I’m currently building a checkout page where clients can pay the total amount (e.g. 200$) through different payment options like PayPal (which works fine), but the problem comes when I try to use a mobile payment API, which only reads the total price from a hidden input value that clients can change through the inspect tool.
So my question is: how do I prevent clients from modifying the product price before it is sent to the server (currently running PHP)? Simply because the client can modify the product price from 200$ to 10$.
Please help
2 Answers
You don’t. You have no control over what someone else is doing on their own computer.
Clients can send you any request they want. There’s no guarantee that the request is valid, that the data is correct, that the user is who they say they are, or even that the client is using your web page at all. They could be manually building their own requests in code just to mess with your server.
Never implicitly trust information from the client. Every request needs to be validated.
In the case of "product price" the real question is… Why are you allowing the client to tell you the price in the first place? Surely you already have that information on the server?
The client tells you what they’re buying. You then calculate the price of that purchase. What that means on a technical level is that the request to the server is only indicating the items being purchased. The server-side code would then take that information and look up the prices to calculate the total.
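The approach described in the answer above (the request names only the items, and the server looks up the prices), shown as an added PHP example that is not part of the original answers. The catalog array, the SKU names, the `items` and `total` field names and the quantity limit are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Constructed catalog standing in for a products table; prices in cents.
const CATALOG = ['sku-101' => 12000, 'sku-102' => 8000];
const MAX_QTY = 100; // assumed per-line quantity limit

// Total an order from server-side prices; $items maps product ID => quantity.
function computeTotalCents(array $items): int
{
    if ($items === []) {
        throw new InvalidArgumentException('Cart is empty');
    }
    $total = 0;
    foreach ($items as $sku => $qty) {
        // Reject anything that is not a product the server knows about.
        if (!array_key_exists($sku, CATALOG)) {
            throw new InvalidArgumentException('Unknown product');
        }
        // Quantities arrive as strings; accept only whole numbers in range.
        $qty = filter_var($qty, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => MAX_QTY]]);
        if ($qty === false) {
            throw new InvalidArgumentException('Invalid quantity');
        }
        $total += CATALOG[$sku] * $qty;
    }
    return $total;
}

// Handle a posted checkout form; any client-sent price field is never read.
function handleCheckout(array $post): int
{
    $items = $post['items'] ?? null;
    if (!is_array($items)) {
        throw new InvalidArgumentException('Missing items');
    }
    return computeTotalCents($items);
}

// Constructed request: the hidden "total" field was edited from 200 to 10.
$tampered = ['items' => ['sku-101' => '1', 'sku-102' => '1'], 'total' => '10'];
$cents = handleCheckout($tampered); // in a real handler, pass $_POST
printf("Amount to charge: %.2f\n", $cents / 100);
```

The amount computed here is the one the server-side code would pass on to the payment API, so the value in the hidden input no longer affects what is charged.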
Maybe you can set the input to be disabled (https://www.w3schools.com/TAGS/att_input_disabled.asp) or readonly (https://www.w3schools.com/TAGS/att_input_readonly.asp), in which case the user may not be able to change the price. Or maybe use $_SESSION to store the total price as well.