Question

I have to build a PayPal cart in PHP (this is the tutorial I used: http://jdmweb.com/how-to-easily-integrate-a-paypal-checkout-with-php).

At the end I have an HTML form like this:

<form id="paypal_checkout" action="https://www.paypal.com/cgi-bin/webscr" method="post">
    <!-- PayPal: values indicating that the products belong to a cart -->
    <input type="hidden" name="cmd" value="_cart">
    <input type="hidden" name="upload" value="1">
    <input type="hidden" name="no_note" value="0">
    <input type="hidden" name="bn" value="PP-BuyNowBF">
    <input type="hidden" name="tax" value="0">
    <input type="hidden" name="rm" value="2">

    <!-- PayPal: configuration values for the merchant (payee) PayPal account -->
    <input type="hidden" name="business" value="projet.license.info@gmail.com">
    <input type="hidden" name="handling_cart" value="6.1">
    <input type="hidden" name="currency_code" value="EUR">
    <input type="hidden" name="lc" value="FR">
    <input type="hidden" name="return" value="http://localhost/site-web-commercial/controllers/ControllerCommande.php?action=retourPaypal">
    <input type="hidden" name="cbt" value="Revenir chez Home Lampe">
    <input type="hidden" name="cancel_return" value="http://localhost/site-web-commercial/controllers/ControllerCommande.php?action=cancelPaypal">
    <input type="hidden" name="custom" value="">

    <div id="item_1" class="itemwrap">
        <input type="hidden" name="item_name_1" value="produit1">
        <input type="hidden" name="quantity_1" value="4">
        <input type="hidden" name="amount_1" value="18.67">
        <input type="hidden" name="shipping_1" value="0">
    </div>
    <div id="item_2" class="itemwrap">
        <input type="hidden" name="item_name_2" value="produit3">
        <input type="hidden" name="quantity_2" value="2">
        <input type="hidden" name="amount_2" value="22.22">
        <input type="hidden" name="shipping_2" value="0">
    </div>

    <input id="ppcheckoutbtn" type="button" name="submitPaiement" value="Checkout" class="button">
</form>

My problem is that an experienced user can modify the amounts in the form before sending it (with Firebug, for example).

Is there a way to secure a form like this?

What I thought was to fetch the form via AJAX and then submit it to PayPal; that way a user can't modify the item amounts. I don't know if it is the best choice.

This is a website for someone who doesn't want to create items on the PayPal website, but only in their own website's back office.

Thanks in advance for any help.


Solution

It doesn't matter whether you use AJAX or not. The user will always have a way to change the data that he is sending to you. The ground rule when you develop applications is: never trust data from the user.

In this case the trick is to gather only the main data, i.e. item id and amount. You don't take prices from the form. Before sending, you check the prices of the chosen products in your database and send those to PayPal.

So the only variables that he can modify are product and amount. If he changes the amount from 1 to 10 he will just pay for 10, so it's not a problem :)

I don't know this class that you are using, but it's very unsafe and you shouldn't use it. Send the data to PayPal using cURL, for example, and not directly from the form.

You should read about how to use Express Checkout or Direct Payments.
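The server-side recomputation the answer describes, as an added example that is not part of the question or the answer: the browser submits only product ids and quantities, prices are looked up in a catalog (the `CATALOG` array is a constructed stand-in for the shop's database table), and the PayPal cart fields are assembled on the server. The function name, the `id => quantity` request shape and the merchant address are assumptions.

```php
<?php
// Constructed stand-in for the product table; in the real back office this
// would be a database lookup by product id.
const CATALOG = [
    'produit1' => ['name' => 'produit1', 'price' => 18.67],
    'produit3' => ['name' => 'produit3', 'price' => 22.22],
];

/**
 * Turn the untrusted cart (product id => quantity, e.g. $_POST['cart']) into
 * PayPal "_cart" upload fields whose prices come from CATALOG, never from the
 * request. Returns null if any item is unknown or any quantity is not a
 * positive integer, so a tampered submission is rejected as a whole.
 */
function buildPaypalCartFields(array $untrustedCart, string $business, string $currency): ?array
{
    $fields = [
        'cmd'           => '_cart',
        'upload'        => '1',
        'business'      => $business,
        'currency_code' => $currency,
    ];
    $n = 1;
    foreach ($untrustedCart as $productId => $qty) {
        // filter_var returns false for "4abc", "-1", "0", "1e3" and similar.
        $qty = filter_var($qty, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($qty === false || !isset(CATALOG[$productId])) {
            return null;
        }
        $product = CATALOG[$productId];
        $fields["item_name_$n"] = $product['name'];
        $fields["quantity_$n"]  = (string) $qty;
        // Unit price is taken from the catalog; an "amount_N" value sent by the
        // browser is simply never read.
        $fields["amount_$n"]    = number_format($product['price'], 2, '.', '');
        $n++;
    }
    return $fields;
}

// Constructed request: only ids and quantities are read from it.
$posted = ['produit1' => '4', 'produit3' => '2'];
$fields = buildPaypalCartFields($posted, 'merchant@example.com', 'EUR');
if ($fields === null) {
    http_response_code(400);
    exit('Invalid cart');
}
// $fields is now the trusted parameter set the server hands to PayPal.
print_r($fields);
```

The resulting array is what the server sends to PayPal (through the cURL-based Express Checkout flow the answer points to); rendering it back into hidden inputs would just recreate the editable form.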

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow