Is it secure to pass a variable Amount to a Smart PayPal Button using the client side integration?

Member

Is it secure to pass a variable Amount to a Smart PayPal Button script?

Assume we have a basic amount of 100 and a checkbox option; if the user selects it, it will increase the total amount by 20 to become 120.

 

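var baseAmount = 100;
var totalAmount = baseAmount;

// Recalculate the total whenever the form changes
$('form').change(function(){
  // Add the checkbox value (20) only when it is ticked
  var extra = $(this).find("input:checked").val();
  totalAmount = baseAmount + (extra ? Number(extra) : 0);
});

paypal.Buttons({
  createOrder: function(data, actions) {
    // Set up the transaction with the amount held in the page's JavaScript
    return actions.order.create({
      purchase_units: [{
        amount: {
          value: totalAmount
        }
      }]
    });
  }
}).render('#paypal-button-container');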

It works fine and PayPal takes it as 120 and all is okay, but is it secure enough? Can somebody change the amount to 0 in the PayPal script with the browser inspect tool or something like this?

 

Please advise. Many thanks.

1 REPLY 1
Member

Re: Is it secure to pass a variable Amount to a Smart PayPal Button using the client side integratio

I don't believe that it is secure. When it comes to payments and setting up your order, doing it all client side is fine for a demo, but not production (in my opinion).

A person can just put a breakpoint on the return statement and make the totalAmount JS var equal to any value they want. Then you need to make sure when you are verifying the order that the amounts match up. If you do this all server side then you take away this option.

 

I am in the process of implementing this and doing as much server side as possible.  See https://developer.paypal.com/docs/checkout/reference/server-integration/set-up-transaction/#on-the-s...
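
The server-side handling this reply recommends, as an added example that is not part of the original thread or PayPal's own code: the server prices the order from its own catalog and checks the capture result against it. The catalog values, currency, option name `extra`, and the helper names are assumptions; the sample capture object is constructed in the shape of an Orders v2 capture response.

```javascript
// Server-side price list in integer cents (constructed values for this example).
const CATALOG = { base: 10000, options: { extra: 2000 } };
const CURRENCY = 'USD'; // assumed currency

// Integer cents -> decimal string for the order body.
function toValue(cents) {
  return Math.floor(cents / 100) + '.' + String(cents % 100).padStart(2, '0');
}

// Decimal string -> integer cents; NaN for anything malformed.
function toCents(value) {
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(String(value));
  return m ? Number(m[1]) * 100 + Number((m[2] || '').padEnd(2, '0')) : NaN;
}

// Build the create-order body from the option names the buyer ticked.
// The browser sends names only; any amount it sends is ignored.
function buildOrderBody(selectedOptions) {
  let cents = CATALOG.base;
  for (const name of new Set(selectedOptions)) {
    if (!Object.prototype.hasOwnProperty.call(CATALOG.options, name)) {
      throw new Error('unknown option: ' + name);
    }
    cents += CATALOG.options[name];
  }
  const amount = { currency_code: CURRENCY, value: toValue(cents) };
  return { intent: 'CAPTURE', purchase_units: [{ amount: amount }] };
}

// Compare the capture result with the order the server built before fulfilling.
function captureMatches(expectedBody, capture) {
  const expected = expectedBody.purchase_units[0].amount;
  const units = capture.purchase_units || [];
  const caps = (units[0] && units[0].payments && units[0].payments.captures) || [];
  if (capture.status !== 'COMPLETED' || units.length !== 1 || caps.length !== 1) {
    return false;
  }
  const paid = caps[0].amount || {};
  return caps[0].status === 'COMPLETED' &&
    paid.currency_code === expected.currency_code &&
    toCents(paid.value) === toCents(expected.value);
}

// Constructed capture result, shaped like an Orders v2 capture response.
function sampleCapture(value) {
  const cap = { status: 'COMPLETED', amount: { currency_code: 'USD', value: value } };
  return { status: 'COMPLETED', purchase_units: [{ payments: { captures: [cap] } }] };
}
```

A capture that fails `captureMatches` should not be fulfilled, whatever the page's JavaScript reported.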