Concern about Paypal script

Hi all

I'm trying to set up the script to use Paypal and auto key creation. I have a concern about the following code and I'm curious if there is a way to make it more secure.

if ($UsePayPal) { ?>
<input type="hidden" name="cmd" value="_xclick"/>
<input type="hidden" name="business" value="<?=$PayPalEmail?>"/>
<input type="hidden" name="undefined_quantity" value="1"/>
<input type="hidden" name="item_name" value="<?=$AppName?> license"/>
<input type="hidden" name="item_number" value="1"/>
<input type="hidden" name="no_shipping" value="1"/>
<input type="hidden" name="no_note" value="1"/>
<input type="hidden" name="currency_code" value="<?=$Currency?>"/>
<input type="hidden" name="lc" value="US"/>
<input type="hidden" name="rm" value="2"/>
<input type="hidden" name="return" value="<?=$ThankYouPage?>"/>
<input type="hidden" name="cancel_return" value="<?=$BuyPage?>"/>
<input type="hidden" name="notify_url" value="<?=$CheckScript.'?paypal=1'?>"/>

When this code is rendered in the browser, it creates this code in plain text as the following

<p>
<input type="hidden" name="amount" value="35.00" id="mb_amt"/><br />
<input type="hidden" name="cmd" value="_xclick"/><br />
<input type="hidden" name="business" value=".sell@gmail.com"/><br />
<input type="hidden" name="undefined_quantity" value="1"/><br />
<input type="hidden" name="item_name" value="Learning Live license"/><br />
<input type="hidden" name="item_number" value="1"/><br />
<input type="hidden" name="no_shipping" value="1"/><br />
<input type="hidden" name="no_note" value="1"/><br />
<input type="hidden" name="currency_code" value="USD"/><br />
<input type="hidden" name="lc" value="US"/><br />
<input type="hidden" name="rm" value="2"/><br />
<input type="hidden" name="return" value="http://.com/pay-thankyou.php"/><br />
<input type="hidden" name="cancel_return" value="http://.com/payment/"/><br />
<input type="hidden" name="notify_url" value="http://www.com/paychecker.php?paypal=1"/>
</p>

Now, if I copy the entire code from "Viewed Source", and create a local PHP file, I can change the price.

Original:
<p> <input type="hidden" name="amount" value="35.00" id="mb_amt"/><br />

Changed:
<p> <input type="hidden" name="amount" value="20.00" id="mb_amt"/><br />

Then if I open the file in a browser and click Purchase, it opens to Paypal, with the updated price. Obviously with automatic key creation, this would be a concern. Is there a way that this form information can be done in the background so it's not an attack vector for such a modification?

Thanks for any help

Cheers

Yes, they can modify the price in the webpage, but paychecker.php will just reject orders with the wrong price and not deliver them a product key.

Does that make sense?

That's fantastic. Thanks

Also, is there a way to be able to see exactly what the PayPal IPN is sending?

Thanks

Yes, by adding logging to paychecker.php
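
The server-side price check and the IPN logging mentioned in the replies above, as an added example that is not the project's own paychecker.php. The function names, log path, seller address and sample values are assumptions, and it assumes the message has already been confirmed as genuine with PayPal's IPN verification postback.

```php
<?php
// Added example, not the project's paychecker.php. Function names, the log
// path and the sample values below are assumptions for illustration.

// Append every IPN field to a log so you can see exactly what PayPal sent.
// Keep the file outside the web root: it contains buyer details.
function log_ipn(array $ipn, string $logFile): void
{
    $line = date('c') . ' ' . json_encode($ipn) . PHP_EOL;
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
}

// Return the reasons an IPN must be rejected; an empty array means it matches
// what the server expects. Nothing from the buyer's form is trusted.
function check_ipn(array $ipn, array $expected): array
{
    $reasons = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $reasons[] = 'payment not completed';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $expected['email']) !== 0) {
        $reasons[] = 'wrong receiver';
    }
    if (($ipn['mc_currency'] ?? '') !== $expected['currency']) {
        $reasons[] = 'wrong currency';
    }
    // Compare in cents to avoid float rounding issues.
    $paid = (int) round(((float) ($ipn['mc_gross'] ?? 0)) * 100);
    $quantity = max(1, (int) ($ipn['quantity'] ?? 1));
    if ($paid < $expected['price_cents'] * $quantity) {
        $reasons[] = 'amount too low';
    }
    return $reasons;
}

// Constructed sample: the edited form from the post (20.00 instead of 35.00).
$expected = ['email' => 'seller@example.com', 'currency' => 'USD', 'price_cents' => 3500];
$tampered = ['payment_status' => 'Completed', 'receiver_email' => 'seller@example.com',
             'mc_currency' => 'USD', 'mc_gross' => '20.00', 'quantity' => '1', 'txn_id' => 'SAMPLE1'];
$honest = array_merge($tampered, ['mc_gross' => '35.00', 'txn_id' => 'SAMPLE2']);

foreach ([$tampered, $honest] as $ipn) {
    log_ipn($ipn, sys_get_temp_dir() . '/ipn-example.log');
    $reasons = check_ipn($ipn, $expected);
    echo $ipn['txn_id'] . ': ' . ($reasons ? 'REJECT (' . implode(', ', $reasons) . ')' : 'issue key') . PHP_EOL;
}
```

A production handler would also record each txn_id and refuse to issue a second key for one it has already processed.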