
I’ve been working with both the Stripe and PayPal PHP APIs to implement payments. Working with JS APIs is still a bit of a mystery for me. So just this snippet from Braintree Sofort/Klarna as an example:

function createLocalPaymentClickListener(type) {
    return function (event) {
        event.preventDefault();

        localPaymentInstance.startPayment({
            paymentType: type,
            amount: '10.67',
            ...
        });
    };
}

The amount of 10.67 is set via Javascript and I have no way to confirm this amount after the user clicked the Sofort payment button, since an overlay is opened and most of the payment is handled by PayPal / Klarna then. Only a payment token is returned. A user who knows a bit about this could easily manipulate this amount and pay a different amount, that he/she sets himself.

How could I make sure that this amount cannot be changed?

2 Answers


  1. You are right that with simpler client-side integrations, malicious clients can often change the amount they are going to approve. There is no guard against this other than switching over to a more server-side integration scheme, where the amount is set in an API call to the payment gateway.

    However, clients setting the amount they are going to approve isn’t necessarily a problem. With Braintree for example, the actual capture (after client gives approval) happens on your server. And so if the amount or any other details are wrong, you can discard the payment right then and there, and not proceed with any capture that would actually create a transaction.

  2. Option 1:
    Even if the user modifies the amount, follow this mechanism:

    Verify the transaction Ref: https://developer.paypal.com/docs/checkout/integrate/

    Server side

    1. Set up your server to make calls to PayPal
    2. Set up your server to receive a call from the client with the order ID
    3. Call PayPal to get the transaction details
    4. Handle any errors from the call
    5. Validate the transaction details are as expected

        // 5. Validate the transaction details are as expected
        if (details.purchase_units[0].amount.value !== '5.77') {
          return response.send(400);
        }

    6. Save the transaction in your database
    7. Return a successful response to the client
    

    Option 2:
    See whether you can encrypt the data
    https://www.paypal.com/cgi-bin/webscr?cmd=p/xcl/rec/ewp-techview-outside

    Have a page redirect mechanism and prevent users from viewing the amount. While sending data across different pages, use an encryption mechanism as suggested above.

    General note: never trust data coming from the client side. That's why we have server-side validations as well. Even though we have client-side validations in place, users can bypass them.

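Both answers come down to the same control: the server, not the browser, decides what the order costs, and before any capture it compares what the gateway says the customer approved against its own record. The block below is an added example of that check and is not code from the question, from either answer, or from Braintree or PayPal. It assumes a gateway response shaped like the field the second answer quotes (`details.purchase_units[0].amount.value`, with `currency_code` and an order `status` beside it); the `ORDERS` map stands in for the server's database, and the order and gateway ids are placeholders.

```javascript
// Added example (not from the question or the answers): server-side
// verification of a gateway's reported transaction details against the order
// the server itself recorded, run before any capture is made.
// The response shape follows `details.purchase_units[0].amount.value` as
// quoted in the second answer; everything else here is constructed.

// Server-side order store: what the server believes the customer owes.
// Amounts are kept in minor units (cents) so comparisons are exact integers.
const ORDERS = new Map([
  ['order-1001', { amountMinor: 1067, currency: 'EUR', status: 'PENDING' }],
]);

// Convert a decimal string such as "10.67" into integer minor units without
// going through floating point. Anything that is not a plain non-negative
// decimal with at most two fractional digits is rejected (returns null).
function toMinorUnits(value) {
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(String(value));
  if (!m) return null;
  const frac = (m[2] || '').padEnd(2, '0');
  return Number(m[1]) * 100 + Number(frac);
}

// Compare what the gateway reports the client approved with the server's own
// record. Returns { ok: true } or { ok: false, reason } so the caller can
// refuse to capture and log the mismatch. The PENDING check also stops an
// already-processed order from being verified (and captured) a second time.
function verifyApprovedOrder(orderId, details) {
  const expected = ORDERS.get(orderId);
  if (!expected) return { ok: false, reason: 'unknown order id' };
  if (expected.status !== 'PENDING') return { ok: false, reason: 'order already processed' };

  const unit = details && Array.isArray(details.purchase_units) && details.purchase_units[0];
  if (!unit || !unit.amount) return { ok: false, reason: 'malformed gateway response' };

  if (details.status !== 'APPROVED') return { ok: false, reason: `unexpected status ${details.status}` };
  if (unit.amount.currency_code !== expected.currency) return { ok: false, reason: 'currency mismatch' };

  const approvedMinor = toMinorUnits(unit.amount.value);
  if (approvedMinor === null) return { ok: false, reason: 'unparseable amount' };
  if (approvedMinor !== expected.amountMinor) {
    return { ok: false, reason: `amount mismatch: approved ${approvedMinor}, expected ${expected.amountMinor}` };
  }
  return { ok: true };
}

// Constructed sample: the gateway's details when the client left the amount
// alone ...
const honestDetails = {
  id: 'GATEWAY-ORDER-ID-PLACEHOLDER',
  status: 'APPROVED',
  purchase_units: [{ amount: { currency_code: 'EUR', value: '10.67' } }],
};
// ... and when the amount in the page script was edited before approval.
const tamperedDetails = {
  id: 'GATEWAY-ORDER-ID-PLACEHOLDER',
  status: 'APPROVED',
  purchase_units: [{ amount: { currency_code: 'EUR', value: '1.67' } }],
};

console.log(verifyApprovedOrder('order-1001', honestDetails));
// { ok: true }
console.log(verifyApprovedOrder('order-1001', tamperedDetails));
// { ok: false, reason: 'amount mismatch: approved 167, expected 1067' }
```

The comparison deliberately runs on the server's copy of the amount, keyed by the server's own order id, so the value in the browser script is only ever a display hint: if it is changed, the gateway reports the changed figure, the check fails, and no capture is issued. Comparing in integer minor units and checking the currency as well closes the two usual gaps in a naive string compare (`'10.67'` versus `'10.670'`, or the right number in the wrong currency).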