
PayPal Standard allows the product costs to be changed before being submitted #337

Closed
ClearThinking opened this issue Jan 11, 2013 · 2 comments

Comments

@ClearThinking

I just had this happen on my 1.5.4.1 store with the default PayPal Standard, where the order total was $0.01 in PayPal but correct in OpenCart. I assume because the product costs are in hidden fields, they can be changed before being submitted.

I thought this was solved in the past? Maybe at some point it reverted to an earlier version, or I'm misremembering. I haven't looked into a fix yet, but I'll let you know if I find one.

@mhcwebdesign
Collaborator

Interesting. I just managed to easily reproduce it myself, all I had to do was to dynamically change the hidden price field to '0.01', using Firebug, before clicking on the final 'Confirm Order'. This will be an issue with many other payment methods, too, whenever they use hidden price fields.

I think the only way to fix it is by tightening the validation in the respective callback methods, e.g. in the case of pp_standard, catalog/controller/payment/pp_standard.php needs a stricter validation of what is being sent back to its callback method in PayPal's IPN message. In particular, it has to check the total amount paid against the order total in OpenCart before regarding the order as complete.

@opencart
Collaborator

It is fixed: the order will never reach the complete order status, just the default order status.

This is the line that fixes it:

```php
// IPN callback: only treat the payment as valid when the money went to this store's
// PayPal account AND the amount PayPal reports (mc_gross) equals the order total that
// OpenCart itself stored for the order (the hidden form fields are never trusted).
if ((strtolower($this->request->post['receiver_email']) == strtolower($this->config->get('pp_standard_email')))
    && ((float)$this->request->post['mc_gross'] == $this->currency->format($order_info['total'], $order_info['currency_code'], $order_info['currency_value'], false))) {
    // ... order may be moved to the completed status here; otherwise it stays at the default status
}
```
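The same idea as a self-contained check, added here as an illustration and not OpenCart's own code: the callback recomputes the expected amount from the order the server stored, compares it with what PayPal says was paid, and refuses to complete the order otherwise. Function name, field names and the sample orders are assumptions; it also assumes the IPN message has already been echoed back to PayPal and answered VERIFIED, which is not shown.

```php
<?php
// Added example, not OpenCart's code. validate_ipn() is a hypothetical name; $order_info
// mirrors the shape used in the fix above (total, currency_code, currency_value).
function validate_ipn(array $post, array $order_info, string $store_paypal_email): string {
    // 1. The money must have gone to this store's PayPal account (case-insensitive).
    if (strtolower($post['receiver_email'] ?? '') !== strtolower($store_paypal_email)) {
        return 'reject: receiver_email mismatch';
    }
    // 2. The currency must be the one the order was placed in.
    if (($post['mc_currency'] ?? '') !== $order_info['currency_code']) {
        return 'reject: currency mismatch';
    }
    // 3. Recompute the expected amount from the server-side order, never from the form.
    //    Work in integer cents so the comparison does not depend on float equality.
    $expected = (int) round($order_info['total'] * $order_info['currency_value'] * 100);
    $paid     = (int) round(((float) ($post['mc_gross'] ?? 0)) * 100);
    if ($paid !== $expected) {
        return sprintf('reject: paid %.2f, expected %.2f', $paid / 100, $expected / 100);
    }
    // 4. Only a completed payment counts; Pending/Reversed etc. leave the default status.
    if (($post['payment_status'] ?? '') !== 'Completed') {
        return 'hold: payment_status ' . ($post['payment_status'] ?? '(missing)');
    }
    return 'complete';
}

// Constructed sample: the shop stored this order as 49.99 USD ...
$order_info = ['total' => 49.99, 'currency_code' => 'USD', 'currency_value' => 1.0];

// ... but the hidden price field was edited to 0.01 before 'Confirm Order', so PayPal
// reports 0.01 as paid. The genuine IPN reports the real total.
$tampered = ['receiver_email' => 'Shop@Example.com', 'mc_currency' => 'USD',
             'mc_gross' => '0.01', 'payment_status' => 'Completed'];
$genuine  = ['receiver_email' => 'shop@example.com', 'mc_currency' => 'USD',
             'mc_gross' => '49.99', 'payment_status' => 'Completed'];

echo validate_ipn($tampered, $order_info, 'shop@example.com'), PHP_EOL;
echo validate_ipn($genuine,  $order_info, 'shop@example.com'), PHP_EOL;
```

The tampered message is rejected on the amount check while the genuine one completes; the same comparison belongs in every payment module that relies on hidden price fields, as the comment above notes.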
