StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POHow to pass paypal API credentials SECURELY in with php (and why is this not considered secure)
primarykey
Id
17576444
data
AcceptedAnswerId
17580695
AnswerCount
1
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2013-07-10T16:51:41.867
FavoriteCount
1
LastActivityDate
2013-07-10T20:54:51.687
LastEditDate
2013-07-10T17:00:32.847
LastEditorUserId
1615297
OwnerUserId
1615297
ParentId
0
PostTypeId
1
Score
0
ViewCount
423
LastEditorDisplayName
text
Body
So obviously the paypal API code is not very easy to read or understand, neither is the documentation which is provided. <a href="http://digitalgoods.co/" rel="nofollow">This guy agrees with me.</a> <blockquote> If you’ve spent more than a few minutes in the PayPal documentation, you will know it’s easier to manually decrypt a 1024 bit RSA private key than to understand the PayPal Digital Goods with Express Checkout API. </blockquote> So I finally figured out how to get PHP to communicate with the paypal API through this sample code: <a href="https://ppmts.custhelp.com/app/answers/detail/a_id/945/kw/php" rel="nofollow">https://ppmts.custhelp.com/app/answers/detail/a_id/945/kw/php</a> However PayPal completely distances themselves from the samples they provide, they must have an interest in developers spending hours and hours to figure out the system, rather than to just give them code that's easy to implement and start getting paid. I wonder how they got so successful... As a matter of fact the sample code even says that it's not secure and should not be used for production: <pre><code>// Set API creds and version greater than 65.1, also set endpoint and redirect url //**************************************************// // This is where you would set your API Credentials // // Please note this is not considered "SECURE" this // // is an example only. It is NOT Recommended to use // // this method in production........................// //**************************************************// $APIUSERNAME = "xxxx"; $APIPASSWORD = "xxxx"; $APISIGNATURE = "xxxx"; $ENDPOINT = "https://api-3t.sandbox.paypal.com/nvp"; </code></pre> Essentially what happens is these variables are used to create a string which contains all the information about the purchase as well as the API credentials. The string is made up of each index and value pair and connected with ampersands <code>$req_str = "USER=xxxx&PWD=xxxx";</code> and so on. This string gets passed to a function <code>PPHttpPost($ENDPOINT, $req_str);</code>. This function uses <code>curl_init();</code> and related functions to somehow communicates with the paypal server and returns a unique key to identify the transaction and it's values. I am not exactly sure how this function works but it is listed on the link I provided above under "functions.php". Two questions: 1.) Why is this not considered secure? 2.) If it's not secure to tell the application about your API credentials by writing them into variables, then what is ?
Tags
<php><security><curl><paypal>
Title
How to pass paypal API credentials SECURELY in with php (and why is this not considered secure)
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USolli
UserOwnerUserId
1. USolli
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POHow to pass paypal API credentials SECURELY in with php (and why is this not considered secure)
 UserUserId
 USCodeguy007
 VoteTypeVoteTypeId
 VTFavorite
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.