Is the standard Javascript button secure enough or do I need a server side check?
https://developer.paypal.com/docs/checkout/integrate/
I am using the above JavaScript code to create a button, send the customer to PayPal's checkout page and get confirmation back.
When I get the confirmation back I want to trigger an Ajax command to my page that updates my MySQL database to say the purchase was successful.
However, as JavaScript is client-side, is this secure enough? I see two potential security dangers. Are these two actually a problem, or is it secure?
1) Can a customer trigger the onApprove part of the code (see below) without PayPal actually sending back a genuine approval?
2) A customer altering the call to trigger my payPalConfirm() method.
The code:
<script>
paypal.Buttons({
    createOrder: function(data, actions) {
        return actions.order.create({
            purchase_units: [{
                custom_id: '55',
                description: "Some description",
                amount: { value: '20' }
            }]
        });
    },
    onApprove: function(data, actions) {
        return actions.order.capture().then(function(details) {
            console.log(details);
            console.log(data);
            // purchase_units is an array, so the custom_id lives on its first element
            alert("Transaction completed by order id = " + data.orderID + " our id = " + details.purchase_units[0].custom_id);
            payPalConfirm(details.purchase_units[0].custom_id); // my ajax call to change my db entry to say payment was made
        });
    }
}).render('#paypal-button-container');
</script>
I would not rely on it - I had the same concern as you and so I implemented the web hooks so that PayPal could tell me if the transaction was completed or not. My web page code just passes the user on to a page that checks the result from the webhook (which I store in my database) so cannot be spoofed.
I posted my code (minus the web hook code) and a bit of an explanation in this thread if it is of help - let me know if you would like the web hook code, but it is in PHP 🙂
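As an added illustration of the server-side check both posts are talking about (example code, not the posters' or PayPal's own): the browser sends only the orderID from onApprove, and the server re-reads the order from PayPal's Orders API (GET /v2/checkout/orders/{id}) and compares the captured amount and custom_id against its own record before marking anything paid, so a forged payPalConfirm() call on its own changes nothing. `fetchOrder` and `db` are hypothetical helpers standing in for the authenticated API call and the purchase table; the sample order below is constructed.

```javascript
// Added example: server-side confirmation of a PayPal order.
// Nothing the client sends is trusted; PayPal's own order record decides.

// Decide from PayPal's order JSON (GET /v2/checkout/orders/{id}) whether it is
// safe to mark the purchase paid. `expected` is what OUR database says this
// purchase should cost, keyed by the custom_id we set in createOrder.
function verifyCapturedOrder(order, expected) {
  if (!order || order.status !== 'COMPLETED') return false;
  const unit = (order.purchase_units || [])[0];
  if (!unit || unit.custom_id !== expected.customId) return false;
  const capture = ((unit.payments || {}).captures || [])[0];
  if (!capture || capture.status !== 'COMPLETED') return false;
  // Compare what PayPal actually captured, not what the client claims was paid.
  return capture.amount.currency_code === expected.currency &&
         Number(capture.amount.value) === Number(expected.value);
}

// Handler behind the AJAX "payment done" call. `fetchOrder(orderId)` is a
// hypothetical helper that performs the authenticated GET against PayPal;
// `db` is a hypothetical interface: expectedFor(customId), markPaid(customId, orderId).
async function confirmPayment(orderId, fetchOrder, db) {
  const order = await fetchOrder(orderId);
  if (!order) return { ok: false, reason: 'order not found at PayPal' };
  const customId = ((order.purchase_units || [])[0] || {}).custom_id;
  const expected = db.expectedFor(customId);
  if (!expected) return { ok: false, reason: 'unknown purchase' };
  if (!verifyCapturedOrder(order, expected)) {
    return { ok: false, reason: 'not a completed capture for this purchase' };
  }
  db.markPaid(customId, orderId);
  return { ok: true };
}

// Constructed sample in the shape PayPal returns for a captured order.
const SAMPLE_ORDER = {
  id: 'ORDER-EXAMPLE-1',
  status: 'COMPLETED',
  purchase_units: [{
    custom_id: '55',
    payments: { captures: [{
      status: 'COMPLETED',
      amount: { currency_code: 'USD', value: '20.00' }
    }] }
  }]
};
```

The same comparison belongs in a webhook handler for PAYMENT.CAPTURE.COMPLETED, after the event's signature has been verified with PayPal's verify-webhook-signature endpoint; the client-side call then only tells the server which order to look up.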