Is it safe to use django-paypal?

Problem description

I am using the django-paypal package to implement payments on my website.

settings.py

INSTALLED_APPS = [
    # other apps
    "paypal.standard.ipn",   # provides the IPN endpoint named "paypal-ipn"
    "payment",
    "....",
]
....
PAYPAL_RECEIVER_EMAIL = "receiverEmail@gmail.com"   # account that should receive the payments
PAYPAL_TEST = True   # post to the PayPal sandbox instead of the live endpoint

views.py

...
from django.conf import settings
from django.shortcuts import render
from django.urls import reverse
from django.views.decorators.csrf import csrf_exempt
from paypal.standard.forms import PayPalPaymentsForm


def payment_process(request):
    # all URLs are built from the request's Host header with plain http (as in the question)
    host = request.get_host()
    paypal_dict = {
        "business": settings.PAYPAL_RECEIVER_EMAIL,   # account that should receive the money
        "amount": "99",
        "item_name": "python_book22",
        "invoice": "some invice name22",
        "currency_code": "USD",
        "notify_url": "http://{}{}".format(host, reverse("paypal-ipn")),     # PayPal posts the IPN here
        "return_url": "http://{}{}".format(host, reverse("payment:done")),   # buyer is redirected here after paying
        "cancel_return": "http://{}{}".format(host, reverse("payment:cancel")),
    }
    # renders the hidden-field form that posts to PayPal (sandbox while PAYPAL_TEST is True)
    form = PayPalPaymentsForm(initial=paypal_dict)
    return render(request, "payment/payment_process.html", {"form": form})


@csrf_exempt
def Done(request):
    # return_url target: a landing page only, it receives no payment data
    return render(request, "payment/done.html")


@csrf_exempt
def Cancel(request):
    return render(request, "payment/cancel.html")

I don't know how safe this is, because on the client side it renders a form like this:

<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post">
    <input type="hidden" name="cmd" value="_xclick" id="id_cmd">
    <input type="hidden" name="charset" value="utf-8" id="id_charset">
    <input type="hidden" name="currency_code" value="USD" id="id_currency_code">
    <input type="hidden" name="no_shipping" value="1" id="id_no_shipping">
    <input type="hidden" name="business" value="reciverEmail@gmail.com" id="id_business">
    <input type="hidden" name="amount" value="99" id="id_amount">
    <input type="hidden" name="item_name" value="python_book22" id="id_item_name">
    <input type="hidden" name="invoice" value="some invice name22" id="id_invoice">
    <input type="hidden" name="notify_url" value="http://127.0.0.1:8000/paypal/" id="id_notify_url">
    <input type="hidden" name="cancel_return" value="http://127.0.0.1:8000/payment/cancel/" id="id_cancel_return">
    <input type="hidden" name="return" value="http://127.0.0.1:8000/payment/done/" id="id_return">
    <input type="image" src="https://www.paypal.com/en_US/i/btn/btn_buynowCC_LG.gif" name="submit" alt="Buy it Now">
</form>

Anyone can easily change <input type="hidden" name="business" value="reciverEmail@gmail.com" id="id_business"> and put in a different email, and the system (can't/doesn't) detect it; after paying to the other account it still returns to the success URL (but the payment went to the other account).

Any ideas?? Sorry if I missed something or misunderstood.
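The following is an added example of the server-side check that addresses the concern above; it is not code from the original post or from django-paypal. The hidden form is only a request to PayPal. What proves a payment is the IPN that PayPal posts to notify_url, and that message carries the account that was actually credited (receiver_email), the amount and currency actually paid (mc_gross, mc_currency) and the invoice. django-paypal already posts the IPN back to PayPal to confirm it is genuine before firing its valid_ipn_received signal, but that only proves the message came from PayPal, not that the money went to your account, so the handler must compare these fields with the server's own record. The order store, the IPN bodies and the txn_id values below are constructed for the example.

```python
from decimal import Decimal, InvalidOperation

# The account that must receive the money (settings.PAYPAL_RECEIVER_EMAIL on the page).
RECEIVER_EMAIL = "receiverEmail@gmail.com"


def new_orders():
    """Orders the merchant recorded server-side before rendering the button,
    keyed by the `invoice` value placed in the hidden form (constructed data;
    in a real app this is the order table)."""
    return {
        "some invice name22": {"amount": Decimal("99.00"), "currency": "USD", "paid_txn": None},
    }


def verify_ipn(ipn, orders, receiver_email=RECEIVER_EMAIL):
    """Decide whether an IPN proves that `invoice` was paid in full to us.

    `ipn` is the dict of fields PayPal posts to notify_url. PayPal fills
    receiver_email / mc_gross / mc_currency from what was actually paid, so
    comparing them with the server's own record is what defeats a browser
    that edited the hidden `business` or `amount` inputs. Returns (ok, reason).
    """
    if ipn.get("payment_status") != "Completed":
        return False, "payment_status is %r, not Completed" % ipn.get("payment_status")

    # 1. The money must have gone to OUR account, whatever `business` said in the form.
    if (ipn.get("receiver_email") or "").lower() != receiver_email.lower():
        return False, "paid to wrong account: %r" % ipn.get("receiver_email")

    # 2. The invoice must be one we created.
    order = orders.get(ipn.get("invoice"))
    if order is None:
        return False, "unknown invoice: %r" % ipn.get("invoice")

    # 3. Amount and currency must match our record, not the form's hidden fields.
    try:
        gross = Decimal(ipn.get("mc_gross", ""))
    except (InvalidOperation, TypeError, ValueError):
        return False, "unparseable mc_gross: %r" % ipn.get("mc_gross")
    if gross != order["amount"] or ipn.get("mc_currency") != order["currency"]:
        return False, "expected %s %s, got %s %s" % (
            order["amount"], order["currency"], ipn.get("mc_gross"), ipn.get("mc_currency"))

    # 4. Each PayPal transaction is applied once: a re-sent IPN must not
    #    settle the order a second time or re-deliver the goods.
    txn_id = ipn.get("txn_id")
    if not txn_id:
        return False, "missing txn_id"
    if order["paid_txn"] is not None:
        return False, "invoice already settled by txn %s" % order["paid_txn"]

    order["paid_txn"] = txn_id
    return True, "ok"


# Constructed IPN bodies shaped like the fields PayPal posts (not real notifications).
LEGIT_IPN = {
    "payment_status": "Completed", "receiver_email": "receiverEmail@gmail.com",
    "invoice": "some invice name22", "mc_gross": "99.00", "mc_currency": "USD",
    "txn_id": "1AB23456CD789012E",
}
# The buyer edited the hidden `business` input, so PayPal credited that account instead.
TAMPERED_IPN = dict(LEGIT_IPN, receiver_email="attacker@example.com", txn_id="9ZY87654XW321098V")

if __name__ == "__main__":
    orders = new_orders()
    print(verify_ipn(LEGIT_IPN, orders))                             # (True, 'ok')
    print(verify_ipn(LEGIT_IPN, orders))                             # replayed IPN: already settled
    print(verify_ipn(TAMPERED_IPN, new_orders()))                    # paid to wrong account
    print(verify_ipn(dict(LEGIT_IPN, mc_gross="1.00"), new_orders()))  # amount mismatch
```

To wire this into the setup from the question, connect a receiver to valid_ipn_received from paypal.standard.ipn.signals and build the dict from the PayPalIPN instance it passes as sender (its receiver_email, mc_gross, mc_currency, invoice, txn_id and payment_status fields); only a True result should mark the order paid. The Done view at return_url must never be treated as proof of payment: PayPal redirects the buyer there regardless of which account was credited, so that page should show "payment pending" until the IPN check has run. If you want the buyer to be unable to edit the fields in the first place, django-paypal also ships PayPalEncryptedPaymentsForm, which signs and encrypts the button parameters with your PayPal certificate; the IPN comparison above is still needed on top of it.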

Solution

No effective solution to this problem has been found yet; the editor is still collecting one.

