I'm designing a Order Site using PHP & Mysql. In the final stage the user is given Paypal buttons to pay for the Orders he has made. So, the Item Name, Value are variables. These values being variables, I cannot use an encrypted button from Paypal. I'll have to use either a non-encrypted button or encrypt it before showing it to the user.
I wish to encrypt it for security reasons. I would like to know how to do it on my server.
EWP is a PayPal Payments Standard feature that uses public and private keys to encrypt the payment button code used on merchant websites. The encryption hides the payment details so they cannot be seen by anyone viewing the website source code in a browser.
PayPal doesn't have any ongoing fees or long term contracts which makes it convenient. “Buy Now” buttons can be encoded to allow your customers to purchase an item with a fixed amount. Buyers may purchase multiples of the same items. PayPal will track inventory of these items if that is required.
What you need to do is fairly complex, first, the intro, paypal encrypted buttons have the following layout:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="encrypted" value="-----BEGIN PKCS7-----MIIIEQYJKo...Encrypted stuff...IF5ioje8JH0LAA+5U7P+tabAMOL37k=-----END PKCS7-----">
<input type="image" src="https://www.paypalobjects.com/es_XC/MX/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal, la forma más segura y rápida de pagar en línea.">
<img alt="" border="0" src="https://www.paypalobjects.com/es_XC/i/scr/pixel.gif" width="1" height="1">
</form>
The cmd field indicates an encrypted Buy Now button (check the values for the buttons you want to create), and the encrypted field is the actual content of the button in the following layout:
cert_id=ZQCMJTZS27U4F
cmd=_xclick
[email protected]
item_name=Handheld Computer
item_number=1234
custom=sc-id-789
amount=500.00
currency_code=USD
tax=41.25
shipping=20.00
no_note=1
cancel_return=http://www.company.com/cancel.htm
Note, these are in the pair=value format, for a full reference look here: https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_Appx_websitestandard_htmlvariables.
Now the theory, to get the encrypted field, well encrypted, you need to sign these values with your certificate (x509 certificate) and you private key, then you need to encrypt this signed message with paypal's public certificate.
Going to the practice, for doing it you can (need) to use the following two PHP functions (part of the OpenSSL extension): openssl_pkcs7_sign and openssl_pkcs7_encrypt.
I found this last part very tricky to setup, so i recommend you to download the PHP SDK for PayPal avalaible here: https://www.x.com/community/ppx/sdks#WPST and directly here: https://cms.paypal.com/cms_content/US/en_US/files/developer/PP_PHP_WPS_Toolkit.zip, this SDK comes with the class EWPServices who contains the method encryptButton which gives you the encrypted button pretty easy; if you want to look at the bones then look in the PPCrypto class who offers you the signAndEncrypt method which give you only the encrypted string you need for the field and does show you the process of encrypting the button.
By the way, if you don't know how to get your certificate and your private key (and/or the Paypal's certificate) look here: https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_encryptedwebpayments#id08A3I0N30Y4
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With