Search code examples
form-submitcheckoutsecure-gateway

What is an accepted way to submit form data to sites like paypal?


I'm setting up a website that uses paypal to process payments.

The easiest way to implement the checkout form would be to create an HTML form that submits directly to paypal, sending the order details and redirecting the user to paypal in order to finalize the transaction.

However, there is a security vulnerability with this process. The client could edit the information submitted to paypal, such as changing the price of the checkout to $0.00.

What is an accepted way to handle this type of situation? Is it to submit the form back to my server, then do some processing in PHP, then submit verified data to paypal and redirect the user to paypal? Is this possible?

Thanks!


Solution

  • There are two main ways to handle this issue.

    1. The first is somewhat like what you outline: You send the filled in form to PayPal, and provide a callback-url. When PayPal has processed the payment, they will call your provided url, and you can check whether or not the information given in that call is the same as what you provided. For this to work, you need to store the information in the meantime, like in a database. You will then only give access to the product after the validation has happened.

    2. You can also encrypt the information you send to PayPal, making it practically impossible to alter information in your form.

    See https://www.x.com/developers/paypal for details.