I'm using some payment gateway with PHP, and in their documentation:
<form accept-charset="UTF-8" action="https://api.linkToPaymentGateway.com/v1/payments.html" method="POST">
<input type="hidden" name="description" value="Order id 1234 by guest" />
<input type="hidden" name="amount" value="10000" />
<!--
and some input's for the card information with type="text"
-->
<button type="submit">Purchase</button>
</form>
My questions:
How do I protect the amount field and the description?
Should I change the action and use cURL to call the API instead?
Thank you.
EDIT:
Here is the link to the docs: https://moyasar.com/docs/payments/create-payment/mpf/
You can't trust the hidden amount input from the FORM. Anyone with some knowledge of HTML and dev tools can easily change it to any amount.
There might be many workarounds to solve this, like:
You should send the form data to your server, calculate the amount again there and call the gateway APIs.
Only trust the user here if your API gateway has a callback option. In the callback you can check the amount charged and make sure that the amount is correct before updating the order.
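As an added example (not code from the question, the answer or Moyasar's documentation) of the two points above, the browser submits only item ids and quantities, the server prices them from its own catalogue, and the gateway callback is reconciled against the stored order. The catalogue, the in-memory order store, the currency (SAR, amounts in the smallest unit) and the settle() callback shape are all assumptions standing in for a real database and the real callback parameters:

```php
<?php
// Added example: the server, not the browser, decides the amount.
// Catalogue, order store, currency and callback shape are constructed stand-ins.
declare(strict_types=1);

// Constructed catalogue: prices in the smallest currency unit (assumed SAR halalas).
const CATALOGUE = [
    'sku-101' => ['name' => 'Desktop PC', 'price' => 79000],
    'sku-202' => ['name' => 'USB cable',  'price' =>   450],
];

/** Turn the untrusted cart (sku => quantity) into a trusted total. */
function priceCart(array $cart): int
{
    $total = 0;
    foreach ($cart as $sku => $qty) {
        if (!isset(CATALOGUE[$sku])) {
            throw new InvalidArgumentException("unknown item: $sku");
        }
        // Form values arrive as strings; accept only whole numbers in a sane range.
        $n = filter_var($qty, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => 100]]);
        if ($n === false) {
            throw new InvalidArgumentException("bad quantity for $sku");
        }
        $total += CATALOGUE[$sku]['price'] * $n;
    }
    if ($total <= 0) {
        throw new InvalidArgumentException('empty cart');
    }
    return $total;
}

/** In-memory order store standing in for a database table. */
final class OrderStore
{
    private array $orders = [];

    public function create(array $cart): string
    {
        $id = bin2hex(random_bytes(8));
        $this->orders[$id] = ['amount' => priceCart($cart), 'status' => 'pending'];
        return $id;
    }

    public function get(string $id): ?array
    {
        return $this->orders[$id] ?? null;
    }

    /**
     * Called from the gateway callback. What the gateway says it charged is
     * compared with what we stored, never with anything from the browser.
     */
    public function settle(string $id, int $chargedAmount, string $currency): string
    {
        $order = $this->orders[$id] ?? null;
        if ($order === null) {
            return 'unknown-order';
        }
        if ($order['status'] !== 'pending') {
            return 'already-' . $order['status'];   // replayed or duplicated callback
        }
        if ($currency !== 'SAR' || $chargedAmount !== $order['amount']) {
            $this->orders[$id]['status'] = 'mismatch';
            return 'mismatch';
        }
        $this->orders[$id]['status'] = 'paid';
        return 'paid';
    }
}

// Usage: the browser sent only ids and quantities (constructed here) ...
$store = new OrderStore();
$orderId = $store->create(['sku-101' => '1', 'sku-202' => '2']);

// ... and the server renders the hidden fields with its own total.
$fields = [
    'description' => "Order id $orderId by guest",
    'amount'      => (string) $store->get($orderId)['amount'],   // "79900"
];
foreach ($fields as $name => $value) {
    printf('<input type="hidden" name="%s" value="%s" />' . "\n",
        htmlspecialchars($name, ENT_QUOTES), htmlspecialchars($value, ENT_QUOTES));
}

// Later the gateway callback reports what was actually charged.
echo $store->settle($orderId, 79900, 'SAR'), "\n";   // paid
echo $store->settle($orderId, 79900, 'SAR'), "\n";   // already-paid
echo $store->settle($orderId, 100, 'SAR'), "\n";     // unknown status stays, returns already-paid
```

The hidden amount still travels through the browser, but it is only a display copy: the order is marked paid solely when the callback's amount and currency match the server-side record, and a second callback for the same order changes nothing.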
First of all, I am a complete beginner when it comes to backend development.
I'm currently creating a webshop and have the whole thing hosted using Netlify.
The HTML code I am using for the webshop is (currently) static.
I am looking for a way to do payment processing for products.
I came across the following code on the internet (Source):
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="upload" value="1" />
<input type="hidden" name="business" value="your-paypal#adress.com" />
<input type="hidden" name="currency_code" value="EUR" />
<input type="hidden" name="item_name_1" value="Desktop PC" />
<input type="hidden" name="amount_1" value="79.00" />
<input type="submit" value="PayPal" />
</form>
When clicking on the submit button, the buyer will be redirected to a PayPal page and pay the specified amount there (the 79.00€). But since the sum can be changed on the client side, the user can adjust it to any sum.
How can I specify the amount of money without the client being able to change it?
I have already tried something with PHP, however it seems that PHP does not work on Netlify.
I have also already added readonly to the responsible input tag. However, I can still change the sum.
So is there any way to set the money amount so that the client can't change it?
Or are there already completely different ways to set up payment forwarding for PayPal these days?
For the client not to be able to change the amount you need a server-side integration, plain and simple.
Create two routes, one for 'Create Order' and one for 'Capture Order', documented here. These routes should return JSON data.
Pair your two routes with the following approval flow: https://developer.paypal.com/demo/checkout/#/pattern/server
Edit: There is also a much older and simpler solution, though it doesn't give a modern checkout experience: you could create a hosted 'Buy Now' or 'Add to Cart' button via https://www.paypal.com/buttons . The generated <form> code will have a "hosted_button_id", and its amount is stored at PayPal. This way the buyer can't change it.
I have a service based company and a website entirely created with Dreamweaver. It does not have a cart and no service we sell is exactly the same price so it would not make sense to include one.
My bank provided me with a payment gateway to automate payments and allow clients to select their own currency but it is built for a website with a cart or a database.
So I am trying to find a solution which:
1 - allows me to ask for the clients details
2 - asks the client to confirm the amount they are due to pay (which needs to be between 0 and 10000 euros, no dots, commas or spaces allowed and 2 decimals included)
3 - confirms their name and the amount filled in the form on a separate page (their terminal does not show the amount to be paid so I want to confirm this to the client)
4 - sends the correct information to the payment terminal
5 - returns to our website to confirm the payment has gone through
6 - sends me an email with all the information filled in by the client and that the payment has been approved.
Here is the code provided by the bank
<form action="https://hpp.prueba.santanderelavontpvvirtual.es/pay" method="POST">
<input type="hidden" name="MERCHANT_ID" value="<?=$merchantid?>">
<input type="hidden" name="ORDER_ID" value="<?=$orderid?>">
<input type="hidden" name="ACCOUNT" value="<?=$account?>">
<input type="hidden" name="CURRENCY" value="<?=$curr?>">
<input type="hidden" name="AMOUNT" value="<?=$amount?>">
<input type="hidden" name="TIMESTAMP" value="<?=$timestamp?>">
<input type="hidden" name="DCC_ENABLE" value="1">
<input type="hidden" name="SHA1HASH" value="<?=$sha1hash?>">
<input type="hidden" name="HPP_LANG" value="EN">
<input type="hidden" name="AUTO_SETTLE_FLAG" value="1">
<input type="hidden" name="MERCHANT_RESPONSE_URL" value="tpv-mailer.php">
<input type="Submit" value="Pay by credit card on a Secure Website">
</form>
I am new to php, the documentation the bank sent me is not clear at all so I have been stuck on this issue for a while.
I have the form requesting data from the client through POST working and the payment system works (although it only charges the same amount), but I cannot seem to find the code to pass the $amount filled in by the client to the bank gateway without breaking the hash.
I was thinking maybe of sending this information by url or creating a session. Does anyone have experience with this and can help me?
Thank you so much in advance!
This is how I would go about it:
Start from scratch with your own multi-step form (since you want to confirm their name and amount).
POST the form to a PHP script via jQuery AJAX.
In your PHP script validate every single field. Remember that the client can send anything, so you want to make sure they wrote an actual amount for example.
Prepare the POST request that you'll be sending to your bank's API endpoint from your PHP script. Use the fields the user submitted (after validating them) and generate any others that you might need, for example the timestamp and return URL.
Send this POST request to your bank.
Read their response.
Process their response, e.g. send back a JSON to your jQuery AJAX function with information on what to do next, such as which page to redirect to. This is where you can also configure PHP to send you that notification email.
You don't have to use AJAX but by doing it this way you can show a nice "Processing..." view to your client if you so desired.
You'll need to fully understand all the parameters that your bank is requesting, for example where the $sha1hash is coming from. If they have poor documentation then there are always alternatives such as:
PayPal: https://developer.paypal.com/docs/api/
Stripe: https://stripe.com/docs/api
That said, if you're running the company and are new to PHP as you've mentioned, you might want to consider hiring a professional to do it for you. It's worth the investment.
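The validate-then-build steps of that procedure, as an added example that is neither the bank's code nor the poster's: the amount typed by the client is accepted only in the format the question states (an integer string of cents, no dots, commas or spaces, above 0 and at most 10000.00 EUR), and every gateway field is assembled on the server. The SHA1HASH value is a labelled stand-in computed with hash_hmac over the fields, not the bank's documented recipe (which this page does not give); MERCHANT_PLACEHOLDER and the shared secret are placeholders:

```php
<?php
// Added example: server-side validation and request building for a hosted
// payment page. The signature scheme is a stand-in for the bank's own.
declare(strict_types=1);

/**
 * Accepts the format from the question: digits only, cents, greater than 0
 * and at most 10000.00 EUR (1000000 cents). Returns the cents or null.
 */
function parseAmountCents(string $raw): ?int
{
    $raw = trim($raw);
    if (!ctype_digit($raw) || strlen($raw) > 7) {
        return null;                  // "12,50", "12.50", "", "1e3" all fail here
    }
    $cents = (int) $raw;
    return ($cents >= 1 && $cents <= 1000000) ? $cents : null;
}

/** Stand-in signature over the fields that fix the payment (NOT the bank's algorithm). */
function signFields(array $f, string $secret): string
{
    $toSign = implode('.', [$f['TIMESTAMP'], $f['MERCHANT_ID'], $f['ORDER_ID'],
                            $f['AMOUNT'], $f['CURRENCY']]);
    return hash_hmac('sha256', $toSign, $secret);
}

/** Builds the gateway fields; only validated, server-chosen values go in. */
function buildGatewayRequest(array $config, int $cents, string $secret): array
{
    $fields = [
        'MERCHANT_ID' => $config['merchant_id'],
        'ORDER_ID'    => bin2hex(random_bytes(8)),   // issued here, not by the client
        'ACCOUNT'     => $config['account'],
        'CURRENCY'    => 'EUR',
        'AMOUNT'      => (string) $cents,
        'TIMESTAMP'   => gmdate('YmdHis'),
    ];
    $fields['SHA1HASH'] = signFields($fields, $secret);
    return $fields;
}

/** Checks the signature on what comes back to MERCHANT_RESPONSE_URL (same stand-in scheme). */
function verifyGatewayResponse(array $resp, string $secret): bool
{
    foreach (['TIMESTAMP', 'MERCHANT_ID', 'ORDER_ID', 'AMOUNT', 'CURRENCY', 'SHA1HASH'] as $k) {
        if (!isset($resp[$k]) || !is_string($resp[$k])) {
            return false;
        }
    }
    // Constant-time comparison so the check does not leak which prefix matched.
    return hash_equals(signFields($resp, $secret), $resp['SHA1HASH']);
}

// Usage with constructed inputs and placeholder credentials.
$config = ['merchant_id' => 'MERCHANT_PLACEHOLDER', 'account' => 'internet'];
$secret = 'SHARED_SECRET_PLACEHOLDER';

foreach (['12345', '12.50', '0', '1000001', ' 999 '] as $input) {
    $cents = parseAmountCents($input);
    printf("%-10s -> %s\n", var_export($input, true), $cents === null ? 'rejected' : "$cents cents");
}

$fields = buildGatewayRequest($config, parseAmountCents('12345'), $secret);
foreach ($fields as $name => $value) {
    printf('<input type="hidden" name="%s" value="%s">' . "\n",
        htmlspecialchars($name, ENT_QUOTES), htmlspecialchars($value, ENT_QUOTES));
}

// A tampered copy of the fields no longer verifies.
$tampered = $fields;
$tampered['AMOUNT'] = '1';
var_dump(verifyGatewayResponse($fields, $secret));    // bool(true)
var_dump(verifyGatewayResponse($tampered, $secret));  // bool(false)
```

Because the amount, order id and timestamp are all chosen on the server and then signed, editing the hidden AMOUNT input in the browser produces a form the gateway will reject as having a wrong hash; the client's typed amount only enters the process after parseAmountCents() has accepted it.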
After spending all day and trying to learn about PHP I found the solution to my problem. As I could not find any documentation online answering this question, I would like to share it if anyone needs it one day:
First you need to create a 3-step PHP form:
The first page is a standard form which asks information from my client, filters it and cleans it up.
It redirects to the second page, which acts as a mailer and collects the info. In the header, it sends the information collected to me by email, then it calls the payment gateway. In the body, it sums up the information previously sent and gives the client a link to the gateway.
The third page is the gateway response. It lets the client know of any error or thanks them for the booking and resends me an email with the booking confirmation.
The piece of code I needed was:
Page 1: ask for the amount due which is saved as $charge
On page 2:
in header:
$amount=$_REQUEST['charge'];
in body - to show the amount to be paid:
<?php
$FIRSTNAME=$_REQUEST['firstname'];
$LASTNAME=$_REQUEST['lastname'];
$CHARGE=$_REQUEST['charge'];
echo <<<TEXT
<h3 style="text-align:left;padding-left:1em">Hello, $FIRSTNAME $LASTNAME, balance is $amount euros</h3>
TEXT;
?>
The payment platform seems to be working and the amount is now decided by the client without access to a database.
I am building a page with some items that I am going to sell through PayPal. First I made generic buttons with fixed prices; after clicking, you are redirected to the PayPal page with your values, like this:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top" class="payPalBtn">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="test#gmail.com">
<input type="hidden" name="item_name" value="test">
<input type="hidden" name="button_subtype" value="services">
<input type="hidden" name="no_note" value="0">
<input type="hidden" name="amount" value="10.00">
<input type="hidden" name="bn" value="PP-BuyNowBF:btn_buynowCC_LG.gif:NonHostedGuest">
<input type="image" src="https://www.paypalobjects.com/he_IL/IL/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="">
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
But this is too dangerous because the client can change the amount value... and it can cause some problems. So I chose to use their API. This means, on the server side, sending some values like price, amount... and getting back a token id. After that I send this again with some data, and in the end the payment is transferred and everything is closed. One of the parameters is $PayPalReturnURL: this is the page the user is redirected to after a successful result.
Now, after I did that and verified that the payment passed, I want to start a private program that does some private function (each time I run it, it costs me money) that should be done only once, after the payment passed. The page I redirect to is, for example, payment.php, and there I simply start my function.
The question is: how can I be sure that the user won't go straight to that PHP address and automatically start this function? What are my options to guarantee that this function will run only once, after PayPal redirects to me?
You are making it complex. Here is how I did PayPal integration.
Along with the input price, send the transaction number in a hidden field as below.
<input type="hidden" name="amount" value="10.00">
<input type="hidden" name="tx_id" value="1234">
Before generating this form, insert a database record with the status of the transaction as pending, as below.
tx_id = 1234
amount = 10.00
tx_status = 0 // pending
When the transaction is complete PayPal will return the amount, your tx_id and the status of the transaction. Using a SELECT query you can check whether the returned amount is the same as the amount in the database table.
SELECT amount FROM table_name WHERE tx_id = 1234
Then, if it's correct, change the tx_status to paid. Else mark it as fraud.
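The pending-record pattern from this answer, as an added example (not the answer's own code) with a real table. It uses an in-memory SQLite database through PDO (the pdo_sqlite extension and PHP 7.4+ are assumed), issues an unguessable tx_id instead of "1234", and compares amounts as cents rather than as floats; the returned-amount parameter is passed in directly because the page does not spell out PayPal's notification field names:

```php
<?php
// Added example: pending -> paid/fraud transaction records with PDO + SQLite.
// Table layout, status codes and the sample values are constructed.
declare(strict_types=1);

const TX_PENDING = 0;
const TX_PAID    = 1;
const TX_FRAUD   = 2;

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE transactions (
    tx_id     TEXT PRIMARY KEY,
    amount    TEXT NOT NULL,       -- decimal string such as "10.00", never a float
    tx_status INTEGER NOT NULL     -- 0 pending, 1 paid, 2 fraud
)');

/** "10.00" -> 1000; null for anything that is not a plain decimal amount. */
function toCents(string $s): ?int
{
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $s)) {
        return null;
    }
    [$whole, $frac] = array_pad(explode('.', $s, 2), 2, '0');
    return (int) $whole * 100 + (int) str_pad($frac, 2, '0');
}

/** Step 1: before rendering the form, record the expected amount as pending. */
function createPendingTransaction(PDO $db, string $amount): string
{
    $txId = bin2hex(random_bytes(8));
    $stmt = $db->prepare('INSERT INTO transactions (tx_id, amount, tx_status) VALUES (?, ?, ?)');
    $stmt->execute([$txId, $amount, TX_PENDING]);
    return $txId;
}

/** Step 2: the hidden fields, now carrying the server-issued tx_id. */
function renderHiddenFields(string $txId, string $amount): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES);
    return sprintf('<input type="hidden" name="amount" value="%s">' . "\n"
                 . '<input type="hidden" name="tx_id" value="%s">' . "\n", $h($amount), $h($txId));
}

/**
 * Step 3: when PayPal reports the result, compare what it charged with what we
 * stored. Only a pending row can move, so a repeated notification changes nothing.
 */
function reconcile(PDO $db, string $txId, string $paidAmount): string
{
    $stmt = $db->prepare('SELECT amount, tx_status FROM transactions WHERE tx_id = ?');
    $stmt->execute([$txId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'unknown';
    }
    if ((int) $row['tx_status'] !== TX_PENDING) {
        return 'already-processed';
    }
    $got = toCents($paidAmount);
    $status = ($got !== null && $got === toCents($row['amount'])) ? TX_PAID : TX_FRAUD;
    // The WHERE clause on tx_status makes the update safe against two
    // notifications racing each other: only one of them can win.
    $upd = $db->prepare('UPDATE transactions SET tx_status = ? WHERE tx_id = ? AND tx_status = ?');
    $upd->execute([$status, $txId, TX_PENDING]);
    return $status === TX_PAID ? 'paid' : 'fraud';
}

// Usage with constructed values.
$txId = createPendingTransaction($db, '10.00');
echo renderHiddenFields($txId, '10.00');
echo reconcile($db, $txId, '10.00'), "\n";   // paid
echo reconcile($db, $txId, '10.00'), "\n";   // already-processed

$other = createPendingTransaction($db, '10.00');
echo reconcile($db, $other, '1.00'), "\n";   // fraud (client edited the hidden amount)
echo reconcile($db, 'no-such-id', '10.00'), "\n";   // unknown
```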
To protect your button you could either setup a hosted button through Payments Standard or you could integrate the Express Checkout API if you're familiar with using web services.
As for the automated post-order processing you won't want to do that on your return URL. There is no guarantee that page will get hit even with Auto-Return enabled in your PayPal account. If the buyer closes their browser before that redirect happens your code will never run and your automation will not work correctly.
To avoid this, and to protect from people going directly to your return URL, you can utilize Instant Payment Notification. This will be triggered with every payment regardless of whether the user makes it back to your site or not, and you can verify the data with PayPal to ensure it actually came from them so people can't try to be sneaky with your IPN script.
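An IPN listener in the shape this answer describes, as an added example that is neither PayPal's sample listener nor the asker's code. The postback to https://ipnpb.paypal.com/cgi-bin/webscr with cmd=_notify-validate prepended, and the VERIFIED / INVALID reply, are PayPal's documented IPN protocol; the in-memory set of seen txn_id values, the expected-amount lookup, the receiver e-mail and the message itself are constructed stand-ins for a database and a real notification. In production the handler would be invoked from notify_url and read $_POST; the $postback parameter exists so the verification step can be stubbed when running this offline:

```php
<?php
// Added example: verify an IPN message with PayPal, then fulfil exactly once.
// Seen-transaction store, order lookup and sample message are constructed.
declare(strict_types=1);

const IPN_POSTBACK_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';

/** Sends the unaltered message back to PayPal with cmd=_notify-validate prepended. */
function paypalPostback(array $msg): string
{
    $body = 'cmd=_notify-validate&' . http_build_query($msg);
    $ch = curl_init(IPN_POSTBACK_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // leave TLS verification on for a payment path
        CURLOPT_HTTPHEADER     => ['User-Agent: PHP-IPN-Listener'],
    ]);
    $reply = curl_exec($ch);
    curl_close($ch);
    return is_string($reply) ? trim($reply) : 'INVALID';
}

/**
 * Decides what to do with one IPN message. $expectedAmountFor maps our order
 * reference (sent in the "custom" field) to the amount and currency we stored.
 */
function handleIpn(array $msg, array &$seenTxn, callable $expectedAmountFor,
                   string $receiverEmail, callable $postback = 'paypalPostback'): string
{
    if ($postback($msg) !== 'VERIFIED') {
        return 'reject: not from PayPal';         // forged or replayed-to-us message
    }
    if (($msg['payment_status'] ?? '') !== 'Completed') {
        return 'ignore: status ' . ($msg['payment_status'] ?? '?');
    }
    if (strcasecmp($msg['receiver_email'] ?? '', $receiverEmail) !== 0) {
        return 'reject: paid to someone else';
    }
    $txn = $msg['txn_id'] ?? '';
    if ($txn === '' || isset($seenTxn[$txn])) {
        return 'ignore: duplicate txn_id';        // the costly step runs once per payment
    }
    $expected = $expectedAmountFor($msg['custom'] ?? '');
    if ($expected === null
        || $expected['currency'] !== ($msg['mc_currency'] ?? '')
        || $expected['amount'] !== ($msg['mc_gross'] ?? '')) {
        return 'reject: amount or currency mismatch';
    }
    $seenTxn[$txn] = true;                        // record before the side effect
    runPaidOnlyJob($msg['custom'] ?? '');
    return 'fulfilled';
}

/** The expensive one-time function from the question goes here (stub). */
function runPaidOnlyJob(string $orderRef): void
{
}

// Offline usage with a constructed message and a stubbed postback.
$orders = ['inv-42' => ['amount' => '10.00', 'currency' => 'USD']];
$lookup = fn(string $ref): ?array => $orders[$ref] ?? null;
$stubVerified = fn(array $m): string => 'VERIFIED';
$seen = [];

$msg = ['txn_id' => 'TXN-CONSTRUCTED-1', 'payment_status' => 'Completed',
        'receiver_email' => 'seller@example.com', 'mc_gross' => '10.00',
        'mc_currency' => 'USD', 'custom' => 'inv-42'];
echo handleIpn($msg, $seen, $lookup, 'seller@example.com', $stubVerified), "\n"; // fulfilled
echo handleIpn($msg, $seen, $lookup, 'seller@example.com', $stubVerified), "\n"; // ignore: duplicate txn_id

$msg['txn_id'] = 'TXN-CONSTRUCTED-2';
$msg['mc_gross'] = '1.00';
echo handleIpn($msg, $seen, $lookup, 'seller@example.com', $stubVerified), "\n"; // reject: amount or currency mismatch
```

Nothing here runs from the return URL: the job is triggered only by a message PayPal has confirmed as its own, with the right status, payee and amount, and the txn_id record makes a second delivery of the same notification a no-op.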
I have this code on my Website:
<form method="post" action="process.php">
<input type="hidden" name="itemname" value="1" />
<input type="hidden" name="itemnumber" value="2" />
<input type="hidden" name="itemQty" value="1" />
<input type="hidden" name="itemprice" value="17" />
</form>
This code, sends a POST to process.php, which opens a paypal class to make the payment.
All works great, but I have a very big problem. The point is, if I edit any value with FireBug, let's say for example "itemprice", anyone can change the default value and replace the itemprice with any other quantity at the moment of processing the payment.
How could I fix this? Any ideas?
Thanks.
Encryption is the only way to thwart this, there's nothing you can do client side. You could try to add some verification server side or use the _SESSION, but those are your only options.
You could use the PayPal Instant Payment Notification System (IPN). You supply the URL to a script on your website which can handle the payment. It is there somewhere when you login to your PayPal account.
Every time a new payment is made PayPal will send a request to your IPN script with all the details of the payment (item ID, name, price, whatever you want), and you can then verify in the script, using your database, if the prices match for the supplied item IDs.
It is very easy to implement in my opinion and very flexible. It is very well documented too on the PayPal website. It does not take too long to understand it.
You should never rely on the price from the web form. Because the item has its ID, it's perfectly valid to send only the ID and required quantity to the process.php. This, in turn, should fetch the prices straight from the source (database, config...), not from the (possibly tampered) web form data.
I have built a product generation and display plugin for the Wordpress CMS and I am now trying to integrate some form of PayPal integration for the checkout process.
I have the cart, the products, the shipping, totals, all that figured out on my end and I was hoping someone could point me in the simplest direction of sending this information to PayPal. I understand some methods of doing this are not that secure and others make you jump through hoops like some sort of show dog. I've been trying to learn how to use cURL and then how to get it to work with PHP - it really seems like a bit of a mess. I do now have cURL working on my WAMP server ... but..
Is there a better way or should I continue to learn cURL?
I can format the data however it needs to be to send off to PayPal and would not mind doing this with JavaScript - this is not a pay-wall and every order is checked for accuracy by a human - so someone messing with the client-side script will not bother me. I also definitely want to send them to PayPal, I want no part of storing/processing their credit card information. It would, however, be nice to have IPN. Can someone point me in the right direction or assure me that I already am headed that way?
Thanks a lot.
This is how I automatically redirect to PayPal with all the form details:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" id="paypal">
<input type="hidden" name="cmd" value="_xclick" />
<input type="hidden" name="cbt" value="Return to example" />
<input type="hidden" name="business" value="email" />
<input type="hidden" name="item_name" value="example Purchase" />
<input type="hidden" name="amount" value="9.99" />
<input type="hidden" name="button_subtype" value="services" />
<input type="hidden" name="no_shipping" value="1" />
<input type="hidden" name="return" value="URL" />
<input type="hidden" name="notify_url" value="URL" />
<input type="hidden" name="cancel_return" value="URL" />
<input type="hidden" name="currency_code" value="USD" />
<input type="hidden" name="image_url" value="" />
<input type="hidden" id="custom" name="custom" value="invoice_id to track" />
<input type="submit" class="btn btn-primary" style="width:100%" alt="PayPal - The safer, easier way to pay online!" />
</form>
For multiple products, you can simply add more products to the form, for example:
<input type="hidden" name="item_name_1" value="Item #1">
<input type="hidden" name="amount_1" value="1.00">
<input type="hidden" name="item_name_2" value="Item #2">
<input type="hidden" name="amount_2" value="2.00">
However, using this method is not all great.
All the data would need to be generated with PHP and inserted into the page, and you would also need to check the transaction when the IPN calls back to ensure it's been paid.
<script type="text/javascript">
function myfunc () {
var frm = document.getElementById("paypal");
frm.submit();
}
window.onload = myfunc;
</script>
You may want to use the new PayPal SDK. They have a good set of sample code, including code for Express Checkout and IPN. Try here:
https://www.x.com/developers/paypal/documentation-tools/paypal-sdk-index
Get the SDK for Express Checkout. At this time, they should be at SDK 98 for PHP. You won't have to worry about cURL; the SDK takes care of all that for you.
A typical call might be something like this:
$setECResponse = $paypalService->SetExpressCheckout($setECReq);
This line of code is modeled after the samples. It's all object oriented. They provide you with classes. In this case there is a request object you fill out; the examples show exactly how to do it, just use the samples as your template.
It sounds like you want to do PayPal Express Checkout; this way you won't have to handle credit cards or anything like that. The user is redirected to the PayPal website and all the financial transactions happen there. The user is redirected back to your site. Then you have a page where the user can review the order and click submit if they approve. When the user clicks submit, you call a PayPal API telling PayPal that the transaction is approved. PayPal then executes the transaction and sends you back a confirmation with a transaction id. You can then call GetTransactionDetails and display the confirmation to the customer. You can additionally put those transaction details into a database.
Here are the APIs you can call for this. These are modeled closely on the sample code they provide:
$paypalService->SetExpressCheckout($setECReq);
Control goes to the PayPal URL, and the user goes through a few pages there. Control returns to you.
Your order review page:
$paypalService->GetExpressCheckoutDetails($getExpressCheckoutReq);
Your order confirmation page:
$paypalService->GetExpressCheckoutDetails($getECReq);
$paypalService->DoExpressCheckoutPayment($DoECReq);
Tells PayPal to do the transaction.
$paypalService->GetTransactionDetails($request);
Here you can put the transaction details into a database. You can also send yourself a mail with all the details; that way you will know whenever a transaction occurs.
IPN can be a bit tricky. There is a sample IPN listener that they provide, which will help. You will need to set up your listener URL on the PayPal website. You will also need to set up an SSL certificate.
The SDKs are fairly new, but PayPal is working on an even newer way to do things, developer.paypal.com. It just came out within the last month or so. You may want to look into that too.