|
|
Free Open Book
PayPal Hacks. 100 Industrial-Strength Tips and Tools |
|
Hack 36 Hack-Proof Your Payment
Prevent code-tampering and price-spoofing with a hidden form post. When
deploying PayPal buttons on your web site,
you should consider the risk of spoofed payments. PayPal buttons are
normally created in plain HTML, with the variables and their values
available for anyone to see (select View
This hack uses techniques covered in some of the other hacks in this book to create a hidden form post that sends the button information to PayPal without allowing the customer to see it. To use this technique to its fullest, you should already have deployed [Hack #54] . 4.10.1 The CodeThe hack consists of two pages: link.asp and jump.asp. First, link.asp contains the product and selling information, as well as a link to the second page: <html> <body> Widget<br> <a href="jump.asp?id=123">Click here to buy</a> </body> </html> This first page mimics the Buy Now button, but instead of sending the customer to PayPal, it links to the jump page. Next, jump.asp queries your database for the product info and sends the purchase information to PayPal. This code is written in ASP: <%
'Connect to database and create recordset
1. connStore = "DRIVER={Microsoft Access Driver (*.mdb)};DBQ="C:/InetPub/wwwroot/database/
dbPayPal.mdb")
set rsJump= Server.CreateObject("ADODB.Recordset")
rsJump.ActiveConnection = connStore
2. rsJump.Source = "SELECT tblProducts FROM tblProducts WHERE Id = " & Request("id")
3. rsJump.Open( )
%>
<html>
4. <body onLoad="document.fmPost.submit( )">
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" name="fmPost">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="youremail@yourisp.com">
<input type="hidden" name="item_name" value=
"<%=(rsJump("ItemName").Value)%>">
<input type="hidden" name="item_number" value=
"<%=(rsJump("ItemID").Value)%>">
<input type="hidden" name="amount" value=
"<%=(rsJump("ItemPrice").Value)%>">
</form>
</body>
</html>
<%
rsJump.Close( )
%>The jump page queries the database (line 2) for the requested product information (based on the URL embedded in the link page) and then dynamically builds a PayPal form from this information. Finally, the page uses an onLoad function (line 4) to automatically submit the form as soon as the page loads, without the customer ever seeing the page.
4.10.2 Hacking the HackYou don't necessarily have to use the database method described here. Instead, you can simply create a static jump page for each product, complete with all of the product information (name, price, etc.) embedded right in the code. Although this approach wouldn't make any sense for an online store that sells hundreds or thousands of items, it would ultimately be easier to implement than a full database if you sell only one or two products on your site. 4.10.3 Plan B: Obfuscate Your Button CodeIf all this seems like too much trouble to guard against a remote possibility, there is an easier way to keep casual observers from seeing exactly what your button code contains and spoofing your button. (Isn't it handy that the word obfuscate is, itself, a rather cryptic term?)
This quick and easy obfuscator makes it harder for casual viewers to see how your button is coded and thus helps protect it from tampering. Additionally, it foils most web spiders looking for fresh email addresses to spam.
To illustrate, here's an ordinary payment button: <h1>Plain button</h1>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="sales@wwjcd.biz">
<input type="hidden" name="item_name" value="Jackie Chan bobble head">
<input type="hidden" name="item_number" value="jc-bh">
<input type="hidden" name="amount" value="9.99">
<input type="hidden" name="currency_code" value="USD">
<input type="image" src=
"https://www.paypal.com/en_US/i/btn/x-click-but23.gif"
border="0" name="submit" alt="Make payments with PayPal - it's
fast, free and secure!">
</form>And here's the obfuscated version of the same code: <h1>Button obfuscated</h1>
<script>
<!--
document.write(unescape("%3Cform%20action%3D%22https%3A//www.paypal.com/cgi-bin/webscr%22%
20method%3D%22post%22%3E%0D%0A%3Cinput%20type%3D%22hidden%22%20
name%3D%22cmd%22%20value%3D%22_xclick%22%3E%0D%0A%3Cinput%20type%3D%22hidden
%22%20name%3D%22business%22%20value%3D%22sales@wwjcd.biz%22%3E%0D%0A%3Cinpu
%20type%3D%22hidden%22%20name%3D%22item_name%22%20value%3D%22Jackie%20Chan
%20bobble%20head%22%3E%0D%0A%3Cinput%20type%3D%22hidden%22%20name%3D%22item_number%22
%20value%3D%22jc-bh%22%3E%0D%0A%3Cinput%20type%3D%22hidden%22%20name
%3D%22amount%22%20value%3D%229.99%22%3E%0D%0A%3Cinput%20type%3D%22hidden
%22%20name%3D%22currency_code%22%20value%3D%22USD%22%3E%0D%0A%3Cinput
%20type%3D%22image%22%20src%3D%22https%3A//www.paypal.com/en_US/i/btn/x-click-but23.gif%22
%20border%3D%220%22%20name%3D%22submit%22%20alt%3D%22Make%20
payments%20with%20PayPal%20-%20it%27s%20fast%2C%20free%20and%20secure%21%22%
3E%0D%0A%3C/form%3E"));
//-->
</script>While this hack can indeed be applied to an already-encrypted button (as detailed in [Hack #37], encrypted buttons hardly need the added protection of obfuscation.
|
Main Menu |
| 500 Juegos Gratis | 500 Giochi Gratis | 500 Jeux Gratuits | 500 Jogos Gratis | 500 Kostenlose Spiele |
Source in your
browser to see for yourself). This means that anyone can view your
button source code, copy the HTML to her own system, make changes to
the variables (such as the price), and make a payment with the
modified button. You can manually review purchases to make sure no
tampering has taken place, but in high-volume or automated systems,
this might be a difficult or even impossible task.
