0

this is my situation.

I had implemented a small shopping kart who uses a PHP file to process the PayPal IPN. The solution works fine, but when I made some verifications I can observe the follow behavior.

My cart doesn't encrypt the PayPal button, I make all the validations in my "notify_url" file.

But, if someone edits the code of the "Pay Now" button and modify for example the amount of the order (amount field), PayPal process the transaction with the changed amount, I can verify the amount when PayPal send the INP to my verification file, but the pay was made with the different amount!

If the buyer has funds PayPal make the pay BEFORE send the IPN to my server?

From now, thank you very much.

telextro
  • 111
  • 2
  • 5
  • 1
    possible duplicate of [Dynamic Paypal button encryption](http://stackoverflow.com/questions/4106376/dynamic-paypal-button-encryption) – Nerdroid Dec 29 '14 at 04:11

2 Answers2

0

If you want to secure your button code, you will need to use "Hosted button". When you create a button at www.paypal.com, make sure you check "Save buttons at PayPal". This will encrypt the button and user cannot update the button code.

user207421
  • 305,947
  • 44
  • 307
  • 483
Vimalnath
  • 6,373
  • 2
  • 26
  • 47
0

If someone is kind enough to fraudulently send you money for a product or service you don't sell at that price, just keep it, along with the proof of fraud, and do nothing. It's their problem. At worst you are up for a reversal if they are bold enough to raise a case with PayPal. Meanwhile you get the use of the funds, which is kind of them.

user207421
  • 305,947
  • 44
  • 307
  • 483