Is the standard Javascript button secure enough or do I need a server side check?

whitedragon101
Contributor

https://developer.paypal.com/docs/checkout/integrate/
I am using the above JavaScript code to create a button, send the customer to PayPal's checkout page and get confirmation back.

When I get the confirmation back I want to trigger an Ajax command to my page that updates my MySQL database to say the purchase was successful.

However, as JavaScript is client-side, is this secure enough? I see two potential security dangers. Are these two actually a problem or is it secure?
1) Can a customer trigger the onApprove part of the code (see below) without PayPal actually sending back a genuine approval?

2) A customer altering the call to trigger my payPalConfirm() method.
The code
<script>
paypal.Buttons({
    // Runs in the browser when the button is clicked: asks PayPal to create the order.
    createOrder: function(data, actions) {
       return actions.order.create({
          purchase_units: [{
            custom_id: '55',
            description: "Some description",
            amount: { value: '20' }   // straight quotes; the curly quotes in the original are a syntax error
          }]
       });
    },

    // Runs in the browser after the customer approves the payment on PayPal's page.
    onApprove: function(data, actions) {
       return actions.order.capture().then(function(details) {
            console.log(details);
            console.log(data);
            // purchase_units is an array, so index it before reading custom_id
            alert("Transaction completed by order id = " + data.orderID + " our id = " + details.purchase_units[0].custom_id);
            payPalConfirm(details.purchase_units[0].custom_id); // my ajax call to change my db entry to say payment was made
       });
    }
}).render('#paypal-button-container');
</script>
FixItDik
Contributor

I would not rely on it - I had the same concern as you and so I implemented the webhooks so that PayPal could tell me if the transaction was completed or not. My web page code just passes the user on to a page that checks the result from the webhook (which I store in my database) so cannot be spoofed.

I posted my code (minus the webhook code) and a bit of an explanation in this thread if it is of help - let me know if you would like the webhook code, but it is in PHP 🙂
https://www.paypal-community.com/t5/PayPal-Payments-Standard/Using-a-custom-id-to-match-a-PayPal-tra...
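Building on FixItDik's point that the result has to be checked on the server, the following is an added example (not FixItDik's PHP and not code from the original post) of the server-side half in Node.js: the browser's payPalConfirm() sends only the orderID, and the server retrieves the order from PayPal's Orders v2 API with its own credentials and compares it against its own records before marking anything as paid. The order structure follows the Orders v2 response shape; every ID and value in the sample is a constructed placeholder, and the token-fetching step is assumed to exist elsewhere.

```javascript
// Server side (Node.js). Nothing the browser sends is trusted: faking the
// onApprove callback or editing the Ajax call cannot produce a valid order.

// Constructed sample of GET /v2/checkout/orders/{id} after a capture
// (shape per the Orders v2 API; every value here is a placeholder).
const SAMPLE_ORDER = {
  id: "ORDER-ID-EXAMPLE",
  status: "COMPLETED",
  purchase_units: [{
    custom_id: "55",
    amount: { currency_code: "USD", value: "20.00" },
    payments: { captures: [{
      id: "CAPTURE-ID-EXAMPLE", status: "COMPLETED",
      amount: { currency_code: "USD", value: "20.00" }
    }] }
  }]
};

// What the server expects for custom_id 55, read from its own records.
const EXPECTED = { custom_id: "55", currency_code: "USD", value: "20.00" };

// Pure check: returns { ok: false, reason } or { ok: true, captureId }.
function validateCapturedOrder(order, expected) {
  const unit = order && Array.isArray(order.purchase_units) ? order.purchase_units[0] : null;
  if (!unit) return { ok: false, reason: "no purchase unit" };
  if (order.status !== "COMPLETED") return { ok: false, reason: "order not completed" };
  if (unit.custom_id !== expected.custom_id) return { ok: false, reason: "custom_id mismatch" };
  const cap = unit.payments && unit.payments.captures ? unit.payments.captures[0] : null;
  if (!cap || cap.status !== "COMPLETED") return { ok: false, reason: "capture not completed" };
  // The price comes from the server's records, never from the client request.
  if (cap.amount.currency_code !== expected.currency_code ||
      Number(cap.amount.value) !== Number(expected.value)) {
    return { ok: false, reason: "amount mismatch" };
  }
  return { ok: true, captureId: cap.id };
}

// Fetch the order with a server-held OAuth token (assumes Node 18+ global
// fetch; obtaining the token is outside this example). Not called here.
async function fetchOrder(orderId, accessToken, base = "https://api-m.sandbox.paypal.com") {
  const res = await fetch(base + "/v2/checkout/orders/" + encodeURIComponent(orderId), {
    headers: { Authorization: "Bearer " + accessToken }
  });
  if (!res.ok) throw new Error("PayPal returned HTTP " + res.status);
  return res.json();
}
```

Store the returned captureId with the order and refuse a second update for the same capture, so a replayed confirmation request cannot mark a second purchase as paid.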
