" value="Submit" />

    </form>

When the user clicks submit, it takes him/her to PayPal's payment page.

But doesn't this mean that a hacker could change the order by manipulating the HTML code?

I can't figure out how PayPal prevents this security problem.

+1  A: 

If this is anything like other HTML integrations, there should be a callback directly from PayPal to your server with all the fields that were entered. You can compare these to see if any have changed. There are usually various security mechanisms, such as a shared hidden key, so that you can validate that the callback is genuine.

James Westgate
+1  A: 

Of course, it does appear as if someone could just change the HTML and re-submit the form.

I'm not sure about PayPal, but Google Checkout handles this differently: instead of setting HTML, it gets you to create XML, encrypt it using your merchant key, and use the encrypted string in your HTML to pass across to Google. Google then decrypts it using your merchant key and voila - tamper-free.

Have a look in PayPal's documentation for something along the lines of "cart signing" or "request encryption." They may also do a callback to your server, telling you what was sent and you can compare it to your database to see if the prices are still correct.

Andy Shellam
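The comparison that both James Westgate's and Andy Shellam's answers describe, sketched as an added example that is not part of any answer or of PayPal's own code: the server keeps its own record of the order and accepts a payment callback only if nothing in it differs. It assumes the callback echoes the form's field names (the real names are whatever PayPal's documentation specifies); `ORDER`, `GENUINE` and `check_callback` are hypothetical names, and the data is constructed.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side order record (hypothetical storage layout).
# Prices and item numbers mirror the form in the question; the address is a placeholder.
ORDER = {
    "business": "merchant@example.test",
    "currency_code": "SEK",
    "items": {"01 - Product 1": Decimal("25000"),
              "02 - Product 2": Decimal("12500"),
              "03 - Product 3": Decimal("12500")},
}

# Constructed callback payload for an untampered order.
GENUINE = {
    "business": "merchant@example.test", "currency_code": "SEK",
    "item_number_1": "01 - Product 1", "amount_1": "25000",
    "item_number_2": "02 - Product 2", "amount_2": "12500.00",
    "item_number_3": "03 - Product 3", "amount_3": "12500",
}

def check_callback(fields, order):
    """Return the mismatches between callback fields and the stored order.

    Assumes the callback was already verified as genuinely coming from the
    payment provider; that step is provider-specific and not shown here.
    """
    problems = [f"{key} changed" for key in ("business", "currency_code")
                if fields.get(key) != order[key]]
    paid, n = {}, 1
    while f"item_number_{n}" in fields:
        number = fields[f"item_number_{n}"]
        if number in paid:
            problems.append(f"{number} duplicated")
        try:
            paid[number] = Decimal(fields.get(f"amount_{n}", ""))
        except InvalidOperation:
            paid[number] = None  # unparsable amount never equals a stored price
        n += 1
    for number, price in order["items"].items():
        if number not in paid:
            problems.append(f"{number} missing")
        elif paid[number] != price:
            problems.append(f"{number} price changed")
    problems += [f"{number} not in order"
                 for number in sorted(paid.keys() - order["items"].keys())]
    return problems  # empty list: safe to mark the order as paid

if __name__ == "__main__":
    print(check_callback(dict(GENUINE, amount_1="1"), ORDER))
```

Amounts are compared as `Decimal` so that `12500` and `12500.00` match, and any parse failure or gap in the item numbering is treated as a mismatch rather than ignored.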
+1  A: 

It doesn't seem like it is safe by itself. On PayPal's Securing Your Website Payments Standard Buttons page, they talk about being able to create protected payment buttons. However, further on they indicate that it doesn't work if JavaScript is disabled, which makes the protection useless! Then they talk about other manual processes that can be performed, including reconciliation and instant notifications, which should occur in any sound accounting process anyway.

Encrypted website payments really seems like the only secure option to me.

Bermo