paypal encrypted buttons using lc

J. Landman Gay jacque at hyperactivesw.com
Wed Jul 20 14:35:53 EDT 2016


On 7/20/2016 11:00 AM, Mike Bonner wrote:
> Ah, so I need to find an updated guide.

I misspoke a bit -- it's SHA-256, and the cutover is just beginning. 
Test systems were put in place some time ago and the full transition 
will be completed Sept 30. Noncompliant servers will fail after that date.

> Currently most of the buttons are clear text.  It's not too difficult for my
> friend to copy and paste an item listing and edit the form values to create
> a new item. (or to adjust prices etc) but the clear text part is bad
> because.. well.. People are involved. (cynical I know)

Paypal does quite a bit to assure that the button hasn't been 
compromised. It sends a verification message to the CGI on file and your 
script must respond with "OK" if the information passes your tests. The 
script on your server needs to check that some or all of a dozen or so 
details are correct. Paypal will only allow a payout if your script has 
verified the info and returned permission. For example, you'd want to 
check that the payee is your Paypal merchant ID and that the product 
code and price are accurate. The Paypal script on my website checks nine 
variables before allowing the transaction to complete.

But that does prohibit your friend from just modifying an existing 
button to add new products. If Paypal doesn't have the product code on 
file, the transaction will fail.

-- 
Jacqueline Landman Gay         |     jacque at hyperactivesw.com
HyperActive Software           |     http://www.hyperactivesw.com
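
The server-side checks described in the message above, sketched as an added example (not part of the original post and not the author's script). The field names are assumptions modeled on PayPal's notification variables, the merchant ID and catalog are constructed sample values, and the "FAIL" response text is hypothetical; only the "OK" reply comes from the message.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample values; a real script would load these from its own records.
MERCHANT_ID = "MERCHANT123EXAMPLE"
CATALOG = {  # product code -> (price, currency)
    "LC-BOOK-01": (Decimal("24.95"), "USD"),
    "LC-PLUGIN-02": (Decimal("49.00"), "USD"),
}


def verify_notification(fields, seen_txn_ids):
    """Return a list of failed checks; an empty list means the payment is acceptable."""
    failures = []
    if fields.get("receiver_id") != MERCHANT_ID:
        failures.append("payee is not our merchant ID")
    if fields.get("payment_status") != "Completed":
        failures.append("payment not completed")
    txn = fields.get("txn_id", "")
    if not txn or txn in seen_txn_ids:
        failures.append("missing or replayed transaction ID")
    # Price and currency come from the server's catalog, never from the button form.
    product = CATALOG.get(fields.get("item_number"))
    if product is None:
        failures.append("unknown product code")
        return failures
    price, currency = product
    try:
        paid = Decimal(fields.get("mc_gross", ""))
    except InvalidOperation:
        paid = None  # a non-numeric amount can never match the catalog price
    if paid != price:
        failures.append("price does not match catalog")
    if fields.get("mc_currency") != currency:
        failures.append("currency does not match catalog")
    return failures


def respond(fields, seen_txn_ids):
    """Answer "OK" only when every check passes, and record the transaction."""
    failures = verify_notification(fields, seen_txn_ids)
    if failures:
        return "FAIL: " + "; ".join(failures)
    seen_txn_ids.add(fields["txn_id"])
    return "OK"
```

Because the expected price is looked up by product code on the server, a clear-text button whose form values were edited fails the price check instead of being paid out at the altered amount.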



