Rank: Starting Member
Groups: Registered
Joined: 7/11/2003 Posts: 2 Location: ,
Hey all.
Quick question about security.
I have my php page sending all the proper values (taken from the mysql database) and have it populate the Paypal fields automatically. When I view the source of the page it is the following (I changed a few values in case it IS a security problem):
<html><body>
This is a test for the Paypal option..
<br><br>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="MyAccount@rogers.com">
<input type="hidden" name="item_name" value="ITEM NAME">
<input type="hidden" name="item_number" value="1234">
<input type="hidden" name="amount" value="99.99">
<input type="hidden" name="return" value="http://www.mysite.com/secure/success.php">
<input type="hidden" name="cancel_return" value="http://www.mysite.com/cancel.php">
<input type="hidden" name="no_note" value="1">
<input type="hidden" name="currency_code" value="CAD">
<input type="image" src="https://www.paypal.com/images/x-click-but23.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>
</body></html>
Is it not a security risk to show the value? Couldn't someone copy the page and enter $0.01 or something?
Does the source HAVE to show this info or am I not doing something right?
Thanks in advance! Paul
Rank: Starting Member
Groups: Registered
Joined: 7/11/2003 Posts: 2 Location: ,
Another question, Paypal says that when the user hits the send payment button it sends the variables to my server and then back to paypal, where it detects if the transaction is VERIFIED or INVALID. Does this get done automatically? Do I have to add code to this in any way?
When I get to my SUCCESS.php page I check to make sure it's VERIFIED and check for duplicates etc., then just take the variables and save them in my DB? Correct?
Rank: Starting Member
Groups: Registered
Joined: 9/16/2002 Posts: 2,960 Location: ,
You have it correct. Merchants should review all orders either manually or programmatically with IPN. The sample code handles the post-back: http://www.paypal.com/ipn
Correct. You can process the "return" URL but processing the Notification URL is more reliable.
Patrick Breitenbach
PayPal, Inc. Dev Net: https://www.paypal.com/pdn
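The reply above describes the real defence against the tampered-form worry in the first post: the hidden fields are only a request, and the server must re-check every value when PayPal's IPN arrives. The listener below is an added example written for this thread, not PayPal's own sample code; `lookup_order_price`, `txn_already_recorded` and `record_payment` are hypothetical helpers (backed here by constructed in-memory data instead of the MySQL table), and the post-back address with `cmd=_notify-validate` follows PayPal's IPN documentation, so confirm the current endpoint there before deploying.

```php
<?php
// ipn.php: IPN listener. The visitor can rewrite amount/currency in the form,
// so every value is checked against the price stored on our side.

function paypal_postback(string $raw_post): string {
    // Echo the notification back to PayPal unchanged, with cmd=_notify-validate
    // in front. PayPal answers with the single word VERIFIED or INVALID.
    $ch = curl_init('https://www.paypal.com/cgi-bin/webscr');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $raw_post,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $reply = curl_exec($ch);
    curl_close($ch);
    return is_string($reply) ? trim($reply) : 'INVALID';
}

function ipn_problems(array $ipn, string $verdict, array $order, bool $txn_seen): array {
    // $order is the server-side record for item_number; nothing in $ipn is trusted.
    $problems = [];
    if ($verdict !== 'VERIFIED')                         $problems[] = 'postback not VERIFIED';
    if (($ipn['payment_status'] ?? '') !== 'Completed')  $problems[] = 'payment not Completed';
    if (strcasecmp($ipn['receiver_email'] ?? '', $order['business']) !== 0)
        $problems[] = 'receiver_email is not our account';
    if (($ipn['mc_currency'] ?? '') !== $order['currency_code']) $problems[] = 'wrong currency';
    // Compare money as whole cents so "0.01" or "99.989" never passes as 99.99.
    if ((int) round((float) ($ipn['mc_gross'] ?? 0) * 100) !== (int) round($order['amount'] * 100))
        $problems[] = 'mc_gross differs from the stored price';
    if ($txn_seen) $problems[] = 'txn_id already processed (duplicate/replay)';
    return $problems;
}

// Hypothetical helpers; constructed data stands in for the MySQL lookups.
function lookup_order_price(string $item_number): array {
    $catalog = ['1234' => ['business' => 'MyAccount@rogers.com', 'amount' => 99.99, 'currency_code' => 'CAD']];
    return $catalog[$item_number] ?? ['business' => '', 'amount' => -1, 'currency_code' => ''];
}
function txn_already_recorded(string $txn_id): bool { return in_array($txn_id, ['ALREADYSEEN1'], true); }
function record_payment(array $ipn): void { /* INSERT ... keyed on txn_id */ }

$raw      = file_get_contents('php://input');
$order    = lookup_order_price($_POST['item_number'] ?? '');
$problems = ipn_problems($_POST, paypal_postback($raw), $order, txn_already_recorded($_POST['txn_id'] ?? ''));
if ($problems === []) {
    record_payment($_POST);
} else {
    error_log('IPN rejected: ' . implode('; ', $problems) . ' ' . json_encode($_POST));
}
http_response_code(200); // acknowledge either way, or PayPal keeps resending the same IPN
```

The success.php return page can still show the buyer a receipt, but the order should only be marked paid once this listener has accepted the matching txn_id.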