How Secure are non-hosted buttons?
I'm needing to have a Subscribe button, but where the user can type in the amount.
The only way I've discovered that this can be done is by setting the button to NOT be saved, & thus become a non-hosted button like the below code.
But I've read that this is a huge security risk, & that concerns me. So can anybody either ease my mind or provide a method of adding the "a3" input field while keeping it secure?
Just how INsecure is this method? What could happen & how?
Is it just because the email address is exposed?
Is there a way to hide the sensitive info in PHP?
Note: I know HTML/CSS; sorta JS, & can work with PHP, but am not a programmer. So the easiest/simplest solution is needed.
THANKS!!!
Here's the code example...
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
  <!-- Subscription parameters; as hidden fields they are visible to anyone who views the page source -->
  <input type="hidden" name="cmd" value="_xclick-subscriptions">
  <input type="hidden" name="business" value="EmailAddressHere">
  <input type="hidden" name="lc" value="US">
  <input type="hidden" name="item_name" value="Subscription Name">
  <input type="hidden" name="item_number" value="ID">
  <input type="hidden" name="no_note" value="1">
  <input type="hidden" name="no_shipping" value="1">
  <input type="hidden" name="src" value="1">
  <input type="hidden" name="srt" value="0">
  <input type="hidden" name="p3" value="1">
  <input type="hidden" name="t3" value="M">
  <input type="hidden" name="currency_code" value="USD">
  <input type="hidden" name="bn" value="PP-SubscriptionsBF:btn_subscribeCC_LG.gif:NonHosted">
  <!-- The recurring amount (a3) is typed by the donor instead of being fixed in the button -->
  <label>Enter Your Donation Amount</label>
  <input type="text" name="a3" maxlength="60">
  <input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_subscribeCC_LG.gif" border="0" name="submit" alt="Giving">
  <img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>

Hi syberknight -
Welcome to the Community, this is a great question!
We generally wouldn't recommend using non-hosted buttons if you have an option because they definitely are potentially less secure. As far as what could happen, if someone was to compromise your website they could alter your button parameters, including redirecting from your email address to theirs so they get paid instead of you.
If you need them to be able to enter amounts, have you just tried using the text field option on a hosted button? That may work if all you need is them to be able to enter their own amounts.
- Andy
Hi Andy,
Thank you for your reply!!!
I have 2 PP buttons on our site...
The 1st is the standard Hosted Donations button, and yes, this does allow the user to enter the amount on the PayPal page. All's good with that.
The 2nd is a Subscription button, but I've not found a way around the forced option to pre-select amount(s) for the donor. The only way I've found to let the user enter the amount they want to donate in a monthly subscription is in the example above: by making it Non-Hosted & providing the field on our end.
When researching how to do that (which does work, BTW), I read people saying how insecure & dangerous it is, but I didn't know how.
So, if I'm understanding you correctly, the only "danger" is a two-fold process, where 1) the site has to be hacked to where someone could change the code on its pages, & then 2) they'd redirect the button's email address to their own.
I would THINK it unlikely for either to happen without our noticing, since we're still building the website & are in it every day. But then if it does get hacked, we'll have a LOT more problems than just them redirecting the donation subscription button.
So, I guess there's no danger unless someone hacks the site - right? All that's "exposed" is the email address.
Sidenote: would there be a way with PHP or jQuery/JavaScript to encrypt the non-hosted form to at least keep prying eyes (& bots) from getting at the email addy?
Thanks!
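The tampering Andy describes (someone who can edit the site changes the hidden "business" field so they get paid) is something the site owner can at least detect, since the values sit in plain HTML. The following is an added example, not code from this thread or from PayPal: it parses the form that posts to PayPal and compares the fields worth protecting against a baseline recorded when the button was published. The baseline values and the donations@example.org address are constructed placeholders.

```python
# Added example (not from the thread or from PayPal): re-read the deployed page and confirm
# that the hidden fields an attacker would change (who gets paid, which currency) still
# match the values recorded when the button was published. All sample values are constructed.
from html.parser import HTMLParser

PAYPAL_ACTION = "https://www.paypal.com/cgi-bin/webscr"
# Baseline recorded at publish time (constructed; donations@example.org is a placeholder).
BASELINE = {
    "cmd": "_xclick-subscriptions",
    "business": "donations@example.org",
    "currency_code": "USD",
    "src": "1",
}

class PayPalFormParser(HTMLParser):
    """Collect name -> value for <input> elements inside the form that posts to PayPal."""
    def __init__(self):
        super().__init__()
        self.in_paypal_form = False
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_paypal_form = a.get("action") == PAYPAL_ACTION
        elif tag == "input" and self.in_paypal_form and a.get("name"):
            self.fields[a["name"]] = a.get("value")  # text inputs such as a3 have no value
    def handle_endtag(self, tag):
        if tag == "form":
            self.in_paypal_form = False

def check_button(html, baseline=BASELINE):
    """Return a list of findings; an empty list means every baseline field still matches."""
    parser = PayPalFormParser()
    parser.feed(html)
    findings = []
    for name, expected in baseline.items():
        actual = parser.fields.get(name)  # None if the field was removed entirely
        if actual != expected:
            findings.append(f"{name}: expected {expected!r}, found {actual!r}")
    return findings

# Constructed sample page, plus a copy in which the payee address has been swapped.
GOOD = ('<form action="https://www.paypal.com/cgi-bin/webscr" method="post">'
        '<input type="hidden" name="cmd" value="_xclick-subscriptions">'
        '<input type="hidden" name="business" value="donations@example.org">'
        '<input type="hidden" name="currency_code" value="USD">'
        '<input type="hidden" name="src" value="1">'
        '<input type="text" name="a3" maxlength="60"></form>')
TAMPERED = GOOD.replace("donations@example.org", "someone-else@example.net")
```

Run it on a fresh download of your own page (for example from a scheduled job) and alert on any non-empty result; it only detects a changed button, it cannot prevent the change, and a3 remains donor-controlled by design.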
