How to hide the Return URL of your order form

Have you ever looked at the HTML code of your order page?
Did you see code like this?
<form action="https://www.paypal.com/cgi-bin/webscr">
  <input type="hidden" name="cmd" value="_xclick">
  <input type="hidden" name="business" value="my@email.com">
  <input type="hidden" name="item_name" value="Item name">
  <input type="hidden" name="item_number" value="1234">
  <input type="hidden" name="amount" value="19.95">
  <input type="hidden" name="no_shipping" value="1">
  <input type="hidden" name="return"
    value="http://myhost.com/payment_success.html">
  <input type="hidden" name="cancel_return"
    value="http://myhost.com/payment_cancel.html">

  <input type="submit" value="Buy Now">
</form>

What do the hidden return and cancel_return fields mean?

They mean that buyers arrive at the URL you entered in the return field after the payment is completed.

I bet you wouldn’t like people to look into your code and then open your return page without paying, even if it is not a download page but just a thank-you page.

You can hide this field with a simple JavaScript snippet.

Cloaking field of a form

It should be said that it is impossible to completely hide or encrypt your HTML from everyone. Any HTML or JavaScript encoding can be broken by technical people.
This is why you have to use PayPal encryption and the IPN procedure, which allows you to check the transaction.

However, this script hides the Return URL field from most people, which could substantially reduce theft.
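
The IPN check mentioned above is what actually protects the return page, because the cloaked URL can still be recovered from the script. The following is an added example, not code from the original article: server-side JavaScript (Node.js) that marks an order as paid only after a verified notification and serves the return page only for paid orders. It assumes the shop stores each order server-side, sends its id to PayPal in the custom field, and has already posted the notification back to PayPal with cmd=_notify-validate; handleIpn, returnPageStatus, the orders map and all sample values are hypothetical.

```javascript
// Added example: gate the return page on a verified PayPal IPN.
// MERCHANT_EMAIL, the order store and the sample values are constructed.
const MERCHANT_EMAIL = "my@email.com";

// Orders created by the shop when the buyer clicks "Buy Now", keyed by an
// order id that is sent to PayPal in the "custom" field (assumption).
const orders = new Map([
  ["order-1001", { itemNumber: "1234", amount: "19.95", currency: "USD", paid: false }],
]);
const seenTxnIds = new Set(); // guards against replayed notifications

// ipn: the fields PayPal posted to the IPN listener.
// postbackReply: the body PayPal returned when the same fields were posted
// back with cmd=_notify-validate ("VERIFIED" or "INVALID").
function handleIpn(ipn, postbackReply) {
  if (postbackReply !== "VERIFIED") return "rejected: not verified by PayPal";
  if (ipn.payment_status !== "Completed") return "ignored: payment not completed";
  if ((ipn.receiver_email || "").toLowerCase() !== MERCHANT_EMAIL) return "rejected: wrong receiver";
  const order = orders.get(ipn.custom);
  if (!order) return "rejected: unknown order";
  if (ipn.item_number !== order.itemNumber) return "rejected: wrong item";
  // Hidden form fields such as "amount" can be edited by the buyer,
  // so compare what was paid with what the shop expected.
  if (Number(ipn.mc_gross) !== Number(order.amount) || ipn.mc_currency !== order.currency) {
    return "rejected: wrong amount";
  }
  if (seenTxnIds.has(ipn.txn_id)) return "ignored: duplicate txn_id";
  seenTxnIds.add(ipn.txn_id);
  order.paid = true;
  return "accepted";
}

// Called by the return page handler: content is served only for paid
// orders, no matter how the visitor learned the URL.
function returnPageStatus(orderId) {
  const order = orders.get(orderId);
  return order && order.paid ? 200 : 403;
}

// Constructed sample notification
const sampleIpn = {
  payment_status: "Completed", receiver_email: "my@email.com", custom: "order-1001",
  item_number: "1234", mc_gross: "19.95", mc_currency: "USD", txn_id: "TXN-SAMPLE-1",
};
```
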

 
Step 1)  We enter a fake URL as the return URL in the return field of the form:
<form action="https://www.paypal.com/cgi-bin/webscr">
  <input type="hidden" name="cmd" value="_xclick">
  <input type="hidden" name="business" value="my@email.com">
  <input type="hidden" name="item_name" value="Item name">
  <input type="hidden" name="item_number" value="1234">
  <input type="hidden" name="amount" value="19.95">
  <input type="hidden" name="no_shipping" value="1">
  <input type="hidden" name="return"
    value="http://myhost.com/fake_page.html">

  <input type="hidden" name="cancel_return"
    value="http://myhost.com/payment_cancel.html">
  <input type="submit" value="Buy Now">
</form>

 
Step 2)  We add the onSubmit attribute to the form so that a script replaces the fake return URL with the real one when the form is submitted:
<form onSubmit="checkForm(this)"
  action="https://www.paypal.com/cgi-bin/webscr">

  <input type="hidden" name="cmd" value="_xclick">
  <input type="hidden" name="business" value="my@email.com">
  <!-- remaining fields as in Step 1 -->
</form>

 
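Step 3)  You also need a JavaScript function that replaces the fake return URL with the real one when the form is submitted.
The script looks like this:
<script type="text/javascript">
<!--
// Real return URL, stored as decimal character references
var temp = "&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#109;"
+"&#121;&#115;&#105;&#116;&#101;&#46;&#99;&#111;"
+"&#109;&#47;&#114;&#101;&#116;&#117;&#114;&#110;"
+"&#95;&#112;&#97;&#103;&#101;&#46;&#104;&#116;"
+"&#109;&#108;"
;
// Character references are not decoded inside <script>, so decode them here
function decode(s) {
  return s.replace(/&#(\d+);/g, function (m, code) {
    return String.fromCharCode(code);
  });
}
// "return" is a reserved word, so the field is accessed by name
function checkForm(theForm) { theForm.elements["return"].value = decode(temp); }
//-->
</script>

The awkward-looking string assigned to temp contains the real return URL in encoded form.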

But how do you create the code for YOUR URL?!

OK, use the form below.

Cloaking-script Generating Form

Enter the Return-URL you’d like to encode:

Enter your PayPal ‘business’ email to encode:

Then copy the code from the box below and paste it into your page between the <head> and </head> tags.


 

by Michel Komarov, © Copyright 2006. iCoder.com


2 Responses to “How to hide the Return URL of your order form”

  1. npredford Says:

    Hi Michel,

    Can the email address be also encoded to prevent harvesting using your script?

    “Protect your email address placed at a web-page”

    This is a serious problem for PayPal shopping cart buttons which cannot be encrypted.

    Nancy

  2. michel Says:

    Hi Nancy,

    I’ve added a feature to encode PayPal emails also.
    Please enter your Return URL and PayPal email
    in the Generating form above and click the “Encode” button.

    I hope this helps.

    Michel
