I have a serious problem in my osCommerce ebook store where, when a customer purchases the product, they are changing the PayPal value by changing the price of the product and getting it for $0.01 even though the fixed price of the product is $17. Another person got the product without paying through PayPal. In the admin area I can see the order details are successfully completed. I am totally confused with the security level of the osCommerce ebook store site. Can anyone help me to stop this nonsense on the site? I feel there is a loophole in the PHP script of the osCommerce source.
I identified the issue that causes this problem. I made a test purchase and found it. When I select a product, go to checkout and then to PayPal, and on the PayPal landing page I paste the site's success page URL, it takes me to the download page with a success message and records the sale as status "completed". I think we have to validate with PayPal's token in the site's success page, am I correct?
Yes, you should validate whatever PayPal sends back to you. Sounds like you don't have IPN implemented? Ideally the payment amount should not be used when passed back. The success page should have access to the payment total and compare it to what was charged at PayPal.
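One way to do the validation this answer describes, as an added example that is not from the answer or from osCommerce: an IPN handler that echoes the message back to PayPal, then checks status, recipient, currency, amount and `txn_id` against the shop's own order record before anything is marked paid. The PayPal URL, the IPN field names and the `cmd=_notify-validate` postback are real IPN conventions; `RECEIVER_EMAIL`, the `ORDERS` table and carrying the order id in `custom` are assumptions.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl
from urllib.request import Request, urlopen

PAYPAL_IPN_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"
RECEIVER_EMAIL = "seller@example.com"          # assumption: the store's PayPal account

# Constructed stand-in for the shop's own order table: order id -> (amount, currency).
# The amount the customer must pay comes from here, never from the request.
ORDERS = {"1001": ("17.00", "USD")}
SEEN_TXN_IDS = set()                             # txn_ids already credited (replay guard)


def paypal_verify(raw_body: str) -> bool:
    """Post the unmodified IPN body back to PayPal; trust it only on 'VERIFIED'."""
    req = Request(PAYPAL_IPN_URL, data=("cmd=_notify-validate&" + raw_body).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode() == "VERIFIED"


def validate_ipn(raw_body: str, verify=paypal_verify, seen=SEEN_TXN_IDS):
    """Return (ok, reason). Only ok=True may mark the order paid / unlock the download."""
    if not verify(raw_body):
        return False, "ipn not verified by paypal"
    p = dict(parse_qsl(raw_body, keep_blank_values=True))
    order = ORDERS.get(p.get("custom", ""))      # 'custom' carried our order id out and back
    if order is None:
        return False, "unknown order"
    if p.get("payment_status") != "Completed":
        return False, "payment not completed"
    if p.get("receiver_email", "").lower() != RECEIVER_EMAIL.lower():
        return False, "paid to a different account"
    expected_amount, expected_currency = order
    if p.get("mc_currency") != expected_currency:
        return False, "currency mismatch"
    try:
        paid = Decimal(p.get("mc_gross", ""))
    except InvalidOperation:
        return False, "malformed amount"
    if paid != Decimal(expected_amount):          # a $0.01 payment for a $17 order fails here
        return False, "amount mismatch"
    txn_id = p.get("txn_id", "")
    if not txn_id or txn_id in seen:
        return False, "duplicate or missing txn_id"
    seen.add(txn_id)
    return True, "ok"
```

The success/return page should only show a download link after this check has recorded the order as paid; a visitor who types the success URL by hand then gets nothing, because no verified IPN exists for their order.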