paypal encrypted buttons using lc
J. Landman Gay
jacque at hyperactivesw.com
Wed Jul 20 14:35:53 EDT 2016
On 7/20/2016 11:00 AM, Mike Bonner wrote:

> Ah, so I need to find an updated guide.

I misspoke a bit -- it's SHA-256, and the cutover is just beginning.
Test systems were put in place some time ago and the full transition
will be completed Sept 30. Noncompliant servers will fail after that date.

> Currently most of the buttons are clear text. It's not too difficult for my
> friend to copy and paste an item listing and edit the form values to create
> a new item. (or to adjust prices etc) but the clear text part is bad
> because.. well.. People are involved. (cynical I know)

Paypal does quite a bit to assure that the button hasn't been
compromised. It sends a verification message to the CGI on file and your
script must respond with "OK" if the information passes your tests. The
script on your server needs to check that some or all of a dozen or so
details are correct. Paypal will only allow a payout if your script has
verified the info and returned permission. For example, you'd want to
check that the payee is your Paypal merchant ID and that the product
code and price are accurate. The Paypal script on my website checks nine
variables before allowing the transaction to complete.

But that does prohibit your friend from just modifying an existing
button to add new products. If Paypal doesn't have the product code on
file, the transaction will fail.
--
Jacqueline Landman Gay | jacque at hyperactivesw.com
HyperActive Software | http://www.hyperactivesw.com
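
The kind of server-side check described in the message above, as an added example that is not part of the original post or the author's script: a notification body is compared against a catalogue held only on the server, so an edited clear-text button (changed price, unknown product code, different payee) is rejected. The field names follow PayPal's IPN variable naming and are an assumption, since the post does not name them; the merchant ID and catalogue are constructed placeholders, and authenticating that the message really came from PayPal is outside this sketch.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed sample values: the merchant ID and catalogue are placeholders.
MERCHANT_ID = "EXAMPLEMERCHANT1"
CATALOGUE = {  # product code -> (price, currency), kept on the server only
    "LC-BOOK-01": (Decimal("25.00"), "USD"),
    "LC-TOOL-02": (Decimal("49.95"), "USD"),
}


def check_notification(body: str) -> list[str]:
    """Return the list of failed checks; an empty list means every check passed."""
    fields = parse_qs(body, keep_blank_values=True)
    problems = []

    def single(name):
        # A missing or repeated field is treated as a failure in its own right.
        values = fields.get(name, [])
        if len(values) != 1:
            problems.append(f"{name}: expected exactly one value")
            return None
        return values[0]

    payee = single("receiver_id")      # assumed field name
    code = single("item_number")       # assumed field name
    gross = single("mc_gross")         # assumed field name
    currency = single("mc_currency")   # assumed field name

    if payee is not None and payee != MERCHANT_ID:
        problems.append("receiver_id: payee is not our merchant ID")
    if code is not None and code not in CATALOGUE:
        problems.append("item_number: unknown product code")
    elif code is not None and gross is not None and currency is not None:
        price, expected_currency = CATALOGUE[code]
        try:
            paid = Decimal(gross)  # exact decimal comparison, no float rounding
        except InvalidOperation:
            problems.append("mc_gross: not a number")
        else:
            if paid != price or currency != expected_currency:
                problems.append("mc_gross: amount does not match catalogue price")
    return problems
```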