PayPal amount tampering
I've never done a PayPal integration before, however I have worked with other gateways.
With other gateways there is a hash which is also sent in the form post; this stops people from tampering with the data, i.e. changing the amount.
How is this tampering stopped with PayPal? There doesn't appear to be any hash.
<form method="post" action="https://www.sandbox.paypal.com/cgi-bin/webscr">
<input type="hidden" value="_xclick" name="cmd">
<input type="hidden" value="online****@theg*****.com" name="business">
<!-- <input type="hidden" name="undefined_quantity" value="1" /> -->
<input type="hidden" value="Order" name="item_name">
<input type="hidden" value="NA" name="item_number">
<input type="hidden" value="22.16" name="amount">
<input type="hidden" value="5.17" name="shipping">
<input type="hidden" value="0" name="discount_amount">
<input type="hidden" value="0" name="no_shipping">
<input type="hidden" value="No comments" name="cn">
<input type="hidden" value="USD" name="currency_code">
<input type="hidden" value="http://XXX/XXX/XXX/paypal/return" name="return">
<input type="hidden" value="2" name="rm">
<input type="hidden" value="11255XXX" name="invoice">
<input type="hidden" value="US" name="lc">
<input type="hidden" value="PP-BuyNowBF" name="bn">
<input type="submit" value="Place Order!" name="finalizeOrder" id="finalizeOrder" class="submitButton">
</form>
So how can I stop people amending the amount before posting to PayPal? I.e. the amount should be 100 but people change it to 1.
Solution
There are a couple of ways to prevent this. The first is using PayPal's Instant Payment Notification (IPN). Using this, you would compare the prices that PayPal posts back to you to confirm that they match what you are expecting. If they don't match, you cancel the order.
Example Workflow:
- User Orders an item and modifies price to $0.01
- Order is posted to PayPal, which shows price of $0.01
- User accepts price and pays $0.01
- PayPal calls your IPN URL and posts transaction details, showing that the user paid $0.01 for a thing
- Your IPN checks the price that PayPal received ($0.01) versus what you were expecting (> $0.01). Since they don't match, you cancel the order
Another option is to use PayPal's Button API to create dynamic, encrypted buttons. These are embedded into your page and the user clicks it to make their order. Since it is encrypted, the user is unable to reliably modify the source code during the transaction. A nice example of this is available in this answer. Additionally, you are able to combine this with the IPN option listed above to serve as a nice audit of the transaction.
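The IPN check in the answer's workflow, as an added example that is not part of the original answer and not PayPal's own code. It assumes a merchant-side order store holding the total the server itself computed (27.33 USD, the item amount plus shipping from the form in the question), an assumed seller address `seller@example.com`, and invoice and transaction identifiers made up for the example. The IPN bodies are constructed inline so the check runs offline; the real post-back to PayPal's validation endpoint is included but replaced by a stand-in verifier in the local run. One step the workflow above leaves implicit is that step: before trusting an IPN at all, the raw body must be echoed back to PayPal with `cmd=_notify-validate` prepended and PayPal must answer `VERIFIED`, otherwise anyone who can reach your IPN URL can post a fake "Completed" notification for the full amount.

```python
"""Server-side IPN check for the tampered-amount scenario.

Added example, not PayPal's code. The standard IPN variables used here
(mc_gross, mc_currency, payment_status, txn_id, invoice, receiver_email)
are real; the order store, seller address and identifiers are assumptions.
"""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl, urlencode
import urllib.request

# Live validation endpoint; not contacted in the offline run below.
PAYPAL_VALIDATE_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"

# Constructed stand-in for the merchant's database: the total the server
# computed when the order was created (22.16 item + 5.17 shipping).
ORDERS = {
    "ORD-1001": {"amount": Decimal("27.33"), "currency": "USD"},
}
MY_BUSINESS_EMAIL = "seller@example.com"  # assumed; must equal the form's 'business'


def post_back_to_paypal(raw_body: bytes) -> bool:
    """Echo the exact body back with cmd=_notify-validate prepended.
    PayPal answers VERIFIED for a genuine IPN and INVALID otherwise."""
    req = urllib.request.Request(
        PAYPAL_VALIDATE_URL,
        data=b"cmd=_notify-validate&" + raw_body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().strip() == b"VERIFIED"


def check_ipn(raw_body: bytes, orders=ORDERS, seen_txn=None,
              verify=post_back_to_paypal) -> str:
    """Return 'accept' or a 'reject: ...' reason for one IPN message.

    The decisive check is the one the answer describes: the amount PayPal
    actually received (mc_gross) must equal what the server expected."""
    if seen_txn is None:
        seen_txn = set()
    if not verify(raw_body):
        return "reject: IPN not verified by PayPal"      # forged or altered body

    ipn = dict(parse_qsl(raw_body.decode("utf-8"), keep_blank_values=True))

    if ipn.get("receiver_email", "").lower() != MY_BUSINESS_EMAIL.lower():
        return "reject: paid to a different account"    # 'business' field swapped
    if ipn.get("payment_status") != "Completed":
        return "reject: payment not completed"
    txn_id = ipn.get("txn_id", "")
    if txn_id in seen_txn:
        return "reject: duplicate txn_id"                # same IPN delivered twice
    order = orders.get(ipn.get("invoice", ""))
    if order is None:
        return "reject: unknown invoice"
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return "reject: malformed mc_gross"
    if ipn.get("mc_currency") != order["currency"] or paid != order["amount"]:
        return (f"reject: paid {paid} {ipn.get('mc_currency')}, "
                f"expected {order['amount']} {order['currency']}")

    seen_txn.add(txn_id)
    return "accept"


def ipn_body(**fields) -> bytes:
    """Build a constructed IPN body (what PayPal would POST) for local testing."""
    base = {
        "receiver_email": MY_BUSINESS_EMAIL,
        "payment_status": "Completed",
        "txn_id": "TXN-AAA111",
        "invoice": "ORD-1001",
        "mc_gross": "27.33",
        "mc_currency": "USD",
    }
    base.update(fields)
    return urlencode(base).encode()


# Constructed inputs: the buyer edited the hidden 'amount' field to 0.01 in
# the first case and left the form alone in the second.
TAMPERED = ipn_body(mc_gross="0.01")
HONEST = ipn_body()

if __name__ == "__main__":
    always_verified = lambda body: True  # stand-in for PayPal answering VERIFIED
    print(check_ipn(TAMPERED, verify=always_verified))
    print(check_ipn(HONEST, verify=always_verified))
```

Note that the comparison is against a total the server stored when it built the form, never against values echoed back from the request or from the buyer's browser; the `seen_txn` set is what stops one genuine IPN from being replayed to ship a second order.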