I have 3 items that I am selling on my website; I don't need a shopping cart or anything like that. After the user fills in a form with data, I navigate him to a new page, where I display all the data he entered and the price. Now this PayPal button is built from hidden input fields:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="[email protected]">
<input type="hidden" name="lc" value="EN">
<input type="hidden" name="item_name" value="aaa">
<input type="hidden" name="item_number" value="12345">
<input type="hidden" name="button_subtype" value="services">
<input type="hidden" name="no_note" value="0">
<input type="hidden" name="amount" value="">
<input type="hidden" name="bn" value="">
<input type="image" src="https://www.paypalobjects.com/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal">
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
With JavaScript I am entering the parameters into the new page and setting the price in the amount input (price) of the PayPal button.
When you click the button, you navigate to a PayPal page with the amount from:
<input type="hidden" name="amount" value="199.50">
My question: Is it the right thing to do? Any user, not even a hacker, can simply change the amount before pressing the button and then press it... as a result he will pay a different (probably lower) price!
I wanted to use the direct API, but it's only for businesses in the USA and Canada.
What is the best thing to do?
You should use encrypted website payments - https://www.paypal.com/cgi-bin/webscr?cmd=p/xcl/rec/ewp-intro-outside. This will ensure that the payment amount can't be changed. You can also update your settings to only allow payments from encrypted buttons to further protect your account / payments from being hacked to lower prices.
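The sign-then-encrypt step behind the encrypted button recommended above, as an added example (not code from the original thread), using `openssl smime`. The key pairs are throwaway test keys generated on the spot, `paypal-standin` takes the place of PayPal's public certificate, and `merchant@example.com`, `CERT_ID_PLACEHOLDER` and the function names are assumptions for the demo.

```shell
#!/usr/bin/env bash
# Added example: all keys, certificates and values below are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed key pair standing in for a real certificate.
make_cert() {  # $1 = name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Button variables are assembled on the server from the server-side
# price list; nothing here is read from a field the browser can edit.
button_vars() {  # $1 = amount
  printf '%s\n' "cmd=_xclick" "business=merchant@example.com" \
    "item_name=aaa" "item_number=12345" "amount=$1" \
    "cert_id=CERT_ID_PLACEHOLDER"
}

# Sign with the merchant key, then encrypt to the processor's certificate.
ewp_encrypt() {  # stdin = button variables, stdout = PEM blob
  openssl smime -sign -signer "$WORK/merchant.crt" \
      -inkey "$WORK/merchant.key" -outform der -nodetach -binary |
  openssl smime -encrypt -des3 -binary -outform pem "$WORK/paypal-standin.crt"
}

# Receiving side: decrypt, then accept only a signature made with the
# merchant certificate (-nointern ignores certificates inside the blob).
ewp_open() {  # stdin = PEM blob, stdout = button variables
  openssl smime -decrypt -inform pem -binary \
      -recip "$WORK/paypal-standin.crt" -inkey "$WORK/paypal-standin.key" |
  openssl smime -verify -inform der -binary -noverify -nointern \
      -certfile "$WORK/merchant.crt" 2>/dev/null
}

make_cert merchant
make_cert paypal-standin
button_vars 199.50 | ewp_encrypt > "$WORK/button.pem"
echo "blob the browser receives: $(wc -c < "$WORK/button.pem") bytes"
ewp_open < "$WORK/button.pem"
```

In the page itself the PEM blob becomes the value of a single hidden `encrypted` field and `cmd` becomes `_s-xclick`, so there is no plain `amount` input left for the visitor to edit.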