Protecting PayPal payment info variables?


1

I have a webform that posts to PayPal all the PayPal variables for user payment:

<input type="hidden" name="item_name" value="Digital Download" />
<input type="hidden" name="amount" value="9.99" />
<input type="hidden" name="on0" value="Payment For" />
<input type="hidden" name="os0" value="My Product Description" />

and many more. However, the user can very easily modify these variables and the data sent to PayPal would be wrong.

I know I can still check the IPN response for whether the payment does match or not, but I would like to be able to also protect the user from tampering with these variables.

From what I can see, PayPal has a "create a buy now button" form on their site which does the same thing, but generates encrypted form data which is then decrypted at PayPal.

Is it possible for me to somehow use this encryption and decryption in the data I send to PayPal?

2012-04-05 02:14
by Yash Desai
PayPal doesn't have "correct practices" and "security consideration" documentation? Shame on them - NoName 2012-04-05 02:28
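
The IPN-side check the question mentions, as an added example (not code from the post or from PayPal): the price is looked up server-side and compared with what PayPal reports was paid, so an edited hidden `amount` field is caught before fulfilment. It assumes the form also sends an `invoice` field and that the IPN was already confirmed with PayPal's `cmd=_notify-validate` postback; the order table, merchant address and sample messages are constructed.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side order table: the price lives here, never in the form.
ORDERS = {
    "INV-1001": {"amount": Decimal("9.99"), "currency": "USD",
                 "item_name": "Digital Download"},
}
MERCHANT_EMAIL = "seller@example.com"  # assumed merchant account address


def check_ipn(ipn, orders=ORDERS, merchant=MERCHANT_EMAIL, seen_txns=None):
    """Return a list of reasons to reject the IPN; an empty list means fulfil.

    Assumes `ipn` is the decoded POST body of a message that PayPal's
    cmd=_notify-validate postback has already reported as VERIFIED.
    """
    seen_txns = set() if seen_txns is None else seen_txns
    order = orders.get(ipn.get("invoice", ""))
    if order is None:
        return ["unknown invoice"]
    problems = []
    if ipn.get("payment_status") != "Completed":
        problems.append("payment not completed")
    if ipn.get("receiver_email", "").lower() != merchant.lower():
        problems.append("paid to a different account")
    if ipn.get("mc_currency") != order["currency"]:
        problems.append("currency mismatch")
    try:
        paid = Decimal(ipn.get("mc_gross", ""))  # exact decimal, no float rounding
    except InvalidOperation:
        paid = None
    if paid != order["amount"]:
        problems.append("amount mismatch")
    if ipn.get("txn_id") in seen_txns:
        problems.append("duplicate txn_id")  # replayed notification
    if not problems:
        seen_txns.add(ipn.get("txn_id"))
    return problems


# Constructed IPN messages: one honest, one where the hidden "amount" was edited.
HONEST = {"invoice": "INV-1001", "payment_status": "Completed",
          "receiver_email": "seller@example.com", "mc_gross": "9.99",
          "mc_currency": "USD", "txn_id": "TXN-A"}
TAMPERED = dict(HONEST, mc_gross="0.01", txn_id="TXN-B")
```
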


0

You can encrypt the buttons yourself using PHP; while it takes a bit of work, it definitely does the job.

https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_encryptedwebpayments#id08A3I0P017Q

2012-04-05 03:57
by John V.


0

You can check their documentation for using their NVP API (Name Value Pair) to generate secure buttons.

While generating encrypted buttons still works, it requires far more work; this approach is simpler and also provides security.

2012-04-05 05:09
by StormByte