paypal encrypted buttons using lc

Mike Bonner bonnmike at gmail.com
Wed Jul 20 17:13:15 EDT 2016


That's the thing. It is easy to do things in the way I describe. Unless
otherwise set (in the PayPal profile, one can choose to only accept
encrypted buttons, but this doesn't seem to be the default), any person
anywhere (if they have access to the merchant ID or merchant email address)
can whip up a button buying figmentary items at a figmentary price.

Currently we have a mix. Some buttons created with the button builder in
PayPal that leave the encryption in place, and others that are just
properly formatted forms in clear text (the original of which was generated
by PayPal and choosing to not host on PayPal, and not encrypt as part of the
button build process). PayPal really isn't very picky, as you can have
multiple of the same item all with different prices etc. (We don't do it
that way; each has a unique item name.)

This is why I'm looking into doing the encryption on my own (not
necessarily on the fly), as described best here:
https://www.stellarwebsolutions.com/en/articles/paypal_button_encryption_php.php

Basically, generate public/private key pairs, upload a key to PayPal,
download their public key, encrypt the button fields, and change the PayPal
settings to "only accept encrypted....". If done right (fingers crossed), I
and my friend are the only ones with all the information required to
encrypt/decrypt my buttons (and PayPal of course, since I'll be uploading a
key to my friend's PayPal for this purpose).
At this point people can create all the fake buttons they want but they
won't work since they will not have been properly encrypted, and only
encrypted buttons will be accepted.

From the sound of things, even after I figure out how to get the things
encrypted, I can add an additional layer of protection and confirm that
things have indeed been submitted as they should have been by adding a
backcheck as you described.

I'm starting to wonder if the switch you mention is affecting this
particular part... the encryption of buttons...

Have I completely misunderstood how all this works?

On Wed, Jul 20, 2016 at 1:47 PM, J. Landman Gay <jacque at hyperactivesw.com>
wrote:

> Not to beat a stubborn dead horse, but...I don't think you can do what you
> want. Paypal makes it pretty hard to modify their buttons. If they didn't,
> anyone could copy and change the Paypal button on any site, which is kind
> of what you're describing.
>
>
> On 7/20/2016 2:18 PM, Mike Bonner wrote:
>
>> Thank you both. I think I'm in over my head actually, but stubborn makes
>> up for a lot.
>>
>> On Wed, Jul 20, 2016 at 1:12 PM, Richard Gaskin <
>> ambassador at fourthworld.com>
>> wrote:
>>
>> Mike Bonner wrote:
>>>
>>> I just turned the corner on understanding the old method, I suspect
>>>> I'll be able to make it work once sha-256 is implemented.
>>>>
>>>
>>> If it helps, I've found Mark Smith's libHash-Hmac to be quite good, his
>>> sha256 function returning the same values I get when tested against the
>>> command-line tool installed with my OS:
>>>
>>> http://marksmith.on-rev.com/revstuff/
>>>
>>> --
>>>  Richard Gaskin
>>>  Fourth World Systems
>>>  Software Design and Development for the Desktop, Mobile, and the Web
>>>  ____________________________________________________________________
>>>  Ambassador at FourthWorld.com                http://www.FourthWorld.com
>>>
>>>
>>> _______________________________________________
>>> use-livecode mailing list
>>> use-livecode at lists.runrev.com
>>> Please visit this url to subscribe, unsubscribe and manage your
>>> subscription preferences:
>>> http://lists.runrev.com/mailman/listinfo/use-livecode
>>>
>>
>>
>
> --
> Jacqueline Landman Gay         |     jacque at hyperactivesw.com
> HyperActive Software           |     http://www.hyperactivesw.com
>
>
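
The key-pair, sign and encrypt steps outlined in the message above, as an added example using the openssl command line (not code from this thread or from the linked article). It assumes the commonly documented sign-then-encrypt PKCS#7 form with 3DES; the certificate named `paypal_standin`, the merchant and cert IDs, and the item values are constructed placeholders, and the receiver-side check is there only to test locally.

```shell
#!/usr/bin/env bash
# Added example: sign button fields with the merchant key, then encrypt them
# to the payment processor's certificate. Everything here is generated locally.

make_cert() {  # make_cert <basename> <CN>: self-signed RSA certificate + key
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$1-key.pem" -out "$1-cert.pem" 2>/dev/null
}

button_fields() {  # constructed sample values; the real cert_id is shown by
                   # PayPal after the merchant certificate is uploaded
  printf '%s\n' 'cmd=_xclick' 'business=MERCHANT_ID_PLACEHOLDER' \
    'cert_id=CERT_ID_PLACEHOLDER' 'item_name=Sample Widget' \
    'amount=19.95' 'currency_code=USD'
}

encrypt_button() {  # encrypt_button <merchant-basename> <recipient-cert>
  # Fields arrive on stdin. Sign first (proves who built the button), then
  # encrypt (only the recipient can read or accept it).
  openssl smime -sign -signer "$1-cert.pem" -inkey "$1-key.pem" \
      -outform der -nodetach -binary 2>/dev/null |
  openssl smime -encrypt -des3 -binary -outform pem "$2" 2>/dev/null
}

decrypt_and_verify() {  # decrypt_and_verify <recipient-basename> <merchant-cert>
  # Local stand-in for the receiving side: decrypt, then accept the signature
  # only if it was made by the pinned merchant certificate (-nointern).
  openssl smime -decrypt -binary -inform pem \
      -recip "$1-cert.pem" -inkey "$1-key.pem" 2>/dev/null |
  openssl smime -verify -binary -inform der -noverify -nointern \
      -certfile "$2" 2>/dev/null
}

demo() {
  local dir; dir=$(mktemp -d) || return 1
  ( cd "$dir" || exit 1
    make_cert merchant "Constructed Merchant"
    make_cert paypal_standin "Constructed PayPal Stand-in"
    button_fields | encrypt_button merchant paypal_standin-cert.pem > button.pem
    echo "Encrypted blob, first line: $(head -n1 button.pem)"
    echo "Round trip through the stand-in receiver:"
    decrypt_and_verify paypal_standin merchant-cert.pem < button.pem )
}

demo
```

In a real button the PEM blob is posted in the `encrypted` form field with `cmd` set to `_s-xclick`, and the recipient certificate is the one downloaded from the PayPal profile rather than a locally generated stand-in.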


