<form action='https://www.paypal.com/cgi-bin/webscr' method='post' name='paynow'>
<input type='hidden' name='cmd' value='_xclick'>
<input type='hidden' name='business' value='$selleremail'>
<input type='hidden' name='lc' value='GB'>
<input type='hidden' name='item_name' value='Domain trader: $row->title'>
<input type='hidden' name='amount' value='$row->price'>
<input type='hidden' name='currency_code' value='GBP'>
<input type='hidden' name='return' value='http://domain.local/purchased&paid=y'>
<input type='hidden' name='cancel_return' value='http://domain.local/purchased&paid=n'>
<a href=\"javascript:buynow();\">
<img alt='Buy Now' border='0' src='/images/btn_buynow.png' width='103' height='32'></a>
</form>
Got this code from PayPal so a buyer can buy something directly from the seller. The issue is, as you can see, that the price, the button and, almost the worst part, the return URL are all exposed.
I have no means of encrypting this that I know of, and the fact their email address is exposed is a worry. It's down to the seller to ensure the right price is paid for their item.
But what worries me the most is that the 'return' URL could just be pasted into their screen, and the item would be marked as sold on the site. It doesn't matter if no money is passed; the whole site could be "sold".
Is there a sneaky PHP way I can stop that? I did think of a sessionID, but even then, that session would be captured on the buy now page I think.
Help!!
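An added example, not part of the post above and not PayPal's own sample code, showing the server-side approach that removes the problem described: the return URL never marks anything sold; only an Instant Payment Notification (IPN) that the listener has posted back to PayPal and had answered "VERIFIED" does. The listener then checks that the verified payment went to the seller's account, in GBP, for the listed price, and that the transaction id has not been used before. Assumed and not from the post: an included `db.php` that defines a PDO connection `$pdo` and `$selleremail`; an `items` table with `id`, `price`, `sold` columns; a `payments` table whose `txn_id` column is UNIQUE; and that the form carries the item id in PayPal's `custom` field and points `notify_url` at this script.

```php
<?php
// Added example (not from the original post): PayPal IPN listener that marks
// an item sold only after PayPal itself confirms the payment server-to-server.
// Assumptions (hypothetical, not from the post): db.php defines $pdo (PDO) and
// $selleremail; table items(id, price, sold); table payments(txn_id UNIQUE, item_id).
declare(strict_types=1);

require __DIR__ . '/db.php'; // assumed to define $pdo and $selleremail

// Live IPN postback host; PayPal's sandbox uses ipnpb.sandbox.paypal.com instead.
const PAYPAL_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';

/**
 * Post the raw IPN body back to PayPal, prefixed with cmd=_notify-validate,
 * and accept it only if PayPal answers exactly "VERIFIED".
 * A forged POST to this script never passes this step.
 */
function paypalVerifyIpn(string $rawBody): bool
{
    $ch = curl_init(PAYPAL_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // never disable: the postback is the trust anchor
        CURLOPT_HTTPHEADER     => ['User-Agent: PHP-IPN-Verification-Script'],
    ]);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response === 'VERIFIED';
}

/**
 * Compare the verified IPN fields with what the shop expected. Each check
 * closes one way a tampered hidden form field could still be cashed in.
 * Returns null when everything matches, otherwise a short reason.
 */
function ipnMatchesOrder(array $ipn, string $selleremail, string $expectedPrice): ?string
{
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return 'payment not completed';
    }
    // business/receiver_email was a hidden field: confirm the money reached the seller
    if (strcasecmp($ipn['receiver_email'] ?? '', $selleremail) !== 0) {
        return 'paid to a different account';
    }
    if (($ipn['mc_currency'] ?? '') !== 'GBP') {
        return 'wrong currency';
    }
    // amount was a hidden field: compare against the price stored server-side
    $paid = number_format((float)($ipn['mc_gross'] ?? '0'), 2, '.', '');
    if ($paid !== number_format((float)$expectedPrice, 2, '.', '')) {
        return 'amount differs from listed price';
    }
    return null;
}

// ---- listener entry point (PayPal POSTs here via notify_url) ----------------
$rawBody = file_get_contents('php://input');
parse_str($rawBody, $ipn);

// Always answer 200 so PayPal stops retrying; decide internally what to trust.
http_response_code(200);

if (!paypalVerifyIpn($rawBody)) {
    error_log('IPN: postback not VERIFIED, ignoring');
    exit;
}

$itemId = (int)($ipn['custom'] ?? 0); // item id set in the form's hidden `custom` field
$stmt = $pdo->prepare('SELECT price FROM items WHERE id = ? AND sold = 0');
$stmt->execute([$itemId]);
$item = $stmt->fetch(PDO::FETCH_ASSOC);
if ($item === false) {
    error_log("IPN: unknown or already sold item $itemId");
    exit;
}

$problem = ipnMatchesOrder($ipn, $selleremail, (string)$item['price']);
if ($problem !== null) {
    error_log("IPN: rejected for item $itemId: $problem");
    exit;
}

// Replay protection: a txn_id can only be recorded once (UNIQUE constraint),
// so a genuine IPN resent or captured later cannot mark a second item sold.
try {
    $pdo->beginTransaction();
    $pdo->prepare('INSERT INTO payments (txn_id, item_id) VALUES (?, ?)')
        ->execute([$ipn['txn_id'], $itemId]);
    $pdo->prepare('UPDATE items SET sold = 1 WHERE id = ?')->execute([$itemId]);
    $pdo->commit();
} catch (PDOException $e) {
    $pdo->rollBack();
    error_log('IPN: duplicate txn_id or DB error: ' . $e->getMessage());
}
```

With this in place the `return` page does nothing but show a "thanks, awaiting confirmation" message and read the item's `sold` flag from the database, so pasting `purchased&paid=y` into the address bar changes nothing. The hidden fields in the form stay visible, and that is fine: the seller's email and the price are no longer trusted from the browser, because the listener compares what PayPal reports against the values stored on the server.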