
I'm looking for the proper way to pass a payment amount to BrainTree.

Here's a link

<a href="/charge?amount=10">charge me $10</a>

Here's some PHP that can handle this link

Braintree_Transaction::sale(array(
  'amount' => Input::get('amount'),
  'paymentMethodToken' => Auth::user()->creditcard->token
));

This is obviously unsafe because the client can change the amount.

So you can have an item in the database and an amount attached to that

<a href="/charge?item=1">Charge for Item 1</a>

... And similar code to handle it

$item  = Input::get('item');             // item ID supplied by the client
$price = Product::find($item)->price;    // price looked up server-side, not taken from the request

Braintree_Transaction::sale(array(
  'amount' => $price,
  'paymentMethodToken' => Auth::user()->creditcard->token
));

The thing about this is that what if the client accidentally puts ?item=45. I'm guessing this shouldn't be able to be manipulated by the client.

What's the right way to do this?

drew schmaltz
  • I can see that this is why you use a cart. Add items to the cart with the ?item=1, let the user see that the right item is in the cart and then process the cart. Is there a way to bypass the cart concept? – drew schmaltz Mar 14 '14 at 07:33
  • Generally, the goal of the person is to purchase a specific item, so why would it be a problem if they can change the item ID, so long as you only accept valid ones? Two pieces of advice. First, do you really need to write your own checkout form if you're doing something pretty straightforward? Second, you should avoid exposing database IDs, and instead use a random "public ID" or pseudorandom one based on a sequence other than the PK sequence. – agf Mar 14 '14 at 14:01
  • Thank you for the advice. As far as the first piece, why not write my own checkout form? Are you suggesting I use some pre-built solution? – drew schmaltz Mar 14 '14 at 16:09
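The approach the question and the comments converge on (price and quantity resolved on the server, client only sends a validated item identifier, database primary keys not exposed), as an added example that is not the asker's code. It assumes a hypothetical in-memory catalog keyed by opaque public IDs and a plain `$request` array in place of `Input::get()`; the Braintree call is left as a comment so the file runs stand-alone.

```php
<?php
// Added example, not from the original post. Catalog and request are constructed.
// Public IDs are random-looking tokens rather than the database primary key,
// so a client cannot walk ?item=1, ?item=2, ... through the table.
$catalog = [
    'p_8f3a2c' => ['name' => 'Item 1', 'price_cents' => 1000],
    'p_4b91de' => ['name' => 'Item 2', 'price_cents' => 2599],
];

/**
 * Compute the charge amount entirely on the server.
 * Returns ['amount' => '10.00'] on success, or ['error' => ...] when the
 * client-supplied item ID or quantity is invalid (the ?item=45 case).
 */
function serverSideAmount(array $catalog, array $request): array
{
    $item = $request['item'] ?? null;
    $qty  = $request['qty'] ?? '1';

    // Unknown or malformed item ID: refuse instead of dereferencing a null find() result.
    if (!is_string($item) || !isset($catalog[$item])) {
        return ['error' => 'unknown item'];
    }
    // Quantity must be a small positive integer; it is client input too.
    if (!is_string($qty) || !ctype_digit($qty) || (int)$qty < 1 || (int)$qty > 100) {
        return ['error' => 'invalid quantity'];
    }

    $cents = $catalog[$item]['price_cents'] * (int)$qty;
    // Braintree takes the amount as a decimal string; integer cents avoid float rounding.
    return ['amount' => sprintf('%d.%02d', intdiv($cents, 100), $cents % 100)];
}

// Any 'amount' the client sends is simply ignored; only 'item' and 'qty' are read.
$result = serverSideAmount($catalog, ['item' => 'p_8f3a2c', 'qty' => '2', 'amount' => '0.01']);
if (isset($result['error'])) {
    http_response_code(400);
    echo $result['error'], "\n";
} else {
    // Braintree_Transaction::sale(['amount' => $result['amount'],
    //                              'paymentMethodToken' => Auth::user()->creditcard->token]);
    echo 'would charge $', $result['amount'], "\n";
}

// The case from the question: an ID that does not exist is rejected, not charged.
var_dump(serverSideAmount($catalog, ['item' => '45']));
```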
