Hello!
I am developing a website which will allow users to pay via Paypal.
Paypal IPN seems to be easy to integrate and it works on my localhost.
Now the problem is that, the amount and the business name are passed to paypal using POST Data.
I know it's very dangerous to put it that way, but I am not sure what are the alternatives.
How can I make Paypal IPN secure?
The POST data is sent over a secure HTTPS connection which encrypts the data between sender and receiver. It's how all sensitive data is sent over the Internet. If it really was dangerous then Paypal, and every reputable website handling sensitive information, wouldn't be using it.
Paypal has sample IPN code on their web site. Basically, what you're supposed to do is check that Paypal sent you the notification (by sending back the info you get, with a cmd=notify_validate or something like that...it's been a while since i used IPN), and check your database to make sure the info they sent you back is the same info you intended to have passed to it in the first place. Especially the payee name and payment amount.
If you do those checks, you should be fine whether you use HTTPS or not. But if you're worried about some evil network admin knowing someone paid for an item, you should be able to set IPN up to use HTTPS.