#1 Regular Coder

    Insecure Paypal script

    Hey guys,

I use a premade script to allow users of my site to buy virtual credits. The only problem is (as I found out yesterday) users are able to hack it.

    The problem arises when users edit the hidden form data in the html and make it so they spend only 0.01 for something that is worth $5.00

    Script basics:

    Code:
    <form method="post" name="paypal_form" action="https://www.paypal.com/cgi-bin/webscr">
    <input type="hidden" name="rm" value="2"/>
    <input type="hidden" name="cmd" value="_xclick"/>
    <input type="hidden" name="business" value="eviltyd@hotmail.com"/>
    <input type="hidden" name="return" value="http://www.ichumon.com/ichu_cash5k.php?action=success"/>
    <input type="hidden" name="cancel_return" value="http://www.ichumon.com/ichu_cash5k.php?action=cancel"/>
    <input type="hidden" name="notify_url" value="http://www.ichumon.com/ichu_cash5k.php?action=ipn"/>
    <input type="hidden" name="item_name" value="50 IchuCash"/>
    <input type="hidden" name="amount" value="5.00"/>
    <input type="hidden" name="custom" value="1"/>
    <center><br/><br/>If you are not automatically redirected to paypal within 5 seconds...<br/><br/>
    
    <input type="submit" value="Click Here"></center>
    </form>
This is the code they are editing. What I want to know is if there is a way to make sure that it only allows to send $5.00 for the amount, or for that matter, any of the other values. I don't know how to get them sent to paypal without forms but all forms can be edited :X

    I am using the premade script : PHP Paypal IPN Integration Class Demonstration File

    Any help on how to fix this? thanks!

#2 Fumigator
    You should do a couple of things. The first is to go into Paypal, find their button builder, and make sure you choose "encrypted code". You get fewer features but the code on the button is encrypted and more difficult to alter.

    The second choice is something you should be doing anyway, and that is verify all purchases using IPN (Instant Payment Notification). With IPN activated, Paypal sends you a POST request to a script you've written, with all the details of a payment. You can then check the product ID against the price actually paid for the product and make sure it matches your database. There's no way to hack this cross-check.

#3 Regular Coder
This is why you should look into an eCommerce solution - an app that's rather robust and actually built for this.

    The best way to secure it is to use a database to store all of your products and prices. When you put the price inside of the HTML, you're essentially asking the user what the item's price is. You want to tell them. If you store the info in a database, you can simply send the product's ID number to the submit page. The submit page can look up the rest of the information with the ID from the database.
    zok@zoklet:~$ whereis zok
    zok: http://zoklet.net | http://zoklet.net/otg | /derzok/at/gmail/dot/com
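Putting post #2 (verify every purchase through IPN and cross-check the price) and post #3 (keep prices in your own table, send only a product id) together in working code. This is an added example, not code from the thread or from the "PHP Paypal IPN Integration Class"; it assumes the form's "custom" field carries the product id, uses the IPN postback host from PayPal's docs, and inlines the product table that would normally live in the database.

```php
<?php
// Added example: an IPN listener that treats every value from the buyer's browser as untrusted.
// The PRODUCTS array stands in for the database table; txn_id de-duplication is left to the caller.

// Constructed catalogue: product id (assumed to be sent in the form's "custom" field) => name, price.
const PRODUCTS = [
    '1' => ['name' => '50 IchuCash', 'price' => '5.00'],
];
const RECEIVER = 'eviltyd@hotmail.com';   // the "business" value from the form

// Step 1: post the notification back to PayPal unchanged, prefixed with cmd=_notify-validate.
// PayPal answers with the literal string VERIFIED or INVALID. Host assumed from PayPal's IPN docs;
// use ipnpb.sandbox.paypal.com while testing in the sandbox post #4 describes.
function paypal_ipn_verified(array $post, string $host = 'ipnpb.paypal.com'): bool
{
    $ch = curl_init("https://$host/cgi-bin/webscr");
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . http_build_query($post),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    $reply = curl_exec($ch);
    curl_close($ch);
    return $reply === 'VERIFIED';
}

// Step 2: VERIFIED only proves PayPal sent the message, not that the buyer paid the right price.
// Cross-check every field the buyer could have edited in the hidden inputs against our own data.
function ipn_problems(array $ipn, array $products = PRODUCTS, string $receiver = RECEIVER): array
{
    $errors = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed')               $errors[] = 'payment not completed';
    if (strcasecmp($ipn['receiver_email'] ?? '', $receiver) !== 0)     $errors[] = 'paid to wrong account';
    if (($ipn['mc_currency'] ?? '') !== 'USD')                          $errors[] = 'wrong currency';
    $product = $products[$ipn['custom'] ?? ''] ?? null;
    if ($product === null) {
        $errors[] = 'unknown product id';
    } elseif (number_format((float)($ipn['mc_gross'] ?? 0), 2, '.', '') !== $product['price']) {
        $errors[] = "paid {$ipn['mc_gross']} for a {$product['price']} item";   // the 0.01-for-5.00 case
    }
    return $errors;   // empty array => safe to credit, once txn_id has been checked for replays
}

// Listener entry point: runs only when PayPal POSTs to the notify_url.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    http_response_code(200);                                    // acknowledge so PayPal stops retrying
    if (!paypal_ipn_verified($_POST)) { error_log('IPN: INVALID postback'); exit; }
    if ($problems = ipn_problems($_POST)) { error_log('IPN rejected: ' . implode('; ', $problems)); exit; }
    // credit_user($_POST['custom'], $_POST['txn_id']);   // hypothetical: store txn_id, then add credits
}
```

The web form then only needs to send the product id; the amount it carries becomes irrelevant, because credits are granted only when PayPal's own report of what was paid matches the price in your table.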

#4 mlseim
    Whichever PHP shopping cart system you use, OSCommerce, CubeCart, whatever ... go to the PayPal Development Site and create a free "sandbox" where you can test out your scripts with a "real" PayPal transaction ... but the buyer/seller and credit card is fake, so it's a good way to test it out. Once you get it working, you switch account info to your REAL PayPal account.

    https://developer.paypal.com/


#5 Regular Coder
    Quote Originally Posted by mlseim:
    Whichever PHP shopping cart system you use, OSCommerce, CubeCart, whatever ... go to the PayPal Development Site and create a free "sandbox" where you can test out your scripts with a "real" PayPal transaction ... but the buyer/seller and credit card is fake, so it's a good way to test it out. Once you get it working, you switch account info to your REAL PayPal account.

    https://developer.paypal.com/
    That's cool! I did not know they offered this feature. +1 for the good find.
    zok@zoklet:~$ whereis zok
    zok: http://zoklet.net | http://zoklet.net/otg | /derzok/at/gmail/dot/com

