aurawindsurfing

Stripe - how to protect amount variable while POSTing to server side

Hi everyone,

I'm wondering how you approach passing the Stripe amount variable from checkout.js to the server side, please? Yes, I know I do not have to do that, but since I have 5 Stripe buttons and each one has a different amount, I figure that it makes no sense to build separate routes for each of the charges...

Correct me if I'm wrong, but: if I pass - it can be manipulated by the user; if I pass {id} as a route parameter, then it can also be manipulated.

What am I missing here? How do I tell my server side what the amount is?

0 likes
3 replies
36864
Best Answer
Level 13

You can either pass the button ID and work out the amount from the button that was pressed, which means even if the user changes the ID they won't be able to do anything that they couldn't do by just pressing another button.

Alternatively, pass the amount, but have an amount whitelist server side, which would do pretty much the same thing as the first method.

There's no point trying to prevent a user from changing a value to another valid value. If a user wants to click the button that says "1" and change it so it sends "5" instead of just pressing the button that says "5", let them.

aurawindsurfing

So in other words, have a hidden field, but instead of using it for an AMOUNT use it for an ID, and then based on that ID find the matching method or amount.

Thanks!

Needed to get my head around that ;-)

Cronix

You don't need a hidden field. Just give each button a value.

<button name="submit" type="submit" value="option1">$5</button>
<button name="submit" type="submit" value="option2">$10</button>

$button = $request->submit;

if ($button === 'option1') {
  // $5
} else if ($button === 'option2') {
  // $10
} else {
  // unknown value sent
}

Just as an example. You'd probably be retrieving $button value from the db instead of a bunch of if/elseif/else...

1 like
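The approach from the replies above, as an added example that is not part of the original thread: the client submits only a button value, and the server maps it to an amount from its own table, rejecting anything else. The `PRICES` table, the `resolveAmount()` helper and the sample requests are constructed for illustration; amounts are in cents.

```php
<?php
declare(strict_types=1);

// Hypothetical price table: button value => amount in cents.
// In a real application this would come from config or the database.
const PRICES = [
    'option1' => 500,   // $5
    'option2' => 1000,  // $10
];

/**
 * Resolve the amount to charge from submitted form data.
 * The client only chooses a key; the amount never comes from the request.
 */
function resolveAmount(array $input): int
{
    $button = $input['submit'] ?? null;

    // Reject missing values and non-strings (submit[]=x arrives as an array).
    if (!is_string($button) || !array_key_exists($button, PRICES)) {
        throw new InvalidArgumentException('Unknown payment option');
    }

    return PRICES[$button];
}

// Constructed sample requests, standing in for $_POST / $request->all().
$samples = [
    ['submit' => 'option2'],                   // normal click on the $10 button
    ['submit' => 'option1', 'amount' => '1'],  // tampered extra field is ignored
    ['submit' => 'option9'],                   // key changed to one not offered
    ['submit' => ['option1']],                 // wrong type
];

foreach ($samples as $input) {
    try {
        $cents = resolveAmount($input);
        printf("%s => charge %d cents\n", json_encode($input), $cents);
    } catch (InvalidArgumentException $e) {
        printf("%s => rejected: %s\n", json_encode($input), $e->getMessage());
    }
}
```

The value returned by `resolveAmount()` is the only amount that should be passed on to the charge call.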
