How can I secure transactions made with client-side PayPal Smart Checkout buttons?


Question

I'm trying to make a Smart Checkout button in my website which is currently running 100% in client-side.

I pass an amount to the createOrder function, based on the contents of the shopping cart, which is client-side. Now, I know that the amount can perfectly be tampered with, and PayPal would have no way of knowing that the customer is underpaying.

We are a small group of people and expect a low volume of sales, so we wouldn't have a problem detecting these underpayments and canceling the transaction (refunding the paid amount to the customer, and not shipping the item).

However, we would still have to pay PayPal fees, so this can be easily abused into making us (the seller) lose money.

Is there any way to make client-side PayPal Smart Checkout buttons, while also protecting myself from this kind of exploit?

Recommended answer

Is there any way to make client-side PayPal Smart Checkout buttons, while also protecting myself from this kind of exploit?

This is why server-side verification is a must. It is very easy to exploit these kinds of things client-side and you cannot secure it client-side either. PayPal have documentation on server-side implementations for verifying payments. They have many SDKs too to suit your needs, e.g. NodeJS, PHP, Python...

PayPal Checkout server-side SDK
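
The server-side verification the answer calls for, as an added example that is not part of the original answer or PayPal's own code: the server recomputes the total from its own price list and compares it with the amount on the order before capturing or shipping. PRICE_CENTS, the cart shape and verifyOrder are hypothetical names; the order objects are constructed samples shaped like an Orders v2 order-details response, which a real server would fetch from PayPal itself.

```javascript
// Authoritative prices in integer cents, kept on the server only (hypothetical catalogue).
const PRICE_CENTS = { "sku-mug": 1250, "sku-shirt": 1999 };

// Parse a decimal string such as "44.99" into integer cents without float rounding.
function toCents(value) {
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(String(value));
  if (!m) return null;
  return Number(m[1]) * 100 + Number((m[2] || "").padEnd(2, "0"));
}

// Recompute the total from item ids and quantities only; client-sent prices are ignored.
function expectedCents(cart) {
  let total = 0;
  for (const { sku, qty } of cart) {
    if (!Object.prototype.hasOwnProperty.call(PRICE_CENTS, sku)) {
      throw new Error(`unknown sku: ${sku}`);
    }
    if (!Number.isInteger(qty) || qty < 1) throw new Error(`bad quantity for ${sku}`);
    total += PRICE_CENTS[sku] * qty;
  }
  return total;
}

// Returns { ok, reason }. Assumes the check runs after buyer approval and before
// the server captures the payment, so the expected status is "APPROVED".
function verifyOrder(order, cart, currency = "USD") {
  if (order.status !== "APPROVED") return { ok: false, reason: "unexpected status" };
  const units = order.purchase_units || [];
  if (units.length !== 1) return { ok: false, reason: "unexpected purchase units" };
  const { currency_code, value } = units[0].amount || {};
  if (currency_code !== currency) return { ok: false, reason: "currency mismatch" };
  if (toCents(value) !== expectedCents(cart)) return { ok: false, reason: "amount mismatch" };
  return { ok: true, reason: "amount matches server total" };
}

// Constructed samples: an honest order and one whose amount was edited in the browser.
const cart = [{ sku: "sku-mug", qty: 2 }, { sku: "sku-shirt", qty: 1 }];
const honest = { status: "APPROVED",
  purchase_units: [{ amount: { currency_code: "USD", value: "44.99" } }] };
const tampered = { status: "APPROVED",
  purchase_units: [{ amount: { currency_code: "USD", value: "0.01" } }] };

console.log(verifyOrder(honest, cart));   // passes
console.log(verifyOrder(tampered, cart)); // rejected: amount mismatch
```

An order that fails the check is simply never captured or fulfilled by the server.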
