Tags: php, html, validation, post

Could a Malicious Hacker Alter a Hidden Post Variable


I know that a POST can be spoofed in terms of originating domain, but what about being able to change the variables of the hidden POST variables in my HTML? I am concerned that someone could alter the "amount" value in my PayPal form from this:

<input type="hidden" name="amount" value="1.00">

to this:

<input type="hidden" name="amount" value="0.01">

or something similar. Thanks.


Solution

  • Yes, it is trivially easy for anyone to modify your form variables. Whether they are GET or POST doesn't matter at all.

    Web security rule #1: Never trust any user input. Also stated as "All users are malicious hackers" or some variant thereof.

    answer to comment: The solution is to know all of the correct values on the server side, without having to pass them through the client side (JavaScript). So regardless of what the form says, you already know the price. Just use the same value you used to populate the form in the first place.
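The contrast the answer draws, as an added PHP example (not code from the original thread): the handler that trusts the hidden field beside one that only takes an item id from the client and looks the price up server-side. The catalog array, item ids and function names are assumptions.

```php
<?php
// Added example, not from the original answer. The catalog, item ids and
// function names are hypothetical.

// Server-side source of truth: prices keyed by item id. A real site would read
// this from a database; a literal array keeps the example self-contained.
const CATALOG = [
    'widget-basic' => '1.00',
    'widget-pro'   => '25.00',
];

// VULNERABLE: the price is whatever the browser put in the hidden "amount"
// field. Any client can rewrite that value before submitting, so this charges
// the attacker's number, not yours.
function vulnerable_charge(array $post): string
{
    return $post['amount'];
}

// HARDENED: the client only says *which* item it wants. The price is the one
// you used to build the form in the first place, and an unknown item id is
// rejected rather than trusted.
function server_side_amount(array $post): string
{
    $item = $post['item'] ?? '';
    if (!isset(CATALOG[$item])) {
        throw new InvalidArgumentException('unknown item: ' . $item);
    }
    return CATALOG[$item];
}

// When the payment processor later reports what was actually paid, compare it
// against the server-side price for the order, never against form data.
function payment_matches(string $item, string $reportedAmount): bool
{
    if (!isset(CATALOG[$item])) {
        return false;
    }
    // Normalise to two decimals so "1.0" and "1.00" compare equal.
    return number_format((float) $reportedAmount, 2, '.', '') === CATALOG[$item];
}

// Constructed request: the hidden "amount" has been tampered with, "item" is intact.
$tampered = ['item' => 'widget-basic', 'amount' => '0.01'];

echo "trusting the form:  ", vulnerable_charge($tampered), "\n";   // attacker's value
echo "server-side lookup: ", server_side_amount($tampered), "\n";  // your value
var_dump(payment_matches('widget-basic', $tampered['amount']));     // underpayment caught
```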