Dynamic Paypal button encryption

Front-end | Unresolved | 6 | 1428
日久生厌
日久生厌 2020-11-27 16:52

I'm designing an Order Site using PHP & MySQL. In the final stage the user is given PayPal buttons to pay for the Orders he has made. So, the Item Name, Value are variab

6 replies
  • 2020-11-27 17:11

    Couldn't anyone with your paypal email address send you a bogus invoice, asking for product names at the wrong prices? If they are going to go through the trouble of changing your js/html code to send you a bogus invoice... they could just write their own (just a form submit to 'paypal.com/cgi-bin/webscr'). All you really need is the seller's paypal email right?

    So why all the trouble of encrypting buttons?

    0 Discussion (0)
  • 2020-11-27 17:25

    From your post you seem very confused about what encryption means and what to apply it to. What is the threat model? (i.e. how can it be subverted).

    There is no way you should expect that paypal will always process the order you sent to the client's browser. You MUST check what Paypal did process.

    You can be better assured of the integrity of the order after it leaves your site, e.g. by adding a hash of the order to the order number (and a salt!) you send to Paypal. This should allow you to verify the order without reference to the PLU/stored order (as long as the script processing the return from paypal knows the salt).

    0 Discussion (0)
  • 2020-11-27 17:30

    Maybe you could try putting those variables in a temporary table with a unique id. Then use that id for the buttons, querying the variables from the table whenever the customer clicks the PayPal buttons. I just hope I understood your statement right xD

    0 Discussion (0)
  • 2020-11-27 17:32

    What you need to do is fairly complex. First, the intro: PayPal encrypted buttons have the following layout:

        <form action="https://www.paypal.com/cgi-bin/webscr" method="post">
        <input type="hidden" name="cmd" value="_s-xclick">
        <input type="hidden" name="encrypted" value="-----BEGIN PKCS7-----MIIIEQYJKo...Encrypted stuff...IF5ioje8JH0LAA+5U7P+tabAMOL37k=-----END PKCS7-----">
        <input type="image" src="https://www.paypalobjects.com/es_XC/MX/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal, la forma más segura y rápida de pagar en línea.">
        <img alt="" border="0" src="https://www.paypalobjects.com/es_XC/i/scr/pixel.gif" width="1" height="1">
        </form>


    The cmd field indicates an encrypted Buy Now button (check the values for the buttons you want to create), and the encrypted field is the actual content of the button in the following layout:

        cert_id=ZQCMJTZS27U4F
        cmd=_xclick
        business=contact@mybiz.com
        item_name=Handheld Computer
        item_number=1234
        custom=sc-id-789
        amount=500.00
        currency_code=USD
        tax=41.25
        shipping=20.00
        no_note=1
        cancel_return=http://www.company.com/cancel.htm


    Note that these are in the pair=value format; for a full reference look here: https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_Appx_websitestandard_htmlvariables.

    Now the theory: to get the encrypted field, well, encrypted, you need to sign these values with your certificate (X.509 certificate) and your private key, then you need to encrypt this signed message with PayPal's public certificate.

    Going to the practice: to do it you can (and need to) use the following two PHP functions (part of the OpenSSL extension): openssl_pkcs7_sign and openssl_pkcs7_encrypt.

    I found this last part very tricky to set up, so I recommend you download the PHP SDK for PayPal available here: https://www.x.com/community/ppx/sdks#WPST and directly here: https://cms.paypal.com/cms_content/US/en_US/files/developer/PP_PHP_WPS_Toolkit.zip. This SDK comes with the class EWPServices, which contains the method encryptButton, which gives you the encrypted button pretty easily; if you want to look at the bones then look at the PPCrypto class, which offers you the signAndEncrypt method, which gives you only the encrypted string you need for the field and shows you the process of encrypting the button.

    By the way, if you don't know how to get your certificate and your private key (and/or PayPal's certificate) look here: https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_encryptedwebpayments#id08A3I0N30Y4

    0 Discussion (0)
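The sign-then-encrypt step the 17:32 answer describes, as an added example written for this page; it is not the PayPal SDK's EWPServices or PPCrypto code. It uses only the two OpenSSL functions the answer names. The file names my_cert.pem, my_key.pem and paypal_cert.pem and the cert_id value are placeholders for your own certificate, private key, PayPal's public certificate and the id PayPal assigned to your uploaded certificate; the choice of 3DES follows PayPal's own openssl command-line sample and is an assumption, not something the thread states.

```php
<?php
// Added example (not the PayPal SDK's code): sign the button variables with your
// certificate + private key, then encrypt the signed blob to PayPal's certificate.
// Placeholders: my_cert.pem, my_key.pem, paypal_cert.pem, YOUR_CERT_ID.
// Cipher choice (3DES) is an assumption taken from PayPal's openssl sample.
declare(strict_types=1);

// Return the part of an S/MIME message after its headers (the base64 body).
function smime_body(string $smime): string
{
    $parts = preg_split('/\R\R/', $smime, 2);
    if ($parts === false || count($parts) !== 2) {
        throw new RuntimeException('unexpected S/MIME output from OpenSSL');
    }
    return $parts[1];
}

// Turn button variables into the "-----BEGIN PKCS7----- ... -----END PKCS7-----" blob.
function paypal_encrypt_button(array $vars, string $myCert, string $myKey, string $paypalCert, ?string $keyPass = null): string
{
    // 1. Serialise the variables in the name=value, one-per-line layout shown above.
    $data = '';
    foreach ($vars as $name => $value) {
        if ($value !== null && $value !== '') {
            $data .= $name . '=' . $value . "\n";
        }
    }

    $tmp        = sys_get_temp_dir();
    $dataFile   = tempnam($tmp, 'ewp_data');
    $signedFile = tempnam($tmp, 'ewp_signed');
    $encFile    = tempnam($tmp, 'ewp_enc');
    try {
        file_put_contents($dataFile, $data);

        // 2. Sign with your certificate and private key. PKCS7_BINARY keeps the payload
        //    byte-for-byte (no MIME line-ending canonicalisation); without PKCS7_DETACHED
        //    the data is embedded in the signature, which is what the next step needs.
        $key = $keyPass === null ? 'file://' . $myKey : ['file://' . $myKey, $keyPass];
        if (!openssl_pkcs7_sign($dataFile, $signedFile, 'file://' . $myCert, $key, [], PKCS7_BINARY)) {
            throw new RuntimeException('signing failed: ' . openssl_error_string());
        }
        // The function writes an S/MIME message; replace it with the raw DER signature.
        file_put_contents($signedFile, base64_decode(smime_body(file_get_contents($signedFile))));

        // 3. Encrypt the signed data so only PayPal (holder of the matching private key) can read it.
        if (!openssl_pkcs7_encrypt($signedFile, $encFile, 'file://' . $paypalCert, [], PKCS7_BINARY, OPENSSL_CIPHER_3DES)) {
            throw new RuntimeException('encryption failed: ' . openssl_error_string());
        }

        // 4. Strip the S/MIME headers again and join the base64 into one line, as in the form above.
        $b64 = preg_replace('/\s+/', '', smime_body(file_get_contents($encFile)));
        return '-----BEGIN PKCS7-----' . $b64 . '-----END PKCS7-----';
    } finally {
        foreach ([$dataFile, $signedFile, $encFile] as $f) {
            @unlink($f);
        }
    }
}

// Build the button for one order. The amount and item come from the server-side order;
// what the customer sees in the page is not what PayPal trusts, the signed blob is.
$vars = [
    'cert_id'       => 'YOUR_CERT_ID',          // placeholder: the id PayPal gave your certificate
    'cmd'           => '_xclick',
    'business'      => 'contact@mybiz.com',
    'item_name'     => 'Handheld Computer',
    'item_number'   => '1234',
    'custom'        => 'sc-id-789',
    'amount'        => '500.00',
    'currency_code' => 'USD',
    'no_note'       => '1',
    'cancel_return' => 'http://www.company.com/cancel.htm',
];

if (file_exists('my_cert.pem') && file_exists('my_key.pem') && file_exists('paypal_cert.pem')) {
    $blob = paypal_encrypt_button($vars, 'my_cert.pem', 'my_key.pem', 'paypal_cert.pem');
    echo '<form action="https://www.paypal.com/cgi-bin/webscr" method="post">', "\n",
         '  <input type="hidden" name="cmd" value="_s-xclick">', "\n",
         '  <input type="hidden" name="encrypted" value="', htmlspecialchars($blob, ENT_QUOTES), '">', "\n",
         '  <input type="submit" value="Buy Now">', "\n",
         '</form>', "\n";
} else {
    echo "Certificate files not found; supply my_cert.pem, my_key.pem and paypal_cert.pem.\n";
}
```

The private key never leaves the server, so the client only ever receives the opaque blob. Encryption alone does not stop someone submitting their own plain form to the same endpoint (the objection raised in the first answer); it only helps once the PayPal account profile is set to block non-encrypted website payments, at which point PayPal rejects any button that is not signed with the uploaded certificate.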
  • 2020-11-27 17:32

    The only way you can do this is by dynamically querying PayPal to encrypt the button each time.

    However, this method is not efficient; I think it would be much better to use PayPal IPN. There are many examples and classes online on how to do this.

    0 Discussion (0)
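The server-side check that the 17:25 answer (hash plus secret bound to the order), the 17:30 answer (store the order under an id and look it up) and the 17:32 answer (use IPN) all point at, as one added example written for this page; it is not code from any of the answers. The secret, the seller e-mail, the order record and the two IPN messages are constructed for the demo; the postback endpoint is the one named in the thread.

```php
<?php
// Added example, not code from this thread: tie the payment PayPal reports back to
// the order stored on the server. ORDER_SECRET, the orders array and the IPN
// messages below are constructed placeholders.
declare(strict_types=1);

const ORDER_SECRET   = 'replace-with-a-long-random-server-side-secret'; // placeholder
const BUSINESS_EMAIL = 'contact@mybiz.com';                              // seller account from the thread

// Stand-in for the orders table: id => what the customer agreed to pay.
$orders = [
    1234 => ['amount' => '561.25', 'currency_code' => 'USD', 'status' => 'pending'],
];

// Value for the button's `custom` field: "<order id>:<HMAC>". The MAC binds the id to
// the amount and currency, so a form edited in the browser cannot redirect the payment
// to a cheaper order without knowing ORDER_SECRET.
function order_token(int $orderId, string $amount, string $currency): string
{
    return $orderId . ':' . hash_hmac('sha256', "$orderId|$amount|$currency", ORDER_SECRET);
}

// Ask PayPal whether an IPN message really came from it: post the fields back unchanged
// with cmd=_notify-validate and expect the literal reply VERIFIED. Not called in the
// offline demo below.
function ipn_is_verified(array $post): bool
{
    $body = http_build_query(['cmd' => '_notify-validate'] + $post);
    $ctx  = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => $body,
        'timeout' => 30,
    ]]);
    $reply = file_get_contents('https://www.paypal.com/cgi-bin/webscr', false, $ctx);
    return $reply === 'VERIFIED';
}

// Compare what PayPal says it processed with what the server expected.
// Returns null when the order may be fulfilled, otherwise the reason to reject it.
function check_ipn(array $ipn, array $orders): ?string
{
    foreach (['custom', 'mc_gross', 'mc_currency', 'payment_status', 'receiver_email', 'txn_id'] as $f) {
        if (!isset($ipn[$f])) {
            return "missing field $f";
        }
    }
    if (strcasecmp($ipn['receiver_email'], BUSINESS_EMAIL) !== 0) {
        return 'payment went to another account';
    }
    $parts = explode(':', $ipn['custom'], 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'malformed custom field';
    }
    $orderId = (int) $parts[0];
    if (!isset($orders[$orderId])) {
        return 'unknown order';
    }
    $order = $orders[$orderId];

    // Recompute the token from the *stored* order, never from values in the IPN itself,
    // and compare in constant time.
    $expected = order_token($orderId, $order['amount'], $order['currency_code']);
    if (!hash_equals($expected, $ipn['custom'])) {
        return 'order token does not match stored order';
    }
    if ($ipn['mc_currency'] !== $order['currency_code']) {
        return 'currency mismatch';
    }
    if (number_format((float) $ipn['mc_gross'], 2, '.', '') !== $order['amount']) {
        return 'amount mismatch';
    }
    if ($ipn['payment_status'] !== 'Completed') {
        return 'payment not completed (' . $ipn['payment_status'] . ')';
    }
    if ($order['status'] !== 'pending') {
        return 'order already processed (replayed txn_id?)';
    }
    return null;
}

// Offline demo with constructed IPN messages. In production: ipn_is_verified($_POST)
// first, then check_ipn($_POST, ...) against the real table, then store txn_id and mark
// the order paid so the same notification cannot be processed twice.
$token = order_token(1234, '561.25', 'USD');
$good = ['custom' => $token, 'mc_gross' => '561.25', 'mc_currency' => 'USD',
         'payment_status' => 'Completed', 'receiver_email' => BUSINESS_EMAIL, 'txn_id' => 'TXN-CONSTRUCTED-1'];
$tampered = ['mc_gross' => '1.00'] + $good; // client edited the amount before submitting

var_dump(check_ipn($good, $orders));
var_dump(check_ipn($tampered, $orders));
```

The point made in the 17:25 answer is the one that matters: the amount PayPal charged is read from the IPN and compared with the stored order, never taken from anything the browser sent. The token could equally go in the `invoice` field; `custom` is used here because PayPal echoes it back unchanged.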
  • 2020-11-27 17:34

    I developed a PHP integration toolkit with PayPal Website Payments Standard.

    All the issues you mentioned here are handled inside by helper classes. Some basic configuration is provided for easy setup. For example, all encryption variables (your private key, public certificate, ...) are subject to configuration. The article explains in detail how to use the classes.

    PS: Only IPN confirmation is implemented by the helper classes.

    0 Discussion (0)