I thought I would pass along what we learned about integrating DNN with PayPal.
The <form> tag required by PayPal to link to its shopping cart was indeed the problem. We initially solved the problem by using an alternative GET (query string) approach that PayPal recommended. However, since this solution left sensitive information exposed as a query string, we ultimately decided it wouldn't work for us.
After trying several possible solutions, we finally settled on the DNN module XMod. This module creates summary/detail views that work well for our product list and product detail views. Plus, it contains an <xmod:button> tag that can be used to pass POST data in the same manner as a <form>. It provides a very nice interface between DNN and PayPal.
We discovered another potential problem using POST data, however. Although sensitive information isn't quite as exposed as it is when passed as a query string, it is still very simple for any knowledgeable user to get to the data in their browser. PayPal provides a fairly straightforward encryption mechanism to protect against this risk. Essentially, the sensitive product data is encrypted when the page is designed. If a user accesses the sensitive data in their browser, they only see the encrypted text. The encryption is based on public-key technology, and it appears strong enough for normal e-commerce applications. Since the encryption is done at design time, it places no additional load on DNN or XMod.
Hopefully, this will help the next people who need to integrate DNN with PayPal. It's a bit of a process, but worth it. Good luck!
Liza Veeneman
Foresight Systems
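
The design-time encryption described in the post, sketched as an added example that is not part of the original post or of PayPal's or XMod's code. It assumes the mechanism is a PKCS#7 sign-then-encrypt of the button fields (the shape used by PayPal's Encrypted Website Payments); the certificates, field values, function names and the AES-256 cipher choice are constructed for illustration, and the "processor" certificate stands in for PayPal's public certificate.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Keys, certs and field values are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed throwaway certificate; "processor" stands in for PayPal's public cert.
make_cert() {  # $1 = name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Constructed button fields: the data a visitor could otherwise read in the page source.
sample_fields() {
  printf '%s\n' 'cmd=_xclick' 'business=merchant@example.com' \
    'item_name=Widget' 'amount=19.95' 'currency_code=USD'
}

# Design time: sign with the merchant key, then encrypt to the processor's certificate.
encrypt_button() {  # stdin: name=value lines, stdout: PEM PKCS#7 blob
  openssl smime -sign -signer "$WORK/merchant.crt" -inkey "$WORK/merchant.key" \
      -outform der -nodetach -binary \
  | openssl smime -encrypt -aes256 -binary -outform pem "$WORK/processor.crt"
}

# Processor side: decrypt with its private key, then check the merchant's signature.
decrypt_button() {  # stdin: PEM blob, stdout: original fields (fails if altered)
  openssl smime -decrypt -binary -inform pem \
      -recip "$WORK/processor.crt" -inkey "$WORK/processor.key" \
  | openssl smime -verify -binary -inform der -noverify -nointern \
      -certfile "$WORK/merchant.crt" 2>/dev/null
}

make_cert merchant
make_cert processor
blob=$(sample_fields | encrypt_button)
printf '%s\n' "${blob%%$'\n'*}"          # first line of what the browser sees
printf '%s\n' "$blob" | decrypt_button   # what the processor recovers
```

Only the PEM blob is placed in the page, so a visitor viewing the source sees opaque text, and a blob that has been altered fails decryption or signature verification on the receiving side.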