PayPal buttons: how do I protect sellers' sales?
Posted: Tue Nov 12, 2013 3:54 am
by simonmlewis
Code:
<form action='https://www.paypal.com/cgi-bin/webscr' method='post' name='paynow'>
<input type='hidden' name='cmd' value='_xclick'>
<input type='hidden' name='business' value='$selleremail'>
<input type='hidden' name='lc' value='GB'>
<input type='hidden' name='item_name' value='Domain trader: $row->title'>
<input type='hidden' name='amount' value='$row->price'>
<input type='hidden' name='currency_code' value='GBP'>
<input type='hidden' name='return' value='http://domain.local/purchased&paid=y'>
<input type='hidden' name='cancel_return' value='http://domain.local/purchased&paid=n'>
<a href=\"javascript:buynow();\">
<img alt='Buy Now' border='0' src='/images/btn_buynow.png' width='103' height='32'></a>
</form>
Hi
Got this code from PayPal so a buyer can buy something directly from the seller. Issue is, as you can see, the price, button, and almost the worst part - the Return URL is all exposed.
I have no means of encrypting this that I know of, and the fact their email address is exposed is a worry. It's down to the seller to ensure the right price is paid for their item.
But what worries me the most, is that the 'return' URL could just be pasted into their screen, and the item be marked as sold on the site. Doesn't matter if no money is passed, the whole site could be "sold".
Is there a sneaky PHP way I can stop that? I did think of a sessionID, but even then, that session would be captured on the buy now page I think.
Help!!
Re: PayPal buttons: how do I protect sellers' sales?
Posted: Tue Nov 12, 2013 5:47 am
by Celauran
PayPal's IPN sends a POST request containing information about the payment, including whether or not it was successful. There's absolutely no reason for a simple URL to mark anything as paid.
Re: PayPal buttons: how do I protect sellers' sales?
Posted: Tue Nov 12, 2013 5:49 am
by simonmlewis
Do you know where in PayPal's help center it gives instruction on this please?
Re: PayPal buttons: how do I protect sellers' sales?
Posted: Tue Nov 12, 2013 6:11 am
by Celauran
Re: PayPal buttons: how do I protect sellers' sales?
Posted: Tue Nov 12, 2013 6:19 am
by simonmlewis
Thanks. I've spotted this:
return_url The URL to which the sender's browser is redirected after approving a payment on paypal.com. Use the pay key to identify the payment as follows: payKey=${payKey}.
But this is what I am using, however I don't know how to use "paykey", and encrypt or whatever I should do, to use that return url, without showing the buyer the URL in the view source.
Re: PayPal buttons: how do I protect sellers' sales?
Posted: Tue Nov 12, 2013 6:27 am
by Celauran
I haven't worked with the Pay or AdaptivePay APIs. I have typically used order number to query our database and retrieve any pertinent information about the buyer.
Re: PayPal buttons: how do I protect sellers' sales?
Posted: Tue Nov 12, 2013 6:33 am
by simonmlewis
Mmmmm we aren't using order numbers.
This is between the buyer and the seller - not us. I'll have to consult with PayPal over it. Thanks.
Re: PayPal buttons: how do I protect sellers' sales?
Posted: Tue Nov 12, 2013 5:52 pm
by Eric!
This style of paypal technique is very insecure and is no longer used by most sites. The purchased item should never be accessible directly via URL without a login or some kind of authorization code. In other words even if you're using encrypted buttons, don't have a return_url that allows access to your items.
The classic API uses the IPN method, where a successful payment generates a long list of data that is sent to a specific URL on your server. Your server then verifies with Paypal to avoid spoofs, and authorizes a specific user access to the purchased item.
Access can be granted by sending an email with a login code, or a randomly generated token that expires after one use and/or a certain amount of time. This url with token serves up the item they bought but does not link to it directly.
Access can also be granted by including a random token in the button that identifies the user (assuming you are using an account/login system) using the "custom" field in the button. This will then be passed back via IPN data (after a purchase). This can be used to identify the user's account (via some kind of account/login system) and grant them access.
More advanced methods allow you to integrate the payment gateway of Paypal directly into your site so users do not need to redirect to paypal. They can do it right on your site or even run credit cards without redirecting (or even know that paypal is processing their card). If you are doing CC's then check that your code/site is PCI compliant.
You can also look at using the REST API.
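The IPN flow described in this post, as an added example that is not part of the original thread or PayPal's own sample code: the handler posts the notification back for verification, then checks payee, amount, currency and the "custom" token against the site's own listing record, so an edited form price or a pasted return URL cannot mark an item sold. Function names, array keys and the sample data are hypothetical; the postback URL is the one used in the form at the top of the thread.

```php
<?php
// Added example; function names, $listing keys and sample values are hypothetical.

// Step 1: post the notification back so PayPal confirms it really sent it.
function paypal_confirms(string $rawBody): bool
{
    $ch = curl_init('https://www.paypal.com/cgi-bin/webscr');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $reply = curl_exec($ch);
    return is_string($reply) && trim($reply) === 'VERIFIED';
}

// Step 2: compare what was paid with what the site has on record for the listing.
function ipn_problems(array $ipn, array $listing, array $seenTxnIds): array
{
    $pence = fn($v) => (int) round(((float) $v) * 100);
    $problems = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment not completed';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $listing['seller_email']) !== 0) {
        $problems[] = 'paid to a different account';
    }
    if (($ipn['mc_currency'] ?? '') !== 'GBP' || $pence($ipn['mc_gross'] ?? 0) !== $pence($listing['price'])) {
        $problems[] = 'amount or currency differs from the listing';
    }
    if (!hash_equals($listing['custom_token'], (string) ($ipn['custom'] ?? ''))) {
        $problems[] = 'custom token does not belong to this sale';
    }
    if (in_array($ipn['txn_id'] ?? '', $seenTxnIds, true)) {
        $problems[] = 'transaction already processed';
    }
    return $problems;
}

// Constructed data: one listing row and an IPN body whose amount was edited in the form.
// In the live handler the body is file_get_contents('php://input') and is only
// inspected after paypal_confirms() has returned true.
$listing = ['seller_email' => 'seller@example.test', 'price' => '250.00', 'custom_token' => 'tok-constructed-1'];
$raw = 'payment_status=Completed&receiver_email=seller%40example.test&mc_gross=0.01'
     . '&mc_currency=GBP&custom=tok-constructed-1&txn_id=CONSTRUCTED123';
parse_str($raw, $ipn);
$problems = ipn_problems($ipn, $listing, []);
echo $problems ? 'NOT sold: ' . implode('; ', $problems) : 'mark listing as sold', "\n";
```

The listing is marked sold only from this server-side handler, never from the browser's return URL, which should do no more than show a "thanks, waiting for confirmation" page.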
Re: PayPal buttons: how do I protect sellers' sales?
Posted: Wed Nov 13, 2013 2:12 am
by simonmlewis
No one is paying US - this is the buyer paying the seller.
So how does that work?
I get the return url issue - but they must pay the seller, not us, and when they hit buy now, it must show in the PayPal screen what they are buying.
How does that work then?
Re: PayPal buttons: how do I protect sellers' sales?
Posted: Wed Nov 13, 2013 2:24 am
by Eric!
I don't understand your problem. You make the button for whatever account you want the money to go to.
The real trick is verifying payment and allowing only the correct buyer access.
One word of caution about Paypal is that often the email provided by paypal is an outdated email address. So if your IPN is sending out links/codes/passwords to buyers using the email that comes with the IPN, there's a chance the user may never see your response giving them access.
Re: PayPal buttons: how do I protect sellers' sales?
Posted: Wed Nov 13, 2013 2:28 am
by simonmlewis
You really don't get it do you - we are not making a button for each individual product.
Think of Ebay - but without the bidding. That is what we are building.
So we are not building thousands of PayPal buttons for each individual idea. The button must be fully dynamic.
We don't care who buys - if they are a member, they can buy!
Re: PayPal buttons: how do I protect sellers' sales?
Posted: Wed Nov 13, 2013 2:32 am
by Eric!
Again, make the button for the seller's item so that the money goes to the sellers account. It appears from your post you have already figured this out. But I haven't used the unencrypted buttons in a long time and I don't recall the field names off the top of my head but this could be correct:
Code:
<input type='hidden' name='business' value='$selleremail'>
Is it not working?
If you are doing this as a third party transaction where you take a percentage and then distribute the balance, then that is a different type of setup. Paypal supports this too.
Re: PayPal buttons: how do I protect sellers' sales?
Posted: Wed Nov 20, 2013 3:41 am
by simonmlewis
I've just been reading this:
https://developer.paypal.com/webapps/de ... nsService/
And I am totally lost. It talks about granting us permission from the user, and the code it mentions in the page is beyond my scope by a LONG way.
What's the secret here? Is there some setting in our account, some specific code I must put on the page to make all this work??
Re: PayPal buttons: how do I protect sellers' sales?
Posted: Wed Nov 20, 2013 6:03 am
by Celauran
Looks like pretty standard auth that you'd see on any number of APIs. You set up a cURL request that the user can trigger. The information you send in the headers tells PayPal who you are. User is forwarded to PayPal, authorizes your app, and is then directed back to your site. PayPal sends back a verification code, which you must then send back to them for the final access code, which you store and associate with the user. This access code will be used for future API calls on that user's behalf.
Re: PayPal buttons: how do I protect sellers' sales?
Posted: Wed Nov 20, 2013 6:07 am
by simonmlewis
But how does this protect the Price the user has entered for their product on the web site where they are selling their item?