How to properly set the amount when paying with stripe?

I do not fully understand the payment process in Stripe. For example, the user must pay $50. What I (my app) am doing:

  1. I show the user a form for entering data about the card.

         <form action="your-server-side-code" method="POST">
           <script
             src="https://checkout.stripe.com/checkout.js" class="stripe-button"
             data-key="pk_test_TYooMQauvdEDq54NiTphI7jx"
             data-amount="50000"
             data-name="Stripe.com"
             data-description="Example charge"
             data-image="https://stripe.com/img/documentation/checkout/marketplace.png"
             data-locale="auto"
             data-zip-code="true">
           </script>
         </form>
  2. After the user has pressed the payment button, I get the Request object and get the token from it. After that I fill in the parameters, and one of the parameters is the amount:

         import java.util.HashMap;
         import java.util.Map;
         import com.stripe.model.Charge;

         // Token posted by Checkout.js as the "stripeToken" form field
         String token = request.getParameter("stripeToken");

         Map<String, Object> params = new HashMap<String, Object>();
         params.put("amount", 50000);          // amount in the smallest currency unit (cents)
         params.put("currency", "usd");
         params.put("description", "Example charge");
         params.put("source", token);          // the card token from the form
         Charge charge = Charge.create(params);

Why do I send the amount twice, the first time on the form and the second time from the code?

Why can I not get the amount from the request instead?

    params.put("amount", request.getParameter("amount")); // always 0

In all my attempts, this method always returns 0.

How does it work? How is the amount in the first step related to the amount in the second step? What if I specify another amount in the second step? I.e. the user will see $50 on the form, and then from the code I will arbitrarily set $60?

It would just be logical to send the amount once and get it from the request.

1 answer

  • answered 2018-11-08 09:56 karllekko

    Setting the amount from the frontend is a security and fraud risk. For example, the customer could easily use a browser extension or other tools to change the amount that is sent in the request. If your backend blindly trusts this amount, it's possible for an attacker to create an order on your system, but change the price to $0.01 for example.

    That's why you should determine the price to charge only on your backend based on the items in the order/shopping cart, essentially.

    data-amount is purely for display to the user, and the amount you pass to the Create Charge API is the actual amount they will be charged.
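A server-side version of step 2 that follows this answer, added here as an example (it is not code from the question or from the answer): the total is computed from a hypothetical server-side price list and the cart kept in the session, and the `amount` form field is never read. The class name ChargeServlet, the price map UNIT_PRICE_CENTS, computeAmountCents and the session attribute "cart" are assumptions; the secret key is a placeholder.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.*;
import com.stripe.Stripe;
import com.stripe.exception.StripeException;
import com.stripe.model.Charge;

public class ChargeServlet extends HttpServlet {

    // Hypothetical server-side price list, in cents. In a real app this comes
    // from your database; it is the only place a price may come from.
    private static final Map<String, Long> UNIT_PRICE_CENTS =
            Map.of("book-101", 2500L, "pen-202", 500L);

    /** Totals the cart (item id -> quantity) from trusted prices; -1 if any line is invalid. */
    static long computeAmountCents(Map<String, Integer> cart) {
        long total = 0;
        for (Map.Entry<String, Integer> line : cart.entrySet()) {
            Long unit = UNIT_PRICE_CENTS.get(line.getKey());
            if (unit == null || line.getValue() == null || line.getValue() <= 0) {
                return -1;
            }
            total += unit * line.getValue();
        }
        return total;
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
        Stripe.apiKey = "sk_test_PLACEHOLDER"; // secret key stays on the server, loaded from config

        // Checkout.js posts the card token; the cart was built server-side earlier in the session.
        String token = request.getParameter("stripeToken");
        Map<String, Integer> cart = (Map<String, Integer>) request.getSession().getAttribute("cart");
        long amountCents = (cart == null) ? -1 : computeAmountCents(cart);
        if (token == null || amountCents <= 0) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid order");
            return;
        }

        Map<String, Object> params = new HashMap<>();
        params.put("amount", amountCents); // server-computed; request.getParameter("amount") is never used
        params.put("currency", "usd");
        params.put("source", token);
        try {
            Charge charge = Charge.create(params);
            response.getWriter().println("charged " + charge.getAmount() + " cents, id " + charge.getId());
        } catch (StripeException e) {
            response.sendError(HttpServletResponse.SC_BAD_GATEWAY, "payment failed");
        }
    }
}
```

The `data-amount` on the form should be rendered from the same server-side total so that what the user sees matches what is charged.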