Instructions for making a PayPal link people can follow to donate money to you

Carol Haynes:
How about allowing users to put a PayPal encrypted button script on their profile page (like you have added the ad control stuff) and then point the icon to the profile for people who have set it up?

mouser:
i think that would be too much of a security risk..
i suppose if you already have a web page, the easiest thing is to point your donation link to a page on your site with the encrypted form, but for those that don't a solution is still needed.

Carol Haynes:
The encrypted PayPal link code is standard HTML format, you could handle the actual HTML tags (to avoid security issues) and just allow people to enter the encrypted part of the code, which is just an encryption of the email address etc.

Here is mine:


<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-butcc-donate.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
<input type="hidden" name="encrypted" value="-----BEGIN PKCS7----- Lots of encryption junk -----END PKCS7-----
">
</form>

As far as I can tell the "Lots of encrypted junk" is just that, not executable code. It is decoded on the PayPal page referred to using the PKCS7 routines embedded in the PayPal page.

the first three lines are standard (you could supply them so that you know they are OK along with the <form> tags). The only user customisable bit is the image file used for the button. You could choose that as a site default (or even use a DC specific image for the button).

The only user specific info required is the 'Lots of encrypted junk' which could be cut and paste into a user profile field, and automatically used to generate the button script (a trivial PHP script could do that).

If invalid data is supplied PayPal would not be able to decrypt it and generate its own error (and anyway it would not be in a DC page - so no threat to DC). If someone used somebody else's code they would effectively send all their donations to them, but the same thing could happen now if someone copied another user's URL from the 'donate' button on the forum pages!!!

Just a thought.

mouser:
yes, you are right, if we enforced only having paypal encrypted form field text in that field (or if i allowed a special prefix like "encrypted=" which could be a reasonable solution), then this might be doable.

i really wish paypal had a better way of doing this.. they really should have a simple link with user id# in it or something  :down:
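
The approach discussed in the posts above (the site supplies the fixed form markup and the user supplies only the PKCS7 text, optionally prefixed with "encrypted="), sketched in PHP as an added example that is not part of the original thread or of the forum's own code. The function names, the length cap and the shortened alt text are assumptions; the sample inputs are constructed.

```php
<?php
// Added example: helper names and the length cap are assumptions.
const PAYPAL_ACTION = 'https://www.paypal.com/cgi-bin/webscr';
const BUTTON_IMAGE  = 'https://www.paypal.com/en_US/i/btn/x-click-butcc-donate.gif';
const MAX_FIELD_LEN = 8192; // assumed upper bound for the profile field

// Returns the re-wrapped PKCS7 block, or null unless the field is exactly
// one PEM-armoured block whose body is base64 text and nothing else.
function normalise_encrypted_field(string $field): ?string
{
    $field = trim($field);
    // Optional "encrypted=" prefix, as suggested in the thread.
    if (strncmp($field, 'encrypted=', 10) === 0) {
        $field = ltrim(substr($field, 10));
    }
    if (strlen($field) > MAX_FIELD_LEN) {
        return null;
    }
    // Anchored at both ends: tags, quotes and attributes cannot match.
    $re = '~\A-----BEGIN PKCS7-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END PKCS7-----\z~';
    if (!preg_match($re, $field, $m)) {
        return null;
    }
    $body = preg_replace('/\s+/', '', $m[1]);
    if ($body === '' || base64_decode($body, true) === false) {
        return null;
    }
    return "-----BEGIN PKCS7-----\n" . chunk_split($body, 64, "\n") . "-----END PKCS7-----";
}

// The site owns every tag and attribute; the user value is escaped on output.
function render_donate_button(string $field): string
{
    $blob = normalise_encrypted_field($field);
    if ($blob === null) {
        return ''; // render no button rather than echo untrusted input
    }
    $value = htmlspecialchars($blob, ENT_QUOTES, 'UTF-8');
    return '<form action="' . PAYPAL_ACTION . '" method="post">' . "\n"
         . '<input type="hidden" name="cmd" value="_s-xclick">' . "\n"
         . '<input type="image" src="' . BUTTON_IMAGE . '" border="0" name="submit" alt="Donate with PayPal">' . "\n"
         . '<input type="hidden" name="encrypted" value="' . $value . '">' . "\n"
         . '</form>';
}

// Constructed inputs: a placeholder blob (not a real button) and a field carrying markup.
$ok  = "encrypted=-----BEGIN PKCS7-----\nQUJDREVGR0g=\n-----END PKCS7-----";
$bad = '-----BEGIN PKCS7-----"><script>alert(1)</script>-----END PKCS7-----';
echo render_donate_button($ok), "\n";
var_dump(render_donate_button($bad));
```

The check only establishes that the field is inert base64 text; whether it decrypts to a valid button, and whose account it pays, is still decided on PayPal's side, as noted in the thread.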

mouser:
maybe what would be nice would be a simple javascript function that when you clicked on that link (or email link), brought up a tiny javascript form that you have to click a button on before it will redirect you - that should stop any email harvesting and still allow general navigation.  anyone want to help me look for such a mini script?
