I've been looking through the following PayPal guide (as it's the only available document I could find that details PHP implementation AND can handle basket/cart/multiple purchases):
I'm however thinking that something is seriously wrong. It suggests sending payment information in hidden form inputs, like so:
<input type="hidden" name="cmd" value="_ext-enter">
<form action="https://www.paypal.com/us/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="you@youremail.com">
<input type="hidden" name="item_name" value="Item Name">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="amount" value="0.00">
<input type="image" src="http://www.paypal.com/en_US/i/btn/x-click-but01.gif" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>
But that seems seriously wrong. Can't a website user remove the "hidden" property using basic tools and then manipulate the price to whatever they want? Or edit the price directly?
I understand that the merchant would then receive an invoice with an incorrect price and would have to double check it and cancel the order if necessary, but surely that is not standard practice? Because if large numbers of users attempt to abuse this exploit and therefore cause a large number of cancellations, would such a thing cause PayPal to terminate it's services with the merchant?
I have found the following documentation also: https://developer.paypal.com/docs/platforms/checkout/set-up-payments/#step-1-add-payment-buttons-to-accept-payments
This seems to be using a completely different method, but this is in Javascript and doesn't support basket/cart/multiple purchases. It also would seem to have the same problem, in that someone could edit the JavaScript to manipulate the price (if I'm not mistaken).
So is the initial method just standard practice and I should follow that, or is there an alternate more secure method that I have been unable to find?
