如何$隐藏字段的对$ pvent编辑与贝宝的网站付款标准? [英] How to prevent editing of hidden field with PayPal's Website Payment Standard?
问题描述
我使用贝宝的网站付款标准在我的ASP.NET网站。
I'm using PayPal's Website Payment Standard in my ASP.NET website.
我做的,当用户点击的是立即付款按钮,我做在codebhind以下内容:
What I do is when the user clicks on the "Pay Now" button, I do the following in the codebhind:
- DB状态更改
- 贝宝形态的生成,为项目隐藏字段
- 呼叫ScriptManager.RegisterClientScriptBlock()来调用提交表单的PayPal贝宝的JavaScript函数。
我担心,用户可以美元的Web浏览器p $ PSS停止,然后在隐蔽的形式编辑的值,然后提交表单。有没有一种方法,以prevent呢?或者更好的选择?
I'm worried that the user can press stop on the web browser and then edit the values in the hidden forms and then submit the form. Is there a way to prevent this? Or a better alternative?
感谢你这么多提前!
推荐答案
我没有做过PP标准。我用网关和Pro / EX preSS结帐,但其相当一段时间 - 然而,你的问题可以在一个更通用的方式处理...
I haven't done PP Standard. I've used Gateway and Pro/Express Checkout but its been quite a while - still, your question can be handled in a more "generic" way...
不幸的是你的计划不会做任何事情来保护你 - 就像在网络上的任何其他HTML表单,HTTP请求和响应可以检查并使用现成的工具篡改
Unfortunately your plan will not do anything to protect you - just like any other HTML Form on the web, HTTP requests and responses can be inspected and tampered with using readily available tools.
要prevent常见的篡改方法是做从任何客户端/浏览器来提交值的服务器端验证(拇指规则是不信任任何人)。在您的情况,您是在服务器端做的事情,但是这仍然之前以数据的实际提交目标 - 这是贝宝。实际的数据发送到目标的步骤仍是浏览器/客户端 - 有位于该问题可以这么说。要验证的数据是为比你(所以你无法验证的PayPal)。
The common way to prevent tampering is to do server-side validation of submitted values coming from any client/browser (the rule of thumb is "trust no one"). In your scenario, you are doing things on the server side, but that's still prior to the actual submission target of the data - which is PayPal. The step that actually sends the data to the "target" is still the browser/client - and there lies the issue so to speak. The data to be validated is meant for a system other than yours (so you can't validate for PayPal).
除非有一个附加的安全层,例如签名或加密,它总是会容易被篡改(查看已成问题,它可以被看作)。
Unless there is an added layer of security, e.g. signature or encryption, it will always be vulnerable to tampering (viewing is a foregone matter, it can be viewed).
我不相信(但我可能是错的)PP标准有一个服务器到服务器张贴数据选项。这将有效地隐藏从客户端/浏览器的完全数据 - 没什么可看的,没有乱动。数据传输是在后台 - 客户端/浏览器并不知道它的
I don't believe (but I could be wrong) PP Standard has a server-to-server option for POSTing data. This would effectively "hide" the data altogether from the client/browser - nothing to see, nothing to tamper with. Data transfer is in the background - client/browser knows nothing of it.
然而,他们的<一个href=\"https://www.x.com/developers/paypal/documentation-tools/getting-started-guides/website-payments-standard-and-button#tryit\"相对=nofollow> PayPal付款标准和Button Manager API 似乎是这样做的正确的/安全的方式。
However, their PayPal Payments Standard and Button Manager API seems to be the right/secure way of doing this.
在本质上,你将创建他们所说的对飞加密按钮 。这样的数据看起来像乱码给任何人检查它 - 它只会是有意义的贝宝,因为他们可以据此对数据进行解密。这就是数据如何保护/篡改保护(不看 - 但同样,有什么方法可以看到的是乱码)...
In essence you will be creating what they call "encrypted buttons" on the fly. This way the data will look like gibberish to anyone inspecting it - it will only make sense to PayPal because they can decrypt the data accordingly. That's how the data is secured/protected from tampering (not viewing - but again, what can be seen is gibberish)...
Hth以上...
的更新的:
此外,你应该考虑的PayPal IPN来存储数据。您正在上面(我认为)的假设,大家谁点击这个按钮实际上与支付经历(或者可以成功支付)。随着IPN,你会监听的数据来自PayPal的未来只有支付成功后,的(这是你应该为了存储相关的数据和/或库存更新等)......
Also, you should consider PayPal IPN for storing data. You are making the assumption above (I think) that everyone who clicks the button will actually go through with the payment (or can pay successfully). With IPN, you will "listen" for data coming from PayPal only after successful payment (which is where you should store order related data and/or inventory updates, etc.) ....
这篇关于如何$隐藏字段的对$ pvent编辑与贝宝的网站付款标准?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
