How to prevent inspect element value on submit in php

Question

i faced very weird issue in my web.

i make a product page and its price. When i go to cart and submit the paypal, it submit perfectly but when i get inspect element and change the value the value of input has been changed and when i submit the button the inspected value submited.

i do somthing in code but nothing happen

here is my code

    function wp_paypal_product($atts) {
    extract(shortcode_atts(array(
        'prodname' => 'no value'
                    ), $atts));

    global $wpdb;
    $table = $wpdb->prefix . 'paypal_products';
    $prodname = str_replace('-', ' ', $prodname);
    $shorcode_product = $wpdb->get_row("SELECT * FROM $table WHERE product_name ='$prodname'");
    $product_name = $shorcode_product->product_name;
    $product_price = $shorcode_product->product_price;
    $product_id = $shorcode_product->id;
    $paypalID = get_option('paypalID');
    $currency = get_option('currency');
    $upload_image = get_option('upload_image');
    $return_url = get_option('return_url');
    $email_subject = get_option('email_subject');
    $email_message = get_option('email_message');

    if (!$upload_image) {
        $upload_image = 'http://www.paypalobjects.com/en_US/i/btn/btn_buynow_LG.gif';
    }

    $output = $product_name . '<br>'
            . $product_price . '<br>'
            . $paypalID . '<br>'
            . $currency . '<br>'
            . $upload_image . '<br>'
            . $return_url . '<br>'
            . $email_subject . '<br>'
            . $email_message . '<br>';

    $output = '<form name="_xclick" action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_blank">
        <input type="hidden" name="cmd" value="_xclick">
        <input type="hidden" name="business" value="' . $paypalID . '">
        <input type="hidden" name="return" value="' . $return_url . '">
        <input type="hidden" name="currency_code" value="' . $currency . '">
        <input type="hidden" name="item_name" value="' . $product_name . '">
        <input type="hidden" name="amount" value="' . $product_price . '">
        <input name="notify_url" value="' . plugin_dir_url(__FILE__) . 'ipn.php" type="hidden">
        <input type="image" src="' . $upload_image . '" border="0" name="submit" alt="Make payments with PayPal - its fast, free and secure!"> 
        </form>';

    return $output;
}


add_shortcode('wp-paypal-product', 'wp_paypal_product');

How can i prevent the inspected value on submit......PLEASE HELP ME.

Answer 1

Ok, this is for every one you can prevent data save in Inspect Element....this work 100000% work.

This is very helpful for online shoping

Now you can put jQuery code after your Form.

Like this

$output = '<form name="_xclick" action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_blank">
        <input type="hidden" name="cmd" value="_xclick">
        <input type="hidden" name="business" value="' . $paypalID . '">
        <input type="hidden" name="return" value="' . $return_url . '">
        <input type="hidden" name="currency_code" value="' . $currency . '">
        <input type="hidden" name="item_name" value="' . $product_name . '">
        <input type="hidden" name="amount" id="p'.$product_id.'" value="' . $product_price . '">
        <input name="notify_url" value="' . plugin_dir_url(__FILE__) . 'ipn.php" type="hidden">
        <input type="image" src="' . $upload_image . '" border="0" name="submit" alt="Make payments with PayPal - its fast, free and secure!"> 
        </form>';

    $output .= "<script>
                    jQuery(document).ready(function(){
                        var a=".$product_price.";
                        jQuery('form[name=_xclick]').submit(function(c){
                            var b=jQuery('input[id=p".$product_id."]').val();
                            if(b==a){
                                return
                            }else{
                                c.preventDefault()
                            }
                        })
                    });
                </script>";

    return $output;

First we make an id in price text field.
We save price from DB in jQuery.
Then we call a form on submit save a value of amount text field.
Then we check if DB value and amount value is same then it proceed else it stop.

if any on can change the value of amount in inspect element, then the form is not submited.

Hope this will help you.

But you should know that, using this method, a determined attacker could still change your prices, even though joe user might not be able to inspect element. So a better option would be to only submit the product id and use a server side process to communicate with PayPal.

Answer 2

You can't prevent that. The correct way would be to only transmit the id of the product to the server and read the price from the database before adding it to the cart. Or, even better, only store the ID in the cart and read the price from the database when you display the cart.

Do not rely on POST data when you transmit crucial data, there are just too many ways the user can modify it. If you use JavaScript to prevent the submit of a form that has been tempered with, the user can just disable JavaScript. Or he can use a proxy application (Paros, Fiddler, WebScarab are examples of proxy apps that are designed to analyze and modify HTTP requests and responses between the browser and the server) to modify the POST data before it is actually transmitted.

Only store crucial data in a session.