如何解决使用 django-paypal 安全吗?
我正在使用 django-paypal
包来实现我的网站付款
settings.py
INSTALLED_APPS = [
# other apps
"paypal.standard.ipn","payment","...."
]
....
PAYPAL_RECEIVER_EMAIL = "receiverEmail@gmail.com"
PAYPAL_TEST = True
views.py
...
def payment_process(request):
host = request.get_host()
paypal_dict = {
"business": settings.PAYPAL_RECEIVER_EMAIL,"amount": "99","item_name": "python_book22","invoice": "some invice name22","currency_code": "USD","notify_url": "http://{}{}".format(host,reverse("paypal-ipn")),"return_url": "http://{}{}".format(host,reverse("payment:done")),"cancel_return": "http://{}{}".format(host,reverse("payment:cancel")),}
form = PayPalPaymentsForm(initial=paypal_dict)
return render(request,"payment/payment_process.html",{"form": form})
@csrf_exempt
def Done(request):
return render(request,"payment/done.html")
@csrf_exempt
def Cancel(request):
return render(request,"payment/cancel.html")
我不知道这有多安全,因为在客户端它呈现这样的表单
<form action="https://www.sandBox.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick" id="id_cmd">
<input type="hidden" name="charset" value="utf-8" id="id_charset">
<input type="hidden" name="currency_code" value="USD" id="id_currency_code">
<input type="hidden" name="no_shipping" value="1" id="id_no_shipping">
<input type="hidden" name="business" value="reciverEmail@gmail.com" id="id_business">
<input type="hidden" name="amount" value="99" id="id_amount">
<input type="hidden" name="item_name" value="python_book22" id="id_item_name">
<input type="hidden" name="invoice" value="some invice name22" id="id_invoice">
<input type="hidden" name="notify_url" value="http://127.0.0.1:8000/paypal/" id="id_notify_url">
<input type="hidden" name="cancel_return" value="http://127.0.0.1:8000/payment/cancel/" id="id_cancel_return">
<input type="hidden" name="return" value="http://127.0.0.1:8000/payment/done/" id="id_return">
<input type="image" src="https://www.paypal.com/en_US/i/btn/btn_buyNowCC_LG.gif" name="submit" alt="Buy it Now">
</form>
任何人都可以轻松更改 <input type="hidden" name="business" value="reciverEmail@gmail.com" id="id_business">
并编写其他电子邮件,而系统(无法/不)检测到它,并且在向其他帐户付款后它会返回成功网址(但是付款是到其他帐户)。
有什么想法吗?? 对不起,如果我错过了什么或有误会
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。