Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
Recently I built a website where the user fills in a form and then goes to a checkout page they then press the pay with paypal button and then are taken to the paypal checkout, Then in the paypal button settings I have them taken the user to a php script where it inserts the info to the server via mysql then instantly taken to a thank you page.
At least that's what I want to happen; the page doesn't seem to do anything and when testing it out I echoed one of the variables and it doesn't show up so I gathered that the cookies aren't remembered or something of the sort, although I don't know why this is happening
I'm simply lost on whats going on and my scripts definitely work as before I didn't connect the button and when clicked it did all the correct orders however when the paypal checkout confirmation directs the user it doesn't seem to work
I have seen a few threads on this however never saw a concrete conclusion however apologies if this has been covered
Appreciate any advice or help immensely and thank anyone in advance,
Cheers
To guarantee your server is notified of when a transaction completes, I recommend using this server-side integration demo as a skeleton:
https://developer.paypal.com/demo/checkout/#/pattern/server
Notice that there is no PayPal transaction created until the line that reads:
fetch('/demo/checkout/api/paypal/order/' + data.orderID + '/capture/'
This would be doing an XHR to a PHP script on your server (at that sample path), which must itself then call the PayPal API to capture the transaction.
This server-side design guarantees that your server will be notified of all completed transactions at capture time, so it can then immediately write the required record to your mysql database.
If instead you used a different type of integration, such as a client-side one, e.g. as shown here: https://developer.paypal.com/demo/checkout/#/pattern/client
Your server would not be guaranteed to be notified of captured transactions, since the capture happens via JS in the client web browser.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions concerning problems with code you've written must describe the specific problem — and include valid code to reproduce it — in the question itself. See SSCCE.org for guidance.
Closed 9 years ago.
Improve this question
I have a shopping cart and want to send an email confirming the order before forwarding the data to the payment system, for example PayPal.
Client put items in shopping cart and when ready I show a confirmation page with all details of the order. There is a button, Go to pay, that make a post to the selected payment system.
But before the post is executed, I would like to update the order data in my MySql table and also send a "Thank-you-for-the-order" email.
My first idea was to post to my server, update the table, send the email and do a curl to the payment system. But then they don't get transferred to the payment system in their browser to complete the payment.
Any suggestions how to solve this?
How you should probably do things
EDIT: Although I'm leaving this section here for now, I did make a false assumption about your process, so perhaps the next section is more beneficial
I have not used online payment systems in any of my own projects, but I just took a look at the PayPal docs to confirm something. The payment process seems to go like this:
Get user order and payment details
Pass payment details to Paypal
Direct the user to the approval URL so that the user can approve the payment
They are redirected to your site by PayPal, with a payment ID
You then confirm the payment by querying PayPal with the payment ID
Most payment systems I've encountered online have had a similar process (from what I can see as an enduser). From what you're saying, it seems like you want to email the user and update your database at step 2, when you have not confirmed that a payment actually took place. I would suggest that instead, you perform the table update and email during step 5.
So wait until whatever payment system you are using has confirmed the order, and update at that point, as part of the same process in which you query PayPal to confirm the order (And you can make sure your actions depend on them having actually paid you!)
How you can do what you're asking to do
Going back to the guts of your question though. If you do want to execute your own server side code while directing them to the external system, I'd suggest you send an Ajax request when they submit the form. This will call the script where you do your work in the background, and the user will still be redirected to the payment provider.
Edit: I should mention the snippet here is using jQuery
$("#myForm").submit(function(e) {
// Do your ajax stuff here
});
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
Our company works with affiliates that promote our products. They get paid based on how many sales they bring to us.
To track conversions, they ask us to put third party tracking pixels on our "thank you" page (final page where our customer is being redirected after payment through third party billing processor is complete).
So, we ended up with a ton of tracking JS code and hidden iframes on our "thank you" page.
Is it safe?
The billing processor sends sensitive data to this page via GET variables that we'd rather not make accessible to the affiliates.
Or maybe there is a better way to do this? Like, store all the tracking code from our affiliates in a database and only load the one that matches the customer's referral?
UPDATE
I'm worried about "third party tracking pixels" that are not from the "trusted" third parties (Like Google, Yahoo) but custom-made by our affiliates.
You do not have to worry about affiliates. Usually such solutions only talk to your partner and gets distributed on that end.
As for GET parameters or page content, just read the JavaScript code and see how it behaves. If it doesn't eval some response and doesn't touch DOM elements and cookies you're fine. And I really see no reason why they would need to do that. But if the partner seems untrustworthy, why deal with them at all?
Note that if you request a static resource, as an image, only cookies set by image's location domain are being sent. To see what's going on your page use Firebug or Chrome Developer Tools and check what request headers are being sent.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I'm using the standard php paypal form for payments on my e-commerce app.
I noticed that people with just firebug can change the paypal form data before sending the request for paying by the "PAY NOW" button.
So I'm wondering, is it a "standard" to have a payment's form that can be "edited" by a newbie :/ ?
What we can do to prevent this?
I disagree; I do think it's something you should prevent in the first place. The amount a buyer should pay shouldn't be publicly sent over the internet. The time where we could get away with that is long past.
Additionally, a check will not prevent the transaction from going through for a different amount. It'll only prevent any post-transaction drama.
And yes, you should definitely run checks after the transaction has completed, but that should happen even if someone weren't able to manipulate the amount theoretically.
There are several options, you can choose what suits you best depending on your requirements,
Do nothing and only implement a post-transaction check (e.g. with IPN).
The easiest. Your PayPal integration will look shabby from a code point of view, and you'll still get all those $0.01 fraudulent transactions.
Tick the 'Host button with PayPal' option in the button generator, and use PayPal's BMUpdateButton API to dynamically alter the amount of the button.
An example request for BMUpdateButton would look as follows:
USER=Your API username
PWD=Your API password
SIGNATURE=Your API signature
METHOD=BMUpdateButton
VERSION=82.0
HOSTEDUBTTONID=The value of
BUTTONTYPE=The type of button. E.g. BUYNOW
BUTTONCODE=The type of code you want to get back. E.g. HOSTED
L_BUTTONVAR0=amount=The new amount with a period as separator
L_BUTTONVAR1=item_name=Optional: a new item name if you wish
Use both the BMCreateButton and BMUpdateButton API's to both create and update your buttons with PayPal.
You could also use the BMCreateButton API to create a new button, or use the BMButtonSearch API to search through a list of all your stored hosted buttons (to find the hosted_button_id of your button automatically, for example).
Implement PayPal Express Checkout instead
It may be the 'hardest' to implement as it consists of 2-3 API calls for a single transaction, it's also the most flexible. Where with Website Payments Standard (the 'buttons') the transaction is finalized as soon as the buyer clicks on 'Pay now', Express Checkout lets the buyer 'agree' to the transaction on the PayPal website, and you can finalize it at any time 0 - 3 hours after the buyer initially agreed to the payment by calling the DoExpressCheckoutPayment API call.
For a quick rundown on integrating Express Checkout, see my answer on Checkout my order basket with PayPal
This isn't a huge security risk, as you should be checking what was actually paid anyway! Anyone can post data to anything. It has little to do with your form, or even Firebug.
You can store that button information on PayPal's server, but then it cannot be dynamically generated. There is an option for this when you use their wizard to create the button code for you.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 5 years ago.
Improve this question
I am trying to learn how I can add PayPal Subscription to my existing PHP app using IPN and looking for a good article that explains the ins-and-outs.
In my app, users can register for a free account and then they can select a membership type and rate (daily, weekly, monthly and yearly). When they have made their selection, the configured PayPal button is displayed. They can click the Subscribe button which takes them to PayPal.
I need to know how to identify the user: what custom information to send to PayPal that is then sent back? I would also like to know what information PayPal sends back to the IPN page.
It seems that the button can be configured for the notify url. Does that mean I still have to turn on IPN?
I just have too many questions to list here... The PayPal site does not have any teaching material that explains Subscriptions and how to integrate it into a site.
Any good and recent articles you know of?
anon445699, I completely agree with you about the subscribe information it mostly shows you how to generate a button with no parameters.
Maybe this will help some people in the future, it oulines all the possible parameters for subscriptions. I know it helped me
https://www.paypalobjects.com/en_US/ebook/subscriptions/html.html
There are plenty of articles out there, just google it. The date doesn't matter as much, most of the main functionality is basically the same, they don't change it much because a ton of people rely on it being the same. What you really need to do though, is look at the documentation at paypal, its quite thorough, and even has code samples. Including for subscriptions, how do you think the people who wrote articles, and everyone who has implemented it did it? Did they just guess and hope for the best?
Next get yourself an account on the paypal sandbox. Want to know what the IPN sends back? Setup a script to catch an IPN post, and save all the $_POST data to a file, and see for yourself using the sandbox to complete a fake order. Thats what I did when implementing paypal. Of course, the return values are also noted in the documents as well.
Edit
I believe the field they will send back is called custom. You could hijack a field you are not using, like productnumber. Or maybe use the payer_id field. Or identify them with their email. There is not just one way to do it. The best way to find out though, is to try it on the sandbox rather than waiting for someone to do it for you or write an article. You could have saved yourself 3 days of reading if you would just try it.
Links
Found these in about 2 minutes, there is more than enough info in these to get the job done.
Various IPN and subscription tutorials:
http://net.tutsplus.com/tutorials/php/using-paypals-instant-payment-notification-with-php/
http://www.web-development-blog.com/archives/easy-payments-using-paypal-ipn/
http://www.paymentsplus.com.au/joomla/faq/paypal-buy-now-guide.html
Sandbox:
https://developer.paypal.com/devscr?cmd=_signup-run
Paypal Documentation:
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_subscribe_buttons (this is the one you really want)
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_admin_IPNIntro
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
ok heres my problem, im creating a site where people sign up first then pay straight after, my problem is what if the customer who signs up uses a different card to pay so for example, his wife. im trying to work out how to match the sign up info and the payment info without having to store the card details and get an ssl cert.. i need this so i can tell if they paid.. im writing it in php, it currently sends me an email when they sign up rather than straight into a database, any help?
Simplest thing that comes to mind would be to have options on the payment screen that let you:
(1) Use the billing info you supplied during registration
(2) Specify the name as it appears on the card (as most sites I've ordered from include)
Does this answer your question?
If you are concerned about matching the account to being paid if they use a different name, you most likely have some kind of $Session going on I would think. Use the user's login information from the Session() and then you can tell.
We use Authorize.Net for our payment processor. They have two different APIs which give you different levels of control (AIM - Advanced, SIM - Simple). From your description of not desiring a SSL Cert, SIM would be the best way to proceed.
We have designed our system to collect as much information as possible from the customer and then pass (via POST) to AuthNet's SIM method where they only need to enter in their card-specific information (number, expiration date, and CID). If the transaction is successful (and also in some failure cases), they notify us by a pre-defined 'silent-post' transaction and also redirect the user to a 'relay url'. We provide AuthNet with an order/invoice number as part of our original post data, so we can use it in their silent post to match up their payment with the appropriate order.
The SIM interface has worked well for us over the years and we now have it tweaked via CSS so that it closely resembles our site despite being hosted elsewhere, saving use far larger PCI-DSS compliance issues by doing everything locally.
im trying to work out how to match the sign up info and the payment info without having to store the card details and get an ssl cert
In that case the best advice is to use something like PayPal, Amazon Payments, or Google Checkout. Other than that, your question was a bit hard to decipher.
i need this so i can tell if they paid.. im writing it in php, it currently sends me an email when they sign up rather than straight into a database, any help?
Most 3rd party payment processors (PayPal, Google, Amazon), provide a way of checking payment status. Most also offer pinging a callback when the payment status changes.
PayPal IPN
Amazon IPN
Google Notifications
Many credit-card processing options will send a response to your server containing crucial information about the user that you can use to verify that they have successfully paid. For example, PayPal has an IPN (Instant Payment Notification). You can use the data returned in this to automate a process on your server that states the user has paid.
My advice is to contact whoever is processing your credit-card transactions and ask what options they provide for relaying information back to your server to verify which users have suffessfully paid for the products/services.