PayPal Hacks by Dave Nielsen, Shannon Sofield, Dave Burchell

To generate a simple block of button code, follow these steps:

The resulting code should look like this:

<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
    <input type="hidden" name="cmd" value="_xclick">
    <input type="hidden" name="business" value="sales@payloadz.com">
1.  <input type="hidden" name="item_name" value="Widget">
2.  <input type="hidden" name="item_number" value="Wid-001">
3.  <input type="hidden" name="amount" value="1.00">
    <input type="hidden" name="no_note" value="1">
    <input type="hidden" name="currency_code" value="USD">
   <input type="image" src=
"https://www.paypal.com/en_US/i/btn/x-click-but23.gif" border="0"
                name="submit">
</form>

Most of the variables will not change, regardless of the item you’re selling. The variables on lines 1 ,2 , and 3 are the only ones you’ll need to customize for each particular product.

Modifications to the variables are straightforward and can be done directly in the HTML. For instance, to specify a price, replace 1.00 with the price of your item, in dollars and cents (but no dollar sign). Likewise, set the item_name variable to the name of the product, and set the item_number variable to a unique product number or SKU code that makes sense for your store.

In addition to the aforementioned variables, there are also other PayPal-supported options you can add to your purchase buttons. For example, the return and cancel_return variables define the addresses of web pages to which the user should be taken after the payment process has been completed or if the process is cancelled, respectively:

<input type="hidden" name="return" value="http://yoursite.com/thankyou.html">
<input type="hidden" name="cancel_return" value=
                "http://yoursite.com/cancel.html">

Simply insert additional variables anywhere in your button code, so long as they appear between the opening <form> and closing </form> tags. Other variables include:

First, you’ll need to prepare another button image for use in the form. It can be either a GIF or JPG image file, but it must be located somewhere on your web site or elsewhere on the Internet so that you can reference its location in your code. See the next section for button design tips.

Start by generating the code for an ordinary Buy Now button [Hack #28] . Copy the HTML code and paste it into your favorite HTML editor, such as Dreamweaver, FrontPage, or any plain-text editor (e.g., Notepad). Find the piece of code that references the image:

<input type="image" src="https://www.paypal.com/images/x-click-but23.gif" 
                border="0" name="submit" alt="Make payments with PayPal - it's 
                fast, free  and secure!">

The src parameter contains the location (URL) of the image to be used:

 src="https://www.paypal.com/images/x-click-but23.gif"

Simply change this source to the address (URL) of your button image:

src="http://www.anothersite.com/yournewimage.gif"

Or, if the image is located on the same site as your button code, it could be as simple as this:

src="/images/ournewimage.gif"

So, the final code should look like this:

<input type="image" ="http://www.anothersite.com/ournewimage.gif"
                border="0" name="submit" alt="Make payments with PayPal - it's 
                fast, free and secure!">

The PayPal Button Factory provides some options for button appearance, though most of the supplied images are branded with the PayPal look and might not integrate cleanly with your web site’s design. The previous section shows how to use any image you like, provided that you have one at the ready. With a simple web search, you can find images of buttons at web sites that specialize in shopping cart buttons. But for even more seamless integration, you can create your own image in an image-editing program, such as Photoshop or Paint Shop Pro.

The ideal sizes for your buttons, based on the sizes PayPal uses for their buttons, are 68x23 pixels for Buy Now buttons and 87x23 pixels for Shopping Cart buttons. You do not have to use these exact sizes for your own buttons, but do use them as guidelines when choosing appropriate sizes for your buttons.

You can also add interaction to your buttons by providing different variations of your images so that they look lit up or pushed in when your customers click them or move over them with their mice. This visual feedback and interactivity makes your buttons look and act more clickable, and it is a good way to get more customers to click them. To give your image a slightly different appearance on mouseover or when clicked, you need to have two button images: one to act as the normal, unactivated state and another to replace the original image with activated. Figure 4-2 shows two such images.

Figure 4-2. Normal and activated images for one button

The images in Figure 4-2 are identical, except that the activated image has been tinted gray. You might prefer a little more color or perhaps a highlighted border; to make the image look pushed in, replace the shadow pixels with the button foreground color (in this case, white).

Simply include this JavaScript code to swap one image for another upon mouseover:

<input type="image" name="submit" src="yourbutton_up.gif" onmouseover=
                "this.src='yourbutton_over.gif'" onmouseout=
                "this.src='yourbutton_up.gif'">

The two images for normal and activated states are yourbutton_up.gif and yourbutton_over.gif, respectively, in the preceding code. To have the button change when it is clicked (as opposed to responding to a mouseover), use this code instead:

<input type="image" name="submit" src="yourbutton_up.gif" onMouseDown=
                "this.src='yourbutton_over.gif'">

This just scratches the surface of what you can do. The more you do to polish the appearance and behavior of your buttons, the more customized (and hopefully professional) your site will appear to your customers.

Since PayPal is an eBay company, it shouldn’t be surprising that PayPal is well integrated with the eBay web site. For instance, if you indicate that you accept PayPal payments when constructing an eBay listing, a PayPal button will automatically appear for the winning bidder when the listing ends. Here’s how to build the link between your eBay account and your PayPal account:

That’s it! When your auction ends, a PayPal payment button will automatically appear at the top of the auction page, but for the winning bidder only.

Furthermore, you can configure PayPal to automatically insert a Pay Now button into each of your running auctions:

The PayPal Auction options include the following:

Figure 4-3. Buttons indicating that you prefer PayPal in an eBay listing

Although eBay provides payment buttons for high bidders, you might want to supplement these buttons with your own. Plus, you might want to add eBay-like functionality to other auction sites, such as Yahoo!, uBid, Amazon.com, MSN, and Bidville auctions.

This code displays a simple Pay Now button that sends your customers to the PayPal web site and guides them through the payment process. The system automatically tracks the payment for this particular auction, so your customer will not have to enter any additional auction-related information. Plus, the auction site, provided that it’s linked up with PayPal, will be notified automatically so that it can update the payment status of the auction for you and your bidder.

The goal of providing an extra payment button like this one is to reduce the chances that your customer (bidder) will use PayPal’s Send Money function to pay for an auction; in that case, you would receive a payment not linked to its corresponding auction.

Here is the HTML code for an auction payment button, linked to a particular auction:

<form method="get" action="https://www.paypal.com/cgi-bin/webscr">
<input type="hidden" name="cmd" value=_cart>
<input type="hidden" name="business" value="youremail@paypalhacks.com">
<input type="hidden" name="item_name_1" value="Widget">
<input type="hidden" name="amount_1" value="1.00">
<input type="hidden" name="quantity_1" value="1">
<input type="hidden" name="site_1" value="eBay">
<input type="hidden" name="ai_1" value="2540252652">
<input type="hidden" name="ab_1" value="your_ebay_id">
<input type="submit" name="upload" value="Pay Now">
</form>

This code is similar to the code used in [Hack #50] , with the exception of a few new variables: site_ n, ai_ n, and ab_ n, where n is a number representing the item in multiple item payments, starting with 1 (for example, include ab_1, ab_2, and ab_3 if you’re requesting payment for three different auctions).

The site_ n variable defines the site on which the auction was listed, and it should be set to eBay for eBay auctions or Yahoo for Yahoo! Auctions. This value is case sensitive, so for other auction sites, you’d type uBid, Amazon, MSN, or Bidville. The second variable, ai_ n, should be set to the auction (or listing) number at the auction site. Finally, ab_ n, is your user ID at the auction site (your_ebay_id in this example). Naturally, you’ll need to replace all italicized text in the code with the details of your transaction.

The other variables, such as item_name_ n and amount_ n, can be modified as described in [Hack #28] .

This hack demonstrates how you can create buttons that facilitate auction-specific payments. Naturally, creating a button for each auction manually would be a time-consuming process, but you can use the eBay API to automate this process. Start by sending a query to obtain the information for each of your completed auctions using a GetTransactionDetails call, and then assemble your buttons and email them to the high bidders. The technical procedures involved with implementing this type of system go beyond the scope of this book, but extensive information can be found in David A. Karp’s eBay Hacks (O’Reilly).

If you use an off-site listing tool or a third-party listing service to build your auctions, you might be able to tie your application into the application’s local database. However, you will also need a means of obtaining completed-item details (such as the final price and high-bidder contact information). For an example that shows how to build payment buttons dynamically, see [Hack #54] .

You can take this hack a step further by changing the values of other fields based on selection. For instance, you can change the price based on the shirt size your customer chooses and send the correct price to PayPal along with the corresponding options. You need to add a few pieces of code to your payment button form for this to work.

First, place this JavaScript code in the section of your page between the <head> and </head> tags:

<script type="text/javascript">
<!-- Update Price Change
function UpdateForm (object1) {             // process change selects
var i,item_amt,object,position,val;
  item_amt = object1.amount.value;          // default amount
  for (i=0; i<object1.length; i++) {        // check options
    object = object1.elements[i];           
    if (object.type == "select-one" &&
        object.name == "cng") {             // must be named cng
      position = object.selectedIndex;      // option selected
      val = object.options[position].value; // selected value
      position  = val.indexOf ("$");        // set new price
      if (position >= 0) item_amt = val.substring (position + 1)*1.0; 
    }
  }
  object1.amount.value = item_amt;
  if (object1.item_total) object1.item_total.value = "$" + item_amt;
}
//-->
</script>

Next, change the <form> tag for your payment button code so the JavaScript function is executed when the form is submitted, like this:

<form action="https://www.paypal.com/cgi-bin/webscr" method="post" 
onsubmit="this.target='paypal';UpdateForm(this);">

Finally, modify the <select> tag so that it, too, is linked to the JavaScript code:

<select name="cng" onchange="UpdateForm(this.form);">
 <option value="Small $1.00">Size: Small $1.00</option>
 <option value="Medium $2.00">Size: Medium $2.00</option>
 <option value="Large $3.00">Size: Large $3.00</option>
</select>

You can edit the amount charged to your customer by changing the value="Small $1.00" section of the form field. You can also change the text displayed to your customer by changing the value between the <option> and </option> sections.

Make sure the amount tag in your form is set to the same value as the default value of the drop-down menu. That way, if the form is submitted without changing the values, the amount has the correct default value.

When this code is in place, the price is updated automatically whenever a new size is selected.

The BN tag only allows PayPal to track your sales internally; you won’t have access to any usage statistics connected with your use of the BN tag on your web site.

However, you can track your sales by including the custom variable in your purchase buttons. Set the value of the custom variable to some unique identifier for the application or web site in which the button appears:

<input type="hidden" name="custom" value="GeekSoft.Cart.1.3">

Every time a payment is made with this button, PayPal records the custom value in your transaction history. Next, use the Download My History feature to generate a tab- or comma-delimited text file, as shown in Figure 4-6. Finally, import the file into your spreadsheet or database and use the tools at your disposal to plot sales trends, run reports, or perform statistical analysis.

Figure 4-6. Pulling a comma-delimited file from your PayPal history for use in spreadsheets and statistical analysis applications

You can also export your PayPal history into files that Quicken and Quickbooks can understand, allowing you to integrate PayPal sales with your accounting software.

[Hack #77] shows another way to track sales through your PayPal payment buttons.

The hack consists of two pages: link.asp and jump.asp. First, link.asp contains the product and selling information, as well as a link to the second page:

<html>
<body>
Widget<br>
<a href="jump.asp?id=123">Click here to buy</a>
</body>
</html>

This first page mimics the Buy Now button, but instead of sending the customer to PayPal, it links to the jump page. Next, jump.asp queries your database for the product info and sends the purchase information to PayPal. This code is written in ASP:

<%
'Connect to database and create recordset
1.  connStore = "DRIVER={Microsoft Access Driver (*.mdb)};DBQ="C:/InetPub/wwwroot/database/
dbPayPal.mdb")
set rsJump= Server.CreateObject("ADODB.Recordset")
rsJump.ActiveConnection = connStore
2.  rsJump.Source = "SELECT tblProducts FROM tblProducts WHERE Id = " & Request("id")
3.  rsJump.Open( )
%>
<html>
4.  <body onLoad="document.fmPost.submit( )">
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" name="fmPost">
  <input type="hidden" name="cmd" value="_xclick">
  <input type="hidden" name="business" value="youremail@yourisp.com">
  <input type="hidden" name="item_name" value=
                "<%=(rsJump("ItemName").Value)%>">
  <input type="hidden" name="item_number" value=
                "<%=(rsJump("ItemID").Value)%>">
  <input type="hidden" name="amount" value=
                "<%=(rsJump("ItemPrice").Value)%>">
</form>
</body>
</html>
<%
rsJump.Close( )
%>

The jump page queries the database (line 2) for the requested product information (based on the URL embedded in the link page) and then dynamically builds a PayPal form from this information. Finally, the page uses an onLoad function (line 4) to automatically submit the form as soon as the page loads, without the customer ever seeing the page.

You don’t necessarily have to use the database method described here. Instead, you can simply create a static jump page for each product, complete with all of the product information (name, price, etc.) embedded right in the code. Although this approach wouldn’t make any sense for an online store that sells hundreds or thousands of items, it would ultimately be easier to implement than a full database if you sell only one or two products on your site.

If all this seems like too much trouble to guard against a remote possibility, there is an easier way to keep casual observers from seeing exactly what your button code contains and spoofing your button. (Isn’t it handy that the word obfuscate is, itself, a rather cryptic term?)

This quick and easy obfuscator makes it harder for casual viewers to see how your button is coded and thus helps protect it from tampering. Additionally, it foils most web spiders looking for fresh email addresses to spam.

To illustrate, here’s an ordinary payment button:

<h1>Plain button</h1>

<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="sales@wwjcd.biz">
<input type="hidden" name="item_name" value="Jackie Chan bobble head">
<input type="hidden" name="item_number" value="jc-bh">
<input type="hidden" name="amount" value="9.99">
<input type="hidden" name="currency_code" value="USD">
<input type="image" src=
                "https://www.paypal.com/en_US/i/btn/x-click-but23.gif" 
                border="0" name="submit" alt="Make payments with PayPal - it's 
                fast, free and secure!">
</form>

And here’s the obfuscated version of the same code:

<h1>Button obfuscated</h1>

<script>
<!--
document.write(unescape("%3Cform%20action%3D%22https%3A//www.paypal.com/cgi-bin/webscr%22%
20method%3D%22post%22%3E%0D%0A%3Cinput%20type%3D%22hidden%22%20
name%3D%22cmd%22%20value%3D%22_xclick%22%3E%0D%0A%3Cinput%20type%3D%22hidden
%22%20name%3D%22business%22%20value%3D%22sales@wwjcd.biz%22%3E%0D%0A%3Cinpu
%20type%3D%22hidden%22%20name%3D%22item_name%22%20value%3D%22Jackie%20Chan
%20bobble%20head%22%3E%0D%0A%3Cinput%20type%3D%22hidden%22%20name%3D%22item_number%22
%20value%3D%22jc-bh%22%3E%0D%0A%3Cinput%20type%3D%22hidden%22%20name
%3D%22amount%22%20value%3D%229.99%22%3E%0D%0A%3Cinput%20type%3D%22hidden
%22%20name%3D%22currency_code%22%20value%3D%22USD%22%3E%0D%0A%3Cinput
%20type%3D%22image%22%20src%3D%22https%3A//www.paypal.com/en_US/i/btn/x-click-but23.gif%22
%20border%3D%220%22%20name%3D%22submit%22%20alt%3D%22Make%20
payments%20with%20PayPal%20-%20it%27s%20fast%2C%20free%20and%20secure%21%22%
3E%0D%0A%3C/form%3E"));
//-->
</script>

While this hack can indeed be applied to an already-encrypted button (as detailed in [Hack #37] , encrypted buttons hardly need the added protection of obfuscation.

Button encryption is done using a cryptography library, such as OpenSSL, and a pair of cryptographic keys. OpenSSL is nice, because it allows you to both sign and envelope the message in one action. The first thing to do is install OpenSSL, which is available for download at http://www.openssl.org.

Note that some knowledge of compiling programs is required for the installation of OpenSSL on Unix. Instructions for compiling and installation on various platforms can be found in the OpenSSL download. A precompiled Windows version is available at http://www.slproweb.com/products/Win32OpenSSL.html. Simply follow the installation instructions for your particular environment.

Cryptographic keys must be exchanged in order for button encryption to work. You’ll need to contact PayPal to obtain PayPal’s public key, and you must provide your public key to PayPal. You should generate your keys in PEM format; consult the OpenSSL documentation (http://www.openssl.org/docs/HOWTO/keys.txt) for details.

Start with an unencrypted HTML form tag in your HTML page:

<form method="post" action="https://www. paypal.com/cgi-bin/webscr">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="sales@company.com">
<input type="hidden" name="amount" value="1.00">
<input type="hidden" name="currency_code" value="USD">
<input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but23.gif"
                name="submit" alt="Make payments with PayPal - it's fast, free 
                and secure!">
</form>

The first thing you need to do is convert all the hidden field name/value pairs from this form into a single string, like this:

cmd=_xclick
business=sales@company.com
amount=1.00
currency_code=USD

Next, load the PayPal public key from the paypal_cert.pem file:

BIO *bio;
X509 *gPPx509;
char* payPalCertPath = "/opt/keys/paypal_cert.pem";
if ((bio = BIO_new_file(payPalCertPath, "rt")) == NULL) {
        printf("Fatal Error: Failed to open (%s)\n", payPalCertPath);
        goto end;
}

if ((gPPx509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) == NULL) {
        printf("Fatal Error: Failed to read Paypal certificate from 
                (%s)\n", payPalCertPath);
        return "";
} 

BIO_free(bio);

Then, load your public and private keys:

X509 *x509 = NULL;
RSA *rsa = NULL;

char* certPath = "/opt/keys/my_cert.pem";
char* keyPath = "/opt/keys/my_key.pem";

if ((bio = BIO_new_file(certPath, "rt")) == NULL) {
        printf("Fatal Error: Failed to open (%s)\n", certPath);
        goto end;
}

if ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) == NULL) {
        printf("Fatal Error: Failed to read certificate from (%s)\n", certPath);
        goto end;
}

BIO_free(bio); 

if ((bio = BIO_new_file(keyPath, "rt")) == NULL) {
        printf("Fatal Error: Failed to open (%s)\n", keyPath);
        goto end;
}

if ((rsa = PEM_read_bio_RSAPrivateKey(bio, NULL, NULL, NULL)) == NULL) {
        printf("Fatal Error: Unable to read RSA key (%s).\n", keyPath);
        goto end;
}

BIO_free(bio);

' Create an EVP_PKEY instance from the private key you just loaded:
EVP_PKEY *pkey = EVP_PKEY_new( );

if (EVP_PKEY_set1_RSA(pkey, rsa) == 0) {
        printf("Fatal Error: Unable to create EVP_KEY from RSA key\n");
        goto end;
}

' create the PKCS7 instance so you can create the PKCS7 Blob:
PKCS7 *p7 = PKCS7_new( );                
PKCS7_set_type(p7, NID_pkcs7_signedAndEnveloped);

PKCS7_SIGNER_INFO* si = PKCS7_add_signature(p7, x509, pkey, EVP_sha1( ));

if (si) {
        if (PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT,
                                OBJ_nid2obj(NID_pkcs7_data)) <= 0) {
                printf("OpenSSL Error: %s\n", ERR_error_string(ERR_get_error( ), NULL));
                goto end;
        }
} else {
        printf("Fatal Error: Failed to sign PKCS7\n");
        goto end;
}

//Encryption
if (PKCS7_set_cipher(p7, EVP_des_ede3_cbc( )) <= 0) {
        printf("OpenSSL Error: %s\n", ERR_error_string(ERR_get_error( ), NULL));
        goto end;
}

if (PKCS7_add_recipient(p7, gPPx509) <= 0) {
        printf("OpenSSL Error: %s\n", ERR_error_string(ERR_get_error( ), NULL));
        goto end;
}

if (PKCS7_add_certificate(p7, x509) <= 0) {
        printf("OpenSSL Error: %s\n", ERR_error_string(ERR_get_error( ), NULL));
        goto end;
}

BIO *p7bio = PKCS7_dataInit(p7, NULL);

if (!p7bio) {
        printf("OpenSSL Error: %s\n", ERR_error_string(ERR_get_error( ), NULL));
        goto end;
}

//Pump data to special PKCS7 BIO. This encrypts and signs it.
BIO_write(p7bio, data, strlen(data));
BIO_flush(p7bio);
PKCS7_dataFinal(p7, p7bio);                

//Write PEM encoded PKCS7
BIO *bio = BIO_new(BIO_s_mem( ));

if (!bio || (PEM_write_bio_PKCS7(bio, p7) == 0)) {
        printf("Fatal Error: Failed to create PKCS7 PEM\n");
}

BIO_flush(bio);                

char *str;
int len = BIO_get_mem_data(bio, &str);

char *ret = new char [len + 1];
memcpy(ret, str, len);
ret[len] = 0;

' free the resources:
PKCS7_free(p7);
BIO_free_all(bio);
BIO_free_all(p7bio);

The last step to enable button encryption is to change the value of the cmd form tag to _s-xclick and add the PKCS7 blob as a form value of encrypted..

When you’re done, you’ll end up with something like this:

<form method="post" action="https://www.sandbox.paypal.com/cgi-bin/webscr">
<input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but23.gif" 
name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" id="encrypted" name="encrypted" value="-----BEGIN PKCS7-----
MIIEvQYJKoZIhvcNAQcEoIIErjCCBKoCAQExggE0MIIBMAIBADCBmDCBkjELMAkG
A1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
EgYDVQQKEwtQYXlQYWwgSW5jLjEVMBMGA1UECxQMc3RhZ2UyX2NlcnRzMRMwEQYD
VQQDFApzdGFnZTJfYXBpMRwwGgYJKoZIhvcNAQkBFg1yZUBwYXlwYWwuY29tAgEA
MA0GCSqGSIb3DQEBAQUABIGACgshgqbB147NFGZlK23kRLaQ3EkGnFmnRWn8euqN
Ecm12daiK57CaU/L36dhc4PtkigXI2TQ/alWglyerZkOhl+qb6ZRTqEq2+7fhvsB
T32Yph/usVQEj5j0njtFmo9smOyEJuHcNYY5bn3gUsiM6FxIZq8qRlI5W9yh7hTc
1/kxCzAJBgUrDgMCGgUAMGsGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQINNLmCVHP
OUWASIMAdhSkOjW5qKb98fpT1yLCByYMjvE0U39fuG3pSOXv8tKzKEz3v1sKDUOR
PRy0ekPFI6nEdp+dDJLBy3acM3DGrHk7KdYSLqCCAdIwggHOMIIBN6ADAgECAgEC
MA0GCSqGSIb3DQEBBQUAMBExDzANBgNVBAMTBlBheXBhbDAeFw0wNDAzMjkyMTU3
NDdaFw0xNDAzMjcyMTU3NDdaMBExDzANBgNVBAMTBlBheXBhbDCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEArdX6/kaw/9JWyxedVUBf1hLQ0nE3Z8HZTOAb8tTj
tH3anE8lxoA84NBKgsnAfsWSivWZA149NcpNrVgk7aPiCpIlxxLD7dv30zSqrXUA
kzVZ3xDfxILN42Xe8JZiM7MieixlKL/2RlnqHv6RyfAJyXH7cMlbLQJCBR3g4XnF
7I0CAwEAAaM2MDQwDgYDVR0PAQH/BAQDAgGmMA8GA1UdEwEB/wQFMAMBAf8wEQYJ
YIZIAYb4QgEBBAQDAgIEMA0GCSqGSIb3DQEBBQUAA4GBAD0CbksayWCC0yqZSn3c
6J65Yvmi/KrObGX7EzHcB1N0/YbfYkisw5qvZnGUhMj00DL3cvNOnPxXNBIUdHT3
UF1O8MzLlv8fTAjnS8Zd83vZfSyi6TMSPJlXbx8p+P2IbRNKdQaIHz2tR6tCnUNC
JYYKim3Nkz48sk0/jGtjiJPVMYIBGzCCARcCAQEwFjARMQ8wDQYDVQQDEwZQYXlw
YWwCAQIwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJ
KoZIhvcNAQkFMQ8XDTA0MDQyMjIxMDkyMVowIwYJKoZIhvcNAQkEMRYEFO1Oou9z
6VXvxn6wow7yZXlP6vqeMA0GCSqGSIb3DQEBAQUABIGAoNU5uAeD+pp2bROOfhHh
6oTPZDjhUvKLrhVaHmpHzz1aZTtIdqYcwZ6vEVai6fGG43hqoZYAh97xWDiwW9Ie
X/RtAzc38Yk2vch6ocPF8MjsEMVne3J9iy0rN6A0Cby5IgkKFrrYee9eWNIec/6d
3koVvLSCBZvZV+RFYCKhA/0=
-----END PKCS7-----
"> 
</form>

Obviously, this code is nearly impossible to decipher or tamper with, making it sufficiently obfuscated.

—Michael Blanton

Adding a PayPal payment hyperlink to your own email involves nothing more than typing a simple URL [Hack #18] . The required parameters to create a basic hyperlink are email address, payment amount, and item name.

However, there are many optional parameters you can include in the hyperlink to help you provide a more complete payment record, such as the currency, item number, quantity, shipping, and request for shipping address. For example:

https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=
   email%40paypalhacks%2Ecom&amount=10%2E00&currency_code=USD&item_name=
   jersey&item_number=1001&quantity=1&shipping=3%2E00&no_shipping=0

As you can see, the hyperlink begins to become unwieldy. Hyperlinks this long or longer cause problems because email programs chop them up into smaller pieces when they wrap the text. More than likely, only the first piece will be hyperlinked and a customer will not think twice about clicking it and attempting to complete the transaction with incomplete information.

The simplest solution is to run the address through TinyURL^[1] (http://tinyurl.com), which will convert it to something that looks like this:

http://tinyurl.com/2tqz8

The resulting link is always short enough to be spared the aforementioned word wrap. Unfortunately, the https://www.paypal.com/ prefix will be lost, and your more diligent customers might avoid it.

Want something more professional-looking than a bare URL in your emails? Nearly all modern email programs support HTML (much to the bane of the minimalists among us), which means that you can replace ordinary URLs with hyperlinked, graphical buttons right in your email messages.

Simply use your email software’s formatting tools to insert an image and then link it to a payment URL you construct. In fact, URLs in hyperlinks can be as long as 1024 bytes (characters), which is plenty for PayPal’s payment URLs. Of course, there’s a cost: these payment buttons can be time-consuming to create...until now.

Enter the PayPal Payment Wizard, a free add-in toolbar for Microsoft Outlook and Microsoft Outlook Express that allows you to painlessly insert payment buttons into your emails.

You can create five different types of PayPal payment buttons, each with six different button designs:

To use the Payment Wizard toolbar, start by downloading it from http://www.paypal.com/outlook and installing it on your computer. You might be asked to close Microsoft Outlook if it’s open.

To insert a button with the Payment Wizard, follow these steps:

When your customer opens the email, he will be able to click the button and pay you after logging into his PayPal account. To test this experience firsthand, send the email to your own email address.

Since the PayPal Payment Wizard creates a new email message with each button, there is no way to use it to insert more than one button into a single email message. However, overcoming this limitation is easy enough:

Repeat the process for each additional payment button you would like to insert. To verify that the image and corresponding hyperlink have been pasted correctly, as well as to make any changes to the URL, right-click the button and select Properties.

Your donors might be more comfortable giving at one of several suggested donation levels than having to fill in a blank box with a dollar amount.

Provide a drop-down list (shown here) or a radio button group to allow your donors to easily choose an amount:

<blockquote>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
        <p>Please contribute to XHTML Promotion Society, "Diamond" Dave Burchell,
        DocBook Outreach Officer.</p>
<input type="hidden" name="cmd" value="_xclick"/>
<input type="hidden" name="business" value="burchell@inebraska.com"/>
<input type="hidden" name="item_name" value="General Fund Contribution"/>
<input type="hidden" name="item_number" value="GF-1"/>
<!-- <input type="hidden" name="amount" value="3.00"/> -->
<p>Contribution amount: 
<select name="amount">
        <option value="200"/>$200
        <option selected value="100"/>$100
        <option value="75"/>$75
        <option value="50"/>$50
        <option value="25"/>$25
</select>
</p>
<input type="hidden" name="no_note" value="1"/>
<input type="hidden" name="currency_code" value="USD"/>
<input type="hidden" name="tax" value="0"/>
<input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but21.gif"
                border="0" name="submit" alt="Make payments with PayPal - it's fast,
                free and secure!"/>
</form>
</blockquote>

Among other things, a page like the one shown in Figure 4-11 will give your donors some idea how much others might be donating.

Figure 4-11. Suggesting a range of donation levels to encourage your contributors to donate fistfuls of cash

In some situations, such as the collecting of contributions to a political campaign, you’ll require information about your donors. For example, your local election laws might require you to record the occupation and employer of each contributor.

You could simply ask contributors to include this information in the note field (answer Yes to the Collect Additional Information From Your Customers question on the Add More Options page), but when was the last time you saw a customer ever follow directions? Instead, include a little JavaScript to virtually insure that your donors provide the information you need:

<script language="javascript">
<!--
function noEntry( ) {
if (document.contribution_form.os0.value.length<1) {
  alert("Please fill in your Employer.");
  return false; }
else if (document.contribution_form.os1.value.length<1) {
  alert("Please fill in your Occupation.");
  return false; }
if (document.contribution_form.amount.value.length<1) {
  alert("Please fill in the amount to donate.");
  return false; } 
else if (document.contribution_form.amount.value<1) {
  alert("No pennies please.");
  return false; }
else if ((document.contribution_form.q1.checked==false) ||
  (document.contribution_form.q2.checked==false) ||
  (document.contribution_form.q3.checked==false) ||
  (document.contribution_form.q4.checked==false)) {
  alert("You must agree to all four certifications.");
  return false; }
else { return true; }
}
// -->
</script>

<blockquote>
        <h4 align="center">Please show your support for "Diamond" Dave Burchell's
                run for the position of city dogcatcher with a generous donation.</h4>

<form name="contribution_form" onsubmit="return noEntry( )" action=
                "https://www.paypal.com/cgi-bin/webscr" method="post" target="_blank">
        <input type="hidden" value="Occupation" name="on1"/>
        <input type="hidden" value="Employer" name="on0"/>
        <input type="hidden" value="Dogcatcher Campaign Contribution" name=
                "item_name"/>
        <input type="hidden" value="PayPalTech" name="bn"/>
        <!-- enter the email address on your PayPal account below -->
        <input type="hidden" value="burchell@paypalhacks.com" name="business"/>
        <input type="hidden" value="_xclick" name="redirect_cmd"/>
        <input type="hidden" value="_ext-enter" name="cmd"/>
  <center>
        <table border="0" width="100%">
          <tbody>
            <tr>
              <td width="37%" align="right">First Name: </td>
              <td width="63%"><input name="first_name" size="15"/> </td>
            </tr>
            <tr>
              <td width="37%" align="right">Last Name: </td>
              <td width="63%"><input name="last_name" size="15"/> </td>
            </tr>
            <tr>
              <td width="37%" align="right">Employer:</td>
              <td width="63%"><input name="os0"/> (required)</td>
            </tr>
            <tr>
              <td width="37%" align="right">Occupation: </td>
              <td width="63%"><input name="os1"/> (required)</td>
            </tr>
            <tr>
              <td width="37%" align="right">Phone Number: </td>
              <td width="63%"><input name="item_number" size="12"/> </td>
            </tr>
            <tr>
              <td width="37%" align="right">Amount: </td>
              <td width="63%">$ <input name="amount" size="7"/> (limit
$1000)</td>
            </tr>
          </tbody>
        </table>
        <table border="0" width="90%">
          <tbody>
            <tr>
              <td width="305"><br/>
You must check each of the boxes below to meet federal contribution
requirements:<br/>
              <br/>
              <input type="checkbox" value="1" name="q1"/>This
contribution is made from my own funds, and not from those of another.<br/>
              <br/>
              <input type="checkbox" value="1" name="q2"/>
This contribution is not made from general treasury fund of a
corporation, labor organization, or national bank.<br/>
              <br/>
              <input type="checkbox" value="1" name="q3"/>
I am not a Federal Government Contractor, nor am I a Foreign National
who lacks permanent resident status in the United States.<br/>
              <br/>
              <input type="checkbox" value="1" name="q4"/>
This contribution is made on a personal credit card or debit card for
which I have a legal obligation to pay, and is made neither on a
corporate or business entity card nor on the card of another.
              </td>
            </tr>
          </tbody>
        </table>
        <p align="center"><input type="submit" value="Contribute" name="button"/></p>
        </center>
</form>

Here, the noEntry() JavaScript routine, executed when the contributor submits the form, displays an error if the Employer or Occupation fields are blank, or if the donor enters a donation that’s too low, as shown in Figure 4-12.

Figure 4-12. A little JavaScript prevents donors from sending you donations you can’t use

So, what does it take to make the Flash connection to PayPal? In truth, the back-end ActionScript required to make the necessary PayPal connection is extremely complex. The good news, however, is that a Flash extension, developed by PayPal and WebAssist, provides the core functionality while leaving a great deal of room for programmatic customization.

Get the extension—known as the WA PayPal eCommerce Snap-ins for Flash MX—from http://webassist.com/Products/ProductDetails.asp?PID=24. The extension is free; you just need to register with WebAssist. Install the extension into Flash MX by double-clicking the downloaded file, or into Flash MX 2004 via Macromedia’s Extension Manager. If you have Flash open, you’ll need to quit and relaunch the program for the snap-in to appear.

Once the extension is installed, you can straightforwardly handle the basics for adding a Buy Now or Subscription button to your page. If the item you’re selling has no options or other complications, you don’t even have to touch the ActionScript.

Start by building your basic product page. Make sure there is at least one clickable element (such as a button) on the Flash stage, and give it a name in the Property inspector.

Open the Components panel and look in the WA PayPal eCommerce category. Drag either the Buy Now or Subscription object (these are the actual snap-ins) anywhere onto the stage.

To complete the simple Flash PayPal configuration, you’ll need to establish the details to be sent. While you can set these values in ActionScript, as explained later in this hack, you can also use the snap-in’s Component inspector. Select the snap-in and, in the Property inspector, click the Launch Component Inspector button.

In the Parameters tab of the Component Inspector panel, you’ll see a custom dialog box for the snap-ins, as shown in Figure 4-13. Each of the snap-in parameter dialogs is a specialized multitabbed affair.

Figure 4-13. Setting the properties of the PayPal extension in Macromedia’s Component Inspector

Take a look at the Component Inspector for the Buy Now snap-in, in which the following parameters are separated into three tabs (General, Item Details, and Shipping):

For items with properties that are completely covered by the options in the Component Inspector panel, no additional ActionScript is required to complete the PayPal order. All you need do is publish the .swf file and put it in an HTML page on the Web; the rest is automatic. But, of course, you want more, don’t you?

So, what’s underneath the hood of the WebAssist PayPal eCommerce Snap-ins for Flash MX? Quite a bit, as it turns out. There are 31 different methods embedded in the Buy Now snap-in and 38 in the Subscribe snap-in. Of these, about half are used to set values, and the other half are used to pass those values to PayPal. The setting methods are of prime interest to the Flash/PayPal hacker.

Take a look at a typical example that ties additional options (and their related prices) to a PayPal item. Imagine a fictional online T-shirt emporium that offers a fancy-dancy item available in five different colors and four different sizes. There’s no difference in price for the various colors available. However, Flash can represent the different colors quite easily, thus adding a nice visual flair to our product page. T-shirt size, on the other hand, goes up with price: $10.99 for small, $13.99 for medium, $15.99 for large, and $18.99 for extra large.

Again, representing this in the .swf is trivial for Flash MX or Flash MX 2004. The values in the drop-down size list are displayed in a dynamic text variable as the current price. But how do you send the correct item cost and order details to PayPal? Short answer: use the set methods. Here’s the longer, code-oriented answer—just place this ActionScript code into your project:

function setPrice( )  {
  // Get the price (based on size list)
  var newPrice = sizeList.getValue( );
1.  BN.setAmount(newPrice);
2.  BN.setItemName(sizeList.getSelectedItem( ).label+" "+colorList.getSelectedItem( ).
label+" WebAssist.com T-Shirt");
3.  BN.setItemNumber(String(sizeList.getSelectedIndex( )) + String
(colorList.getSelectedIndex( )));
}

The function setPrice() is called when the page is first loaded and each time any option changes. Both options (color and size) are selected from drop-down lists, colorList and sizeList, respectively. The first line of the code picks up the price from the sizeList. The user sees the labels in the list (Small, Medium, Large, and X-Large), but the values are set to prices of 10.99, 13.99, 15.99, and 18.99. The current item price is established as amount to send to PayPal on line 1.

The Buy Now snap-in instance placed on the stage is named BN, and any methods that relate to that instance are named with the BN prefix. Two more functions are used to set the item name (which is what the customer sees on the Payment For line of the PayPal page) and the item number (a SKU number that is sent to the online store owner for order processing) on lines 2 and 3, respectively.

Any value that you can set in the Component Parameter dialog can be set programmatically in ActionScript. Table 4-1 shows all Buy Now methods that set values.

The Subscription methods are, for the most part, the same as the methods that set values; all methods listed in Table 4-1, with the exception of setAmount, setExtraShipping, setHandling, setShipping, and setUpdateableQuery, can also be used with an instance of a Subscription snap-in. Table 4-2 lists the additional Subscription set methods available.

Combine Flash’s interactive flair with the ActionScript methods to put your customers in the driver’s seat and still get all the information you need to process your PayPal order correctly.

—Joe Lowery

With WebAssist PayPal eCommerce Toolkit (available for free at http://www.webassist.com), you can insert Add to Cart, View Cart, Subscription, and Buy Now buttons. Insert any of these objects and a multistep wizard walks you through the particulars of the process. Each wizard offers a nice library of button designs to choose from, so you don’t have to create any artwork from scratch. However, if you do have your own button, you can enter the URL of its web-based location and that button will be used.

Other available options depend on which button type is being inserted. The Buy Now button, for example, lets you specify the base shipping, any extra shipping to be added for each additional item ordered, and overall handling charges. If you enter these additional values, they override your general account settings on a per-item basis. Adding a Subscription button, on the other hand, gives you the ability to establish periodic billing values (i.e., how much for how long) and trial-offer settings, such as the length of the trial offer. You can even determine a setup fee for a subscription.

By itself, the WebAssist PayPal eCommerce Toolkit is great for items with no options or variations. However, by doing a little work on the form that contains the PayPal buttons, you can greatly extend the toolkit’s functionality. Most of the following techniques center on two concepts: naming form elements properly and using hidden form fields. These concepts work together to pass the correct information to PayPal when the transaction is initiated.

Say your your item is available in several sizes or configurations at varying prices. You can pass the right price to PayPal in two ways: using drop-down lists or radio buttons. To offer multiple prices with a list, follow these steps:

When the user makes a selection from the list, the related value is assigned as the amount and sent to PayPal at transaction time. If you’d prefer to display all options on-screen rather than contain them in a list, use radio buttons to vary the price. Here’s how:

Keep the name of each button in the radio group the same (amount) and vary the Checked Value numbers. You can use as many radio buttons as needed.

What about other types of options? PayPal allows two additional options per item. Using the following technique, you can pass two pairs of name and associated information to be included in the order sent to the store owner for fulfillment. If this technique is used to pass color choices, for example, the string passed to PayPal (and on to the owner) might be color="Cream“.

Let’s say that you have a list of colors for the customer to choose from in your product page. Set up the color list with name/value pairs as described in the previous steps for establishing the amount. This time, however, name the list/menu form object os0 , which stands for Object String 0, the first of the two PayPal option values allowed.

Of course, you can’t send a value without identifying it. To tell PayPal and, eventually, the fulfillment folks, what this value is for, insert a hidden form field from Dreamweaver’s Insert bar, in the Forms category. With the hidden form field selected, enter its name in the Property inspector: on0 (short for Object Name 0). Complete the operation by entering color in the Value field of the Property inspector. Your first option is ready to go. You can enter another option (perhaps setting the item’s size) by following same procedure and substituting os1 and on1 for the new option’s value and name, respectively.

—Joe Lowery

Collecting order details is fairly straightforward with traditional scripting languages (e.g., ASP or PERL). Simply display the information for each product, with relevant options, in a single form for each product (this example uses Active Server Pages with VBScript):

<% while not rs.eof%>
<form action="https://www.paypal.com/cgi-bin/webscr" method=POST>

<!-- The product name and description go here -->

<input type=hidden name="on0" value="Size">
<select name=os0>
  <option value="Large">Large</option> 
  <option value="Medium"> Medium </option> 
  <option value="Small">Small </option> 
</select>
<input type=hidden name="on1" value="Color">
<select name=os1>
  <option value="Yellow"> Yellow </option> 
  <option value="Blue"> Blue </option> 
  <option value="Gold"> Gold </option> 
</select>

<input type=submit value="Add To Basket">

<form>
<%
rs.movenext
wend
%>

Using product options with the .NET payment controls, however, offers a bit of a challenge, given that an ASP.NET page only lets you have one <form> tag per ASP.NET web page, thus allowing it to maintain page state properly.

To get around the single-form limitation, you can use the Click event of the Payment Controls to add the option controls at runtime. The first thing you must do is set the control to use the postback routine (UseFormGet=false) and disallow the pop-up command (UsePopUp=false), so that PayPal can glean the options from the postback.

This is a delicate process, especially when using the .NET-native data controls (e.g., DataList, Repeater, or DataGrid). You need to understand which events fire and in what order, because this can affect how your option controls are populated. You will be dealing with the Click event of the PayPal control, not one of the events of the data controls, which can get a little confusing. Thus, it’s best to skip ahead to the good part: how to do it!

If you are a serious geek, you’ve probably already created your own Custom Server Control to handle the intricacies of gathering option information from the ViewState. Or, at the very least, you have something mapped out in your head. However, there might be something simpler in the following approach, and I appeal to you to quell your ADD for another five minutes. Custom Server Controls can be useful, but they can also (and often do) add a layer of complication (a.k.a. lots of code) to an otherwise simple task.

This approach starts with a user control and then populates its options from the product information you pass to it. User controls allow you to encapsulate functionality for individual UI components, which this is, so you don’t need to write the same code twice or create spaghetti code in order to find the control you want hidden within your page.

Create a user control called AddToCartOptions.ascx, and add the PayPal AddToCart server control, along with a RadioButtonList called radColors and a DropDownList called ddSize:

<table>
  <tr>
    <td><asp:dropdownlist id="ddSize" runat="server">
      <asp:ListItem Value="Small" Selected="True">Small</asp:ListItem>
      <asp:ListItem Value="Medium">Medium</asp:ListItem>
      <asp:ListItem Value="Large">Large</asp:ListItem>
      </asp:dropdownlist>
    </td>
    <td width="290">
      <asp:radiobuttonlist id="radColors"
                 runat="server" RepeatDirection="Horizontal" Width="280px"
                                        Height="24px">
      <asp:ListItem Value="Black">Black</asp:ListItem>
      <asp:ListItem Value="Blue">Blue</asp:ListItem>
      <asp:ListItem Value="Paisley">Paisley</asp:ListItem>
      <asp:ListItem Value="Polka Dots">Polka Dots</asp:ListItem>
      </asp:radiobuttonlist>
    </td>
    <td>
      <cc1:addtocartbutton id="AddToCartButton1" runat="server"
             BusinessEmail="mybusinessemail" ItemNumber="xxxx" ItemName="Small Army Men"
             Amount="1.02" ReturnUrl="http://myserver/myhandler.aspx"
             CancelPurchaseUrl="http://myserver/mycancelhandler.aspx"
             Shipping=".01" Tax=".01" UsePopup="false" UseFormGet="false" 
      </cc1:addtocartbutton>
    </td>
  </tr>
</table>

Make sure to set the UseFormGet and UsePopup values to false, which will force a postback to the server. Next, in the code behind the page, add the properties or fields that will be set by the calling page:

public string ItemName;
public string ItemNumber;
public string Amount;

In the Page_Load event of the ASP.NET page, populate these values, as well as those of your options (in case you need to populate the option controls from the database):

//expose the properties as needed
AddToCartButton1.ItemName=ItemName;
AddToCartButton1.ItemNumber=ItemNumber;
try{
  AddToCartButton1.Amount=Convert.ToDouble(Amount);
}catch{
  throw new Exception("Invalid value for a double: "   +Amount.ToString( ));
}

Add the event handler for the button Click event in the InitializeComponent() method:

this.AddToCartButton1.Click+=new System.EventHandler(this.AddClicked);

Finally, add the method to handle the PayPal button Click event, which reads the values of the controls and populates the AddToCartButton1 options accordingly:

private void AddClicked(object sender, System.EventArgs e) {
  AddToCartButton1.Option1FieldName="Size";
  AddToCartButton1.Option1Values=ddSize.SelectedValue;
  AddToCartButton1.Option2FieldName="Color";
  AddToCartButton1.Option2Values=radColors.SelectedValue;
}

This method populates the control just before the output is rendered to the browser, which redirects the user to PayPal for the purchase.

To reward those of you who are patient enough to have made it this far, here is a final piece of wisdom: .NET is notoriously tricky when it comes to marrying the concept of events to a stateless medium such as a web page. There is a mess of events that goes into every request and every object; adding more objects to a page only complicates matters, especially when those objects have event sets of their own.

If you have ever tried to run logic using the events in a user control—which is, itself, part of a DataList or Repeater—you have undoubtedly run into the Event Freak Show^TM, wherein you cannot get your events to work properly or fire in the correct order, despite using all the Page.Postback tests in existence. If not done properly, the options selected by your customer will be overwritten by the initialization routine of the page, and the same meaningless information will be passed to PayPal.

The solution to this problem lies in setting the DataSource property, not the DataBind( ) method, of your Repeater or DataList. Consider that the user control, discussed earlier in this hack, is in a Repeater called MyRepeater:

<asp:Repeater id=MyRepeater Runat="server">
  <ItemTemplate>
  <uc1:_AddToCartOptions'   
  id=_AddToCartOptions1   
  runat="server"   ItemName='<%#DataBinder.Eval(Container.DataItem, "ModelName")%>' 
  ItemNumber='<%#DataBinder.Eval(Container.DataItem,   "ModelNumber")%>'   Amount=
'<%#DataBinder.Eval(Container.DataItem, "UnitCost")%>'   >
  </uc1:_AddToCartOptions>
  </ItemTemplate>
</asp:Repeater>

To preserve the ViewState of the user control, be sure to DataBind the Repeater:

MyRepeater.DataSource = MyDataSource;
if(!Page.IsPostBack){
  MyRepeater.DataBind( );
}

The DataBind() method overwrites whatever state the user control was in when submitted by the customer, so you need to handle the population of this control and test for the postback. Setting the DataSource at runtime apparently helps the control remember the ViewState of its child controls.

Thus, your Repeater (or DataList) and all of its controls will maintain their ViewState, and your customer’s option selections will be passed properly.

—Rob Conery