You're right - dynamic PayPal buttons are easily "hackable" if you pass, for example, the price of the product in clear text.

However, PayPal supports public-key button encryption, so that the relevant details cannot be easily altered. This is the way it works:

- You generate a public/private key pair with an appropriate program such as OpenSSL.
- You log in to your PayPal account and submit the public key to PayPal, then store the private key securely on your Web server. You will also need to download PayPal's certificate and store it on your server as well. It is also highly recommended to tell PayPal not to accept unsigned/unencrypted transactions (see link at bottom for details).
- Each time you need to generate a PayPal button, you encrypt the data using PayPal's public key and sign it with your private key, then you display the result on your Web page. When the user clicks the button, PayPal will decrypt the details and check they have not been tampered with since their generation on your server.

This way, as long as your private key is uncompromised, no one will be able to alter the transaction's details.

More information and detailed instructions are available at https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_encryptedwebpayments#id08A3I0P017Q.
(Although PayPal provides its software to generate encrypted buttons, I think it's possible to create them "on the fly" using appropriate functions, such as openssl_*() in PHP; I haven't tested them personally.)

An alternative would be implementing Instant Payment Notification (https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_admin_IPNIntro); you could check that the amount of the transaction performed by the user equals the total order amount.
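The sign-then-encrypt flow the answer above describes, as an added example that is not part of the original answer and is not PayPal's own tooling. It drives the openssl command line (the answer mentions OpenSSL) and plays both sides: the merchant signs the button variables with its private key and encrypts the signed blob to PayPal's certificate; "PayPal" decrypts with its private key and verifies the signature against the merchant certificate on file. Assumptions: the three identities (merchant, paypal, attacker) are self-signed certificates generated locally for the demonstration, where in production you would upload your certificate to PayPal and download PayPal's real one; the button variables are constructed sample input; the -aes256 cipher is this example's choice. The forged button shows why signing matters: anyone can encrypt to PayPal's public certificate, so encryption alone does not prove who built the button.

```shell
#!/bin/sh
# Added example, not code from the answer above or from PayPal.
# Simulates PayPal's Encrypted Website Payments sign-then-encrypt flow with
# the openssl CLI. ASSUMPTION: all three identities (merchant, paypal,
# attacker) are self-signed certificates generated locally; in production you
# upload merchant.crt to PayPal and download PayPal's real public certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a 2048-bit RSA key and a self-signed certificate named $1.
gen_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Merchant side. $1 = signing identity, $2 = button variables.
# Sign the variables with the signer's private key (PKCS#7, content attached),
# then encrypt the signed blob to PayPal's certificate. Only the encrypted PEM
# blob is placed in the HTML form, so the shopper never sees the price in
# clear text. The -aes256 cipher choice is this example's.
build_button() {
  printf '%s' "$2" |
    openssl smime -sign -signer "$WORK/$1.crt" -inkey "$WORK/$1.key" \
      -outform der -nodetach -binary 2>/dev/null |
    openssl smime -encrypt -aes256 -binary -outform pem "$WORK/paypal.crt"
}

# PayPal side. $1 = file holding the PEM blob submitted with the form.
# Decrypt with PayPal's private key, then verify the signature against the
# merchant certificate registered for this account. Prints the recovered
# variables and exits 0 only if BOTH steps succeed; a blob not signed by the
# merchant key (forged, or tampered with after signing) is rejected.
verify_button() {
  openssl smime -decrypt -inform pem -in "$1" \
      -recip "$WORK/paypal.crt" -inkey "$WORK/paypal.key" 2>/dev/null |
    openssl smime -verify -inform der -binary \
      -CAfile "$WORK/merchant.crt" 2>/dev/null
}

gen_identity merchant
gen_identity paypal
gen_identity attacker   # holds paypal.crt (it is public) but not merchant.key

# Constructed sample button variables (PayPal Website Payments Standard names).
GOOD_VARS='cmd=_xclick
business=seller@example.com
item_name=Widget
amount=49.99
currency_code=USD'

# The same order with the price changed: the attack the answer warns about.
FORGED_VARS='cmd=_xclick
business=seller@example.com
item_name=Widget
amount=0.01
currency_code=USD'

build_button merchant "$GOOD_VARS"   > "$WORK/good.pem"
build_button attacker "$FORGED_VARS" > "$WORK/forged.pem"

echo "--- genuine button: PayPal recovers exactly what the merchant signed"
verify_button "$WORK/good.pem"; echo

echo "--- forged button: encrypted to PayPal correctly, but not merchant-signed"
if verify_button "$WORK/forged.pem" >/dev/null; then
  echo "forgery ACCEPTED (must never happen)"; exit 1
else
  echo "forgery rejected: signature does not verify against merchant.crt"
fi
```

The decisive step is the `-CAfile merchant.crt` check in `verify_button`: PayPal must bind the signature to the certificate the merchant uploaded, not merely to any certificate embedded in the blob. The answer's advice to tell PayPal to refuse unsigned/unencrypted transactions closes the remaining gap, since otherwise an attacker could skip the encrypted form entirely and post a plain button with a cheaper price.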