PHP stopping tamper data in html form


Back story: Hey, I've looked at a few and couldn't quite find a fix for this. A user's been spoofing the value of $price, let's say $5; with the Firefox addon Tamper Data they can change the $_POST value to whatever they wish, e.g. $0.01. I'm trying to prevent this.

Code:

<?php $price = "5.00"; ?>
<input type="hidden" name="cmd" value="_donations">
<input type="hidden" name="upload" value="1">
<input type="hidden" name="business" value="paypal@email.com">
<input type="hidden" name="item_name" value="ap">
<input type="hidden" name="amount" value="<?php if($price != "5.00") { $price = "5.00"; echo $price; } else { echo $price; } ?>">
<input type="hidden" name="notify_url" value="/ipn/ipn.php?user=<?php echo $username; ?>"index.php?thank=yes">
<input type="hidden" name="cancel_return" value="index.php">
<input type="hidden" name="custom" value="<?php echo $username; ?>">
<input class="button" type="submit" name="pp" value="buy subscription" />
<?php
// Runs only when this page itself receives the POST ($_POST is case-sensitive).
if (isset($_POST['pp'])) {
    if ($price != "5.00") {
        $price = "5.00";
        echo $price . " debug: scammer";
    } else {
        echo $price . " nothing found";
    }
}
?>

You can't influence this - the form is sent directly to PayPal, and never touches your server.

You should check in your IPN notification PHP script whether the amount received matches the amount you are expecting, and take whatever steps are necessary if it doesn't.
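A sketch of the check the answer describes, for /ipn/ipn.php. This is an added example, not code from the question or the answer, and it goes one step further by first confirming with PayPal that the notification is genuine. It uses PayPal's standard IPN variables (mc_gross, mc_currency, payment_status, receiver_email, custom); the USD currency and the helpers grant_subscription() and log_suspect() are assumptions.

```php
<?php
// Added example, not the asker's code. Assumptions: USD currency, PayPal's live
// IPN endpoint, and hypothetical app helpers grant_subscription()/log_suspect().
const EXPECTED_AMOUNT   = '5.00';              // price fixed on the server
const EXPECTED_CURRENCY = 'USD';               // assumption, not stated on the page
const EXPECTED_RECEIVER = 'paypal@email.com';  // the form's "business" value

// Step 1: post the raw message back so PayPal confirms it is the sender.
function ipn_is_verified(string $rawBody): bool {
    $ch = curl_init('https://ipnpb.paypal.com/cgi-bin/webscr');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $reply = curl_exec($ch);
    return is_string($reply) && trim($reply) === 'VERIFIED';
}

// Step 2: list every field that differs from what the server expects.
function ipn_mismatches(array $ipn): array {
    $bad  = [];
    $paid = $ipn['mc_gross'] ?? '';
    // Compare in whole cents so "5.00" and "5" match but "0.01" does not.
    if (!is_numeric($paid)
        || (int) round($paid * 100) !== (int) round(EXPECTED_AMOUNT * 100)) {
        $bad[] = 'mc_gross';
    }
    if (($ipn['mc_currency'] ?? '') !== EXPECTED_CURRENCY) $bad[] = 'mc_currency';
    if (($ipn['payment_status'] ?? '') !== 'Completed')    $bad[] = 'payment_status';
    if (strcasecmp($ipn['receiver_email'] ?? '', EXPECTED_RECEIVER) !== 0) {
        $bad[] = 'receiver_email';
    }
    return $bad;
}

$raw = file_get_contents('php://input');   // the body exactly as PayPal sent it
parse_str($raw, $ipn);
if (!ipn_is_verified($raw)) {
    http_response_code(400);               // not confirmed by PayPal: do nothing
    exit;
}
$user = $ipn['custom'] ?? '';              // username carried in the "custom" field
$bad  = ipn_mismatches($ipn);
if ($bad === []) {
    grant_subscription($user);             // hypothetical helper
} else {
    log_suspect($user, $bad);              // hypothetical helper: tampered payment
}
```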

