Sending information in a URL by using & and ? certainly works - but it is not very secure! If you have your ASP code POST instead, you help prevent hackers from affecting your code.
For example, this is very important when creating PayPal buttons. Yes, if you have just one button you can use the PayPal button factory to create a completely secure (coded) button. However, often when you're using ASP it's because you're creating dynamic pages. You can't pre-code all of your buttons ahead of time in the button factory.
The solution is to use a combination of cookies and a form post. First, you need to get all of the necessary information from your order page to your processing page. On the page where the "buy" button is located, store all important information - the price, item code, etc. - into cookies. Have the buy button point to YOUR process.asp page, where you will create the necessary links to go to PayPal. That way your end user can't hit "view source" and see exactly what information you're giving PayPal.
Now, in your process.asp, you're going to have code that looks like this:
DestURL = "http://www.paypal.com/etc."
SendString = "NOTE-PAYPAL-VARS-GO-HERE"
set xmlhttp = CreateObject("MSXML2.ServerXMLHTTP")
xmlhttp.open "POST", url, false
xmlhttp.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
set xmlhttp = nothing
The DestURL is set to whatever you normally have your PayPal form submit to. PayPal will tell you that value. The SendString will need to be a string that contains the variables to pass along to PayPal. This will look something like this:
SendString="cmd=_xclick&no_shipping=1&amount=" & Price & _
"&item_number=" & ItemNo & _
"&business=" & PayPalAcct & _
and so on. Everything that you normally would have supplied in your PayPal form, simply include it appropriately in this send string. You get the values for Price, ItemNo etc. from the cookies you set on the previous page.
The beauty of this is that the end user never sees any of those values. That way they can't hack into your system by knowing the return page code, and just going there directly. With everything hidden from view, you help to make your PayPal transaction - or any transaction that uses forms to pass information - more secure.