You don't send passwords to paypal. Just the transaction details (item numbers, quantities, and prices) and your paypal address. The user enters all the secure stuff on the paypal site so you don't have to mess with that. The transaction you get from paypal only includes the user's info (name, email, and snailmail address) and details about the transaction (items purchased, quantities, and price). There's no way for me to sneakily charge extra money from one of my buyers' accounts.
As for security the other way (i.e. people faking a purchase to you), there's a verify step. When paypal first contacts you to tell you that somebody bought something, they send you a key, which is a big string of random characters. You send this key to Paypal's verification-server, and it sends you back a "VERIFIED" or "NOT VERIFIED". If you get a "VERIFIED", then you can be sure that the transaction came from Paypal. Again, the sample-code takes care of all of this. Most of your paypal solution will involve downloading their sample code in your favorite server language (PHP, Perl, CF, etc) and modifying it to serve your needs. Google checkout is similar, security-wise, although it's entirely XML-based and requires an encrypted connection so you can't talk to it directly from Flash (at least not easily). In my case, I talk to a little piece of PHP on my site that sends the transaction to Google Checkout, because PHP has all the secure-connection stuff built in. One nice thing Google Checkout adds is that buyers can hide their emails from sellers. I've gotten a couple of these with game purchases. Instead of the user's real email address, I get something like "[EMAIL PROTECTED]". This email forwards to the buyer, but only for a limited time. That way buyers don't have to worry about getting spammed by sellers after the fact. ----- Original Message ---- From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> To: flashcoders@chattyfig.figleaf.com Sent: Tuesday, April 24, 2007 4:42:01 AM Subject: Re: [Flashcoders] flash and paypal super-useful guys, thankyou how secure is this? are there any passwords or seller account details sent by flash to paypal? Quoting Jordan Snyder <[EMAIL PROTECTED]>: > That was helpful John! > > FYI, it seems your Google Checkout code is broken! > > > Cheers > > On 4/23/07, John Hattan <[EMAIL PROTECTED]> wrote: >> You don't need any third-party API's to talk to paypal. Since the >> paypal site accepts standard GET and POST CGI data, sending a >> transaction to Paypal can be done by setting up a LoadVars object, >> setting the parameters to your shopping cart in the object, then >> sending that LoadVars object to PayPal's little processor at >> https://www.paypal.com/cgi-bin/webscr >> >> (note that there's apparently a long-standing bug in Flash's >> POST-handler, so I just use GET. It makes for ugly URL's, but it >> works) >> >> As for doing back-end processing from Paypal (i.e. being notified >> that somebody bought something and you need to act on that >> purchase), google for "IPN", which is Paypal's spec for creating >> and acting on transactions. Paypal's got good sample code in >> several server-side languages along with developer forums and a >> sandbox (i.e. a "fake paypal" where you can test your code without >> spending real money). >> >> The process basically goes like this. . . >> >> 1. You send your shopping cart data to paypal (either from Flash or >> some other browser-based shopping-cart solution) >> 2. The user is sent to paypal where he pays for the transaction. >> 3. Paypal contacts some server-side code telling you that somebody >> bought something. >> 4. You verify the transaction with paypal (to make sure you're not >> being spoofed) >> 5. If verified, do whatever's necessary to complete the >> transaction, like email the user a download link. >> >> Here's my little shopping-cart. Note that it also talks to Google >> Checkout, which has a few more steps but is otherwise similar. >> >> http://www.thecodezone.com/buy.html >> >> >> >> ----- Original Message ---- >> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> >> To: flashcoders@chattyfig.figleaf.com >> Sent: Monday, April 23, 2007 11:23:40 AM >> Subject: [Flashcoders] flash and paypal >> >> i'm going to be producing a site which sells some exclusive, single >> and multiple (ie shopping cart) products which i'd like to do in flash. >> >> the client wants to use paypal to begin with (it's a startup). >> >> Does anyone have any experience with using flash with paypal? Can you >> recommend any good tutorial sites or 3rd party api's? >> >> Hope you guys can help >> >> thanks >> a >> _______________________________________________ >> Flashcoders@chattyfig.figleaf.com >> To change your subscription options or search the archive: >> http://chattyfig.figleaf.com/mailman/listinfo/flashcoders >> >> Brought to you by Fig Leaf Software >> Premier Authorized Adobe Consulting and Training >> http://www.figleaf.com >> http://training.figleaf.com >> >> >> >> _______________________________________________ >> Flashcoders@chattyfig.figleaf.com >> To change your subscription options or search the archive: >> http://chattyfig.figleaf.com/mailman/listinfo/flashcoders >> >> Brought to you by Fig Leaf Software >> Premier Authorized Adobe Consulting and Training >> http://www.figleaf.com >> http://training.figleaf.com >> > > > -- > Jordan Snyder > Applications Developer > Image Action LLC > http://www.imageaction.com > _______________________________________________ > Flashcoders@chattyfig.figleaf.com > To change your subscription options or search the archive: > http://chattyfig.figleaf.com/mailman/listinfo/flashcoders > > Brought to you by Fig Leaf Software > Premier Authorized Adobe Consulting and Training > http://www.figleaf.com > http://training.figleaf.com _______________________________________________ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com _______________________________________________ Flashcoders@chattyfig.figleaf.com To change your subscription options or search the archive: http://chattyfig.figleaf.com/mailman/listinfo/flashcoders Brought to you by Fig Leaf Software Premier Authorized Adobe Consulting and Training http://www.figleaf.com http://training.figleaf.com
