M
Mark Rae
Hi,
I mainly use PayPal for eCommerce, but one of the features which I don't
like is the fact that you pass shopping cart data to their payment gateway
by means of hidden form variables, e.g.
<form id=paypal>
<input type="hidden" name="business" value="(e-mail address removed)">
<!--other hidden fields representing the items in the shopping cart-->
</form>
Although I generate the client-side form tag dynamically server-side, I'm
still not happy about these form variables being human-readable. The main
problem, apart from spamming of course, is that someone could easily click
View Source, copy and paste the form tag and all its contents into a new web
page, change the prices of the items in the cart, and submit the form.
Of course, I do verify all purchases before the goods are dispatched so I do
prevent fraud in that way but, assuming that "prevention is better than
cure", I'd inifinitely prefer not to give potential fraudsters the ability
to hack my View Source contents.
I've looked at some so-called "encryption" options which are, frankly,
rubbish: http://www.dynamicdrive.com/dynamicindex9/encrypter.htm is a case
in point. That doesn't encrypt anything, it just esapes the test!
Other sites (e.g. http://automaticlabs.com/products/enkoder) provide much
better encryption, but they don't support dynamic interaction. I'm looking
for a solution which will allow me to create the <form> tag dynamically,
then encrypt it in real-time.
PayPal do have a webservice-based gateway, but that's available only to US
account holders at the moment. As soon as that's available to UK account
holders, then all of the above will be academic.
However, in the meantime, I'd be grateful to know of any decent client-side
encryption techniques which fit within an ASP.NET solution.
Any assistance gratefully received.
Mark
I mainly use PayPal for eCommerce, but one of the features which I don't
like is the fact that you pass shopping cart data to their payment gateway
by means of hidden form variables, e.g.
<form id=paypal>
<input type="hidden" name="business" value="(e-mail address removed)">
<!--other hidden fields representing the items in the shopping cart-->
</form>
Although I generate the client-side form tag dynamically server-side, I'm
still not happy about these form variables being human-readable. The main
problem, apart from spamming of course, is that someone could easily click
View Source, copy and paste the form tag and all its contents into a new web
page, change the prices of the items in the cart, and submit the form.
Of course, I do verify all purchases before the goods are dispatched so I do
prevent fraud in that way but, assuming that "prevention is better than
cure", I'd inifinitely prefer not to give potential fraudsters the ability
to hack my View Source contents.
I've looked at some so-called "encryption" options which are, frankly,
rubbish: http://www.dynamicdrive.com/dynamicindex9/encrypter.htm is a case
in point. That doesn't encrypt anything, it just esapes the test!
Other sites (e.g. http://automaticlabs.com/products/enkoder) provide much
better encryption, but they don't support dynamic interaction. I'm looking
for a solution which will allow me to create the <form> tag dynamically,
then encrypt it in real-time.
PayPal do have a webservice-based gateway, but that's available only to US
account holders at the moment. As soon as that's available to UK account
holders, then all of the above will be academic.
However, in the meantime, I'd be grateful to know of any decent client-side
encryption techniques which fit within an ASP.NET solution.
Any assistance gratefully received.
Mark