January 5, 2007

Stop Thieves From ‘Cheating’ Your PayPal Payment or Stealing Your Product

The Background

The other day, I was building a website http://VoIPMadeEZ.com which sells an eBook I bought the Private Label Rights to and then modified, called "Definitive Guide to VoIP."   When I was getting ready to monetize the site, I decided that I wanted to use PayPal, since it is so easy to setup and use. 

So, in PayPal, I created a button using my own custom image – fine, easy enough. 

Then I noticed something that I hadn’t noticed before… 

When I created the PayPal button as encrypted, PayPal didn’t supply the HRef hyperlink version that you use inside an email or even on a webpage.

But, when I turned off the encryption, the HRef hyperlink version appeared.  This means that if I want to use the HRef hyperlink version, I have to have all my sensitive data unencrypted — not good or wise.

So, I came up with this method of handling that situation…

The Solution

This is not a tutorial on how to use PayPal buttons – although I can write about that another time if there is interest.  However, what I’m going to show you is how to further secure your PayPal Button transactions.

If you don’t already know, you can set up PayPal buttons as Encrypted or as Non-Encrypted.  The Encrypted button is optimal because PayPal disguises all the details from the user, like price and ‘return.’   However, when you use Encrypted, you lose the ability to use some features.  One feature, in particular, is very helpful, and that is to be able to put a hyperlink in the text that says "Order Now".

For an example, see my site http://VoIPMadeEZ.com

Here you see that I have several "order now"-type of hyperlinks.

Here is what the unencrypted link looks like (doctored slightly for security reasons):

https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=ps%40voipmadeez%2ecom&item_name=Definitive%20Guide%20to%20VoIP&item_number=Definitive%20Guide%20to%20VoIP&amount=9%2e77&no_shipping=1&return=http%3a%2f%2fvoipmadeez%2ecom%2fa%2db%2dc%2ehtm&no_note=1&currency_code=USD&lc=US&bn=PP%2dBuyNowBF&charset=UTF%2d8

Now, it probably looks like gibberish to you – let’s break it down, parameter by parameter (note that each parameter is separated by the ‘&’):

Here are the parameters broken out, one per line.

business=ps%40voipmadeez%2ecom
item_name=Definitive%20Guide%20to%20VoIP
item_number=Definitive%20Guide%20to%20VoIP
amount=9%2e77
no_shipping=1
return=http%3a%2f%2fvoipmadeez%2ecom%2fa%2db%2dc%2ehtm
no_note=1
currency_code=USD
lc=US
bn=PP%2dBuyNowBF
charset=UTF%2d8

There are still some characters that are difficult to read – that’s because HTML links (URLs) don’t accept spaces, hyphens, etc. as-is.  So, they are substituted with their hexadecimal equivalents.  In every case where you find a ‘%’ (percent sign), the next 2 characters are a hexadecimal code.  So let’s translate the above using the following:

%20 – space " "
%2d – hyphen "-"
%2e – period "."
%2f – forward slash "/"
%3a – colon ":"
%40 – at sign "@"

(By the way, a good site to use for hexadecimal to decimal conversions is http://asciitable.com)

Our list of parameters now looks like this:

business=ps@voipmadeez.com
item_name=Definitive Guide to VoIP
item_number=Definitive Guide to VoIP
amount=9.77
no_shipping=1
return=http://voipmadeez.com/a-b-c.htm
no_note=1
currency_code=USD
lc=US
bn=PP-BuyNowBF
charset=UTF-8

This definitely makes it easier to read.

From the above list, please note the following 2 parameters:
amount=9.77
return=http://voipmadeez.com/a-b-c.htm

"amount" is the amount being charged.
"return" is the page that the user is returned to after a successful transaction – this is the return page that gives my buyer the location from which to download his product.

So, an unscrupulous buyer can potentially cheat you by altering either of these values and submitting the rebuilt link.  Or, he could avoid paying altogether and go to the ‘return’ link and download the product without paying at all.
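To make the parameter-decoding exercise above concrete, and to show how a seller can spot the kind of altered link just described, here is an added Python example (it is not code from the original post). It assumes the seller's expected values are the ones in the decoded list above, and it uses a constructed tampered copy of the link as sample input:

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed copy of the (already doctored) "Buy Now" link from the post.
BUY_NOW_URL = (
    "https://www.paypal.com/cgi-bin/webscr?cmd=_xclick"
    "&business=ps%40voipmadeez%2ecom"
    "&item_name=Definitive%20Guide%20to%20VoIP"
    "&item_number=Definitive%20Guide%20to%20VoIP"
    "&amount=9%2e77&no_shipping=1"
    "&return=http%3a%2f%2fvoipmadeez%2ecom%2fa%2db%2dc%2ehtm"
    "&no_note=1&currency_code=USD&lc=US&bn=PP%2dBuyNowBF&charset=UTF%2d8"
)

# Constructed sample of a link a buyer has rebuilt with a lower amount
# and a different return page (the two parameters the post warns about).
TAMPERED_URL = BUY_NOW_URL.replace("amount=9%2e77", "amount=0%2e01").replace(
    "a%2db%2dc%2ehtm", "free%2ehtm"
)

# The values the seller actually intends (assumed for this example).
EXPECTED = {
    "business": "ps@voipmadeez.com",
    "amount": "9.77",
    "currency_code": "USD",
    "return": "http://voipmadeez.com/a-b-c.htm",
}


def decode_params(url):
    """Split the query string on '&' and percent-decode every value,
    the same translation the post does by hand (%20 -> space, %2e -> '.', ...)."""
    query = urlsplit(url).query
    return dict(parse_qsl(query, keep_blank_values=True))


def find_tampering(url, expected=EXPECTED):
    """Return the names of parameters whose decoded value differs from what
    the seller expects; an empty list means the link is untouched."""
    params = decode_params(url)
    return [name for name, value in expected.items() if params.get(name) != value]


if __name__ == "__main__":
    for name, value in decode_params(BUY_NOW_URL).items():
        print(f"{name}={value}")
    print("tampered parameters:", find_tampering(TAMPERED_URL))
```

Because the buyer is the one who submits these parameters, the comparison only protects you when it is done on your side, against the amount and return page you actually configured, rather than trusting whatever arrives in the link.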

One way to combat this is with a URL redirection service, like Go2-URL.com.  Go2-URL.com takes long URLs and transforms them (masks them) with a URL that disguises what’s underneath.

So, for example, this link:

https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=ps%40voipmadeez%2ecom&item_name=Definitive%20Guide%20to%20VoIP&item_number=Definitive%20Guide%20to%20VoIP&amount=9%2e77&no_shipping=1&return=http%3a%2f%2fvoipmadeez%2ecom%2fa%2db%2dc%2ehtm&no_note=1&currency_code=USD&lc=US&bn=PP%2dBuyNowBF&charset=UTF%2d8

can be transformed into a link that looks like this:
http://Go2-URL.com/aarnes

With Go2-URL.com, you have option of choosing a "Link Type" of "Simple Redirect" or "Hidden" – you want to choose "Hidden", otherwise, your original URL with all of that sensitive information will appear on the URL line when the link is clicked.

Then in your webpage, change your hyperlinks to http://Go2-URL.com/aarnes and they will be magically redirected to the correct PayPal payment page without divulging any sensitive information.

Ah, and I forgot to mention, Go2-URL.com is free to use.

I hope this is helpful.

Filed under Advertising, Ebooks, HTML, PayPal.
