Every time I send BTC to my customer, I also send a notification of the txid. So now this practice should be avoided because there is a huge chance that the txid can be altered? And we should not store the txid in our database?
What should we do as merchants/developers to anticipate this malleability issue?
You can still rely on the txid, but ONLY AFTER SEVERAL CONFIRMATIONS.
Confirmation is king: not just for the safety of the funds, but also for the reliability of the txid.
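An added example, not part of the original posts: one way a payout system could apply this advice, treating the broadcast txid as provisional and recording a final txid only once a transaction spending the same inputs to the same outputs has enough confirmations. The class names, the `reconcile` helper, the threshold of 6 and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

REQUIRED_CONFIRMATIONS = 6  # assumption: the thread only says "several"

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset    # outpoints spent, as (prev_txid, vout) pairs
    outputs: frozenset   # (address, amount_in_satoshi) pairs
    confirmations: int

    def fingerprint(self):
        # A malleated copy re-encodes the signature, which changes the txid,
        # but it still spends the same outpoints to the same outputs.
        return (self.inputs, self.outputs)

@dataclass
class Payout:
    customer: str
    broadcast: Tx                     # what we sent; its txid is provisional
    final_txid: Optional[str] = None  # set only after enough confirmations

def reconcile(payout, chain_txs):
    """Return 'pending', 'confirmed' or 'confirmed-malleated'."""
    for tx in chain_txs:
        if tx.fingerprint() != payout.broadcast.fingerprint():
            continue
        if tx.confirmations < REQUIRED_CONFIRMATIONS:
            return "pending"
        payout.final_txid = tx.txid
        if tx.txid == payout.broadcast.txid:
            return "confirmed"
        return "confirmed-malleated"
    return "pending"

def demo():
    # Constructed sample values, not real transactions.
    ins = frozenset({("aa" * 32, 0)})
    outs = frozenset({("customer-address", 50_000)})
    payout = Payout("customer-1", Tx("11" * 32, ins, outs, 0))
    seen = Tx("22" * 32, ins, outs, 6)  # same spend, different txid
    return reconcile(payout, [seen]), payout.final_txid

if __name__ == "__main__":
    print(demo())
```

With this layout the database keeps the broadcast txid for reference, and the customer notification can be marked provisional until `final_txid` is set.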