微信公众号搜"智元新知"关注
微信扫一扫可直接关注哦!

使用 django-paypal 安全吗?

分类:编程问答

如何解决使用 django-paypal 安全吗?

我正在使用 django-paypal 包来实现我的网站付款

settings.py

INSTALLED_APPS = [
    # other apps
    "paypal.standard.ipn","payment","...."
]
....
PAYPAL_RECEIVER_EMAIL = "receiverEmail@gmail.com"
PAYPAL_TEST = True

views.py

...
def payment_process(request):
    host = request.get_host()
    paypal_dict = {
        "business": settings.PAYPAL_RECEIVER_EMAIL,"amount": "99","item_name": "python_book22","invoice": "some invice name22","currency_code": "USD","notify_url": "http://{}{}".format(host,reverse("paypal-ipn")),"return_url": "http://{}{}".format(host,reverse("payment:done")),"cancel_return": "http://{}{}".format(host,reverse("payment:cancel")),}
    form = PayPalPaymentsForm(initial=paypal_dict)
    return render(request,"payment/payment_process.html",{"form": form})


@csrf_exempt
def Done(request):
    return render(request,"payment/done.html")


@csrf_exempt
def Cancel(request):
    return render(request,"payment/cancel.html")

我不知道这有多安全,因为在客户端它呈现这样的表单

<form action="https://www.sandBox.paypal.com/cgi-bin/webscr" method="post">
    <input type="hidden" name="cmd" value="_xclick" id="id_cmd">
    <input type="hidden" name="charset" value="utf-8" id="id_charset">
    <input type="hidden" name="currency_code" value="USD" id="id_currency_code">
    <input type="hidden" name="no_shipping" value="1" id="id_no_shipping">
    <input type="hidden" name="business" value="reciverEmail@gmail.com" id="id_business">                 
    <input type="hidden" name="amount" value="99" id="id_amount">
    <input type="hidden" name="item_name" value="python_book22" id="id_item_name">
    <input type="hidden" name="invoice" value="some invice name22" id="id_invoice">
    <input type="hidden" name="notify_url" value="http://127.0.0.1:8000/paypal/" id="id_notify_url">
    <input type="hidden" name="cancel_return" value="http://127.0.0.1:8000/payment/cancel/" id="id_cancel_return">
    <input type="hidden" name="return" value="http://127.0.0.1:8000/payment/done/" id="id_return">
    <input type="image" src="https://www.paypal.com/en_US/i/btn/btn_buyNowCC_LG.gif" name="submit" alt="Buy it Now">
</form>

任何人都可以轻松更改 <input type="hidden" name="business" value="reciverEmail@gmail.com" id="id_business"> 并编写其他电子邮件,而系统(无法/不)检测到它,并且在向其他帐户付款后它会返回成功网址(但是付款是到其他帐户)。

有什么想法吗?? 对不起,如果我错过了什么或有误会

版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。

苹果市值2025年有望达4万亿美元
pythonJavaScriptjavaHTMLPHPreactjsC#AndroidCSSNode.jssqlrpython-3.xMysqLjQueryc++pandasFlutterangularIOSdjangolinuxswifttypescript路由器JSON路由器设置无线路由器h3c华三华三路由器设置华三路由器电脑软件教程arraysdocker软件图文教程Cvue.jslaravelspring-boot