Is it secure to pass a variable Amount to a Smart PayPal Button using the client side integration?

SaifObeidat
Contributor

Is it secure to pass a variable Amount to a Smart PayPal Button script?

If we assume that we have a basic amount of 100 and a checkbox option, then if the user selects it, it will increase the total amount by 20 to become 120.

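var baseAmount = 100;
var totalAmount = baseAmount;

// Recalculate the total on every form change: add the option's value only while its checkbox is ticked
$('form').change(function(){
  var option = $(this).find("input");
  totalAmount = baseAmount + (option.is(':checked') ? Number(option.val()) : 0);
});

paypal.Buttons({
  createOrder: function(data, actions) {
    // Set up the transaction
    return actions.order.create({
      purchase_units: [{
        amount: {
          value: totalAmount
        }
      }]
    });
  }
}).render('#paypal-button-container');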

It works fine and PayPal takes it as 120 and all is okay, but is it secure enough? Can somebody change the amount to 0 from the PayPal script with the browser inspect tool or something like this?

Please advise. Many thanks.
1 REPLY 1

CgyDev0101
Contributor

I don't believe that it is secure. When it comes to payments and setting up your order, doing it all client side is fine for a demo but not production (in my opinion).

A person can just put a breakpoint on the return statement and make the totalAmount JS var equal to any value they want. Then you need to make sure when you are verifying the order that the amounts match up. If you do this all server side then you take away this option.

I am in the process of implementing this and doing as much server side as possible. See https://developer.paypal.com/docs/checkout/reference/server-integration/set-up-transaction/#on-the-s...
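
What the reply recommends, sketched as an added example (not code from either poster or from PayPal): the server computes the total from its own price list and, before fulfilling, checks the amount on the order it reads back. The option id `extra`, the USD currency and the price table are assumptions, and the HTTP calls to PayPal's API are left out.

```javascript
// Added example: server-side pricing and amount check (Node.js, no network calls).
// Assumed price list kept on the server, in cents; the browser only sends option ids.
const BASE_PRICE_CENTS = 10000;               // base amount 100.00 from the question
const OPTION_PRICES_CENTS = { extra: 2000 };  // hypothetical id for the +20 checkbox
const CURRENCY = 'USD';                       // assumed currency

// Compute the total from trusted server data; unknown or repeated option ids are rejected.
function expectedTotalCents(selectedOptionIds) {
  if (!Array.isArray(selectedOptionIds)) throw new Error('options must be an array');
  const seen = new Set();
  let total = BASE_PRICE_CENTS;
  for (const id of selectedOptionIds) {
    if (!Object.prototype.hasOwnProperty.call(OPTION_PRICES_CENTS, id) || seen.has(id)) {
      throw new Error('invalid option: ' + String(id));
    }
    seen.add(id);
    total += OPTION_PRICES_CENTS[id];
  }
  return total;
}

// Integer cents -> decimal string such as "120.00", avoiding float rounding.
const formatCents = (c) => Math.floor(c / 100) + '.' + String(c % 100).padStart(2, '0');

// Order body the server would send; the amount never comes from the browser.
function buildOrderBody(selectedOptionIds) {
  const value = formatCents(expectedTotalCents(selectedOptionIds));
  return { intent: 'CAPTURE', purchase_units: [{ amount: { currency_code: CURRENCY, value } }] };
}

// Decimal string -> integer cents; null if the value is malformed.
function parseCents(value) {
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(String(value));
  return m ? Number(m[1]) * 100 + Number((m[2] || '').padEnd(2, '0')) : null;
}

// Check an order object read back on the server before fulfilling it.
function verifyOrder(order, selectedOptionIds) {
  if (!order || order.status !== 'COMPLETED') return false;
  const units = order.purchase_units || [];
  if (units.length !== 1) return false;
  const amount = units[0].amount || {};
  return amount.currency_code === CURRENCY &&
         parseCents(amount.value) === expectedTotalCents(selectedOptionIds);
}
```

With this split, a value edited in the browser's debugger never reaches the order, and an order whose amount differs from the server's own total fails `verifyOrder`.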

 

 
