PLEASE NOTE: These forums are no longer utilized and are provided as an archive for informational purposes only. All support issues will be handled via email using our support ticket system. For more detailed information on this change, please see this blog post.

Payment amount spoofed somehow

  1. Hello,

    Yesterday someone somehow purchased a product off my site that should have cost $3 for $0.01. After doing a bit of research online some people are saying it's possible to spoof posted variables and do this.

    The bigger problem is that the Gravity forms entry actually shows the wrong amount, but the purchase still completed! As I'm using the user addon as well to work as a digital delivery system this basically means someone got this product for free.

    Does Gravity forms check that the amount returned from Paypal matches the product value? If it doesn't is there anyway I can implement this?


    Posted 11 years ago on Friday March 16, 2012 | Permalink
  2. Does anyone have an update on this?

    Posted 11 years ago on Monday March 19, 2012 | Permalink
  3. It is not possible to spoof the prices that appears on the form and have those prices submitted and stored as such.

    It IS possible to manipulate the javascript that displays the pricing and the Total price on the form itself. HOWEVER, the form processor doesn't rely on this javascript for the pricing and it calculates the total using server side code when the form is submitted.

    When Gravity Forms processes the PayPal IPN request, it verifies that the PayPal IPN request totals match the totals stored in the form entry data. It will reject the IPN request if they do not match.

    So yes, there is verification in place to prevent users from manipulating pricing data both on the form, and when checking out via PayPal.

    Posted 11 years ago on Tuesday March 20, 2012 | Permalink

This topic has been resolved and has been closed to new replies.