Possible client side security risk when calculating payment totals?
Last Post 05-30-2011 03:15 AM by Matt Bunce. 0 Replies.
Matt Bunce (skipping stones, Posts: 12)
05-30-2011 03:15 AM
    I have been looking at the various tutorials which focus on how to use PayPal integration (Hint - some of the links don't work, so I had to work out what the URL is meant to be).

    It seems that when calculating the total amount payable for a set of products and calculating a discount (based on a promo code) the calculation is done client side, with the total amount to be billed stored in a hidden field.

    Doesn't this present a risk of someone ordering many products, but overriding the total, by using Firebug or something similar, to update the hidden value to "$1" and then proceeding to PayPal? The PayPal transaction would complete successfully, leading to the payment confirmed events to be processed even if the amount paid has been hacked.

    Have I misunderstood how the client side calculation is being used, or is there a way to make this work securely?

    Thanks

    Matt
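
The server-side check the question points toward, as an added example that is not part of the original post or of the tutorials it mentions: the total is recomputed from server-held prices, stored with the order, and compared against the amount reported in the payment confirmation before anything is fulfilled. All names (`CATALOG`, `PROMOS`, `compute_total`, `create_order`, `confirm_payment`) and the sample data are hypothetical, and the confirmation is assumed to have already been authenticated with the payment processor.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample data: server-side price list and promo codes (hypothetical).
CATALOG = {"SKU-1": Decimal("19.99"), "SKU-2": Decimal("5.00")}
PROMOS = {"SAVE10": Decimal("0.10")}  # fraction off the subtotal
CENT = Decimal("0.01")


def compute_total(cart, promo_code=None):
    """Recompute the amount due from server-held prices only.

    cart maps SKU -> quantity as submitted by the browser; any total or
    price the browser sent is deliberately not an input here.
    """
    subtotal = Decimal("0")
    for sku, qty in cart.items():
        if sku not in CATALOG:
            raise ValueError(f"unknown product: {sku}")
        if not isinstance(qty, int) or isinstance(qty, bool) or qty < 1:
            raise ValueError(f"bad quantity for {sku}")
        subtotal += CATALOG[sku] * qty
    discount = PROMOS.get(promo_code, Decimal("0"))  # unknown code = no discount
    return (subtotal * (1 - discount)).quantize(CENT, rounding=ROUND_HALF_UP)


def create_order(orders, order_id, cart, promo_code=None, currency="USD"):
    """Store the server-computed total before redirecting to the processor."""
    orders[order_id] = {"total": compute_total(cart, promo_code),
                        "currency": currency, "paid": False}
    return orders[order_id]["total"]


def confirm_payment(orders, order_id, paid_amount, paid_currency):
    """Mark an order paid only if the reported payment matches the stored total.

    paid_amount / paid_currency are assumed to come from a payment
    notification that has already been authenticated with the processor.
    """
    order = orders.get(order_id)
    if order is None or order["paid"]:
        return False
    if paid_currency != order["currency"]:
        return False
    if Decimal(paid_amount).quantize(CENT) != order["total"]:
        return False  # underpaid or altered amount: do not fulfil
    order["paid"] = True
    return True
```

The hidden field can still be used to display the total to the customer; it simply never feeds the stored order or the fulfilment decision.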

