PHP stopping tamper data in html form
Back story: Hey, I've @ few , couldn't quite find a fix for this. A user's been spoofing the value of $price, let's say $5; with the Firefox addon Tamper Data they can change the $_POST value to whatever they wish, say $0.01. I'm trying to prevent this.
Code:
<?php $price = "5.00"; ?>
<input type="hidden" name="cmd" value="_donations">
<input type="hidden" name="upload" value="1">
<input type="hidden" name="business" value="paypal@email.com">
<input type="hidden" name="item_name" value="ap">
<input type="hidden" name="amount" value="<?php if ($price != "5.00") { $price = "5.00"; echo $price; } else { echo $price; } ?>">
<input type="hidden" name="notify_url" value="/ipn/ipn.php?user=<?php echo $username; ?>"index.php?thank=yes">
<input type="hidden" name="cancel_return" value="index.php">
<input type="hidden" name="custom" value="<?php echo $username; ?>">
<input class="button" type="submit" name="pp" value="buy subscription" />
<?php
// PHP superglobals are case-sensitive: $_POST, not $_post.
if (isset($_POST['pp'])) {
    if ($price != "5.00") {
        $price = "5.00";
        echo $price . " debug: scammer";
    } else {
        echo $price . " nothing found";
    }
}
?>
You can't influence this - the form is sent directly to PayPal, and never touches your server.
You should check in your IPN notification PHP script whether the amount received matches the amount you are expecting, and take whatever steps are necessary if it doesn't.
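The check described in the answer, as an added example that is not part of the original post. It assumes the IPN message has already been confirmed with PayPal (the `cmd=_notify-validate` postback returned `VERIFIED`); the function name `ipn_problems` and the USD currency are assumptions, while the field names are PayPal's standard IPN variables.

```php
<?php
// Added example: server-side validation of a PayPal IPN message.
// Expected values come from the form on this page; the currency is an assumption.
const EXPECTED_AMOUNT   = '5.00';
const EXPECTED_CURRENCY = 'USD';              // assumption: the page does not state it
const EXPECTED_RECEIVER = 'paypal@email.com'; // the "business" value from the form

/**
 * Returns the reasons an IPN must be rejected (empty array = acceptable).
 * Hypothetical helper; call it only after PayPal has answered VERIFIED.
 */
function ipn_problems(array $ipn): array
{
    $problems = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment not completed';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', EXPECTED_RECEIVER) !== 0) {
        $problems[] = 'paid to a different account';
    }
    if (($ipn['mc_currency'] ?? '') !== EXPECTED_CURRENCY) {
        $problems[] = 'unexpected currency';
    }
    // Compare money as integer cents, never as floats or loosely typed strings.
    $gross = $ipn['mc_gross'] ?? '';
    if (!preg_match('/^\d+\.\d{2}\z/', $gross)
        || (int) str_replace('.', '', $gross) !== (int) str_replace('.', '', EXPECTED_AMOUNT)) {
        $problems[] = 'amount mismatch';
    }
    return $problems;
}

// Constructed sample messages (not real PayPal traffic).
$honest   = ['payment_status' => 'Completed', 'receiver_email' => 'paypal@email.com',
             'mc_currency' => 'USD', 'mc_gross' => '5.00', 'custom' => 'alice'];
$tampered = ['mc_gross' => '0.01'] + $honest; // same message with the amount lowered

foreach (['honest' => $honest, 'tampered' => $tampered] as $label => $ipn) {
    $problems = ipn_problems($ipn);
    // Grant the subscription to $ipn['custom'] only when $problems is empty.
    echo $label, ': ', $problems ? implode(', ', $problems) : 'ok', PHP_EOL;
}
```

A production handler would also record each `txn_id` and refuse one it has already processed, so a replayed notification cannot grant a second subscription.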