I have a single product, a file that is dynamically created, and I need PayPal to return the customer to the address of the file after payment is done. A simple Buy Now button is elegant, but if I put

<input type="hidden" name="return" value="http://www.mysite.com/x727x7e.dat">

into the button's code, the browser's simple Page - View Source can reveal the file address before the payment.

Here is a sample of button code:

<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="return" value="http://www.mysite.com/x727x7e.dat">
<input type="hidden" name="cancel_return" value="http://www.mysite.com/nothanx.html">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="1111111111">
<input type="image" src="https://www.paypal.com/en_AU/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online.">
<img alt="" border="0" src="https://www.paypal.com/en_AU/i/scr/pixel.gif" width="1" height="1"></form>

I assume the right way would be to use the PayPal API and to generate the file after the transaction has been successful, but since I am a noob to PayPal, I was wondering: can this be solved in an elegant way?

Can I make an (ASP.NET C#) button that makes a POST with these parameters to PayPal, so that the return URL is not visible to the customer?

A: 

Yes, create a hidden input named return and insert your return address. You can also set a hidden input named cancel_return and insert a cancel-return address that is used if the user tries to cancel the transaction. Finally you may add one named notify_url that will receive a POST asynchronously after the purchase. The return address will also receive a POST but only if the user clicks to return.

EDIT:

I just noticed you want to hide the address. One, as I mentioned, the payment information is posted to that address, and it includes a validation code with which you can ask PayPal whether the payment is valid. So this means it's not vital to keep the address secret (besides, after one payment a user could see where he went to anyway).

Two, you may register an SSL key with PayPal and then encrypt your fields with it. Please see their documentation on how to do this.

The worst that a user can do is complete an erroneous payment through PayPal -- they'd still be charged money but would have to, with a straight face, claim that your website said it (whatever you are selling) was only $0.01 USD instead of $10.00 USD.

That may or may not be a concern depending on what you are selling.

Adam Luter
Can you explain the last two sentences? How does that depend on the type of product? Thanks.
Ivan
Well, if you are selling a service, then you don't really care if they mess with the form, because they'd only be shooting themselves in the foot. You'd receive a valid payment from PayPal but for the wrong amount. They'd call and complain, and you'd just refund the amount and they'd try again (this time being a good customer). If you are selling something where the price changes frequently, you may want to protect the form by encrypting it so that you can trust that the amount they paid was what you offered. It's really just about how paranoid you are about your customers.
Adam Luter
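An added example, not code from the question or the answer: once the message posted to notify_url has been confirmed as genuine with PayPal, the server can compare the paid amount with the offered price and hand out a short-lived signed download link instead of a fixed file address. The class and method names, the constants and the /download path are hypothetical, the field names are standard PayPal IPN variables, and .NET 5 or later is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class PaidDownload
{
    // Assumed values for this sketch; none of them come from the original post.
    const string ExpectedReceiver = "seller@example.com";
    const decimal ExpectedAmount = 10.00m;
    const string ExpectedCurrency = "USD";
    static readonly byte[] LinkKey = Encoding.UTF8.GetBytes("replace-with-a-random-server-side-secret");

    // Call only after PayPal has confirmed that the posted message is genuine.
    // Returns null when the payment does not match what was offered.
    public static string IssueLink(IDictionary<string, string> ipn, ISet<string> seenTxnIds, DateTimeOffset now)
    {
        string Get(string k) => ipn.TryGetValue(k, out var v) ? v : "";
        if (Get("payment_status") != "Completed") return null;
        if (!string.Equals(Get("receiver_email"), ExpectedReceiver, StringComparison.OrdinalIgnoreCase)) return null;
        if (Get("mc_currency") != ExpectedCurrency) return null;
        if (!decimal.TryParse(Get("mc_gross"), NumberStyles.Number, CultureInfo.InvariantCulture, out var gross)
            || gross != ExpectedAmount) return null;               // the $0.01-instead-of-$10.00 case
        string txn = Get("txn_id");
        if (txn.Length == 0 || !seenTxnIds.Add(txn)) return null;  // missing or already-used transaction
        long expires = now.AddMinutes(30).ToUnixTimeSeconds();
        return $"/download?txn={Uri.EscapeDataString(txn)}&exp={expires}&sig={Sign(txn, expires)}";
    }

    // The download handler calls this before streaming the file.
    public static bool CheckLink(string txn, long expires, string sig, DateTimeOffset now)
    {
        if (now.ToUnixTimeSeconds() > expires) return false;       // link has expired
        byte[] expected = Encoding.ASCII.GetBytes(Sign(txn, expires));
        byte[] given = Encoding.ASCII.GetBytes(sig ?? "");
        return CryptographicOperations.FixedTimeEquals(expected, given); // constant-time compare
    }

    // HMAC-SHA256 over the transaction id and expiry, hex-encoded.
    static string Sign(string txn, long expires)
    {
        using var mac = new HMACSHA256(LinkKey);
        return Convert.ToHexString(mac.ComputeHash(Encoding.UTF8.GetBytes($"{txn}|{expires}")));
    }
}
```

The set of seen transaction ids has to live in persistent storage in a real deployment, so that a replayed notification is still rejected after a restart.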