Security concerns with paypal_adaptive gem

Question

I'm using the paypal_adaptive gem with Rails 3.1 to make chained payments. However, after watching http://railscasts.com/episodes/143-paypal-security I've become concerned that I should perhaps add security measures to my payment request. Specifically, I don't want someone to be able to manipulate the prices of the items which I send in my request. Of course, I'm using the standard paypal_adaptive gem request:

pay_request = PaypalAdaptive::Request.new

data = {
"returnUrl" => "http://testserver.com/payments/completed_payment_request", 
"requestEnvelope" => {"errorLanguage" => "en_US"},
"currencyCode"=>"USD",  
"receiverList"=>{"receiver"=>[{"email"=>"testpp_1261697850_per@nextsprocket.com",     "amount"=>"10.00"}]},
"cancelUrl"=>"http://testserver.com/payments/canceled_payment_request",
"actionType"=>"PAY",
"ipnNotificationUrl"=>"http://testserver.com/payments/ipn_notification"
}

pay_response = pay_request.pay(data)

if pay_response.success?
  redirect_to pay_response.approve_paypal_payment_url
else
  puts pay_response.errors.first['message']
  redirect_to failed_payment_url
end

My question is: do I need to encrypt this request to prevent people from changing prices like Ryan does in his rails cast? If so, how can I manipulate this code in order to do so?

Answer 1

IPN validation is definitely good practice. But with regards to encrypting the variables sent across; no, that's not necessary.

The example listed on http://railscasts.com/episodes/143-paypal-security uses Website Payments Standard, in which case it is good to encrypt it.

But Adaptive Payments is a series of server-to-server API calls (the 'Pay' API), from your server to PayPal's. The only part exposed to the buyer is the payKey, a temporary token which the buyer can't manipulate.