Question

I need to create dynamic 'Pay Now' buttons on my site, and PayPal says the way to do this is via an HTML FORM with preset variables for the price, currency, and item of the purchase. I use PayPal IPN to notify me when a payment has completed.

However, what's to stop someone from modifying the query parameters of the Pay Now button to change the price? Some people have told me to redirect the button through a PHP file that sends you to a PayPal payment page with the parameters in place, but the price could just as easily be manipulated in the Web browser's address bar. My question is, how can I deny a payment if the information I receive from PayPal's IPN service is invalid (if the price doesn't match our records)?

I'm quite confused and couldn't find any documentation on what I'm looking for. Hopefully, you guys can help.

Thanks!


Solution

I think you want to enable Encrypted Website Payments. I haven't done this before, but you can read more here: https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_encryptedwebpayments

Other tips

In your IPN listener, check all the variables you sent to PayPal. In PayPal's response, all the variables which are related to the transaction will be sent back to you (i.e., the amount, receiver's email, payment status, etc.).

So, what you can do is check all the values of those variables with expected values and do the appropriate task.

See this for more details.
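The comparison described in this answer, as an added example that is not part of the original posts: an IPN handler step that checks the returned variables against the server's own order record. It assumes the message has already been confirmed as genuine with PayPal, that the button carried the order id in the `invoice` variable, and that the order table, merchant address and sample messages below are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data (assumptions for this example, not real PayPal values).
ORDERS = {"INV-1001": {"amount": Decimal("49.99"), "currency": "USD"}}
MERCHANT_EMAIL = "seller@example.com"
GOOD_IPN = {"payment_status": "Completed", "receiver_email": "seller@example.com",
            "txn_id": "TXN-A1", "invoice": "INV-1001",
            "mc_gross": "49.99", "mc_currency": "USD"}
# Same order, but the amount in the button was edited before paying.
TAMPERED_IPN = dict(GOOD_IPN, txn_id="TXN-B2", mc_gross="0.01")


def check_ipn(ipn, orders, merchant_email, seen_txn_ids):
    """Return (accepted, reason) for an IPN message already verified with PayPal."""
    if ipn.get("payment_status") != "Completed":
        return False, "payment not completed"
    # The money must have gone to our account, not to an address swapped in the form.
    if ipn.get("receiver_email", "").lower() != merchant_email.lower():
        return False, "wrong receiver"
    txn_id = ipn.get("txn_id")
    if not txn_id or txn_id in seen_txn_ids:
        return False, "missing or duplicate txn_id"
    # The expected price comes from our records, never from the request.
    order = orders.get(ipn.get("invoice"))
    if order is None:
        return False, "unknown invoice"
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return False, "bad amount"
    if not paid.is_finite():
        return False, "bad amount"
    if ipn.get("mc_currency") != order["currency"]:
        return False, "currency mismatch"
    if paid != order["amount"]:
        return False, "amount mismatch"
    seen_txn_ids.add(txn_id)  # remember it so a replayed message is refused
    return True, "ok"


if __name__ == "__main__":
    seen = set()
    for name, msg in (("good", GOOD_IPN), ("replay", GOOD_IPN), ("tampered", TAMPERED_IPN)):
        print(name, check_ipn(msg, ORDERS, MERCHANT_EMAIL, seen))
```

Only an accepted message should mark the order as paid; a rejected one leaves the order unfulfilled and can be logged for manual review or refund.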

License: CC-BY-SA with attribution
Not affiliated with StackOverflow