
Payment amount spoofed somehow

  1. Hello,

    Yesterday someone somehow purchased a product off my site that should have cost $3 for $0.01. After doing a bit of research online some people are saying it's possible to spoof posted variables and do this.

    The bigger problem is that the Gravity Forms entry actually shows the wrong amount, but the purchase still completed! As I'm using the user add-on as well to work as a digital delivery system, this basically means someone got this product for free.

    Does Gravity Forms check that the amount returned from PayPal matches the product value? If it doesn't, is there any way I can implement this?

    Thanks,
    James

    Posted 12 years ago on Friday March 16, 2012 | Permalink
  2. Does anyone have an update on this?

    Posted 12 years ago on Monday March 19, 2012 | Permalink
  3. It is not possible to spoof the prices that appear on the form and have those prices submitted and stored as such.

    It IS possible to manipulate the JavaScript that displays the pricing and the Total price on the form itself. HOWEVER, the form processor doesn't rely on this JavaScript for the pricing, and it calculates the total using server-side code when the form is submitted.

    When Gravity Forms processes the PayPal IPN request, it verifies that the PayPal IPN request totals match the totals stored in the form entry data. It will reject the IPN request if they do not match.

    So yes, there is verification in place to prevent users from manipulating pricing data both on the form, and when checking out via PayPal.

    Posted 12 years ago on Tuesday March 20, 2012 | Permalink
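
The kind of check described in the last reply, comparing the IPN totals with the totals stored for the entry, can be sketched as follows. This is an added example, not Gravity Forms' code and not part of the original thread. The IPN variable names (`mc_gross`, `mc_currency`, `payment_status`, `receiver_email`, `txn_id`, `custom`) are PayPal's; the order record layout, the function name, the use of `custom` to carry the entry id, and the sample values are assumptions, and the message is assumed to have already been validated with PayPal.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data: the order as stored server-side at form submission
# (hypothetical record layout), and an IPN message for that order.
STORED_ORDER = {"entry_id": "101", "total": Decimal("3.00"), "currency": "USD",
                "receiver_email": "seller@example.com"}
SAMPLE_IPN = {"payment_status": "Completed", "receiver_email": "seller@example.com",
              "custom": "101", "mc_currency": "USD", "mc_gross": "3.00",
              "txn_id": "TXN-CONSTRUCTED-1"}


def check_ipn(ipn, order, seen_txn_ids):
    """Return (accepted, reason) for one IPN message.

    ipn          -- dict of posted IPN variables
    order        -- server-side record created when the form was submitted
    seen_txn_ids -- set of transaction ids that were already fulfilled
    """
    if ipn.get("payment_status") != "Completed":
        return False, "payment not completed"
    # The money must have gone to the merchant's own account.
    if ipn.get("receiver_email", "").lower() != order["receiver_email"].lower():
        return False, "wrong receiver"
    if ipn.get("custom") != order["entry_id"]:
        return False, "entry mismatch"
    if ipn.get("mc_currency") != order["currency"]:
        return False, "currency mismatch"
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except (InvalidOperation, TypeError):
        return False, "unparseable amount"
    # Compare with the total calculated and stored server-side,
    # never with a price that arrived in a request.
    if paid != order["total"]:
        return False, f"amount mismatch: paid {paid}, expected {order['total']}"
    txn_id = ipn.get("txn_id")
    if not txn_id or txn_id in seen_txn_ids:
        return False, "missing or replayed txn_id"
    seen_txn_ids.add(txn_id)
    return True, "ok"
```

Fulfilment (here, the digital delivery) should run only when the function returns `True`; a rejected message is worth logging with its reason so mismatches can be reviewed.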

This topic has been resolved and has been closed to new replies.