paypal encryption

Isn't your price stored on the server, and submitted there?

What you see in your HTML should be a representation of what is stored on the server, so even if someone changes it, the server values should be submitted.

^^No

I don't think so:

The paypal submit form is:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


</head>
<script>
  setTimeout('document.paypalform.submit()',1000); // auto submit form
</script>
<body>

<div class="centerdiv">
<h1>Connecting to Paypal <img src="<?php echo site_url('../img/loader.gif'); ?>" /></h1>
</div>





<form action="https://www.paypal.com/cgi-bin/webscr" method="post" name="paypalform">

<input type="hidden" name="cmd"                 value="_xclick">                                                  <!-- Define Buy Now button -->
<input type="hidden" name="business"            value="<?php echo $mail_business; ?>">                                    <!-- Your paypal email account -->
<input type="hidden" name="return"              value="<?php echo site_url('shop/paymentcomplete') ?>">                       <!-- if payment complete then show "Thanks !" -->
<input type="hidden" name="notify_url"          value="<?php echo site_url('shop/paymentpaypalipn'); ?>">                      <!-- IPN - Notification messages, The URL to which PayPal posts information about the payment.  -->

<input type="hidden" name="item_number"   value="1">                                                              <!-- Number item code, like a id for identificate your product -->
<input type="hidden" name="item_name"           value="<?php echo $_POST['item_name'];?>">                                 <!-- Name item -->
<input type="hidden" name="amount"              value="<?php echo $_POST['amount'];?>">                                    <!-- Amount -->
<input type="hidden" name="quantity"            value="<?php echo $_POST['quantity'];?>">                                  <!-- Quantity items -->

<input type="hidden" name="currency_code" value="GBP">                                                            <!-- Currency code -->

</form>

</body>
</html>

And even this can be edited by the user to change the values...

Please advise?

That form is the last port of call. In other words the very last thing to be processed before accessing paypal?

bump

If you directly post your form to PP, then yes, it may be an issue.

Can't you just do the sending with curl?

prit I've searched high and low and all sources of information point back to using paypal encrypted buttons or ssl certificates as the only reliable means to ensure the transaction 'amounts' have not been tampered with.

The only other way would be to send a hash to the IPN and the ipn script on my server could then validate if the transaction is good or not... however the actual transaction would still have been processed. It is just that on my end I can flag up if the transaction is legit or not...

Hmmm.

A quick update...

Looks like I have two options.

1. Is to accept the tampered paypal payment from user but in my ipn script return a hash. I then do a lookup on the hash and see if it matches the paypal prcie. If the price is different I don't allow the user access/download to my product. note the payment will still be processed but I restrict user access my end and send out an email.

2. A bit more involved, is to generate SSL cert on my site and in my paypal panel. This will ensure the said transaction is legit and cannot be tampered if.

At the moment I'm leaning towards the former option... unless anyone has any brighter ideas I'm all ears.