  • #1
    Senior Coder

    My Security Hole

    I'm selling graphix over the web via Paypal credit-card processing.

    One thing I've noticed is when it comes time to pay, the php page with sessions has the Paypal button with hidden fields on it. The problem is, anyone could just look at the source code, copy and paste the "thank you" address into the browser, and by-pass the credit-card processing altogether.

    I know about includes...but so would they.

    What do you suggest?

    Thanks
    Zoobie or not Zoobie...That is the problem.
    <body onUnload="flush( ! )">

  • #2
    Regular Coder
    Umm... If you're talking about the Paypal system having a security hole, I think you'll find you're mistaken. They wouldn't leave such an incredibly obvious hole.

    If it's YOUR script, then just find another way of moving variables around (use sessions n' stuff...)
    Offtone.com - In the works...

  • #3
    Super Moderator
    Hi, not having used PayPal, but having tied up to other payment gateways, they all return via POST or GET a transaction number and a success code, so your thank-you page should really do nothing without checking for those variables?
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #4
    Regular Coder
    zoobie,

    If you are processing more than a dozen or so transactions per month, I would suggest getting a real merchant account from a bank and processing the transactions through a traditional payment processing gateway.

    Your per transaction costs will probably be lower and Paypal has the habit of locking up all your funds if a customer complains to them about you -- justified or NOT.

    Search the web and read for yourself...
    Steven Sommers (blog)
    Shift4 Corporation -- www.shift4.com

    Creators of $$$ ON THE NET(tm) payment processing services.

  • #5
    Regular Coder
    Originally posted by Shift4Sms
    zoobie,

    If you are processing more than a dozen or so transactions per month, I would suggest getting a real merchant account from a bank and processing the transactions through a traditional payment processing gateway.

    Your per transaction costs will probably be lower and Paypal has the habit of locking up all your funds if a customer complains to them about you -- justified or NOT.

    Search the web and read for yourself...
    Sorry, but do you know how much a "real merchant account" costs? Netbanx, CCnow etc. may be better than Paypal...
    [+] Computer/PC issues [+] Silverpaw3D
    ------------------------------------------------
    Never buy a dwarf with learning disabilities...

    ...it's not big, and it's not clever.

  • #6
    Regular Coder
    Sorry, but do you know how much a "real merchant account" costs?
    Yes I do -- I've seen a wide range of costs, anywhere from a one-time setup fee and then a straight discount rate with no monthly minimums, to exorbitant setup fees, monthly fees, discount rates and per-transaction fees. And yes, I did oversimplify the criteria for determining one solution over another. Many factors come into play: average ticket amount, risk factor for the type of goods you provide, risk factor for the type of consumers you market to, how long you have been in business, etc. My suggestion is shop around.

    Do you know how much business you are losing using person-to-person payment solutions like these for business-to-consumer transactions? Consumers using P2P solutions lose many, if not all, of their charge-back rights, and many shoppers know this. Unless you are selling something extremely unique, many shoppers are more likely to speed off to purchase their goods from another site than jump through the "account setup" hoops many of these P2P solutions require, in addition to losing many of their rights.

    Also, since I do know the costs involved with setting up and maintaining a "true" merchant account, sites that use these cheap alternatives strike me as being "fly-by-night" organizations or organizations where customer satisfaction may not be a priority.

    As strange as you might think my views are, I know I'm not alone. So I ask again, do you know how much business you are losing?
    Last edited by Shift4Sms; 08-08-2002 at 07:41 PM.
    Steven Sommers (blog)
    Shift4 Corporation -- www.shift4.com

    Creators of $$$ ON THE NET(tm) payment processing services.

  • #7
    New Coder
    I know it's going against what everyone else is saying, but there is a way to do it. First, put all the hidden form elements you want to submit on a different page, and link your PayPal button to that page.

    I know you don't understand, it's hard to explain. You link the button to, say, form.php, and on that page you have all of the form elements inside a form, say, formname. Then, AFTER the form, add this JavaScript:

    <script>
    document.formname.submit();
    </script>

    Oh, and I forgot one thing... the action attribute of the form has to be the URL that the PayPal button originally pointed to.

    I hope you understand what I'm saying!
    Jared Brandt
    IKinsler

  • #8
    Senior Coder
    I think I do...The javascript automatically sends to the action=http://mypaypal.com once loaded, thus not allowing them to see the hidden fields.

    One problem...They disable their javascript...and there are the hidden fields.

    Yes...I was very surprised that Paypal does this. However, to be fair, they also offer IPN (Instant Payment Notification) in which, once paid, the buyer is sent an email with a password and url to download their purchase. The thing is, my items are only $2-5 and I think having them fill out Paypal's credit card form and asking for their email addy and asking them to come back to d/l is just a tad too much.

    Someone suggested I enter the Paypal variables as session variables...but I guess that's not possible.

    Thanks
    Last edited by zoobie; 08-10-2002 at 09:28 AM.
    Zoobie or not Zoobie...That is the problem.
    <body onUnload="flush( ! )">
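    What #3 (check the returned transaction variables) and #8 (IPN) point at, written out as an added example that is not from anyone in the thread: the thank-you/download page grants nothing by itself, and a purchase is recorded only after the payment notification has been posted back to the processor and verified server-side, because a transaction id or success flag that merely appears in the buyer's own request can be typed into a URL just like the thank-you address. Python rather than PHP, the post-back transport is injected so it runs offline, the field names are PayPal's IPN ones (txn_id, payment_status, receiver_email, mc_gross) and every value is constructed.

```python
"""Server-side payment verification for a thank-you/download page (added example)."""
import secrets
from urllib.parse import urlencode

# Constructed in-memory store of purchases the processor has confirmed.
PAID = {}          # download_token -> txn_id, issued only after verification
SEEN_TXN = set()   # txn_ids already credited, so a replayed notification buys nothing


def verify_with_paypal(ipn_fields, post_back):
    """Echo the notification back with cmd=_notify-validate; PayPal answers
    VERIFIED or INVALID. post_back(body) -> str is injected (assumption) so
    the example needs no network."""
    body = urlencode({"cmd": "_notify-validate", **ipn_fields})
    return post_back(body) == "VERIFIED"


def handle_ipn(ipn_fields, post_back, expected_receiver, expected_price):
    """IPN listener: credit the purchase only when every check passes.
    Returns a one-time download token (to be emailed to the buyer, as #8
    describes) or None."""
    if not verify_with_paypal(ipn_fields, post_back):
        return None                      # forged or tampered notification
    if ipn_fields.get("payment_status") != "Completed":
        return None                      # pending, reversed, refunded ...
    if ipn_fields.get("receiver_email") != expected_receiver:
        return None                      # paid into someone else's account
    if ipn_fields.get("mc_gross") != expected_price:
        return None                      # buyer edited the hidden amount field
    txn = ipn_fields.get("txn_id")
    if not txn or txn in SEEN_TXN:
        return None                      # missing or replayed transaction id
    SEEN_TXN.add(txn)
    token = secrets.token_urlsafe(32)    # unguessable, unlike a fixed URL
    PAID[token] = txn
    return token


def thank_you_page(query):
    """The page the buyer lands on. Knowing its address is worthless: the
    download is served only for a token that handle_ipn recorded."""
    token = query.get("token")
    if token in PAID:
        return "200 download for " + PAID[token]
    return "403 no verified payment"
```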

