I am just wondering here... Aren't dynamically created PayPal buttons very insecure and easily "hackable"?
Like so:
<form name="_xclick" target="paypal" action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_cart">
<input type="hidden" name="business" value="me@mybusiness.com">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="item_name" value="HTML book">
<input type="hidden" name="amount" value="24.99">
<input type="image" src="https://www.paypal.com/en_US/i/btn/btn_cart_LG.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
<input type="hidden" name="add" value="1">
</form>
Changing the price of the product is straightforward when you can modify the code with, say, Firebug.
The reason I am asking is that I might/will start developing an e-commerce kind of system, where the products can be added in that system without doing it in PayPal.
6 Answers
#1
47
You should use the PayPal Button API such as below:
// API credentials come from your PayPal account (API username, password and signature).
// The order values are whatever your server computed; nothing here is taken from the browser.
$invoiceNumber = 'INV-1001';    // example values
$invoiceType   = 'Consulting';
$invoiceTotal  = '24.99';
$sendPayData = array(
    "METHOD" => "BMCreateButton",
    "VERSION" => "65.2",
    "USER" => "username",
    "PWD" => "password",
    "SIGNATURE" => "abcdefg",
    "BUTTONCODE" => "ENCRYPTED",          // ask for the encrypted (tamper-proof) variant
    "BUTTONTYPE" => "BUYNOW",
    "BUTTONSUBTYPE" => "SERVICES",
    "BUTTONCOUNTRY" => "GB",
    "BUTTONIMAGE" => "reg",
    "BUYNOWTEXT" => "BUYNOW",
    // Button variables, one name=value pair per L_BUTTONVARn
    "L_BUTTONVAR1" => "item_number=$invoiceNumber",
    "L_BUTTONVAR2" => "item_name=$invoiceType",
    "L_BUTTONVAR3" => "amount=$invoiceTotal",
    "L_BUTTONVAR4" => "currency_code=GBP",
    "L_BUTTONVAR5" => "no_shipping=1",
    "L_BUTTONVAR6" => "no_note=1",
    "L_BUTTONVAR7" => "notify_url=http://www.abc.co.uk/paypal/ipn.php",
    "L_BUTTONVAR8" => "cancel_return=http://www.abc.co.uk/paypal/thanks",
    "L_BUTTONVAR9" => "return=http://www.abc.co.uk/paypal/return.php"
);
You can then send that with cURL to their API
$curl = curl_init('https://api-3t.paypal.com/nvp');
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);   // never disable this: the request carries your API credentials
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($sendPayData));
$nvpPayReturn = curl_exec($curl);
if ($nvpPayReturn === false) {
    throw new RuntimeException('PayPal API call failed: ' . curl_error($curl));
}
curl_close($curl);
parse_str($nvpPayReturn, $nvpResponse);             // the reply is URL-encoded name=value pairs, e.g. ACK=Success
$buttonHtml = ($nvpResponse['ACK'] ?? '') === 'Success' ? $nvpResponse['WEBSITECODE'] : null;
This then generates an encrypted HTML button that cannot be edited:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="encrypted" value="-----BEGIN PKCS7-----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-----END PKCS7-----
">
<input type="image" src="https://www.paypal.com/en_US/i/btn/btn_paynow_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online.">
<img alt="" border="0" src="https://www.paypal.com/en_GB/i/scr/pixel.gif" width="1" height="1">
</form>
These links should help you with the button options:
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_nvp_BMCreateButton
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_ButtonMgrAPIIntro
#2
7
You're right - dynamic PayPal buttons are easily "hackable" if you pass, for example, the price of the product in clear text.
However, PayPal supports public-key button encryption, so that the relevant details cannot be easily altered. This is the way it works:
- You generate a public/private key pair with an appropriate program such as OpenSSL.
- You log in to your PayPal account and submit the public key to PayPal, then store the private key securely on your Web server. You will also need to download PayPal's certificate and store it on your server as well. It is also highly recommended to tell PayPal not to accept unsigned/unencrypted transactions (see link at bottom for details).
- Each time you need to generate a PayPal button, you encrypt the data using PayPal's public key and sign it with your private key, then you display the result on your Web page. When the user clicks the button, PayPal will decrypt the details and check they have not been tampered with since their generation on your server.
This way, as long as your private key is uncompromised, no one will be able to alter the transaction's details.
More information and detailed instructions are available at https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_encryptedwebpayments#id08A3I0P017Q. (Although PayPal provides its software to generate encrypted buttons, I think it's possible to create them "on the fly" using appropriate functions, such as openssl_*() in PHP; I haven't tested them personally.)
An alternative would be implementing Instant Payment Notification (https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_admin_IPNIntro); you could check that the amount of the transaction performed by the user equals the total order amount.
#3
3
I think you can use a hashed approach as well where all the important values are hashed so they can't be modified.
The current approach is indeed hackable, but once you're on the PayPal site you can still see the amount you're going to pay. It's really up to the user to double-check the amount.
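Answer #2's IPN suggestion and answer #3's hashed-values idea come down to the same server-side rule: the price the browser submitted is untrusted, so the server compares what PayPal reports as paid against the order it created itself. The following is an added example in Python (not code from this thread or from PayPal) showing both halves: issuing an HMAC token in the `custom` button variable, and validating an IPN against the stored order, the token, the receiving account and a replay check. The merchant address, the HMAC secret, the order store and the IPN bodies are constructed for illustration; only the IPN field names are PayPal's. The round-trip to PayPal (posting the body back with cmd=_notify-validate and expecting a literal VERIFIED) is injected as a callback so the example runs offline.

```python
"""Server-side check of a PayPal IPN against the order the server itself created.

Added example, not code from the thread or from PayPal. The merchant address,
the HMAC secret, the order store and the IPN bodies are constructed; only the
IPN field names (payment_status, receiver_email, invoice, mc_gross, mc_currency,
custom, txn_id) are PayPal's.
"""
import hashlib
import hmac
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlencode

MERCHANT_EMAIL = "me@mybusiness.com"                              # account that must receive the money
TOKEN_SECRET = b"server-only secret, never sent to the browser"   # constructed

# The server's own record of what each order costs; the browser never sets this.
ORDERS = {
    "INV-1001": {"amount": Decimal("24.99"), "currency": "USD", "paid_txn": None},
}


def order_token(invoice: str, amount: Decimal, currency: str) -> str:
    """HMAC over the fields a customer could edit in the form; travels in the
    `custom` button variable and comes back unchanged in the IPN."""
    msg = f"{invoice}|{amount}|{currency}".encode()
    return hmac.new(TOKEN_SECRET, msg, hashlib.sha256).hexdigest()


def button_fields(invoice: str) -> dict:
    """Hidden fields for the plain (editable) button, built from the order record."""
    o = ORDERS[invoice]
    return {
        "cmd": "_xclick", "business": MERCHANT_EMAIL, "invoice": invoice,
        "amount": str(o["amount"]), "currency_code": o["currency"],
        "custom": order_token(invoice, o["amount"], o["currency"]),
    }


def handle_ipn(raw_body: str, verify_with_paypal) -> tuple:
    """Return (accept, reason). verify_with_paypal(raw_body) must POST the
    unmodified body back to PayPal with cmd=_notify-validate and return True
    only on a literal VERIFIED reply; it is injected so this runs offline."""
    if not verify_with_paypal(raw_body):
        return False, "not VERIFIED by PayPal (forged or replayed post)"
    ipn = {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}

    if ipn.get("payment_status") != "Completed":
        return False, "payment_status is not Completed"
    if ipn.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return False, "money went to a different account"
    order = ORDERS.get(ipn.get("invoice", ""))
    if order is None:
        return False, "unknown invoice"

    # Compare with the server's record, never with what the button said.
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return False, "unparseable mc_gross"
    if ipn.get("mc_currency") != order["currency"] or paid != order["amount"]:
        return False, f"paid {paid} {ipn.get('mc_currency')}, order is {order['amount']} {order['currency']}"
    expected = order_token(ipn["invoice"], order["amount"], order["currency"])
    if not hmac.compare_digest(ipn.get("custom", ""), expected):
        return False, "order token does not match (invoice/amount fields were edited)"
    if order["paid_txn"] is not None:
        return False, "invoice already paid (replayed IPN)"

    order["paid_txn"] = ipn.get("txn_id")   # fulfil the order only after this point
    return True, "ok"


def make_ipn(**fields) -> str:
    """Constructed IPN body in PayPal's URL-encoded form (real ones come from PayPal)."""
    return urlencode(fields)


def demo() -> list:
    """Price-edited payment rejected, honest payment accepted, replay rejected."""
    token = button_fields("INV-1001")["custom"]
    common = dict(payment_status="Completed", receiver_email=MERCHANT_EMAIL,
                  invoice="INV-1001", mc_currency="USD", custom=token)
    # Customer changed amount=0.01 in Firebug; PayPal duly reports mc_gross=0.01.
    tampered = make_ipn(mc_gross="0.01", txn_id="TXN-A", **common)
    honest = make_ipn(mc_gross="24.99", txn_id="TXN-B", **common)
    trust_all = lambda body: True           # stands in for the PayPal round-trip
    return [handle_ipn(tampered, trust_all)[0],
            handle_ipn(honest, trust_all)[0],
            handle_ipn(honest, trust_all)[0]]   # the same IPN delivered twice


if __name__ == "__main__":
    print(demo())   # [False, True, False]
```

The tampered IPN in demo() still carries a valid token, so it is the comparison against the stored order that rejects it; the token's job is to bind invoice, amount and currency together so a swapped invoice number is also caught. In either case nothing is shipped on the return URL; the order is fulfilled only after the IPN passes every check.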
#4
1
You are correct. <input type="hidden" name="amount" value="24.99"> can be easily manipulated on the client side. In the example you gave, this might be a form where the client is actually supposed to be able to set the amount, e.g. a PayPal donate button. Otherwise there would need to be server-side checks after this form submission to ensure that there is no funny business going on.
#5
1
You can create encrypted buttons on the fly; for more info you can check Dynamic Paypal button encryption.
#6
-9
I think I have a solution for this issue:
First, submit to PayPal from a secure page - Public SSL.
Second, you can use Ajax in order to prevent users from browsing your HTML code via "Right Click - View Source" or browser tools like Firebug.
Here is an example in jQuery:
I usually program with C#.NET, which is why I communicate with a .ashx Generic Handler (but it can work with PHP as well):
$(function () {
    $.ajax({
        type: "POST",
        url: "myPage.ashx",
        data: { theProductsIdAndAmountsString: yourValue },
        success: function (allHtmlCode) {
            // Append the server-built form and submit that form, not just the first <form> on the page
            var $payForm = $(allHtmlCode).appendTo("body");
            $payForm.filter("form").submit();
        }
    });
});
On the server side you can generate the whole HTML form by pulling the data from your database, then send it back to the page.
After that, append it to the body and submit the form to PayPal.
Now no one can use browser tools like Firebug to change your HTML values.