0
votes

I have already seen a few questions like this. But I wanted to get an overall opinion on some of these questions, combined!

I understand how IPN works and how you can listen to make sure it comes from PayPal.

My main wonder is if I am going to dynamically generate PayPal buttons using the code:

<form name="_xclick" action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="[email protected]">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="item_name" value="Teddy Bear">
<input type="hidden" name="amount" value="12.99">
<input type="image" src="http://www.paypal.com/en_US/i/btn/btn_buynow_LG.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>

From the paypal developer site: https://www.paypal.com/cgi-bin/webscr?cmd=_pdn_xclick_techview_outside

Is it safe to use this? I was reading up on another post saying it is unsafe since the variables can be tampered with. Do I need to encrypt the form?

Cheers,

Nick

1
I don't know if it's safe or not, but I do know that HTML like that can easily be tampered with. Ever used developer tools in your browser? – user849137

Yeah, I have used the developer tools. But if it was insecure, why would PayPal suggest that code? This is pretty much the same question as this: stackoverflow.com/questions/6322247/… My question is: do I have to encrypt it? – Nick

1 Answer

1
votes

I'm just going to answer my OWN question. The solution is to just compare the "item_name" and "amount" variables and make sure they are exactly the same as what I generated, if, say, I generated them using a database. And if someone tampers with it and pays me $1.00 instead of $100.00, then that's a free donation and bad luck for them :P

What I will be doing is this:

  1. Create a database to store item name, amount, currency etc.
  2. On the shopping page I will dynamically generate it using the item_name and amount
  3. Set up my PayPal account to send transactions made to the IPN listener that I will make
  4. Using the database to compare the item_name and amount, it will validate whether it is a valid form submission or not.

Simple! I like it! WOO!
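As an added example (not code from the question or the answer above), here is what step 4 looks like in Python when the IPN listener compares item_name, amount and currency against a server-side record, together with the other checks a listener needs before treating a payment as valid: the postback to PayPal, payment_status, receiver_email, and a replay guard on txn_id. The CATALOG, RECEIVER_EMAIL, the sample IPN messages and the fake_postback stub are all constructed for this example; a real listener would post the message back to PayPal's validation endpoint instead of using the stub.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalog standing in for the answer's database: item_name -> (amount, currency).
CATALOG = {"Teddy Bear": (Decimal("12.99"), "USD")}
RECEIVER_EMAIL = "seller@example.com"  # placeholder for the seller's PayPal account


def validate_ipn(params, postback, catalog=CATALOG, seen_txns=None):
    """Return (ok, reason) for one IPN message.

    params    -- dict of the POSTed IPN fields
    postback  -- callable that re-posts the raw message to PayPal with
                 cmd=_notify-validate prepended and returns its reply
                 ("VERIFIED" or "INVALID"); injected so this runs offline
    seen_txns -- set of already-processed txn_id values (replay guard)
    """
    # 1. The message must come from PayPal, not from a client POSTing to the listener.
    if postback(params) != "VERIFIED":
        return False, "postback not VERIFIED"
    # 2. Only a completed payment releases goods.
    if params.get("payment_status") != "Completed":
        return False, "payment_status is %r" % params.get("payment_status")
    # 3. The money must have gone to our account, not to a substituted "business" value.
    if params.get("receiver_email", "").lower() != RECEIVER_EMAIL.lower():
        return False, "receiver_email mismatch"
    # 4. Compare item, amount and currency with the server-side record, never the form.
    item = catalog.get(params.get("item_name"))
    if item is None:
        return False, "unknown item_name"
    expected_amount, expected_currency = item
    try:
        paid = Decimal(params.get("mc_gross", ""))
    except InvalidOperation:
        return False, "mc_gross is not a number"
    if paid != expected_amount or params.get("mc_currency") != expected_currency:
        return False, "amount/currency mismatch: paid %s %s" % (paid, params.get("mc_currency"))
    # 5. Each txn_id is fulfilled once; a replayed IPN must not ship the item twice.
    if seen_txns is not None:
        txn = params.get("txn_id")
        if not txn or txn in seen_txns:
            return False, "duplicate or missing txn_id"
        seen_txns.add(txn)
    return True, "ok"


# Constructed IPN messages (not real PayPal traffic) and a stub postback that always says VERIFIED.
def fake_postback(params):
    return "VERIFIED"

GOOD_IPN = {"txn_id": "TXN-0001", "payment_status": "Completed", "receiver_email": RECEIVER_EMAIL,
            "item_name": "Teddy Bear", "mc_gross": "12.99", "mc_currency": "USD"}
TAMPERED_IPN = dict(GOOD_IPN, txn_id="TXN-0002", mc_gross="1.00")  # amount edited in the hidden field
```

Run validate_ipn on GOOD_IPN and TAMPERED_IPN with fake_postback to see the honest message accepted and the edited amount rejected; replaying GOOD_IPN with the same seen_txns set is rejected as a duplicate.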