1

After following the tutorial here:

https://developer.paypal.com/docs/checkout/

I managed to easily setup the paypal checkout process with their smart buttons. However, I see that in their implementations the price amount is either hardcoded or passed via JS.

As far as I understand, some malicious hacker could easily change my code to modify that price.

Is this actually prevented by paypal? This:

https://developer.paypal.com/docs/checkout/#how-the-buttons-work

doesn't really tell me whether the user can do price tampering or not.

I also checked this:

https://developer.paypal.com/docs/paypal-payments-standard/integration-guide/limitations/

Which I don't really know if this is just outdated, or tackles another checkout type.

So, my question is how does Paypal make those smart buttons client side with javascript? How do they prevent the situation above?

Also, should I use paypal IPN to prevent this, as suggested here? I'd rather make this the simplest integration, and setting up an for this very simple case looks like an overkill to me.

guillemus
  • 91
  • 2
  • 10

1 Answers1

2

Apparently I was overcomplicating things. Fireship simplified my confusion, so that's nice.

The basic workflow is as it follows:

  • The client fills the checkout form or pays with whatever way the paypal buttons allow to.
  • the onApprove callback will be fired with the order id and other details.
  • Simply by making a properly secured api call to your restful service validating the price and the order id should be enought

Therefore, won't matter whether the malicious hacker tries to tamper the price, the server will validate the price and the order id.

For previously confused people like me, use this on your server for validating:

https://developer.paypal.com/docs/checkout/reference/server-integration/get-transaction/

E_net4
  • 27,810
  • 13
  • 101
  • 139
guillemus
  • 91
  • 2
  • 10