PayPal Classic error: The seller accepts encrypted website payments only - coldfusion

I have a e-Commerce website that has been using US PayPal accounts for processing orders, not the API, just the standard account. It works fine.
One of my clients is in the UK and is getting an error message that indicates it maybe his account.
Error: The seller accepts encrypted website payments only. You
cannot pay the seller through un-encrypted buttons. Please contact
your seller for more details.
PayPal says its not the account. Is there a difference between US and UK.
The code:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" >
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="bn" value="SEOWebstore">
<input type="hidden" name="business" value="#GetSettings.Paypal_Account#">
<input type="hidden" name="item_name" value="#Request.AppSettings.SiteName# Order">
<input type="hidden" name="currency_code" value="#Left(LSCurrencyFormat(10, "international"),3)#">
<input type="hidden" name="amount" value="#Total#">
<cflock scope="SESSION" timeout="15" type="READONLY">
<input type="hidden" name="custom" value="#Request.BasketNum#^#Session.User_ID#"
</cflock>
<input type="hidden" name="notify_url" value="#Request.AppSettings.SiteURL##self#?fuseaction=shopping.checkout&step=ipn">
<input type="hidden" name="return" value="#Request.AppSettings.SiteURL##self#?fuseaction=shopping.checkout&step=ipn&PayPalCust=Yes">
<input type="hidden" name="cancel_return" value="#Request.AppSettings.SiteURL##self#?fuseaction=shopping.basket">
<input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but01.gif" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>

The error message:
Error: The seller accepts encrypted website payments only. You cannot pay the seller through un-encrypted buttons. Please contact your seller for more details.
appears when you are using a non-encrypted and unprotected PayPal Payments Standard button and you have selected to block payments these payments on your PayPal account (this works for any accounts)
To unblock payments from unprotected and non-encrypted PayPal Payments Standard buttons:
1.Log in to your PayPal Premier account or Business account.
2.Click the Profile subtab.
3.In the Selling Preferences column, click the Website Payment Preferences link.
4.Scroll down to the Encrypted Website Payments section.
5.Next to the Block Non-encrypted Website Payment label, select the Off radio button.
6.Scroll to the bottom of the page, and click the Save button.
Ref. Encrypted Web Payments

Related

Django + OWASP ZAP Cross Site Scripting (Reflected) - Is the value attribute of an HTML input tag a risk?

In my Django project, I have a search input in the navbar across most pages on my site.
I'm a beginner to OWASP ZAP. After running the scan, one of the high priority alerts (red flag icon) raised was Cross Site Scripting (Reflected).
In my case, this is my website search form:
<form method="GET" id="searchForm">
<input type="text" name="q"
id="searchQuery" placeholder="Search..." autocomplete="off" maxlength="100" required="">
</form>
if someone searches for javascript:alert(1); in the search box, the value= attribute contains the same.
<form method="GET" id="searchForm">
<input type="text" name="q" value="javascript:alert(1);"
id="searchQuery" placeholder="Search..." autocomplete="off" maxlength="100" required="">
</form>
Is this is a potentially vulnerability or is the input is being sanitized by Django? This form is created using a Django forms.ModelForm:
class SiteSearchForm(forms.ModelForm):
class Meta:
model = Search
fields = ('q',)

Retrieve custom variable from PayPal Button in Django

Hi I have a django app hosted on Heroku.
I have a view with the paypal button, which is working and sends me back to my success url. But on the success url I want to display/use my custom variable.
I tried some solutions from StackOverflow already, but I can not fix it by myself.
URLS
path('match/<int:pk>', MatchDetail, name='match-detail'),
path('match_paid/', MatchPaid, name='match-paid'),
MatchDetail - PayPalButton
The form looks like this:
<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="...">
<input type="hidden" name="custom" id="custom" value="{{match.id}}">
<input type="image" src="https://www.sandbox.paypal.com/de_DE/DE/i/btn/btn_paynow_LG.gif" border="0" name="submit" alt="Jetzt einfach, schnell und sicher online bezahlen – mit PayPal.">
<img alt="" border="0" src="https://www.sandbox.paypal.com/de_DE/i/scr/pixel.gif" width="1" height="1">
</form>
In PayPal I have set the custom variables of my button to:
custom=custom # What is most likely wrong.
Now I want the custom variable to be print in the return URL 'match_paid/'.
Tried {{custom}}, {{request.custom}} etc.

How to add "Remember me" feature in login form using php

I create a login form in index.php and action of that form is loginform.php, so i want to functional the remember me checkbox in php.this
is loginform image
The original script
The form
> <form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
> Username: <input type="text" name="username" maxlength="40"> Password:
> <input type="password" name="pass" maxlength="50"> <input
> type="submit" name="submit" value="Log in"> </form>
An extremely simple login form with fields for a username, a password and of course a submit button. I should also mention at this point that for the sake of simplicity for this tutorial, I am using “PHP_SELF” (forms action code is contained within the same file) I would recommend keeping all of your scripts in separate files for actual development.
The php
For security reasons, and so that I don’t give away all of my secrets, I wont be sharing the entire login script here. If you are still reading this tutorial I assume you have a working knowledge of php and indeed, a login script that you are trying to improve upon, so this shouldn’t be a problem.
Once I have connected to my database and carried out all of my validation checks I proceed to log in a verified user using the following code:
$hour = time() + 3600;
setcookie('ID_my_site', $_POST['username'], $hour);
//then redirect them to the members area
header("Location:example-page.php");
Above I simply set two cookies lasting one hour each, one for username, and one for password, and redirect them to the members area.
Adding the remember me functionality
The form
Firstly, we need to actually provide our form with a remember me checkbox. Adding this makes our form look like this:
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
Username:
<input type="text" name="username" maxlength="40">
Password:
<input type="password" name="pass" maxlength="50">
<input type="checkbox" name="remember" value="1">Remember Me
<input type="submit" name="submit" value="Log in">
</form>
The php
Now we need to make this checkbox do something. Namely, when checked, remember the users username and place it in the username field on each of their corresponding visits to the login page. To do so, I decided to use cookies. I couldn’t use the “ID_my_site” username cookie that I set above, as this was being killed each time the user logged out. The solution was to create an additional cookie named “remember” which also stored the username, like so:
$year = time() + 31536000;
setcookie('remember_me', $_POST['username'], $year);
Above we have added this additional cookie, lasting for a year, so that when a user logs in it creates an additional cookie that holds the users username. However, at the moment, it is not being used. Changing:
<input type="text" name="username" maxlength="40">
to:
<input type="text" name="username" maxlength="40" value="<?php
echo $_COOKIE['remember_me']; ?>">
in our login form will now store this username into the text field for future visits:
We are not finished yet though. Currently, the code is storing this information for every user. We want it to remember only those users who specifically request this functionality. To do this, we run a simple check before we create the additional cookie. This check looks to see if the remember me checkbox has been checked, and only creates our new cookie if it has. Like so:
if($_POST['remember']) {
setcookie('remember_me', $_POST['username'], $year);
}
elseif(!$_POST['remember']) {
if(isset($_COOKIE['remember_me'])) {
$past = time() - 100;
setcookie(remember_me, gone, $past);
}
}
The above code also handles the scenario where a cookie is present, but the user has identified that they no longer want to be remembered, by seting any existing cookies to a time in the past, essentially killing them.
Further improvements
The above code does indeed achieve the main aim of this tutorial, to remember a users username in a log in form when they request it. However, to improve usability further, I wanted the checkbox to be automatically checked when a user has requested to be remembered, and unchecked when they haven’t. Adding this into our form gives us our final form code:
<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
Username:
<input type="text" name="username" maxlength="40" value="<?php
echo $_COOKIE['remember_me']; ?>">
Password:
<input type="password" name="pass" maxlength="50">
<input type="checkbox" name="remember" <?php if(isset($_COOKIE['remember_me'])) {
echo 'checked="checked"';
}
else {
echo '';
}
?> >Remember Me
<input type="submit" name="submit" value="Log in">
</form>

How I can show PayPal donators list?

I added a PayPal Donate button on my site, with that code
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="business" value="pro-email#gmail.com">
<input type="hidden" name="cmd" value="_donations">
<input type="hidden" name="item_name" value="Donation">
<input type="hidden" name="item_number" value="Donation">
<select name="amount"><option value="2.00">$2.00</option><option value="5.00">$5.00</option><option value="10.00">$10.00</option></select>
<input type="hidden" name="currency_code" value="EUR">
<input type="image" name="submit" border="0" src="https://www.paypal.com/en_US/i/btn/btn_donate_LG.gif" alt="PayPal - The safer, easier way to pay online">
</form>
I want add and show Donators names or emails with the $$ amount on list on my website after then when someone pays. How can i do this?
I would set something like up using PayPal Instant Payment Notification (IPN).
It will automatically POST data about transactions to a listener script you have on your server. That script can receive the data and load it into a database table called "donors" or whatever you want to call it.
Then on your site you can simply pull the data from the donors table and display it accordingly.
Since you're using WordPress I'd recommend taking a look at this PayPal IPN for WordPress plugin. It's free and it will get you up and running with IPN very quickly. It logs all of the IPN data in WordPress and allows you to easily extend the plugin using a number of hooks to trigger events based on different IPN types or payment status.

django paypal - how to prevent user tampering the amount

I am using Django 1.7 with django-paypal.
I follow the tutorial, everything is working fine.
However,although the payment form is hidden, and yet I found out that user can temper the amount by simply using browser Inspect Element feature.
eg.
<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post">
<input id="id_business" name="business" type="hidden" value="xxx#example.com">
<input id="id_amount" name="amount" type="hidden" value="10.0">
<input id="id_item_name" name="item_name" type="hidden" value="2">
<input id="id_notify_url" name="notify_url" type="hidden" value="http://www.example.com/pp/ipn/">
<input id="id_cancel_return" name="cancel_return" type="hidden" value="http://www.example.com/order/21/">
<input id="id_return_url" name="return" type="hidden" value="http://www.example.com/thank-you">
<input id="id_invoice" name="invoice" type="hidden" value="21"><input id="id_cmd" name="cmd" type="hidden" value="_xclick">
<input id="id_charset" name="charset" type="hidden" value="utf-8">
<input id="id_currency_code" name="currency_code" type="hidden" value="USD">
<input id="id_no_shipping" name="no_shipping" type="hidden" value="1">
<input type="image" src="https://www.sandbox.paypal.com/en_US/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="Buy it Now">
</from>
Is it a bug or I missing something here? How do I prevent user fraudulent the payments? Should I verify the payment on the ipn view??
The button code you have created is Clear text button which is not a hosted button.
In order to secure the button from tampering, I would suggest you to create a hosted button.
Steps to create :
1) login to www.paypal.com
2) Navigate to My Profile->My Selling tools or My selling Preferences
3) Click "Update" beside "PayPal buttons"
4) Create new button and enter all the required information,
5) In Step 2, check the box(Save button at PayPal), click Save
Hosted buttons are stored on PayPal. The parameters associated with this kind of button are secure.
Hosted buttons provide the greatest flexibility because you can instruct PayPal to change them dynamically, and PayPal maintains information about their state, such as the inventory level associated with the button.