Thyon, its been a while since I did it, but I've incorporated a paypal system into a site I made, but I've used "_xclick"
Code:
<input type=\"hidden\" name=\"cmd\" value=\"_xclick\">
whereas yours uses "_s-xclick"
Code:
<input type="hidden" name="cmd" value="_s-xclick">
I'm not sure of the difference.
However in mine I also pass two extra parameters, which I think you may also need.
Code:
<input type=\"hidden\" name=\"return\" value=\"" . $websitebase . $ppreturn . "\">
<input type=\"hidden\" name=\"cancel_return\" value=\"" . $websitebase . $ppabort . "\">
One is the absolute url of the return page (visible on paypal after successful completion), the other is the url of a cancel return page (visible on paypal before successful completion).
Try adding
<input type="hidden" name="return" value="http://www.thyon.com/donations-thanks.html">
<input type="hidden" name="cancel_return" value="http://www.thyon.com/was-there-a-problem.html">
and this may solve the referer.
You may also need
<input type="hidden" name="rm" value="1">
before the above, I can't remember what this was, but maybe it turns on "return method" or somesuch.
My whole code is below, but its dynamic so the value won't apply, but it shows what I pass to paypal
Code:
//PAYPAL MISCELLANEOUS PAYMENT BUTTON TO ALLOW PAYER INPUT (amount/name is omitted)
$paypalmiscbutton = "
<div id=\"paypalbutton\" class=\"paypalbutton\">
<form action=\"https://www.paypal.com/cgi-bin/webscr\" method=\"post\">
<input type=\"hidden\" name=\"cmd\" value=\"_xclick\">
<input type=\"hidden\" name=\"business\" value=\"".$ppaccountemail."\">
<input type=\"hidden\" name=\"button_subtype\" value=\"services\">
<input type=\"hidden\" name=\"lc\" value=\"NZ\">
<input type=\"hidden\" name=\"currency_code\" value=\"".$ppcurrency."\">
<input type=\"hidden\" name=\"charset\" value=\"utf-8\">
<input type=\"hidden\" name=\"rm\" value=\"1\">
<input type=\"hidden\" name=\"return\" value=\"" . $websitebase . $ppreturn . "\">
<input type=\"hidden\" name=\"cancel_return\" value=\"" . $websitebase . $ppabort . "\">
<input type=\"hidden\" name=\"custom\" value=\"" . $NZQAnumberstring . $JAnumberstring . "\">
<input type=\"hidden\" name=\"item_number\" value=\"NZQAID-" . $roundednzqaid . "-MISC\">
<input type=\"hidden\" name=\"item_name\" value=\"".$paypalmiscbuttonitemname."\">
<input type=\"hidden\" name=\"tax_rate\" value=\"".$paypalmiscbuttontaxrate."\">
<input type=\"hidden\" name=\"bn\" value=\"PP-BuyNowBF:btn_paynowCC_LG.gif:NonHostedGuest\">
<input type=\"image\" name=\"submit\" border=\"0\" src=\"https://www.paypal.com/en_US/i/btn/btn_paynowCC_LG.gif\" alt=\"PayPal - The safer, easier way to pay online\"> <img alt=\"\" border=\"0\" width=\"1\" height=\"1\" src=\"https://www.paypal.com/en_US/i/scr/pixel.gif\" >
</form>
</div>
</div>
";
I think the whole https://wiki.mozilla.org/Security:Renegotiation thing is not associated with your referer thing, but it does imply paypal haven't got their shit together and upgraded their servers to circumvent a potential Man-in-the-middle attack.
A very lucrative testing method you've invented :D
Bookmarks