best way to ensure customer didn't mess with price?


g

Oct 4, 2010, 9:09:50 PM
to django-paypal
What is the best way to ensure that the customer didn't tamper with
the unencrypted form before submission? Should I just recalculate the
correct cost after paypal submits the ipn and check it against the
value paypal reports for the payment?

g

Oct 5, 2010, 3:18:15 PM
to django-paypal
For some reason the following post is not showing up:

>
>My understanding is they cannot. Try manipulating it and see if you can succeed.
>
(I copied the quote out of my email inbox. Maybe it was sent directly
to me and to the group? I do not want to put the email address in the
body of the msg though.)

Here is my response:

Sure they can? At least I can on the sandbox? An easy test is to
copy the form html into a new html file and change the price. Then
you just open your "tampered" form and submit it to paypal. I just
changed an item from $11.00 to $1.00 and paypal accepted it and posted
it back to my server. The form isn't hashed or anything so there is
no way for paypal to detect tampering that I can see. Maybe I am
doing it wrong but doesn't paypal warn against this on their website
and that is the whole reason for using an encrypted form?

For the particular site I am working on I have no control over what is
installed on the system and I cannot use encrypted forms. The nature
of the site doesn't really need it anyways because I don't think any
of the targeted customer base would come up with the idea to try this,
but I would still like to have the best precautions in place.

As of now, I just wrote a simple function and hooked it in to the
payment_success signal to detect if the payment amount is different
from the anticipated amount. I was wondering if there were any better
ways to handle this though.

Thanks

Kai Timmer

Nov 9, 2010, 4:41:09 AM
to django-paypal


On 5 Okt., 20:18, g <pendleto...@gatech.edu> wrote:
> As of now, I just wrote a simple function and hooked it in to the
> payment_success signal to detect if the payment amount is different
> from the anticipated amount.  I was wondering if there were any better
> ways to handle this though.

I'm looking for a solution for the exact same problem at the moment
and was wondering if you found a way of doing this. I still would
always check the IPN information for validity, which should be quite
secure, but there might be some other things we can do to prevent
fraud.

Looking into the "Website Payments Standard Integration Guide" it says
that you can save your created buttons on Paypal. I'm not sure if I
can use this with django-paypal, maybe someone can help me out?

Greetings,
Kai
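An added example of the server-side check g hooked into the payment signal and the IPN validation Kai mentions; it is not code from the thread or from django-paypal. It works on a plain dict of IPN POST fields, so it can be called from whatever signal handler your version of django-paypal exposes. The invoice table, receiver address and sample IPNs are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Server-side source of truth for what each invoice must cost. Constructed sample
# data (hypothetical); a real site would read this from its order records, never
# from the submitted form.
EXPECTED_ORDERS = {"INV-1001": {"amount": Decimal("11.00"), "currency": "USD"}}
RECEIVER_EMAIL = "seller@example.com"  # assumed: the PayPal account that must be paid


def verify_ipn(ipn, seen_txn_ids, expected_orders=EXPECTED_ORDERS,
               receiver_email=RECEIVER_EMAIL):
    """Return (ok, reason) for a dict of IPN POST fields.

    Assumes PayPal's VERIFIED handshake already passed; this only checks that what
    PayPal says was paid matches what the server expected, so a form edited to a
    lower price is caught before the order is fulfilled.
    """
    if ipn.get("payment_status") != "Completed":
        return False, "payment_status is not Completed"
    # The buyer can also edit where the money goes, so check the receiver too.
    if ipn.get("receiver_email", "").lower() != receiver_email.lower():
        return False, "paid to a different receiver_email"
    order = expected_orders.get(ipn.get("invoice"))
    if order is None:
        return False, "unknown invoice"
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return False, "mc_gross is not a valid amount"
    # Compare against the server's price, not the price echoed back from the form.
    if paid != order["amount"] or ipn.get("mc_currency") != order["currency"]:
        return False, "expected %s %s, PayPal reports %s %s" % (
            order["amount"], order["currency"], paid, ipn.get("mc_currency"))
    # Each txn_id may be honoured once; a replayed IPN must not release goods twice.
    txn_id = ipn.get("txn_id")
    if not txn_id or txn_id in seen_txn_ids:
        return False, "missing or already-processed txn_id"
    seen_txn_ids.add(txn_id)
    return True, "ok"


# Constructed IPN samples: the $11.00 item from the thread, paid as sent and paid
# after editing the form's amount down to $1.00.
GOOD_IPN = {"payment_status": "Completed", "receiver_email": "seller@example.com",
            "invoice": "INV-1001", "mc_gross": "11.00", "mc_currency": "USD",
            "txn_id": "TXN-A1"}
TAMPERED_IPN = dict(GOOD_IPN, mc_gross="1.00", txn_id="TXN-B2")
```

In a real handler, `seen_txn_ids` would be a database lookup on stored transaction ids rather than an in-memory set, and a failed check should leave the order unfulfilled and logged for review.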