Security issue with PayPal

Hi friend as you know PayPal is one of the biggest player for online payment.
Since you implement the paypal integration in your web site as developer or as webmaster etc. How you tackle the security issue when especially you handle the paypal button. Here some idea with sample code can help you.

You can encrypt the paypal button by open ssl certificate with paypal certificate.
1. Step 1: create private key with open ssl from your linux/unix command prompt [make sure your server have open ssl installed]

openssl genrsa -out my-prvkey.pem 1024

2. Step 2: Create public certificate [key + signature]

openssl req -new -key my-prvkey.pem -x509 -days 365 -out my-pubcert.pem

3. Step 3: create paypal certificate to use encrypt the paypal button code

To upload your public certificates to PayPal:

1. Log in to your Business or Premier account.
2. Click the Profile subtab.
3. In the Seller Preferences column, click Encrypted Payment Settings.
4. Click Add.
5. Click Browse, and select your public certificate file.
6. When your public certificate is successfully uploaded, it appears on the next screen under Your Public Certificates.

You use PayPal's public certificate to encrypt your button code. To download PayPal's public certificate:

1. Log in to your Business or Premier account.
2. Click the Profile subtab.
3. In the Seller Preferences column, click Encrypted Payment Settings.
4. Click Download in the PayPal Public Certificate area.

To prevent someone from creating a spoof version of your payment buttons, you can block non-encrypted website payments to your account. Follow the instruction in Blocking Non-encrypted Website Payments.

PHP code for buton encryption



# private key file to use
$MY_KEY_FILE = "secu/my-prvkey.pem";

# public certificate file to use
$MY_CERT_FILE = "secu/my-pubcert.pem";

# Paypal's public certificate
$PAYPAL_CERT_FILE = "secu/paypal_cert.pem";

# path to the openssl binary
$OPENSSL = "/usr/bin/openssl";

// QUUNRT25HWJLY ray user
$form = array('cmd' => '_xclick',
'business' => 'sddhiradsdj_11932536710_biz@master.com',
'cert_id' => 'U7PRFGN9MNWNE64QL',
'lc' => 'IE',
'custom' => 'test',
'invoice' => '',
'currency_code' => 'EUR',
'no_shipping' => '0',
'item_name' => 'Lunch',
'item_number' => session_id(),
'rm' => 2,
// 'notify_url' => 'paypalipn.php',
'amount' => $tot
);


$encrypted = paypal_encrypt($form);


function paypal_encrypt($hash)
{
global $MY_KEY_FILE;
global $MY_CERT_FILE;
global $PAYPAL_CERT_FILE;
global $OPENSSL;


if (!file_exists($MY_KEY_FILE)) {
echo "ERROR: MY_KEY_FILE $MY_KEY_FILE not found\n";
}
if (!file_exists($MY_CERT_FILE)) {
echo "ERROR: MY_CERT_FILE $MY_CERT_FILE not found\n";
}
if (!file_exists($PAYPAL_CERT_FILE)) {
echo "ERROR: PAYPAL_CERT_FILE $PAYPAL_CERT_FILE not found\n";
}
if (!file_exists($OPENSSL)) {
echo "ERROR: OPENSSL $OPENSSL not found\n";
}


//Assign Build Notation for PayPal Support
$hash['bn']= 'StellarWebSolutions.PHP_EWP';

$openssl_cmd = "$OPENSSL smime -sign -signer $MY_CERT_FILE -inkey $MY_KEY_FILE " .
"-outform der -nodetach -binary | $OPENSSL smime -encrypt " .
"-des3 -binary -outform pem $PAYPAL_CERT_FILE";

$descriptors = array(
0 => array("pipe", "r"),
1 => array("pipe", "w"),
);

$process = proc_open($openssl_cmd, $descriptors, $pipes);

if (is_resource($process)) {
foreach ($hash as $key => $value) {
if ($value != "") {
//echo "Adding to blob: $key=$value\n";
fwrite($pipes[0], "$key=$value\n");
}
}
fflush($pipes[0]);
fclose($pipes[0]);

$output = "";
while (!feof($pipes[1])) {
$output .= fgets($pipes[1]);
}
//echo $output;
fclose($pipes[1]);
$return_value = proc_close($process);
return $output;
}
return "ERROR";
};

References : paypal dot com and stellerweb dot com