This may not be a HUGE problem...but what I've noticed is that when using PayPal submit, the PayPal submit page gets loaded with a bunch of hidden fields right before the submit (these are coming from the includes/global_config.inc.php file). Amongst these fields is the "amount" value...which if I were clever I could easily use Firebug to edit before the form submits to PayPal, making the amount 1 cent if I wanted.
The form I'm creating needs to be a certain amount of money, no more, no less. Now, I also have a coupon field that lowers the price...but someone could easily lower the price manually and then claim they entered the coupon code.
This isn't the biggest concern since I can just cross-check with the save data and verify if they did, in fact, enter the coupon code, because I'm saving that field as well. But I'd like it to be nearly impossible for the user to be able to edit those fields...and putting them in as hidden fields seems to be a little lacking in security.
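The cross-check described in the post, as an added example that is not part of the original post or the form software's own code: the server recomputes the price from the saved submission and compares it with the amount PayPal reports, so an edited hidden field cannot mark an entry as paid. The price, coupon table and saved-entry layout are assumptions, the notification is assumed to be already authenticated with PayPal, and `custom` is assumed to carry the entry id.

```php
<?php
// Added example. BASE_PRICE_CENTS, COUPONS and the saved-entry layout are hypothetical;
// payment_status, mc_currency, mc_gross and custom are PayPal IPN variables.
const BASE_PRICE_CENTS = 5000;          // constructed: the one price the form may charge
const CURRENCY = 'USD';                 // constructed
const COUPONS = ['SPRING10' => 1000];   // constructed: coupon code => discount in cents

// Price the server expects, derived only from the saved submission.
function expected_cents(array $entry): int {
    $code = strtoupper(trim($entry['coupon'] ?? ''));
    return max(0, BASE_PRICE_CENTS - (COUPONS[$code] ?? 0)); // unknown code: no discount
}

// Convert "49.99" to 4999 without float rounding; null if the value is malformed.
function to_cents(string $amount): ?int {
    if (!preg_match('/^(\d+)(?:\.(\d{1,2}))?$/', $amount, $m)) { return null; }
    return (int)$m[1] * 100 + (int)str_pad($m[2] ?? '', 2, '0');
}

// Decide whether an authenticated notification pays for the saved entry in full.
function payment_matches(array $ipn, array $entry): array {
    if (($ipn['payment_status'] ?? '') !== 'Completed') { return [false, 'not completed']; }
    if (($ipn['mc_currency'] ?? '') !== CURRENCY) { return [false, 'unexpected currency']; }
    $paid = to_cents($ipn['mc_gross'] ?? '');
    $want = expected_cents($entry);
    if ($paid === null) { return [false, 'malformed amount']; }
    if ($paid !== $want) { return [false, "paid $paid cents, expected $want"]; }
    return [true, 'ok'];
}

// Constructed sample data: saved entries keyed by id, then three notifications.
$entries = [101 => ['coupon' => 'SPRING10'], 102 => ['coupon' => '']];
$base = ['payment_status' => 'Completed', 'mc_currency' => 'USD'];
$notifications = [
    $base + ['custom' => '101', 'mc_gross' => '40.00'], // coupon saved, discount valid
    $base + ['custom' => '102', 'mc_gross' => '0.01'],  // amount field edited in browser
    $base + ['custom' => '102', 'mc_gross' => '40.00'], // discount taken, no coupon saved
];
foreach ($notifications as $n) {
    $entry = $entries[(int)$n['custom']] ?? null;
    [$ok, $why] = $entry !== null ? payment_matches($n, $entry) : [false, 'unknown entry'];
    printf("entry %s: %s (%s)\n", $n['custom'], $ok ? 'ACCEPT' : 'HOLD', $why);
}
```

Only the first notification is accepted; the other two are held because the amount paid does not match what the saved entry entitles the payer to.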