
Hi guys. I just implemented the PayPal Express Checkout into my website. All went well until I tested it live (without the sandbox, because they didn't send me the confirmation email and I cannot get the API credentials). I used my own PayPal account.

My question is:

Step 1) call "SetExpressCheckout" with required data.

Step 2) get the token and redirect the user to pay 0.01 USD. (all good, the user saw $0.01)

Step 3) get the buyer details ("GetExpressCheckoutDetails") and save them (all good)

Here is the big problem:

Step 4) call the API "DoExpressCheckoutPayment" with TOKEN, PAYER_ID, etc., and also the PAYMENT TOTAL AMOUNT

In this step I added the TOTAL AMOUNT by mistake as $500, hardcoded. After finalizing the order, the $500 were transferred to my account from the buyer's account instead of $0.01.

How is this possible??? Why doesn't PayPal check the total amount from SetExpressCheckout against the total amount from DoExpressCheckoutPayment, because the token is the same one?

In my opinion this is a major security issue.


1 Answer


That is by design. SetExpressCheckout sets up the payment, but your application won't know (in best practice scenarios) the shipping address of the buyer until after you've called GetExpressCheckoutDetails. At that point you could calculate shipping and sales tax accordingly and add it to the order, display a final review page, and then call DoExpressCheckoutPayment with the final order amount to be charged.

So, yeah, whatever you pass in DECP is what's going to get charged, so you want to make sure that's correct.

As for testing, you just need to create an account at http://developer.paypal.com and then create sandbox accounts within that. You can get the API credentials for sandbox accounts by clicking on the profile of each sandbox account. No need to wait on any confirmation emails or anything. Not sure what you're referring to there, but I definitely recommend testing on the sandbox.
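Since PayPal charges whatever amount DoExpressCheckoutPayment carries, the merchant side has to make sure that amount can only ever come from the order it recorded at SetExpressCheckout time plus the shipping and tax it computed after GetExpressCheckoutDetails. The following is an added example (not code from the question or the answer) of that pattern in Python: an in-memory order store keyed by the token, a builder that derives the amount from the store instead of a literal, and a final guard that refuses to send a request whose amount disagrees with the record. The NVP field names (PAYMENTREQUEST_0_AMT and friends) are assumed from the PayPal NVP API; the order store and function names are hypothetical.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed in-memory order store keyed by the PayPal token. A real
# application writes this row to its database when SetExpressCheckout returns.
ORDERS = {}

class AmountMismatch(Exception):
    """The amount about to be sent to PayPal does not match the recorded order."""

def money(value):
    # NVP amounts are decimal strings with two places; never use float here.
    return Decimal(str(value)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def record_set_express_checkout(token, item_total, currency="USD"):
    """Step 1: remember what the buyer will be shown, keyed by the token."""
    ORDERS[token] = {"item_total": money(item_total), "shipping": None,
                     "tax": None, "currency": currency}

def record_shipping_and_tax(token, shipping, tax):
    """Step 3: after GetExpressCheckoutDetails, store the computed extras."""
    shipping, tax = money(shipping), money(tax)
    if shipping < 0 or tax < 0:
        raise AmountMismatch("shipping and tax must not be negative")
    ORDERS[token].update(shipping=shipping, tax=tax)

def expected_total(token):
    """The only amount DoExpressCheckoutPayment may ever carry for this token."""
    order = ORDERS.get(token)
    if order is None or order["shipping"] is None:
        raise AmountMismatch(f"token {token!r} has no completed order")
    return order["item_total"] + order["shipping"] + order["tax"]

def build_decp_params(token, payer_id):
    """Step 4: build the request from the stored order, never from a literal."""
    total = expected_total(token)          # raises if the token is unknown
    order = ORDERS[token]
    return {
        "METHOD": "DoExpressCheckoutPayment",
        "TOKEN": token,
        "PAYERID": payer_id,
        "PAYMENTREQUEST_0_AMT": str(total),
        "PAYMENTREQUEST_0_ITEMAMT": str(order["item_total"]),
        "PAYMENTREQUEST_0_SHIPPINGAMT": str(order["shipping"]),
        "PAYMENTREQUEST_0_TAXAMT": str(order["tax"]),
        "PAYMENTREQUEST_0_CURRENCYCODE": order["currency"],
    }

def verify_decp_params(params):
    """Last guard before the HTTP call: refuse any request whose AMT
    disagrees with the recorded order (this is what a hardcoded 500 hits)."""
    sent, expected = money(params["PAYMENTREQUEST_0_AMT"]), expected_total(params["TOKEN"])
    if sent != expected:
        raise AmountMismatch(f"AMT {sent} != recorded total {expected}")
    return True
```

Run verify_decp_params on the exact dictionary you are about to post; a request that bypasses the builder and carries a different amount is rejected before it reaches PayPal.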