PayPal amount tampering


Question

I've never done a PayPal integration before, however I have worked with other gateways.

With other gateways there is a hash which is also sent in the form post; this stops people from tampering with the data, i.e. changing the amount.

How is this tampering stopped with PayPal? There doesn't appear to be any hash.

<form method="post" action="https://www.sandbox.paypal.com/cgi-bin/webscr">
  <input type="hidden" value="_xclick" name="cmd">
  <input type="hidden" value="online****@theg*****.com" name="business">
  <!-- <input type="hidden" name="undefined_quantity" value="1" /> -->
  <input type="hidden" value="Order" name="item_name">
  <input type="hidden" value="NA" name="item_number">
  <input type="hidden" value="22.16" name="amount">
  <input type="hidden" value="5.17" name="shipping">
  <input type="hidden" value="0" name="discount_amount">        
  <input type="hidden" value="0" name="no_shipping">
  <input type="hidden" value="No comments" name="cn">
  <input type="hidden" value="USD" name="currency_code">
  <input type="hidden" value="http://XXX/XXX/XXX/paypal/return" name="return">
  <input type="hidden" value="2" name="rm">      
  <input type="hidden" value="11255XXX" name="invoice">
  <input type="hidden" value="US" name="lc">
  <input type="hidden" value="PP-BuyNowBF" name="bn">
  <input type="submit" value="Place Order!" name="finalizeOrder" id="finalizeOrder" class="submitButton">
</form>

So how can I stop people amending the amount before posting to PayPal? I.e. the amount should be 100 but people change it to 1.

Recommended answer

There are a couple of ways to prevent this. The first is using PayPal's Instant Payment Notification (IPN). Using this, you would compare the prices that PayPal posts back to you to confirm that they match what you are expecting. If they don't match, you cancel the order.

Example workflow:

  • The user orders an item and modifies the price to $0.01
  • The order is posted to PayPal, showing a price of $0.01
  • The user accepts the price and pays $0.01
  • PayPal calls your IPN URL and posts the transaction details, showing the user paid $0.01 for something
  • Your IPN handler checks the price PayPal received ($0.01) against the price you were expecting (> $0.01). Since they don't match, you cancel the order

Another option is to use PayPal's Button API to create dynamic, encrypted buttons. These are embedded into your page and the user clicks one to make their order. Since it is encrypted, the user is unable to reliably modify the source code during the transaction. A nice example of this is available in this answer. Additionally, you are able to combine this with the IPN option listed above to serve as a nice audit of the transaction.
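The IPN check the answer describes, written out as an added example (this is not code from the question, the answer, or PayPal). It assumes orders are looked up by the `invoice` value your form sends, that the expected total is `amount` plus `shipping`, that `RECEIVER_EMAIL` is your merchant account address, and that the verification endpoint is the one in PayPal's IPN documentation at the time of writing; the invoice numbers, e-mail and IPN bodies are constructed so the block runs offline with the verification step stubbed.

```python
import copy
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl
from urllib.request import Request, urlopen

# PayPal's IPN verification endpoint (assumption: confirm against PayPal's current
# IPN docs; the sandbox equivalent is https://ipnpb.sandbox.paypal.com/cgi-bin/webscr).
PAYPAL_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"

# Constructed sample order store: what the *server* says each invoice costs.
# The invoice number and merchant e-mail are made up for this example.
ORDERS = {
    "11255001": {"amount": Decimal("22.16"), "shipping": Decimal("5.17"),
                 "currency": "USD", "status": "pending"},
}
RECEIVER_EMAIL = "online@example.com"
SEEN_TXN_IDS = set()  # txn_ids already processed, so a replayed IPN is ignored


def paypal_verify(raw_body: bytes) -> str:
    """Echo the unmodified IPN body back to PayPal, prefixed with
    cmd=_notify-validate. PayPal answers with the text VERIFIED or INVALID."""
    req = Request(
        PAYPAL_VERIFY_URL,
        data=b"cmd=_notify-validate&" + raw_body,
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "example-ipn-handler"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii", "replace").strip()


def handle_ipn(raw_body: bytes, orders=ORDERS, seen=SEEN_TXN_IDS,
               receiver=RECEIVER_EMAIL, verify=paypal_verify):
    """Decide whether an IPN proves the buyer paid the full expected total.
    Returns (accepted, reason). `verify` is injectable so tests can run offline."""
    fields = dict(parse_qsl(raw_body.decode("utf-8"), keep_blank_values=True))

    # 1. The message must really come from PayPal, not from the buyer's browser.
    if verify(raw_body) != "VERIFIED":
        return False, "IPN not verified by PayPal"
    # 2. Only a completed payment is worth fulfilling.
    if fields.get("payment_status") != "Completed":
        return False, "payment_status is %r" % fields.get("payment_status")
    # 3. The money must have gone to *our* account.
    if fields.get("receiver_email", "").lower() != receiver.lower():
        return False, "paid to a different receiver"
    # 4. Each txn_id is honoured once (a replayed genuine IPN must not re-fulfil).
    txn_id = fields.get("txn_id", "")
    if not txn_id or txn_id in seen:
        return False, "missing or replayed txn_id"
    # 5. Look the order up by our own invoice number ...
    order = orders.get(fields.get("invoice", ""))
    if order is None or order["status"] != "pending":
        return False, "unknown or already handled invoice"
    # 6. ... and compare currency and gross amount with the server-side truth,
    #    never with the hidden fields the buyer could have edited.
    try:
        paid = Decimal(fields.get("mc_gross", ""))
    except InvalidOperation:
        return False, "unparseable mc_gross"
    expected = order["amount"] + order["shipping"]
    if fields.get("mc_currency") != order["currency"] or paid != expected:
        order["status"] = "cancelled"  # the answer's "cancel the order" step
        return False, "paid %s %s, expected %s %s" % (
            paid, fields.get("mc_currency"), expected, order["currency"])

    seen.add(txn_id)
    order["status"] = "paid"
    return True, "ok"


# Constructed IPN bodies (not real PayPal traffic): a buyer who changed the
# hidden amount field to 0.01 before posting, and an honest payment.
TAMPERED_IPN = (b"payment_status=Completed&receiver_email=online%40example.com"
                b"&txn_id=1AB23456CD7890123&invoice=11255001&mc_currency=USD"
                b"&mc_gross=0.01")
HONEST_IPN = (b"payment_status=Completed&receiver_email=online%40example.com"
              b"&txn_id=9ZY87654XW3210987&invoice=11255001&mc_currency=USD"
              b"&mc_gross=27.33")


def demo(verify=lambda body: "VERIFIED"):
    """Run both messages against fresh copies of the store. Offline: the verify
    step is stubbed to VERIFIED so only the amount comparison decides."""
    results = []
    for body in (TAMPERED_IPN, HONEST_IPN):
        results.append(handle_ipn(body, orders=copy.deepcopy(ORDERS),
                                  seen=set(), verify=verify))
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print("ACCEPT" if accepted else "REJECT", reason)
```

The order of the checks matters: the origin check comes first because every later field is attacker-controlled until PayPal has confirmed the message, and the amount is compared against the price stored on your side, not against anything echoed from the form. Note also that the `return` URL (with `rm=2` in the form above) is only where the buyer's browser lands afterwards; fulfil the order from the IPN handler, not from the return page.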
