Creating a Payment Badge


The easiest way to allow customers to purchase an item from your site is to simply place a PayPal image or "badge" on your site, linking to the PayPal payment page (the link is quite complex, because it passes quite a bit of information). The users complete the purchase by either entering their user information or simply entering their credit card information (a PayPal account is not required). Once the transaction is complete, PayPal will notify you of the transaction via its Instant Payment Notification system.

To create a payment badge, log in to the development sandbox and into the business account you created and select the Merchant Tools tab. From within that tab, select the Buy Now Buttons link under the Accepting Website Payments heading in the main column. Here you have several options to describe the product or service being sold. This information will be returned to your server when a purchase is made via the Instant Payment Notification system. For this example I have entered "Professional Web APIs with PHP" as the Item Name/Service, 0764589547 as the Item ID/Number, and $49.99 as the price. I have left currency as U.S. Dollars, and allowed the buyers to choose their own country. Finally, I have selected the default button, and chosen not to encrypt the payment button. The button creation interface is visible in Figure 10-2.

Figure 10-2: The Buy Now button creation interface

Clicking on Create Button gives me the following code:

 <form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post">
   <input type="hidden" name="cmd" value="_xclick">
   <input type="hidden" name="business" value="stb@preinheimer.com">
   <input type="hidden" name="item_name" value="Professional Web APIs with PHP">
   <input type="hidden" name="item_number" value="0764589547">
   <input type="hidden" name="amount" value="49.99">
   <input type="hidden" name="no_note" value="1">
   <input type="hidden" name="currency_code" value="USD">
   <input type="image" src="https://www.sandbox.paypal.com/en_US/i/btn/x-click-but23.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
 </form>

Most of the information placed in the form comes straight from the information entered when the button was created. The value for business is simply the account name I chose when I created this test account. The no_note value instructs PayPal not to allow purchasers to enter a note while paying. Also notice that both the destination URL and the image URL are for the sandbox; you will need a sandbox account to send payments (real PayPal accounts will not work).

Note 

Speaking directly from personal experience, you do not want customers to enter a note when they order a product or service. The customer's expectation when entering a note is that the note is read either before or at the same time as the order is processed, and as such, they feel it appropriate to include any and all manner of special instructions, clarifications, questions, restrictions, and so on in that note field. Because the entire point of the IPN system is to automate the process, it is quite likely that the note will not be read until long after the order is processed (because it likely takes just seconds), if ever. I would recommend replacing this opportunity for customer contact with two separate systems: First, make it easy for customers to contact you with questions before they place an order; a prominent link or button should do the trick. Second, once an order is received, email the users confirming receipt, and indicate in that email what their customer service contact options are (email, phone, web support, and so on).

To Encrypt or Not to Encrypt

Had the option to encrypt the button been selected, the resulting code would have looked like this:

 <form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post">
   <input type="hidden" name="cmd" value="_s-xclick">
   <input type="image" src="https://www.sandbox.paypal.com/en_US/i/btn/x-click-but23.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
   <input type="hidden" name="encrypted" value="-----BEGIN PKCS7-----
 MIIHeQYJKoZIhvcNAQcEoIIHajCCB2YCAQExggE6MIIBNgIBADCBnjCBmDELMAkGA1UEBhMCVVMxEzARBgN
 VBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMRUwEwYDVQQKEwxQYXlQYWwsIEluYy4xFjAUBg
 NVBAsUDXNhbmRib3hfY2VydHMxFDASBgNVBAMUC3NhbmRib3hfYXBpMRwwGgYJKoZIhvcNAQkBFg1yZUBwY
 XlwYWwuY29tAgEAMA0GCSqGSIb3DQEBAQUABIGApKLZV1cHVPGwkBI6Y1WR7ggpr5/bQjJ6A8pRvRgOHt9Q
 8Uu16fTpMG0wbT9pBZq+s82r4SRakQoKvJSnbH8tiHnP7S35sgxTMp2+0a1uC/WL8qL1qS1hIg+X8TfS1ei
 hmHmjE8zP2scLWtU1cGkp7OaF7g5z5X9l2aCuCfNYKUgxCzAJBgUrDgMCGgUAMIHEBgkqhkiG9w0BBwEwFA
 YIKoZIhvcNAwcECIbH67fnTf+dgIGgyOd3skXL0ghwzex7F/lPVHMdjcIPWh4ihA6hW9/Ei9eGf8ApE/U+T
 Mb3cu80Lx+ws6icj1i/gO8ssmLNXCRymc+r7Bk7p5rvMB+IJz3hYMUMUr6EsJyyuEN+2nFpVcSHnbzcROXb
 guIXENtdgIc69eSQNjYOstJSCNd1+wYMOKddvMhGHbfdTv3mLsSmzNod3xy0qQLj+qVweQVKlhqqZKCCA6U
 wggOhMIIDCqADAgECAgEAMA0GCSqGSIb3DQEBBQUAMIGYMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaW
 Zvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxFTATBgNVBAoTDFBheVBhbCwgSW5jLjEWMBQGA1UECxQNc2FuZ
 GJveF9jZXJ0czEUMBIGA1UEAxQLc2FuZGJveF9hcGkxHDAaBgkqhkiG9w0BCQEWDXJlQHBheXBhbC5jb20w
 HhcNMDQwNDE5MDcwMjU0WhcNMzUwNDE5MDcwMjU0WjCBmDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGl
 mb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMRUwEwYDVQQKEwxQYXlQYWwsIEluYy4xFjAUBgNVBAsUDXNhbm
 Rib3hfY2VydHMxFDASBgNVBAMUC3NhbmRib3hfYXBpMRwwGgYJKoZIhvcNAQkBFg1yZUBwYXlwYWwuY29tM
 IGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3luO//Q3So3dOIEv7X4v8SOk7WN6o9okLV8OL5wLq3q1N
 tDnk53imhPzGNLM0flLjyId1mHQLsSp8TUw8JzZygmoJKkOrGY6s771BeyMdYCfHqxvp+gcemw+btaBDJSY
 Ow3BNZPc4ZHf3wRGYHPNygvmjB/fMFKlE/Q2VNaic8wIDAQABo4H4MIH1MB0GA1UdDgQWBBSDLiLZqyqILW
 unkyzzUPHyd9Wp0jCBxQYDVR0jBIG9MIG6gBSDLiLZqyqILWunkyzzUPHyd9Wp0qGBnqSBmzCBmDELMAkGA
 1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMRUwEwYDVQQKEwxQYXlQ
 YWwsIEluYy4xFjAUBgNVBAsUDXNhbmRib3hfY2VydHMxFDASBgNVBAMUC3NhbmRib3hfYXBpMRwwGgYJKoZ
 IhvcNAQkBFg1yZUBwYXlwYWwuY29tggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAVzbzwN
 gZf4Zfb5Y/93B1fB+Jx/6uUb7RX0YE8llgpklDTr1b9lGRS5YVD46l3bKE+md4Z7ObDdpTbbYIat0qE6sEl
 FFymg7cWMceZdaSqBtCoNZ0btL7+XyfVB8M+n6OlQs6tycYRRjjUiaNklPKVslDVvk8EGMaI/Q+krjxx0Ux
 ggGkMIIBoAIBATCBnjCBmDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFN
 hbiBKb3NlMRUwEwYDVQQKEwxQYXlQYWwsIEluYy4xFjAUBgNVBAsUDXNhbmRib3hfY2VydHMxFDASBgNVBA
 MUC3NhbmRib3hfYXBpMRwwGgYJKoZIhvcNAQkBFg1yZUBwYXlwYWwuY29tAgEAMAkGBSsOAwIaBQCgXTAYB
 gkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNTA0MDcxNzM1MDlaMCMGCSqGSIb3
 DQEJBDEWBBTsh8xXEk+Bzq7huQtBdVEInsWxQDANBgkqhkiG9w0BAQEFAASBgGeelyrgDIYDCQ0nzC3/Ibd
 4O2DteTn5+gTSup72+kUrcDym4Eq5soY55vJGOyFBEp+aSQs9GcjjgpqnPN+XpfIvbD1ps1Wcp66iLM1HLN
 Bjh4SsNc4LRqxqj4ORd3YT97EzoxbMNJso/va87LP/HwE4+VBiRD6JNcJTWhGLTmkl
 -----END PKCS7-----
 ">
 </form>

Obviously this is a little more unwieldy, but it does have some advantages. The code for the unencrypted form can be easily copied, then modified. For example, an "attacker" (and I use the loosest sense of the term in this case) could change the price from $49.95 to $1.00, save the page locally, and click the button. PayPal doesn't remember what buttons you have created, so everything will work fine, and the attacker will be able to have PayPal send your server an Instant Payment Notification for a purchase of item 0764589547 at a cost of $1.00.

Note 

Defending against this sort of attack is discussed in the "Instant Payment Notification" section.

Modifying the encrypted code is much more difficult, if not impossible. An attacker (with prior knowledge of the PayPal system) could still manually create a payment link of a different price, but would need to guess the correct values for the item's name and ID.

Though the unencrypted form can be easily faked by attackers, it can also be easily generated by your system. If you are selling multiple items, you can create payment buttons for each one automatically with a little bit of code, likely no more complicated than the code already being used to generate the pages themselves. Just change the item_name, item_number, and amount values as appropriate for each item in your inventory. This also grants you flexibility when you change prices, because these changes can be immediately reflected in your payment buttons.

If you have only a few products, with prices that change rarely, the encrypted buttons work really well and can provide an additional layer of protection. If you have a wide selection of products, changing prices, or require the additional functionality available, unencrypted buttons are probably the right choice.
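The following PHP is an added example, not code from the book or from PayPal. It ties together the two points above: it generates an unencrypted Buy Now form for every item in a server-side catalog (the item_name, item_number and amount fields come from that catalog rather than from hand-edited HTML), and it shows the server-side counterpart to the tampered-price scenario, checking a notification's item_number and mc_gross against the same catalog so that a $1.00 payment for item 0764589547 is rejected. The catalog array, the function names and the constructed notification are assumptions; mc_gross, mc_currency and payment_status are PayPal's IPN variable names, and the check assumes the notification has already been validated with PayPal as described in the Instant Payment Notification section.

```php
<?php
// Added example (not from the book). Assumes a catalog keyed by item number;
// the entries below are constructed sample data.
$catalog = [
    '0764589547' => ['name' => 'Professional Web APIs with PHP', 'price' => 49.99],
    '0000000001' => ['name' => 'Example Item (constructed)',     'price' => 12.50],
];

// Build one unencrypted Buy Now form for a catalog entry. Field names match
// the button the book generated; only the per-item values change.
function buy_now_button(string $business, string $number, array $item, bool $sandbox = true): string
{
    $host = $sandbox ? 'https://www.sandbox.paypal.com' : 'https://www.paypal.com';
    // Values come from our own catalog, but escape anyway so an item name
    // containing quotes or angle brackets cannot break out of the attribute.
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $fields = [
        'cmd'           => '_xclick',
        'business'      => $business,
        'item_name'     => $item['name'],
        'item_number'   => $number,
        'amount'        => number_format($item['price'], 2, '.', ''),
        'no_note'       => '1',
        'currency_code' => 'USD',
    ];
    $html = '<form action="' . $host . '/cgi-bin/webscr" method="post">' . "\n";
    foreach ($fields as $name => $value) {
        $html .= '  <input type="hidden" name="' . $e($name) . '" value="' . $e($value) . '">' . "\n";
    }
    $html .= '  <input type="image" src="' . $host . '/en_US/i/btn/x-click-but23.gif" border="0" name="submit"'
           . ' alt="Make payments with PayPal - it\'s fast, free and secure!">' . "\n";
    $html .= "</form>\n";
    return $html;
}

// Server-side check for a notification that PayPal has already confirmed as
// genuine: the item must exist in the catalog and the amount actually paid
// (mc_gross) must equal the catalog price, so an edited form whose amount was
// changed to 1.00 does not result in a fulfilled order.
function ipn_matches_catalog(array $ipn, array $catalog): bool
{
    $number = $ipn['item_number'] ?? '';
    if (!isset($catalog[$number])) {
        return false;                               // unknown item number
    }
    $expected = number_format($catalog[$number]['price'], 2, '.', '');
    $paid     = number_format((float)($ipn['mc_gross'] ?? 0), 2, '.', '');
    return ($ipn['mc_currency'] ?? '') === 'USD'
        && $paid === $expected
        && ($ipn['payment_status'] ?? '') === 'Completed';
}

// Render a button for every catalog item.
foreach ($catalog as $number => $item) {
    echo buy_now_button('stb@preinheimer.com', $number, $item);
}

// Constructed notification parameters for the tampered $1.00 purchase from the text.
$tampered = [
    'item_number'    => '0764589547',
    'mc_gross'       => '1.00',
    'mc_currency'    => 'USD',
    'payment_status' => 'Completed',
];
echo ipn_matches_catalog($tampered, $catalog) ? "fulfil order\n" : "price mismatch, hold order\n";
```

Because the price comparison is done against the catalog and not against the amount field the buyer's browser submitted, the unencrypted button keeps its flexibility (change the catalog and every button and every check update together) without trusting anything that passed through the buyer's hands.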




Professional Web APIs with PHP: eBay, Google, PayPal, Amazon, FedEx, Plus Web Feeds
ISBN: 764589547
Year: 2006
Pages: 130