CodingForums.com > Server side development > PHP
08-07-2002, 11:37 PM | #1
zoobie
Senior Coder
My Security Hole

I'm selling graphix over the web via Paypal credit-card processing.

One thing I've noticed is when it comes time to pay, the PHP page with sessions has the Paypal button with hidden fields on it. The problem is, anyone could just look at the source code, copy and paste the "thank you" address into the browser, and bypass the credit-card processing altogether.

I know about includes...but so would they.

What do you suggest?

Thanks
__________________
Zoobie or not Zoobie...That is the problem.
<body onUnload="flush( ! )">
08-08-2002, 02:55 AM | #2
SYP}{ER
Regular Coder
Umm... If you're talking about the Paypal system having a security hole, I think you'll find you're mistaken. They wouldn't leave such an incredibly obvious hole.

If it's YOUR script, then just find another way of moving variables around (use sessions n' stuff...)
__________________
Offtone.com - In the works...
08-08-2002, 02:55 AM | #3
firepages
Super Moderator
Hi, not having used paypal, but having tied up to other payment gateways, they all return via POST or GET a transaction number and a success code, so your thank-you page should really do nothing without checking for those variables?
__________________
resistance is...

MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)
08-08-2002, 05:44 PM | #4
Shift4Sms
Regular Coder
zoobie,

If you are processing more than a dozen or so transactions per month, I would suggest getting a real merchant account from a bank and processing the transactions through a traditional payment processing gateway.

Your per transaction costs will probably be lower and Paypal has the habit of locking up all your funds if a customer complains to them about you -- justified or NOT.

Search the web and read for yourself...
__________________
Steven Sommers (blog)
Shift4 Corporation -- www.shift4.com

Creators of $$$ ON THE NET(tm) payment processing services.
08-08-2002, 05:58 PM | #5
mouse
Regular Coder
Quote:
Originally posted by Shift4Sms
zoobie,

If you are processing more than a dozen or so transactions per month, I would suggest getting a real merchant account from a bank and processing the transactions through a traditional payment processing gateway.

Your per transaction costs will probably be lower and Paypal has the habit of locking up all your funds if a customer complains to them about you -- justified or NOT.

Search the web and read for yourself...
Sorry but do you know how much a "real merchant account" costs? Netbanx, CCnow etc may be better than Paypal...
__________________
[+] Computer/PC issues [+] Silverpaw3D
------------------------------------------------
Never buy a dwarf with learning disabilities...

...it's not big, and it's not clever.
08-08-2002, 06:34 PM | #6
Shift4Sms
Regular Coder
Quote:
Sorry but do you know how much a "real merchant account" costs?
Yes I do -- I've seen a wide range of costs, anywhere from a one-time setup fee and then a straight discount rate with no monthly minimums to exorbitant setup fees, monthly fees, discount rates and per transaction fees. And yes, I did oversimplify the criteria for determining one solution over another. Many factors come into play: average ticket amount, risk factor for the type of goods you provide, risk factor for the type of consumers you market to, how long you have been in business, etc. My suggestion is shop around.

Do you know how much business you are losing using person-to-person payment solutions like these for business-to-consumer transactions? Consumers using P2P solutions lose many, if not all, of their charge-back rights and many shoppers know this. Unless you are selling something extremely unique, many shoppers are more likely to speed off to purchase their goods from another site than jump through the "account setup" hoops many of these P2P solutions require, in addition to losing many of their rights.

Also, since I do know the costs involved with setting up and maintaining a "true" merchant account, sites that use these cheap alternatives strike me as being "fly-by-night" organizations or organizations where customer satisfaction may not be a priority.

As strange as you might think my views are, I know I'm not alone. So I ask again, do you know how much business you are losing?
__________________
Steven Sommers (blog)
Shift4 Corporation -- www.shift4.com

Creators of $$$ ON THE NET(tm) payment processing services.

Last edited by Shift4Sms; 08-08-2002 at 07:41 PM..
08-08-2002, 07:30 PM | #7
IKinsler
New Coder
I know it's going against what everyone else is saying, but there is a way to do it. First, put all the hidden form elements you want to submit on a different page, and link your PayPal button to that page.

I know you don't understand, it's hard to explain. You link the button to, say, form.php, and on that page you have all of the form elements inside a form, say, formname. Then, AFTER the form, add this JavaScript:

<script>
// submits the form named "formname" as soon as this script runs (after the form)
document.formname.submit();
</script>

Oh, and I forgot one thing... the action attribute of the form has to be the URL that the PayPal button originally pointed to.

I hope you understand what I'm saying!
__________________
Jared Brandt
IKinsler
08-08-2002, 08:35 PM | #8
zoobie
Senior Coder
I think I do...The javascript automatically sends to the action=http://mypaypal.com once loaded thusly not allowing them to see the hidden fields.

One problem...They disable their javascript...and there are the hidden fields.

Yes...I was very surprised that Paypal does this. However, to be fair, they also offer IPN (Instant Payment Notification) in which once paid, the buyer is sent an email with a password and url to download their purchase. The thing is, my items are only $2-5 and I think having them fill out Paypal's credit card form and asking for their email addy and asking them to come back to d/l is just a tad too much.

Someone suggested I enter the Paypal variables as session variables...but I guess that's not possible

Thanks
__________________
Zoobie or not Zoobie...That is the problem.
<body onUnload="flush( ! )">

Last edited by zoobie; 08-10-2002 at 09:28 AM..
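The fix firepages describes in #3 (the thank-you page does nothing until the gateway's own transaction data has been checked) and the IPN mechanism zoobie mentions in #8 fit together as one pattern: the gateway notifies the merchant's server directly, the server verifies that notification with the gateway and records the sale, and the thank-you page delivers only when a verified record exists for the buyer's order. The PHP below is an added example written for this thread; it is not code from the thread, from PayPal, or from any poster. The gateway verification URL, the `_notify-validate` echo-back convention (how PayPal's IPN historically worked; confirm against the gateway's current documentation), the field names, the item catalogue, the merchant e-mail and the SQLite file path are all assumptions.

```php
<?php
// Added example (not from the thread): a gateway notification listener plus a
// thank-you/download page that trusts a server-side payment record, never the
// URL the buyer arrives on. Endpoint URL, field names, item ids and paths are
// assumptions; take the real ones from your gateway's documentation.

declare(strict_types=1);

const GATEWAY_VERIFY_URL = 'https://gateway.example/verify';  // placeholder, assumed
const RECEIVER_EMAIL     = 'merchant@example.com';            // assumed merchant account
const DB_PATH            = __DIR__ . '/payments.sqlite';      // assumed, outside web root
// What each item should cost. The listener re-checks the amount because the
// hidden form fields a buyer can read are also fields a buyer can edit.
const CATALOGUE          = ['gfx-001' => '2.00', 'gfx-002' => '5.00'];

function db(): PDO {
    $pdo = new PDO('sqlite:' . DB_PATH);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS payments (
        txn_id TEXT PRIMARY KEY, item TEXT NOT NULL, custom TEXT NOT NULL,
        delivered INTEGER NOT NULL DEFAULT 0)');
    return $pdo;
}

// Called when rendering the pay button: the token goes into the button's hidden
// "custom" field and into the session, so the thank-you page can later match
// this browser's order to a notification the gateway sent us.
function newOrderToken(): string {
    $_SESSION['order_token'] = bin2hex(random_bytes(16));
    return $_SESSION['order_token'];
}

// Echo the notification back to the gateway and accept it only if the gateway
// confirms it really sent it (PayPal's IPN answered "VERIFIED" to such a
// post-back; the endpoint here is an assumption).
function gatewayConfirms(array $post): bool {
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['cmd' => '_notify-validate'] + $post),
        'timeout' => 10,
    ]]);
    $reply = @file_get_contents(GATEWAY_VERIFY_URL, false, $ctx);
    return $reply === 'VERIFIED';
}

// Listener: hit by the gateway server-to-server, not by the buyer's browser.
function handleNotification(array $post): bool {
    if (!gatewayConfirms($post))                                 return false;
    if (($post['payment_status'] ?? '') !== 'Completed')         return false;
    if (($post['receiver_email'] ?? '') !== RECEIVER_EMAIL)      return false; // paid to us?
    $item = $post['item_number'] ?? '';
    if (!array_key_exists($item, CATALOGUE))                     return false;
    if (($post['mc_gross'] ?? '') !== CATALOGUE[$item])          return false; // edited price
    if (($post['mc_currency'] ?? '') !== 'USD')                  return false;

    // INSERT OR IGNORE makes a replayed notification harmless: one txn_id, one sale.
    db()->prepare('INSERT OR IGNORE INTO payments (txn_id, item, custom) VALUES (?, ?, ?)')
        ->execute([$post['txn_id'] ?? '', $item, $post['custom'] ?? '']);
    return true;
}

// Thank-you page: the URL proves nothing, so deliver only if a verified,
// not-yet-delivered record exists for this browser's order token.
function deliverIfPaid(string $orderToken): ?string {
    $pdo  = db();
    $stmt = $pdo->prepare('SELECT txn_id, item FROM payments WHERE custom = ? AND delivered = 0');
    $stmt->execute([$orderToken]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) return null;   // not paid (yet), or already downloaded
    $pdo->prepare('UPDATE payments SET delivered = 1 WHERE txn_id = ?')->execute([$row['txn_id']]);
    return __DIR__ . '/private/' . $row['item'] . '.zip';   // assumed, not web-accessible
}

// Dispatch: listener.php is requested by the gateway, thankyou.php by the buyer.
if (PHP_SAPI !== 'cli') {
    session_start();
    if (basename($_SERVER['SCRIPT_NAME']) === 'listener.php') {
        http_response_code(handleNotification($_POST) ? 200 : 400);
    } else {
        $path = isset($_SESSION['order_token']) ? deliverIfPaid($_SESSION['order_token']) : null;
        if ($path === null) { http_response_code(402); echo 'Payment not confirmed yet.'; }
        else { header('Content-Type: application/zip'); readfile($path); }
    }
}
```

Two things worth noting about the design. The hidden fields are never treated as secret: a buyer who changes the price field gets rejected by the amount check, and a buyer who types the thank-you URL by hand gets "Payment not confirmed yet" because no verified record carries their token. And because the notification is asynchronous, it can arrive a little after the buyer is redirected back, so the thank-you page should invite a reload rather than treat the first miss as fraud.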