StellarWebSolutions.com - The Web Application Experts - Main Page


How-To: Build your own PayPal Encrypted Buttons

PayPal uses the X.509 certificate standard, which was originally developed for sending encrypted email messages. You encrypt the button data with PayPal's public certificate so that only PayPal can decrypt it, and you sign it with your private key so that PayPal can verify that you originated it.

How It Works

You first create a private key and a public signing certificate, and download PayPal's public certificate. You then upload your public certificate to PayPal. PayPal assigns your certificate a unique Cert ID, which you include in the encrypted data, so that a malicious user cannot simply substitute their own certificate.

Using a tool such as the open source OpenSSL, you can sign and encrypt your form data before sending it to PayPal. You can test all of this against PayPal's sandbox website.

How-To: Do it yourself button encryption

Step 1: Generate your private key and public certificate.

You can either generate your private key and public certificate on your own server manually (step 1a and 1b), or use our Stellar PayPal Certificate Wizard.

Step 1a: Manual Creation - Generate a Private Key 1024 bits long

openssl genrsa -out my-prvkey.pem 1024

my-prvkey.pem is your private key.

Step 1b: Manual Creation - Generate public certificate good for 1 year

openssl req -new -key my-prvkey.pem -x509 -days 365 -out my-pubcert.pem

my-pubcert.pem is your public signing certificate. Remember that with this command your certificate is only valid for 365 days, so you should recreate your key and certificate every year.

Step 2: Upload Your Public Certificate

To upload your public certificates to PayPal:
1. Log in to your Business or Premier account.
2. Click the Profile subtab.
3. In the Seller Preferences column, click Encrypted Payment Settings.
4. Click Add.
5. Click Browse, and select your public certificate file "my-pubcert.pem".
6. When your public certificate is successfully uploaded, it appears on the next screen under Your Public Certificates.
7. Record the Cert ID, you'll need to include this in any encrypted data.

Step 3: Download the PayPal Public Certificate

You use PayPal's public certificate to encrypt your button code. To download PayPal's public certificate:
1. Log in to your Business or Premier account.
2. Click the Profile subtab.
3. In the Seller Preferences column, click Encrypted Payment Settings.
4. Click Download in the PayPal Public Certificate area.

Step 4: Block unencrypted payment buttons

You can prevent malicious users from submitting made-up unencrypted buttons by blocking unencrypted payments. Make sure everything is working before you complete this step, or your existing payment buttons will stop working.
1. Log in to your Business or Premier account.
2. Click the Profile subtab.
3. Click the Website Payment Preferences link in the right-hand menu.
4. Select On next to Block Non-encrypted Website Payments.
5. Click Save.

Step 5: Generate your own payment buttons.

You can use PHP or other languages such as Perl to implement PayPal encrypted button generation.

The following code is an example of how to implement PayPal button encryption. This code uses proc_open to call OpenSSL and read the output - an encrypted blob. The function paypal_encrypt accepts a PHP associative array as input and returns the encrypted text.

For users experiencing problems with the proc_open version with some recent versions of OpenSSL, download the streamed version from the top right corner of the example box instead.


<HTML>
<?php
//Sample PayPal Button Encryption: Copyright 2006-2010 StellarWebSolutions.com
//Not for resale  - license agreement at
//http://www.stellarwebsolutions.com/en/eula.php
//Updated: 2010 02 01

# private key file to use
$MY_KEY_FILE = "/usr/home/stellar/paypal/my-prvkey.pem";

# public certificate file to use
$MY_CERT_FILE = "/usr/home/stellar/paypal/my-pubcert.pem";

# Paypal's public certificate
$PAYPAL_CERT_FILE = "/usr/home/stellar/paypal/paypal_cert.pem";

# path to the openssl binary
$OPENSSL = "/usr/bin/openssl";


$form = array('cmd' => '_xclick',
	'business' => 'your@emailaddress.net',
	'cert_id' => 'SD3DG5FFF1234',
	'lc' => 'US',
	'custom' => 'test',
	'invoice' => '',
	'currency_code' => 'USD',
	'no_shipping' => '1',
	'item_name' => 'Donation',
	'item_number' => '1',
	'amount' => '10'
	);


$encrypted = paypal_encrypt($form);


function paypal_encrypt($hash)
{
	//Sample PayPal Button Encryption: Copyright 2006-2010 StellarWebSolutions.com
	//Not for resale - license agreement at
	//http://www.stellarwebsolutions.com/en/eula.php
	global $MY_KEY_FILE;
	global $MY_CERT_FILE;
	global $PAYPAL_CERT_FILE;
	global $OPENSSL;

	// OpenSSL cannot sign or encrypt without all three files, so stop here
	// rather than continue with a command that is bound to fail.
	if (!file_exists($MY_KEY_FILE)) {
		return "ERROR: MY_KEY_FILE $MY_KEY_FILE not found";
	}
	if (!file_exists($MY_CERT_FILE)) {
		return "ERROR: MY_CERT_FILE $MY_CERT_FILE not found";
	}
	if (!file_exists($PAYPAL_CERT_FILE)) {
		return "ERROR: PAYPAL_CERT_FILE $PAYPAL_CERT_FILE not found";
	}


	//Assign Build Notation for PayPal Support
	$hash['bn']= 'StellarWebSolutions.PHP_EWP2';

	// Build the plaintext PayPal expects: one "name=value" line per field,
	// skipping empty values.
	$data = "";
	foreach ($hash as $key => $value) {
		if ((string) $value !== "") {
			// A line break inside a name or value would start a new
			// "name=value" line in the signed data and let a caller smuggle
			// in extra fields (a different amount, say), so refuse it outright.
			if (strpbrk($key . $value, "\r\n") !== false) {
				return "ERROR: field $key contains a line break";
			}
			$data .= "$key=$value\n";
		}
	}

	// Sign with our key and certificate, then encrypt to PayPal's certificate.
	// Only shell-escaped file paths appear on the command line; the button
	// data is written to OpenSSL's stdin through proc_open, so the shell never
	// parses it the way it would parse an inline here-document.
	$openssl_cmd = escapeshellarg($OPENSSL) . " smime -sign" .
		" -signer " . escapeshellarg($MY_CERT_FILE) .
		" -inkey " . escapeshellarg($MY_KEY_FILE) .
		" -outform der -nodetach -binary | " .
		escapeshellarg($OPENSSL) . " smime -encrypt -des3 -binary -outform pem " .
		escapeshellarg($PAYPAL_CERT_FILE);

	$descriptors = array(
		0 => array("pipe", "r"),	// stdin: the name=value lines
		1 => array("pipe", "w"),	// stdout: PEM-encoded PKCS#7 blob
		2 => array("pipe", "w"),	// stderr: OpenSSL diagnostics
	);
	$proc = proc_open($openssl_cmd, $descriptors, $pipes);
	if (!is_resource($proc)) {
		return "ERROR: could not start openssl";
	}
	fwrite($pipes[0], $data);
	fclose($pipes[0]);
	$output = stream_get_contents($pipes[1]);
	fclose($pipes[1]);
	$stderr = stream_get_contents($pipes[2]);
	fclose($pipes[2]);
	$status = proc_close($proc);

	if ($status === 0 && $output !== "") {
		return trim($output);
	} else {
		// Keep OpenSSL's diagnostics in the server log, not in the page.
		error_log("paypal_encrypt: openssl exited with status $status: $stderr");
		return "ERROR: encryption failed";
	}
}
?>
<HEAD>
<LINK REL=stylesheet HREF="/styles/stellar.css" TYPE="text/css">
<TITLE>PHP Sample Donation using PayPal Encrypted Buttons</TITLE>
</HEAD>
<BODY bgcolor=white>
<TABLE border=0>
<TR><TD align=center>
<h1>Sample Donation Page</h1>
<P>This page uses encrypted PayPal buttons for your security.</P>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target=_blank>
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="encrypted" value="<?php echo htmlspecialchars($encrypted); ?>">
<input type="submit" value="Donate $10">
</form>
<P><SMALL>(PayPal will open in a new window for demonstration purposes.)</SMALL></P>
</TD></TR></TABLE>
</BODY>

</HTML>


Here's an example of the above code in action using a simple donation. Right click in the white box and "View Source" to see the underlying secure encrypted button blob.
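To check the whole sign-then-encrypt pipeline on one machine before uploading anything to PayPal, here is an added shell example (not code from the original page) that generates a merchant key and certificate, a constructed stand-in for PayPal's key and certificate, encrypts a button exactly as the PHP above does, and then plays PayPal's part by decrypting and verifying the signature. It uses 2048-bit keys rather than the 1024-bit key of Step 1a, since 1024-bit RSA is no longer considered adequate; the certificate names, the work directory and the sample field values are assumptions.

```shell
#!/bin/sh
# Added example (not the page's code): run the PayPal EWP pipeline end to end
# locally, with a constructed stand-in for PayPal's key pair, so the flow can
# be tested before any certificate is uploaded.
set -e

WORK="${TMPDIR:-/tmp}/ewp-demo.$$"

make_keys() {
  mkdir -p "$WORK"
  # Merchant key and self-signed certificate (Step 1a/1b, but 2048-bit).
  openssl genrsa -out "$WORK/my-prvkey.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/my-prvkey.pem" -x509 -days 365 \
    -subj "/CN=merchant.example" -out "$WORK/my-pubcert.pem" 2>/dev/null
  # Stand-in for PayPal's key pair: constructed locally for testing only.
  openssl genrsa -out "$WORK/paypal-prvkey.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/paypal-prvkey.pem" -x509 -days 365 \
    -subj "/CN=paypal-stand-in.example" -out "$WORK/paypal_cert.pem" 2>/dev/null
}

# Merchant side: sign the button data, then encrypt it to the recipient cert.
# The data arrives on stdin, so no form value ever appears on a command line.
ewp_encrypt() {
  openssl smime -sign -signer "$WORK/my-pubcert.pem" -inkey "$WORK/my-prvkey.pem" \
    -outform der -nodetach -binary |
  openssl smime -encrypt -des3 -binary -outform pem "$WORK/paypal_cert.pem"
}

# Recipient side (what PayPal does): decrypt with its private key, then check
# the signature against the merchant certificate and recover the plaintext.
ewp_decrypt_verify() {
  openssl smime -decrypt -inform pem -recip "$WORK/paypal_cert.pem" \
    -inkey "$WORK/paypal-prvkey.pem" |
  openssl smime -verify -inform der -binary -CAfile "$WORK/my-pubcert.pem" 2>/dev/null
}

# Constructed sample button, in the same name=value line format the PHP builds.
sample_button() {
  printf 'cmd=_xclick\nbusiness=merchant@example.com\ncert_id=CERT-ID-PLACEHOLDER\n'
  printf 'amount=10\ncurrency_code=USD\n'
}

# Prints the recovered plaintext; it must equal the sample exactly.
round_trip() {
  make_keys
  sample_button | ewp_encrypt > "$WORK/button.pem"
  ewp_decrypt_verify < "$WORK/button.pem"
}
```

Running round_trip leaves the PEM blob in the work directory; it is the value the PHP page places in the hidden "encrypted" field.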


