
Paypal smart button server side php

I'm new to payment gateways in general, and I'm not sure what I'm doing. What I'm trying to do is check on the server side whether the client changed the amount of money to pay. This is the smart button script:

    <div id="smart-button-container">
      <div style="text-align: center;">
        <div id="paypal-button-container"></div>
      </div>
    </div>
    <script src="https://www.paypal.com/sdk/js?client-id=sb&enable-funding=venmo&currency=USD"
      data-sdk-integration-source="button-factory"></script>
    <script>
      function initPayPalButton() {
        paypal.Buttons({
          style: {
            shape: 'rect',
            color: 'gold',
            layout: 'vertical',
            label: 'paypal',
          },

          createOrder: function(data, actions) {
            // The amount is set here, in the browser, so it is under the user's control
            return actions.order.create({
              purchase_units: [{"amount":{"currency_code":"USD","value":50}}]
            });
          },

          onApprove: function(data, actions) {
            return actions.order.capture().then(function(orderData) {

              // Full available details
              console.log('Capture result', orderData, JSON.stringify(orderData, null, 2));

              // Show a success message within this page, e.g.
              const element = document.getElementById('paypal-button-container');
              element.innerHTML = '';
              element.innerHTML = '<h3>Thank you for your payment!</h3>';

              // Or go to another URL:  actions.redirect('thank_you.html');

            });
          },

          onError: function(err) {
            console.log(err);
          }
        }).render('#paypal-button-container');
      }
      initPayPalButton();
    </script>

As you can see, the client can change the `"value":50` to any amount. How can I prevent this? I searched a lot and didn't find good videos on how to secure it.

Your code is a client-side JS SDK integration. To have control over order creation and captures, you need to perform those operations from a server.

Follow the PayPal Checkout integration guide and make 2 routes on your server, one for 'Create Order' and one for 'Capture Order' (see the optional step 5 in 'Add and modify the code'). Both of these routes should return only JSON data (no HTML or text). Inside the 2nd route, when the capture API is successful, you should store its resulting payment details in your database (particularly `purchase_units[0].payments.captures[0].id`, which is the PayPal transaction ID) and perform any necessary business logic (such as sending confirmation emails or reserving product) immediately, before forwarding your return JSON to the frontend caller.

Pair those 2 routes with the frontend approval flow: https://developer.paypal.com/demo/checkout/#/pattern/server


If you need to transfer any data from the client to the server, add a body object to the fetch parameters. This will become JSON input to your server route (look up how to read JSON input in PHP; you do not use `$_POST` for this, that is for form-encoded inputs).

Your server verifies/controls the amount of the order creation in the create route, and verifies successful payment for the correct amount in the capture route, before propagating the response back to the client JS.
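The two server routes described in this answer, written out as an added PHP example (this is not the answer's own code and not PayPal's sample code). It assumes the PayPal REST Orders v2 sandbox endpoint, credentials in the `PAYPAL_CLIENT_ID` and `PAYPAL_SECRET` environment variables, a hypothetical server-side `CATALOG` that is the only source of prices, dispatch on a `?route=` query parameter, and that the `reference_id` set on the purchase unit at creation is echoed back in the capture response. The client sends only a SKU and, later, the order ID; the amount is never read from the request, and the capture route checks PayPal's own response for the expected amount before anything is recorded, because an order ID handed to the capture route could have been created elsewhere for a different amount.

```php
<?php
// paypal-server.php (added example, not the answer's or PayPal's code).
declare(strict_types=1);

const PAYPAL_API = 'https://api-m.sandbox.paypal.com';  // assumption: sandbox

// Hypothetical catalog: prices live on the server; the client only sends a SKU.
const CATALOG = [
    'sku-basic' => ['currency_code' => 'USD', 'value' => '50.00'],
    'sku-pro'   => ['currency_code' => 'USD', 'value' => '120.00'],
];

// Every route answers with JSON only, as the answer recommends.
function json_out(int $status, array $body): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

// fetch() sends a JSON body; $_POST only sees form-encoded input, so read php://input.
function read_json_body(): array {
    $data = json_decode((string) file_get_contents('php://input'), true);
    return is_array($data) ? $data : [];
}

// OAuth client-credentials grant; the secret never leaves the server.
function paypal_access_token(): string {
    $ch = curl_init(PAYPAL_API . '/v1/oauth2/token');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'grant_type=client_credentials',
        CURLOPT_USERPWD        => getenv('PAYPAL_CLIENT_ID') . ':' . getenv('PAYPAL_SECRET'),
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $resp = json_decode((string) curl_exec($ch), true);
    curl_close($ch);
    if (empty($resp['access_token'])) {
        json_out(502, ['error' => 'could not obtain PayPal token']);
    }
    return $resp['access_token'];
}

function paypal_post(string $path, ?array $body): array {
    $ch = curl_init(PAYPAL_API . $path);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body === null ? '{}' : json_encode($body),
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json',
                                   'Authorization: Bearer ' . paypal_access_token()],
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $resp = json_decode((string) curl_exec($ch), true);
    curl_close($ch);
    return is_array($resp) ? $resp : [];
}

// Normalise "50", "50.0" and "50.00" to one representation before comparing.
function same_money(string $a, string $b): bool {
    return number_format((float) $a, 2, '.', '') === number_format((float) $b, 2, '.', '');
}

$route = $_GET['route'] ?? '';  // e.g. paypal-server.php?route=create-order

if ($route === 'create-order') {
    $sku = read_json_body()['sku'] ?? '';
    if (!isset(CATALOG[$sku])) {
        json_out(400, ['error' => 'unknown product']);
    }
    // The amount comes from the catalog, never from the request body.
    $order = paypal_post('/v2/checkout/orders', [
        'intent'         => 'CAPTURE',
        'purchase_units' => [['reference_id' => $sku, 'amount' => CATALOG[$sku]]],
    ]);
    if (empty($order['id'])) {
        json_out(502, ['error' => 'order creation failed']);
    }
    json_out(201, ['id' => $order['id']]);  // the frontend returns this from createOrder
}

if ($route === 'capture-order') {
    $orderId = read_json_body()['orderID'] ?? '';
    if (!preg_match('/^[A-Z0-9]{1,32}$/', $orderId)) {  // keep the ID out of the URL path unless well-formed
        json_out(400, ['error' => 'bad order id']);
    }
    $result   = paypal_post("/v2/checkout/orders/{$orderId}/capture", null);
    $unit     = $result['purchase_units'][0] ?? [];
    $capture  = $unit['payments']['captures'][0] ?? [];
    $expected = CATALOG[$unit['reference_id'] ?? ''] ?? null;

    // Verify status and amount against PayPal's response, not against anything the client sent.
    if (($capture['status'] ?? '') !== 'COMPLETED' || $expected === null
        || ($capture['amount']['currency_code'] ?? '') !== $expected['currency_code']
        || !same_money((string) ($capture['amount']['value'] ?? '0'), $expected['value'])) {
        json_out(402, ['error' => 'payment not completed for the expected amount']);
    }
    // Record the transaction ID before replying (append-only file stands in for a database here).
    file_put_contents('transactions.log', json_encode([
        'transaction_id' => $capture['id'], 'order_id' => $orderId,
        'sku' => $unit['reference_id'], 'amount' => $expected,
    ]) . "\n", FILE_APPEND | LOCK_EX);
    json_out(200, ['status' => 'COMPLETED', 'transaction_id' => $capture['id']]);
}

json_out(404, ['error' => 'unknown route']);
```

On the frontend this pairs with the server pattern linked above: `createOrder` does a `fetch('paypal-server.php?route=create-order', {method: 'POST', body: JSON.stringify({sku: 'sku-basic'})})` and returns the `id` from the JSON, and `onApprove` posts `{orderID: data.orderID}` to `route=capture-order` and only shows the thank-you message if the server replied with status `COMPLETED`. Note that the client-side `actions.order.create` / `actions.order.capture` calls from the question are no longer used at all.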
