How to keep PayPal variables secure

I'm trying to link my 3rd party shopping cart to PayPal, and in the process I'm finding that my variables are extremely exposed, such that, if someone uses, say, Firebug, to manipulate the values of my variables, they can change the cost of the items in the transaction.

I'm very new to online carts and shopping, so my question is how do I keep t开发者_如何学Gohis layer of exposure away from users and secure for the website?

The answer is in the Instant Payment Notification service.

Upon completing the transaction, PayPal notifies you, in a separate process, of the payment details for the last transaction.

You can check these details against the data you stored locally. If they match, all is fine. If they do not match, you will need to investigate the issue.

Never understood why PayPal does not allow the data to be signed with some sort of hash + shared secret... but that does not help you any further.

If you POST the variables to PayPal, you can encrypt the data. Unfortunately, this is not possible for a GET request, triggered from a redirect.

There is a way of getting PayPal to host the button variables on their side. Look out for PayPal Hosted Buttons in their documentation:

https://cms.paypal.com/uk/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_ButtonMgrAPIIntro#id093VD0JE0Y4

Otherwise verify with IPN as mentioned bu Jacco.

Use the PayPal NVP or SOAP API to create an encrypted button. Basically you set all the information using PHP and then the API gives you the HTML. Alternatively if you only have a couple of products you can make custom buttons.

The API's are well documented and easy to use. Personally I used the NVP as it was recommended for less experienced programmers. You can also use both in with the IPN (Instant Payment Notification) system so that for example digital products can be automatically emailed.