Pass a variable to an encrypted (paypal) button on html form

  • Question

  • User876561910 posted

    It’s simple to pass a variable (JS, VB, etc) to an input box on a form

    But, on a PayPal button which is encrypted at source (by PayPal) how would you pass a number of variables? So let’s say on your form you sell cups of tea, cakes and apples

    A user can only buy one at a time (so there is no cart)

    The Item_Name Value is a variable which needs passing

    The Amount Value is a variable which needs passing

     

    <input type="hidden" name="amount" value="123.45"/>

    <input type="hidden" name="item_name" value="Cup of tea"/>

     

    How are these passed to the button?

    (or am I misunderstanding how PP buttons work?)

    Thanks

    Monday, December 3, 2018 12:02 PM

All replies

  • User475983607 posted

    PayPal has a few ways for developers to configure payments, from point and click to using an API.

    If you are building a "buy Now" button then please see PayPal support.

    https://developer.paypal.com/docs/classic/paypal-payments-standard/integration-guide/buy_now_step_1/

    Monday, December 3, 2018 12:13 PM
  • User876561910 posted

    Hmmmmmm

    I did look at that - and even made some test pages.
    But this is so easy to hack I can't see the point
    I hacked my friend's site payment page (with her permission) to change the payment amount for the products she sells - it was simple.

    So I think I'll look at the sandbox - just as the script is passed and not the html.  Can still be seen and changed, but not so simply by an average user.

    But from an asp form how would I allocate a value into the script "Total Value" section?

    Something like this

    paypal.Button.render({
      env: 'production', // Optional: specify 'sandbox' environment
      client: {
        sandbox:    'xxxxxxxxx',
        production: 'xxxxxxxxx'
      },
      commit: true, // Optional: show a 'Pay Now' button in the checkout flow
      payment: function (data, actions) {
        return actions.payment.create({
          payment: {
            transactions: [
              {
                amount: {
                  total: '1.00',
                  currency: 'USD'
                }
              }
            ]
          }
        });
      },
      onAuthorize: function (data, actions) {
        // Get the payment details
        return actions.payment.get()
          .then(function (paymentDetails) {
            // Show a confirmation using the details from paymentDetails
            // Then listen for a click on your confirm button
            document.querySelector('#confirm-button')
              .addEventListener('click', function () {
                // Execute the payment
                return actions.payment.execute()
                  .then(function () {
                    // Show a success page to the buyer
                  });
              });
          });
      }
    }, '#paypal-button');




    Monday, December 3, 2018 12:39 PM
  • User475983607 posted

    I suggest that you contact PayPal if you found a vulnerability with the PayPal API.  

    Do you have an ASP.NET question?

    Monday, December 3, 2018 1:53 PM
  • User876561910 posted

    Right click the vast majority of ad-hoc PP buttons and you will get it. Oh and they (PP) already know about this which is why they suggest downloading the EWP – but most people don’t. https://developer.paypal.com/docs/classic/paypal-payments-standard/integration-guide/encryptedwebpayments/#id08A3I0QC0X4

     

    My question was (in ASP – which I would have thought was obvious in an ASP forum) pass a variable via code to an encrypted input.

    As this is not possible then I’m now looking to pass the value to the source script – which I’ll work out myself.

    Monday, December 3, 2018 2:35 PM
  • User475983607 posted

    My question was (in ASP – which I would have thought was obvious in an ASP forum) pass a variable via code to an encrypted input.

    Passing values is pretty basic with HTTP but passing encrypted values means you have to know the encryption being used.  That's a PayPal support question.

    As this is not possible then I’m now looking to pass the value to the source script – which I’ll work out myself.

    I would simply read the PayPal support docs and take advantage of the REST API. The API takes advantage of OAuth which has built-in validation security.

    https://developer.paypal.com/docs/api/payments/v1/#authorization

    Monday, December 3, 2018 2:56 PM
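
The tampering concern raised in this thread exists because the browser supplies `amount` and `item_name`. The following is an added example, not code from the thread or from PayPal: a server-side check that takes only an item id from the client, sets the price itself, and verifies the paid amount before fulfilment. `CATALOG`, `lookup`, `buildTransaction` and `verifyPayment` are hypothetical names, the prices are constructed, and the payment object shape (`state`, `transactions[].amount`) is assumed to follow the Payments v1 API linked above.

```javascript
// Added example. CATALOG, lookup, buildTransaction and verifyPayment are
// hypothetical names; the prices are constructed sample values.

// Prices live on the server, in integer cents to avoid float rounding.
const CATALOG = Object.freeze({
  tea:   { name: 'Cup of tea', cents: 250, currency: 'USD' },
  cake:  { name: 'Cake',       cents: 475, currency: 'USD' },
  apple: { name: 'Apple',      cents: 60,  currency: 'USD' },
});

// Own-property lookup so ids such as "__proto__" are rejected.
function lookup(itemId) {
  const id = String(itemId);
  return Object.prototype.hasOwnProperty.call(CATALOG, id) ? CATALOG[id] : null;
}

// Build the transaction from the item id alone. Any amount or item_name sent
// by the browser is ignored, so editing the form or script changes nothing.
function buildTransaction(clientInput) {
  const item = lookup(clientInput.itemId);
  if (!item) throw new Error('unknown item');
  return {
    amount: { total: (item.cents / 100).toFixed(2), currency: item.currency },
    description: item.name,
  };
}

// Before fulfilling the order, compare what was paid with the catalogue price.
function verifyPayment(paymentDetails, itemId) {
  const item = lookup(itemId);
  const txs = paymentDetails && paymentDetails.transactions;
  if (!item || !Array.isArray(txs) || txs.length !== 1) return false;
  const { total, currency } = (txs[0] || {}).amount || {};
  return paymentDetails.state === 'approved' &&
    currency === item.currency &&
    /^\d+\.\d{2}$/.test(String(total)) &&
    Math.round(Number(total) * 100) === item.cents;
}

// Constructed samples: a tampered form post and an underpaid payment record.
const tamperedPost = { itemId: 'tea', amount: '0.01', item_name: 'Cup of tea' };
const underpaid = {
  state: 'approved',
  transactions: [{ amount: { total: '0.01', currency: 'USD' } }],
};
console.log(buildTransaction(tamperedPost).amount.total);
console.log(verifyPayment(underpaid, 'tea'));
```

In an ASP.NET site the same two checks belong in the server-side handler that creates the payment and in the one that confirms it, not in the page script.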