2

PayPal says that protected payment buttons are more secure as they cannot be altered by malicious third parties. I'm trying to figure out what they are supposed to protect against. If the attacker has gained access to your website and can edit your source files, wouldn't they just replace it with their own PayPal button, instead of trying to edit parameters?

Casebash

1 Answer

2

A protected payment button encrypts the payment amount and item details, in such a way that your users won't be able to pay for that item with a different payment amount. When using a regular pay button, as a vendor you have to check that the amount paid matches your own price list for the item before processing the order; this is because your user can change the payment amount.

Lie Ryan
  • Ah, fair enough. I'm using a button for donations, so this doesn't matter. – Casebash Jan 01 '16 at 13:16
  • @Casebash. It still means that people can modify the amount, which means they could alter it to be below your minimum fee, meaning that unless PayPal specifically disallows that, you will lose money. – Patanjali Jun 09 '19 at 04:38
  • For protected buttons, there are only two hidden fields, being cmd=_s-xclick and hosted_button_id=XXXXXXXXXXXXX, the latter being a unique 13 character code. No other identifying info, so easy to set up manually. – Patanjali Jun 09 '19 at 07:14
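
The vendor-side check the answer describes for regular (unprotected) buttons, sketched as an added example that is not part of the original thread or PayPal's code. The field names (`payment_status`, `receiver_email`, `item_number`, `mc_gross`, `mc_currency`) are modeled on PayPal's payment-notification variables and, like the price list and e-mail address, are assumptions; the notification is assumed to have already been authenticated as coming from the payment processor.

```python
from decimal import Decimal, InvalidOperation

# Vendor's own price list (constructed sample data): item number -> (price, currency)
PRICE_LIST = {
    "SKU-1001": (Decimal("49.00"), "USD"),
    "SKU-2002": (Decimal("5.50"), "USD"),
}
MERCHANT_EMAIL = "shop@example.com"  # placeholder account address


def check_payment(note, price_list=PRICE_LIST, merchant=MERCHANT_EMAIL):
    """Return (accepted, reason) for a payment notification dict.

    Only values the buyer could have edited in an unprotected button's
    hidden form fields are checked here; authenticity of the notification
    itself is assumed to have been verified beforehand.
    """
    if note.get("payment_status") != "Completed":
        return False, "payment not completed"
    if str(note.get("receiver_email", "")).lower() != merchant.lower():
        return False, "paid to a different account"
    item = note.get("item_number")
    if item not in price_list:
        return False, "unknown item"
    price, currency = price_list[item]
    if note.get("mc_currency") != currency:
        return False, "wrong currency"
    try:
        paid = Decimal(note.get("mc_gross", ""))
    except (InvalidOperation, TypeError):
        return False, "unparseable amount"
    if paid != price:
        return False, f"amount mismatch: paid {paid}, expected {price}"
    return True, "ok"


# Constructed notifications: one honest, one where the amount field was edited
HONEST = {"payment_status": "Completed", "receiver_email": "shop@example.com",
          "item_number": "SKU-1001", "mc_gross": "49.00", "mc_currency": "USD"}
TAMPERED = dict(HONEST, mc_gross="0.01")

if __name__ == "__main__":
    for n in (HONEST, TAMPERED):
        print(check_payment(n))
```

With a protected button the form carries only `cmd=_s-xclick` and `hosted_button_id`, so the amount and item fields compared here are not present in the page for the buyer to edit.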