PayPal 'Buy Now' Integration

kendo451

Re: PayPal 'Buy Now' Integration

Post by kendo451 »

This is still vulnerable to hacking, because the attacker can capture the unique string from the return url and then change the quantity and product info.  So they could pay for a $10 product and change the return string to say they bought 20 of a $150 product --> $3000 worth of stuff!  Of course they would need a special browser to do this - one that captures the return url from PayPal but doesn't immediately redirect. I'm sure hackers have such things.

So, to make this more secure, you want to include the product number, quantity, and payment amount in the md5 hash.  Now, if they change any of the parameters in the return string Calguy's method will detect it.
Pierre M.

Re: PayPal 'Buy Now' Integration

Post by Pierre M. »

Hello kendo,
kendo451 wrote: Of course they would need a special browser to do this - one that captures the return url from PayPal but doesn't immediately redirect. I'm sure hackers have such things.
Sure.
kendo451 wrote: So, to make this more secure, you want to include the product number, quantity, and payment amount in the md5 hash.  Now, if they change any of the parameters in the return string Calguy's method will detect it.
Your suggestion reminds me of some "webservice API" which stated: all parameters are sorted, then concatenated (url&param=...) and a last &cryptokey=HashOfAll is appended. And the webservice exposed a public key used to participate in the hash computation too.

Pierre M.
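The two posts above describe the same fix: bind the product number, quantity and amount into the hash that travels with the return URL, over a canonical (sorted) form of the parameters, so that changing any of them is detected. The following is an added example written for this thread; it is not Calguy's method, Pierre's web service or any CMSMS module. It uses an HMAC with SHA-256 and a server-side secret instead of a bare md5, because a plain hash of public values can be recomputed by anyone who knows the scheme. The secret, the base URL and the parameter names are assumptions.

```php
<?php
// Added example, not from the thread or any module. Sign the order parameters
// that will come back in PayPal's return URL so that a changed quantity,
// product or amount is detected. SERVER_SECRET is an assumed value that must
// only ever exist on the server.
const SERVER_SECRET = 'replace-with-a-long-random-secret'; // assumption

// Canonical form, as Pierre M. describes it: sort by key, then join as a query string.
function canonicalize(array $params): string {
    ksort($params, SORT_STRING);
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Signature computed when the button / return URL is generated.
function sign_return_params(array $params, string $secret = SERVER_SECRET): string {
    return hash_hmac('sha256', canonicalize($params), $secret);
}

// Return URL handed to PayPal, carrying the signature as one more parameter.
function build_return_url(string $base, array $params, string $secret = SERVER_SECRET): string {
    $params['sig'] = sign_return_params($params, $secret);
    return $base . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// On return: remove the signature, recompute over the rest, compare in constant time.
function verify_return_params(array $query, string $secret = SERVER_SECRET): bool {
    if (!isset($query['sig']) || !is_string($query['sig'])) {
        return false;
    }
    $sig = $query['sig'];
    unset($query['sig']);
    return hash_equals(sign_return_params($query, $secret), $sig);
}

// Constructed order: the unique string plus the values kendo451 says must be covered.
$order = [
    'order'       => 'a1b2c3',   // constructed unique string for this purchase
    'item_number' => 'SKU-10',   // constructed product number
    'quantity'    => '1',
    'amount'      => '10.00',
];
$url = build_return_url('https://shop.example/return.php', $order); // assumed URL

// What the return script sees: parse the query string back into an array.
parse_str(parse_url($url, PHP_URL_QUERY), $returned);
var_dump(verify_return_params($returned));

// The tampering described in the post: same unique string, edited quantity and product.
$tampered = $returned;
$tampered['quantity']    = '20';
$tampered['item_number'] = 'SKU-150';
var_dump(verify_return_params($tampered));
```

The first `var_dump` is true and the second false: any edit to a covered parameter changes the canonical string and the HMAC no longer matches. Note what this does and does not prove: a valid signature shows that the parameters were produced by your own site and not altered in transit; it does not show that a payment took place, since the return URL can be fetched without ever paying. That part has to come from PayPal itself, which is the point daz makes later in the thread.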
kendo451

Re: PayPal 'Buy Now' Integration

Post by kendo451 »

Right, Pierre,

The two secure methods of making sure the returned data matches what was paid for are:

A. Use public key pairs and digital signatures, like PayPal's encryption API.

B. You store a shared secret key with the payment provider when you set up the account.  Your payment details are encrypted to that key, as are the details on return.  Goldmoney.com uses that method.

Those methods are only as secure as the private/secret key file on the server.

All else is just playing the "add more info to make it more secure" game, like Visa and the banks constantly requiring MORE info to verify a card payment, which is just as quickly collected by identity thieves as the old days of just the card number.

Ken
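Method A from this post, a digital signature over the order details with a private key that stays on the server, as an added example that is not PayPal's encryption API nor any module in the thread. The point of the asymmetric version over a shared-secret HMAC is that whoever checks the signature (the payment provider, or a second server of your own) needs only the public key, so nothing secret has to be shared. The key pair is generated at run time purely for the demonstration; in deployment the private key file is exactly the asset Ken says the whole scheme rests on. The order field names are assumptions.

```php
<?php
// Added example, not from the thread. Requires the openssl extension.

// Generate an RSA key pair for the demonstration (a deployment would load the
// private key from a file readable only by the web server's user).
function generate_key_pair(): array {
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    openssl_pkey_export($key, $privatePem);
    $publicPem = openssl_pkey_get_details($key)['key'];
    return [$privatePem, $publicPem];
}

// Canonical encoding so that signer and verifier hash exactly the same bytes.
function canonical_order(array $order): string {
    ksort($order, SORT_STRING);
    return json_encode($order);
}

// Sign with the private key; the result is what would travel with the order.
function sign_order(array $order, string $privatePem): string {
    openssl_sign(canonical_order($order), $sig, $privatePem, OPENSSL_ALGO_SHA256);
    return base64_encode($sig);
}

// Verify with the public key only. openssl_verify returns 1 for a valid
// signature, 0 for an invalid one and -1 on error, so test for exactly 1.
function verify_order(array $order, string $sigB64, string $publicPem): bool {
    $sig = base64_decode($sigB64, true);
    if ($sig === false) {
        return false;
    }
    return openssl_verify(canonical_order($order), $sig, $publicPem, OPENSSL_ALGO_SHA256) === 1;
}

[$privatePem, $publicPem] = generate_key_pair();

// Constructed order details (field names are assumptions).
$order = ['item_number' => 'SKU-10', 'quantity' => '1', 'amount' => '10.00'];
$signature = sign_order($order, $privatePem);
var_dump(verify_order($order, $signature, $publicPem));

// Alter the amount after signing: the signature no longer verifies.
$order['amount'] = '3000.00';
var_dump(verify_order($order, $signature, $publicPem));
```

The first check passes and the second fails. As with any signature scheme, the verifier must only ever check with a public key it obtained out of band, never one that arrives alongside the signed data, or the attacker simply supplies both.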
JeremyBASS

Re: PayPal 'Buy Now' Integration

Post by JeremyBASS »

@kendo451 I have a mod that may calm your fears on this issue here, PayPalButtonMaker.  It should take care of the issues of easily reverse engineering or intercepting... though any good webmaster that knows how to use Fiddler can tell you what the code was, but I don't think they are going to be able to do anything with that information as you only know the pieces after the fact... but that is My2Cents there.... Hope that helps

Cheers
Jeremy
wapcamer
Forum Members
Posts: 83
Joined: Thu Aug 09, 2007 12:10 am
Location: Paris

Re: PayPal 'Buy Now' Integration

Post by wapcamer »

Hi all,
I'm upping the topic because I have an issue regarding a paypal 'buy now' button.

I'm trying to use the PaypalButtonMaker mod, which I find very convenient and well designed (thanx JeremyBass).

What I would like to do is, after completion of a payment, have my site notified via the IPN interface. I have an IPN script which I have tested with the PayPal IPN simulator and it works fine. The goal of it is to automatically generate and send a license code to the purchaser's email - I'm trying to sell software licenses.

Do you have any idea of a way to achieve that with the use of PaypalButtonMaker or any other means?
Thanks in advance :)
JeremyBASS

Re: PayPal 'Buy Now' Integration

Post by JeremyBASS »

I have not had time to add the IPN interface... sorry PPBM will not do that atm.. it's on the list behind the cart... but you can use the return and post to have cmsms make and send the license code... Cheers -Jeremy
wapcamer
Forum Members
Posts: 83
Joined: Thu Aug 09, 2007 12:10 am
Location: Paris

Re: PayPal 'Buy Now' Integration

Post by wapcamer »

Thanks for your reply JeremyBASS :)
Actually, after checking again in my paypal account, there is a field at the end of the button creation form which is called 'custom' in which you can specify several things, amongst them a line like:
notify_url=http://blabla/myIPNlistener.php

Hence I thought you just had to add a textfield in PPBM button maker in order to take it into account - no need to develop something specific to IPN.
But I understand you have other priorities ;)

Hence so far, I'll stick with static buttons generated by PayPal, which is a shame because I can't test with the sandbox and your module is just so cool otherwise. And I'm really not in the mood of getting back to further PHP developments, I already have enough with the site creation and my software developments  ;D

Thanks anyway :)
Last edited by wapcamer on Tue Apr 27, 2010 11:47 pm, edited 1 time in total.
daz
Forum Members
Posts: 10
Joined: Sun Jun 14, 2009 7:50 pm

Re: PayPal 'Buy Now' Integration

Post by daz »

Indeed the only way to actually determine if a payment was valid is to use PayPal's IPN system. I found a script somewhere online a while back that stores info from PayPal into a database, then used the Smarty PHP tag to determine if the user paid for the product.

Unless you want to lose money, don't rely on data that goes through someone else's computer first.
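The IPN listener that wapcamer's `notify_url` points at and that daz relies on, reduced to its security checks, as an added example that is neither the script daz found nor any module's code. PayPal's own verification step is to POST the received message back, unchanged and prefixed with `cmd=_notify-validate`, and to accept only the reply `VERIFIED`; after that the listener still has to compare what was paid against what it expected, because a verified message only proves PayPal sent it, not that it matches this order. The HTTP transport is passed in as a callable so the logic runs offline here against a constructed message; a deployment would POST to `https://ipnpb.paypal.com/cgi-bin/webscr` (sandbox: `https://ipnpb.sandbox.paypal.com/cgi-bin/webscr`). The expected-order array and the seen-transaction store are assumptions standing in for a database lookup.

```php
<?php
// Added example, not from the thread. In a real listener $raw comes from
// file_get_contents('php://input') and must be posted back byte for byte.

// Step 1: ask PayPal whether it really sent this message.
function verify_with_paypal(string $raw, callable $post): bool {
    return $post('cmd=_notify-validate&' . $raw) === 'VERIFIED';
}

// Normalise a money string so "10.0" and "10.00" compare equal.
function money(string $s): string {
    return number_format((float) $s, 2, '.', '');
}

// Step 2: check the verified message against what we expected to be paid.
// Returns null when the payment should be honoured, otherwise the reason not to.
function check_ipn(array $ipn, array $expected, array &$seenTxns): ?string {
    if (($ipn['payment_status'] ?? '') !== 'Completed')                      return 'payment not completed';
    if (($ipn['receiver_email'] ?? '') !== $expected['receiver_email'])      return 'paid to someone else';
    if (($ipn['mc_currency'] ?? '') !== $expected['currency'])               return 'wrong currency';
    if (money($ipn['mc_gross'] ?? '0') !== money($expected['amount']))       return 'wrong amount';
    if (($ipn['item_number'] ?? '') !== $expected['item_number'])            return 'wrong item';
    $txn = $ipn['txn_id'] ?? '';
    if ($txn === '' || isset($seenTxns[$txn]))                               return 'missing or replayed txn_id';
    $seenTxns[$txn] = true;   // remember it so a replay of the same IPN is refused
    return null;
}

// Constructed IPN body (field names are PayPal's; values are made up).
$raw = 'payment_status=Completed&receiver_email=seller%40shop.example'
     . '&mc_gross=10.00&mc_currency=EUR&item_number=SKU-10&quantity=1'
     . '&txn_id=CONSTRUCTED-TXN-1&custom=a1b2c3';
parse_str($raw, $ipn);

// Stand-in transport: replies VERIFIED only to a correctly prefixed echo of the body.
$fakeTransport = function (string $body): string {
    return strpos($body, 'cmd=_notify-validate&') === 0 ? 'VERIFIED' : 'INVALID';
};

// What our database says this order (custom=a1b2c3) should cost (assumed values).
$expected = [
    'receiver_email' => 'seller@shop.example',
    'currency'       => 'EUR',
    'amount'         => '10.00',
    'item_number'    => 'SKU-10',
];
$seenTxns = [];

if (!verify_with_paypal($raw, $fakeTransport)) {
    echo "rejected: PayPal did not answer VERIFIED\n";
} else {
    $why = check_ipn($ipn, $expected, $seenTxns);
    echo $why === null ? "accepted: generate and send the licence\n" : "rejected: $why\n";
}

// The same message delivered a second time is refused by the txn_id check.
echo (check_ipn($ipn, $expected, $seenTxns) ?? 'accepted'), "\n";

// A message for a cheaper payment on a dearer order is refused by the amount check.
$cheap = $ipn;
$cheap['mc_gross'] = '1.00';
$cheap['txn_id']   = 'CONSTRUCTED-TXN-2';
echo (check_ipn($cheap, $expected, $seenTxns) ?? 'accepted'), "\n";
```

The first run accepts, the replay is rejected for a reused `txn_id`, and the underpaid message is rejected on amount. The order of the two steps matters: the comparison against the expected order is only meaningful once PayPal has confirmed the message, and neither step can be replaced by trusting the browser's return URL, for the reason daz gives.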