
Is it secure to pass a variable Amount to a Smart PayPal Button script?

Assume we have a basic amount of 100 and a checkbox option; if the user selects it, the total amount increases by 20 to become 120.

var totalAmount = 100;

$('form').change(function(){
  totalAmount =+ $(this).find("input").val();
});

paypal.Buttons({
  createOrder: function(data, actions) {
    // Set up the transaction
    return actions.order.create({
      purchase_units: [{
        amount: {
          value: totalAmount
        }
      }]
    });
  }
}).render('#paypal-button-container');

It works fine, PayPal takes it as 120 and all is okay, but is it secure enough? Or is there a better practice?

Many Thanks

Saif Obeidat

2 Answers

Since it is client side, it would be fine. I am not very familiar with PayPal, but I do not see any security vulnerability in this code.

ilia
  • Okay, what if somebody opened the browser inspect tool and changed the amount from the script itself? What will happen? – Saif Obeidat Mar 13 '19 at 11:55
  • Without this code, a potential attacker still has the opportunity to do the same. If this is only part of your code, validate that number on the server and then send it back; you can do it in real time with AJAX, the fetch API, axios, etc. – ilia Mar 13 '19 at 12:00
  • If you think my answer is correct, mark it as correct. – ilia Mar 13 '19 at 12:17
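
The server-side validation mentioned in the comment above, as an added example that is not part of the original thread: the server recomputes the total from the selected option and compares it with the order it retrieved from PayPal, instead of trusting the browser's `totalAmount`. The price table, the option id `extra`, the USD currency and the sample orders are assumptions constructed for illustration; the field names follow the PayPal Orders v2 response shape.

```javascript
// Server-side price rules are the only source of truth for amounts.
// Values mirror the question's 100 + 20 example; currency and option id are assumed.
const CURRENCY = "USD";
const BASE_CENTS = 10000;
const OPTION_CENTS = { extra: 2000 }; // hypothetical id for the checkbox option

// Recompute the total from the option ids the client sent, never from a client amount.
function expectedTotalCents(selectedOptions) {
  if (!Array.isArray(selectedOptions)) throw new TypeError("options must be an array");
  let total = BASE_CENTS;
  for (const id of new Set(selectedOptions)) { // repeated ids count once
    if (!Object.prototype.hasOwnProperty.call(OPTION_CENTS, id)) {
      throw new RangeError("unknown option: " + String(id));
    }
    total += OPTION_CENTS[id];
  }
  return total;
}

// Parse a decimal string such as "120.00" into integer cents without float rounding.
function toCents(value) {
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(String(value));
  return m ? Number(m[1]) * 100 + Number((m[2] || "").padEnd(2, "0")) : NaN;
}

// Compare an order the server fetched from PayPal with the recomputed total.
function verifyOrder(order, selectedOptions) {
  if (!order || order.status !== "COMPLETED") return { ok: false, reason: "not completed" };
  const units = order.purchase_units;
  if (!Array.isArray(units) || units.length !== 1) return { ok: false, reason: "unexpected units" };
  const amount = (units[0] || {}).amount || {};
  if (amount.currency_code !== CURRENCY) return { ok: false, reason: "currency mismatch" };
  if (toCents(amount.value) !== expectedTotalCents(selectedOptions)) {
    return { ok: false, reason: "amount mismatch" };
  }
  return { ok: true, reason: "verified" };
}

// Constructed sample orders (not real PayPal responses).
const makeOrder = (value) => ({
  status: "COMPLETED",
  purchase_units: [{ amount: { currency_code: CURRENCY, value } }],
});
const honestOrder = makeOrder("120.00");
const tamperedOrder = makeOrder("0.01"); // totalAmount edited in the browser

console.log(verifyOrder(honestOrder, ["extra"]));
console.log(verifyOrder(tamperedOrder, ["extra"]));
```

Fulfil the purchase only when `verifyOrder` returns `ok: true`; a mismatch means the amount paid does not match what the server would have charged for the selected options.
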

It's not secured. If you want a dynamic button, you have to use the HTML form button where you can customize your button and encrypt it so that no one could alter the amount value. It's discussed here. Hope this helps :)

Erlisar Vasquez