Paypal Hacking
This is not about hacking paypal.com; PayPal knows enough about securing itself. Are you using a PayPal IPN script on your websites? Then there is something you have to take care of.
First of all, plan and decide your product delivery strategy.
Product delivery methods
1. Email the product after a successful payment
2. Redirect the user to a product page to download it directly
Unvalidated data will always put you through hell.
See the example below:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="you@yourbusiness.com">
<input type="hidden" name="item_name" value="Your Product">
<input type="hidden" name="item_number" value="100">
<input type="hidden" name="amount" value="15.00">
<input type="hidden" name="return"
value="hxxp://www.yourbusiness.com/secret-location/product.zip">
<input type="image" src="hxxp://www.paypal.com/images/x-click-butcc.gif"
border="0" name="submit">
</form>
This form redirects the user to the exact product file after a successful payment. Never write code like this: the return URL is a hidden field in your page's HTML, so anyone can read the "secret" location and download the product without paying. Instead, give the user a transaction or purchase code and ask for that code when they try to download.
Hashed values
$hash = $paypal_transaction_id . $productno . $user_id; // PayPal txn_id + your product number + your user id
$purchase_code = md5($hash);
Store this $purchase_code in a `transactions` table for the user and email it to them.
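The post warns later not to install an IPN script as it comes. The following is an added example, not code from the original post, of what the IPN listener should check before it records a sale and derives the purchase code above. The postback host, the `transactions` columns, the `$db` PDO handle, the price list, and the use of PayPal's `custom` pass-through field to carry your own user id are all assumptions.

```php
<?php
// Added example (not from the original post): an IPN listener that validates
// the notification before it records a transaction and issues the purchase
// code.  Assumed: a PDO handle $db, a `transactions` table with columns
// (paypal_transaction, productno, user_id, purchase_code), a price list, and
// your user id passed through PayPal's `custom` form field.

const RECEIVER_EMAIL  = 'you@yourbusiness.com';         // your PayPal account
const EXPECTED_PRICES = ['100' => ['15.00', 'USD']];    // item_number => [amount, currency]

// Step 1: post the message back to PayPal unchanged, with cmd=_notify-validate
// in front, and return PayPal's one-word answer ("VERIFIED" or "INVALID").
function paypal_postback(array $ipn): string
{
    $body = 'cmd=_notify-validate&' . http_build_query($ipn);
    $ch = curl_init('https://ipnpb.paypal.com/cgi-bin/webscr');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response === false ? 'INVALID' : trim($response);
}

// Step 2: the checks you must make yourself.  $verdict is the postback answer,
// $txn_seen tells whether a txn_id is already in `transactions`.
// Returns null when the notification is good, otherwise the reason to reject.
function ipn_reject_reason(array $ipn, string $verdict, callable $txn_seen): ?string
{
    if ($verdict !== 'VERIFIED') {
        return 'postback not VERIFIED';
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return 'payment not Completed';
    }
    // The money must have gone to *your* account, not to an address someone
    // put into a copied form.
    if (strcasecmp($ipn['receiver_email'] ?? '', RECEIVER_EMAIL) !== 0) {
        return 'wrong receiver_email';
    }
    $item = $ipn['item_number'] ?? '';
    if (!isset(EXPECTED_PRICES[$item])) {
        return 'unknown item_number';
    }
    [$amount, $currency] = EXPECTED_PRICES[$item];
    // The hidden amount/currency fields in the form can be edited by the buyer;
    // compare against your own price list, never against the form.
    if (abs((float)($ipn['mc_gross'] ?? 0) - (float)$amount) > 0.005
        || ($ipn['mc_currency'] ?? '') !== $currency) {
        return 'amount or currency does not match price list';
    }
    // A genuine IPN can be replayed: honour each txn_id once.
    if ($txn_seen($ipn['txn_id'] ?? '')) {
        return 'txn_id already processed';
    }
    return null;
}

// Step 3: record the sale and derive the purchase code exactly as in the post.
function record_sale(PDO $db, array $ipn, int $user_id): string
{
    $purchase_code = md5($ipn['txn_id'] . $ipn['item_number'] . $user_id);
    $stmt = $db->prepare(
        'INSERT INTO transactions (paypal_transaction, productno, user_id, purchase_code)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$ipn['txn_id'], $ipn['item_number'], $user_id, $purchase_code]);
    return $purchase_code;   // email this to the buyer
}

// Constructed sample IPN (not a real notification), run through the checks
// without the network: the postback verdict is supplied by hand.
$sample = [
    'txn_id' => '1AB23456CD789012E', 'payment_status' => 'Completed',
    'receiver_email' => 'you@yourbusiness.com', 'item_number' => '100',
    'mc_gross' => '15.00', 'mc_currency' => 'USD', 'custom' => '42',
];
$seen   = [];   // stands in for a SELECT on `transactions`
$isSeen = function (string $txn) use (&$seen): bool { return isset($seen[$txn]); };

var_dump(ipn_reject_reason($sample, 'VERIFIED', $isSeen));                            // NULL: accept
var_dump(ipn_reject_reason(['mc_gross' => '0.01'] + $sample, 'VERIFIED', $isSeen));   // price tampered
var_dump(ipn_reject_reason($sample, 'INVALID', $isSeen));                             // forged notification

// Live wiring in the real listener:
//   $verdict = paypal_postback($_POST);
//   if (ipn_reject_reason($_POST, $verdict, $isSeen) === null) {
//       record_sale($db, $_POST, (int)$_POST['custom']);
//   }
```

Note that the purchase code is only as unguessable as the PayPal transaction ID it is built from; if you are free to change the scheme, a random token from random_bytes() stored in the same column is stronger than an md5 of values the buyer already knows.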
OK, now the user is trying to download the product. What should we check?
Considerations:
1. Ask for the purchase code in a <form>.
2. Force the user to log in to your site.
3. Check whether you have any rows in the `transactions` table for that user.
4. If yes, fetch the row and build a checker variable from the same three values:
$checker = $row['paypal_transaction'] . $row['productno'] . $user_id;
$user_entered_hash = $_POST['purchase_id'];
$our_checker_hash = md5($checker);
// compare with hash_equals(), not ==: PHP's == treats hex strings like "0e..." as equal numbers and also leaks timing
if (hash_equals($our_checker_hash, (string)$user_entered_hash))
Only when this check passes can you proceed.
You have to take care with URL encoding of anything you put in a link.
Generate a temporary product URL; it must expire after a few hours.
All information should be encoded and strictly validated.
Only then will you see profit. So don't just install or write IPN scripts as they come. Always take care of input and URL validation.
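The checks in the list above, combined with the expiring product URL, as an added example that is not code from the original post. The `transactions` row shape, the `DOWNLOAD_SECRET` constant, the two-hour lifetime, and the token format are assumptions.

```php
<?php
// Added example (not from the original post): the download check from the
// list above plus a time-limited download link, so the real file location is
// never handed to the client.  Assumed: the user is already logged in
// ($user_id from the session), $row was fetched from `transactions` for that
// user, and DOWNLOAD_SECRET is a random server-side key kept out of the web root.

const DOWNLOAD_SECRET = 'replace-with-32-random-bytes';
const LINK_LIFETIME   = 2 * 3600;   // two hours, in seconds

// Recompute the checker hash as the post does and compare it to what the user
// typed.  hash_equals() instead of ==: PHP's == treats two hex strings such as
// "0e123" and "0e456" as equal numbers, and it leaks timing.
function purchase_code_matches(array $row, int $user_id, $user_entered): bool
{
    if (!is_string($user_entered)) {
        return false;                      // $_POST can carry an array
    }
    $checker = $row['paypal_transaction'] . $row['productno'] . $user_id;
    return hash_equals(md5($checker), $user_entered);
}

// Issue an expiring, signed download token.  The client only sees
// (product, user, expiry, signature); the file path stays on the server.
function make_download_token(string $productno, int $user_id, int $now): string
{
    $expires = $now + LINK_LIFETIME;
    $payload = "$productno|$user_id|$expires";
    $sig     = hash_hmac('sha256', $payload, DOWNLOAD_SECRET);
    // URL-encode the token before it goes into a link, as the post advises.
    return rawurlencode($payload . '|' . $sig);
}

// Returns the product number to serve, or null if the token is bad or expired.
function check_download_token(string $token, int $user_id, int $now): ?string
{
    $parts = explode('|', rawurldecode($token));
    if (count($parts) !== 4) {
        return null;
    }
    [$productno, $uid, $expires, $sig] = $parts;
    if ((int)$uid !== $user_id || (int)$expires < $now) {
        return null;                       // another user's link, or expired
    }
    $expected = hash_hmac('sha256', "$productno|$uid|$expires", DOWNLOAD_SECRET);
    return hash_equals($expected, $sig) ? $productno : null;
}

// Constructed sample data (not from a real database).
$user_id = 42;
$row     = ['paypal_transaction' => '1AB23456CD789012E', 'productno' => '100'];
$typed   = md5('1AB23456CD789012E' . '100' . '42');   // the code the buyer was emailed

if (!purchase_code_matches($row, $user_id, $typed)) {
    exit('purchase code does not match');
}
$token = make_download_token($row['productno'], $user_id, time());

// Serve the file from a directory outside the web root, keyed by the returned
// product number, only after check_download_token() returns non-null.
var_dump(check_download_token($token, $user_id, time()));                       // string(3) "100"
var_dump(check_download_token($token, $user_id, time() + LINK_LIFETIME + 1));   // NULL: expired
var_dump(check_download_token($token, 43, time()));                             // NULL: other user
```

The token is bound to the logged-in user, so a buyer who forwards the link does not hand the file to someone else, and the expiry is inside the signed payload, so it cannot be edited in the URL.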