Need good Pay pal link protection

that can be used right on my desktop.

6:37 pm on Dec 11, 2003 (gmt 0)

10+ Year Member



Hi I need to find a good (hopefully not expensive) program that will encrypt my Pay Pal links so that internet scumballs will not steal my stuff.

Anyone know of an EASY program that will encrypt a html pay pal link right on my desktop? Will that be secure?

Or have some other secure payment suggestions?

Thanks for any help!
Kea

8:00 pm on Dec 11, 2003 (gmt 0)

10+ Year Member



There are a few listed here: http://www.paypal.com/cgi-bin/webscr?cmd=p/pdn/3p-solutions-digital-goods-outside

[edited by: DaveAtIFG at 9:40 pm (utc) on Dec. 11, 2003]
[edit reason] DeLinked [/edit]

8:09 pm on Dec 11, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



How can they steal money from your account with a link?

CompWorld

3:40 am on Dec 12, 2003 (gmt 0)

10+ Year Member



Not steal money, they can steal the product being offered. At least I'm not aware of any way to steal money. I switched to clickbank instead. Fees are higher though.
4:07 am on Dec 12, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It's called "digital shoplifting" because people can make up their own prices, etc. on checkout by editing your links. It's like slapping a different barcode on an item at the store to get a lower price.

The proper way to handle this is to use the reverse notification that PayPal gives you to check the sale and pricing before you even print or ship the item (or allow access for digital goods). There are also several easy ways to hide the code on your server using php, etc. to pass the data to PayPal from there instead of the shopper's browser.

6:42 am on Dec 12, 2003 (gmt 0)

10+ Year Member



All you have to do is not pass the item price in the form.

Just have the form pass back the SKU or item number, and have it pull the price from a database.

Simple as that.

-p

4:52 pm on Dec 12, 2003 (gmt 0)

10+ Year Member



Panic, that sort of addresses the situation but there's still the possibility of tampering which is why it's important to review all orders received.
6:50 pm on Dec 12, 2003 (gmt 0)

10+ Year Member



If there's room for tampering with my solution, I'd love to hear it.
6:25 pm on Dec 14, 2003 (gmt 0)

10+ Year Member



If you are using the information from paypal for orders, everything works well. If you are selling an ebook or music, paypal has the flaw that you have to include the return URL in the calling code. Anyone who knows HTML can figure out your return URL...load that in their browser and get the book for free. You could simply check the HTTP referrer on the final check out page. However, people often dink with the referrer. There really needs to be a server to server call to make the process secure.
7:09 pm on Dec 14, 2003 (gmt 0)

WebmasterWorld Administrator mack is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



You can use htaccess to prevent access to the return page unless the referral is from paypal.

I remember setting up this for a client before but honestly can't remember the htaccess syntax I used, I found it online. Perhaps someone here will have a better idea.

Mack.

1:47 am on Dec 15, 2003 (gmt 0)

10+ Year Member



Yeah, that return page is not meant to give access to a product or service. It's meant to be a "thank you" page or "post-sales instructions".

To have your service instantly delivered, you should use PayPal IPN (instant payment notification). As far as I know, there is no way to trick this, since you verify the transaction directly via the PayPal server, meaning you can make sure the product and price match up. I don't think it's too awfully hard to work with.
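An added example (not code from this thread or from PayPal) of the server-side check the posts above describe: the IPN message is validated with PayPal's postback (the payload echoed back with cmd=_notify-validate prepended, answered VERIFIED or INVALID), the paid amount is then compared against an internal price table keyed by item_number rather than anything sent from the browser, and the txn_id is recorded so one notification cannot be replayed to fetch the download twice. The catalog, merchant e-mail, IPN strings and the postback stand-in are constructed for the example; in production the postback is an HTTPS POST to PayPal.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl

# Constructed sample data: the server-side price table keyed by SKU. The buyer's
# form only carries item_number; the price is never trusted from the browser.
CATALOG = {"EBOOK-101": (Decimal("10.00"), "USD")}
RECEIVER_EMAIL = "seller@example.com"   # assumption: the merchant's PayPal e-mail
_FULFILLED = set()                      # txn_ids already delivered (a DB table in practice)

def validation_body(raw_ipn: str) -> str:
    """Body of the server-to-server postback: the IPN payload, unchanged,
    with cmd=_notify-validate prepended. PayPal answers VERIFIED or INVALID."""
    return "cmd=_notify-validate&" + raw_ipn

def should_fulfill(raw_ipn: str, postback) -> tuple[bool, str]:
    """Decide whether to release the digital good for one IPN message.
    `postback` is a callable that sends validation_body() to PayPal and returns
    the reply text; it is injected so the logic can be exercised offline."""
    if postback(validation_body(raw_ipn)).strip() != "VERIFIED":
        return False, "postback not VERIFIED"
    ipn = dict(parse_qsl(raw_ipn, keep_blank_values=True))
    if ipn.get("payment_status") != "Completed":
        return False, "payment not completed"
    if ipn.get("receiver_email", "").lower() != RECEIVER_EMAIL:
        return False, "paid to a different account"
    sku = ipn.get("item_number")
    if sku not in CATALOG:
        return False, "unknown SKU"
    price, currency = CATALOG[sku]
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return False, "malformed amount"
    if paid != price or ipn.get("mc_currency") != currency:
        return False, f"expected {price} {currency}, got {paid} {ipn.get('mc_currency')}"
    txn = ipn.get("txn_id")
    if not txn or txn in _FULFILLED:
        return False, "missing or replayed txn_id"
    _FULFILLED.add(txn)
    return True, "ok"

# Constructed IPN messages: an honest purchase and one where the price was edited.
GOOD_IPN = ("txn_id=1AB23456CD789012E&payment_status=Completed&receiver_email=seller%40example.com"
            "&item_number=EBOOK-101&mc_gross=10.00&mc_currency=USD")
TAMPERED_IPN = GOOD_IPN.replace("mc_gross=10.00", "mc_gross=0.01")

def fake_postback(body: str) -> str:
    """Stand-in for the HTTPS call to PayPal; answers VERIFIED for a well-formed body."""
    return "VERIFIED" if body.startswith("cmd=_notify-validate&") else "INVALID"
```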

7:55 am on Dec 15, 2003 (gmt 0)

10+ Year Member



What I am understanding is that there are two ways to get ripped off.

1. One is to have someone change the price of your product in the HTML from something like $10.00 to $0.00.

2. The other way is for them to simply bypass the paypal ordering system, copy the link and just go directly to the page where they can download my product.

I am wondering how effective encryption is.
Thanks for the advice everyone! I appreciate the input.
I did check out paypal IPN but I am hoping to find a solution a little easier to use.

How effective is encryption of the codes? Does anyone know anything about this? If I just take the paypal button code and encrypt it on my page...will that solve the problem?

Do I have to encrypt the entire page or can I just do a paragraph or two?

There is a site I just found called www.instantsiteprotection.com and he is supposedly offering free encryption protection. I don't know yet if it works or what is up with it...guess I will try it out.

3:09 pm on Dec 15, 2003 (gmt 0)

10+ Year Member



I'm not entirely sure what you're after, but in terms of links, couldn't you just use a crypt and/or md5 function on links containing sensitive data to pass to PayPal?
This seems to be what most shopping cart systems do, when integrating with PSPs.
5:35 pm on Dec 15, 2003 (gmt 0)

10+ Year Member



If you are using the information from paypal for orders, everything works well. If you are selling an ebook or music, paypal has the flaw that you have to include the return URL in the calling code. Anyone who knows HTML can figure out your return URL...load that in their browser and get the book for free. You could simply check the HTTP referrer on the final check out page. However, people often dink with the referrer. There really needs to be a server to server call to make the process secure.

That's why they have authentication, to see if it was a legit transaction. You might want to read up on the PayPal API.

To have your service instantly delivered, you should use PayPal IPN (instant payment notification). As far as I know, there is no way to trick this, since you verify the transaction directly via the PayPal server, meaning you can make sure the product and price match up. I don't think it's too awfully hard to work with.

You don't set anything up on the PayPal side. You don't set any prices or anything like that... you do that using the method that I suggested earlier in this thread.

1. One is to have someone change the price of your product in the HTML from something like $10.00 to $0.00.

Again, they can't tamper with anything if you use a database as suggested earlier.

2. The other way is for them to simply bypass the paypal ordering system, copy the link and just go directly to the page where they can download my product.

If you use PayPal authentication, this shouldn't be a problem.

I am wondering how effective encryption is.

Encryption is always good, but it does nothing for you in this situation.

couldn't you just use a crypt and/or md5 function on links containing sensitive data to pass to PayPal?

What would he be decrypting?

This seems to be what most shopping cart systems do, when integrating with PSPs.

Only the shopping carts not run off of a database of some sort.

3:18 pm on Dec 16, 2003 (gmt 0)

10+ Year Member



What would he be decrypting?

Well, nothing, I guess, but he seemed concerned that passing a price in a query string was occurring and that it would be easy to spoof any price. Using some sort of scramble code on the outgoing link would negate this possible effect. I'm not aware of any system that fails to do this though - the only prices I've seen in query strings are in ridiculous bespoke systems.

Only the shopping carts not run off of a database of some sort.
When passing the data to a PSP (for example, worldpay, or paypal) the querystring is always a jumbled mess, in every system I've used (x-cart, osCommerce, Actinic), and all of these use a DB of some sort. I've not bothered looking at the code lying behind these, but it would be logical to presume that they use a crypt() function or similar. Perhaps I'm not understanding the original problem clearly and I'm just talking about completely irrelevant things though.
6:06 pm on Dec 16, 2003 (gmt 0)

10+ Year Member



Using some sort of scramble code on the outgoing link would negate this possible effect.

I'm sure if he MD5'ed or encrypted it somehow, someone would still find out how to decrypt it. It's still insecure.

the only prices I've seen in query strings are in ridiculous bespoke systems.

You'll never see a price in any of my querystrings, bud :)

When passing the data to a PSP (for example, worldpay, or paypal) the querystring is always a jumbled mess, in every system I've used (x-cart, osCommerce, Actinic), and all of these use a DB of some sort.

I'm talking about an INTERNAL database, not the PSP's database.

I've not bothered looking at the code lying behind these, but it would be logical to presume that they use a crypt() function or similar.

How can you determine what's logical and what's not if you've never looked at the code, nor know how the programs work?

I'm just talking about completely irrelevant things though.

Believe me... you are.

9:32 am on Dec 17, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Validate that all variable values are what you originally assigned them to be:
[mals-e.com...]

I don't think PayPal was designed with "digital" products in mind.
