Open phoenix741 opened 10 years ago
Because of the way Paypal's "Payflow Link" works, you can't prevent the attack you described because your form posts the price info to Paypal's server. You do get a confirmation# back from Paypal though, so you can save the final amount and order info on your web site and then verify the order amount is correct and reject it when you get the confirmation# back from Paypal.
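The server-side check the reply above describes, as an added example that is not code from the project or from either poster: the order amount and currency are recorded when the checkout page is generated, and the confirmation is accepted only if it matches that record. The field names (`order_id`, `amount`, `currency`, `result`, `confirmation_id`) are assumptions, not Payflow's real parameter names, and the callback is assumed to have already been authenticated as coming from PayPal.

```python
from decimal import Decimal, InvalidOperation


def sample_orders():
    """Orders recorded server-side at checkout time (constructed sample data)."""
    return {
        "ORD-1001": {"amount": Decimal("49.99"), "currency": "USD", "status": "pending"},
        "ORD-1002": {"amount": Decimal("120.00"), "currency": "USD", "status": "pending"},
    }


def verify_confirmation(orders, confirmation):
    """Accept a payment confirmation only if it matches the stored order.

    `confirmation` is a dict of fields from the (already authenticated) callback;
    the field names are hypothetical. Returns (accepted, reason) and marks the
    order paid only on success, so a tampered or replayed confirmation never
    changes order state.
    """
    order = orders.get(confirmation.get("order_id"))
    if order is None:
        return False, "unknown order"
    if order["status"] != "pending":
        return False, "order already processed"  # duplicate/replayed confirmation
    if confirmation.get("result") != "0":  # assumed: "0" means approved
        return False, "payment not approved"
    try:
        paid = Decimal(str(confirmation.get("amount", "")))
    except InvalidOperation:
        return False, "malformed amount"
    # Compare against what the server decided the price was, never what the
    # client's form posted; this is what catches a client-side price change.
    if paid != order["amount"]:
        return False, f"amount mismatch: expected {order['amount']}, got {paid}"
    if confirmation.get("currency") != order["currency"]:
        return False, "currency mismatch"
    if not confirmation.get("confirmation_id"):
        return False, "missing confirmation id"
    order["status"] = "paid"
    order["confirmation_id"] = confirmation["confirmation_id"]
    return True, "ok"
```

A rejected order should be flagged for review and refunded rather than silently dropped, since the customer has still been charged the tampered amount.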
Hi,
I have a little question about security. What about an untrusted user? For all processing executed on the client side, we can't trust the user. The user can change the executed JavaScript with the help of a Greasemonkey script or manually. So if all the processing is done by the client, the client can change the price before sending it to PayPal.
How can this case be resolved without calling PayPal from the server side?