I have a service based company and a website entirely created with Dreamweaver. It does not have a cart and no service we sell is exactly the same price so it would not make sense to include one.
My bank provided me with a payment gateway to automate payments and allow clients to select their own currency but it is built for a website with a cart or a database.
So I am trying to find a solution which:
1 - allows me to ask for the clients details
2 - asks the client to confirm the amount they are due to pay (which needs to be between 0 and 10000 euros, no dots, comas or space allowed and 2 decimals included)
3 - confirms their name and the amount filled in the form on a separate page (their terminal does not show the amount to be paid so I want to confirm this to the client)
4 - sends the correct information to the payment terminal
5 - returns to our website to confirm the payment has gone through
6 - sends me an email with all the information filled in by the client and that the payment has been approved.
Here is the code provided by the bank
<form action="https://hpp.prueba.santanderelavontpvvirtual.es/pay" method="POST">
<input type="hidden" name="MERCHANT_ID" value="<?=$merchantid?>">
<input type="hidden" name="ORDER_ID" value="<?=$orderid?>">
<input type="hidden" name="ACCOUNT" value="<?=$account?>">
<input type="hidden" name="CURRENCY" value="<?=$curr?>">
<input type="hidden" name="AMOUNT" value="<?=$amount?>">
<input type="hidden" name="TIMESTAMP" value="<?=$timestamp?>">
<input type="hidden" name="DCC_ENABLE" value="1">
<input type="hidden" name="SHA1HASH" value="<?=$sha1hash?>">
<input type="hidden" name="HPP_LANG" value="EN">
<input type="hidden" name="AUTO_SETTLE_FLAG" value="1">
<input type="hidden" name="MERCHANT_RESPONSE_URL" value="tpv-mailer.php">
<input type="Submit" value="Pay by credit card on a Secure Website">
</form>
I am new to php, the documentation the bank sent me is not clear at all so I have been stuck on this issue for a while.
I have the form requesting data from the client thought POST working and the payment system works (although it only charges the same amount) but I cannot seem to find the code to pass the $amount filled in by the client to "> on the bank gateway without breaking the hash.
I was thinking maybe of sending this information by url or creating a session. Does anyone have experience with this and can help me?
Thank you so much in advance!
This is how I would go about it:
Start from scratch with your own multi-step form (since you want to confirm their name and amount).
POST the form to a PHP script via jQUery AJAX.
In your PHP script validate every single field. Remember that the client can send anything, so you want to make sure they wrote an actual amount for example.
Prepare the POST request that you'll be sending to your bank's API endpoint from your PHP script. Use the fields the user submitted (after validating them) and generate any others that you might need, for example the timestamp and return URL.
Send this POST request to your bank.
Read their response.
Process their response, e.g. send back a JSON to your jQuery AJAX function with information on what to do next, such as which page to redirect to. This is where you can also configure PHP to send you that notification email.
You don't have to use AJAX but by doing it this way you can show a nice "Processing..." view to your client if you so desired.
You'll need to fully understand all the parameters that your bank is requesting, for example where the $sha1hhash is coming from. If they have poor documentation then there are always alternative such as:
PayPal: https://developer.paypal.com/docs/api/
Stripe: https://stripe.com/docs/api
That said, if you're running the company and are new to PHP as you've mentioned, you might want to consider hiring a professional to do it for you. It's worth the investment.
After spending all day and trying to learn about PHP I found the solution to my problem. As I could not find any documentation online answering this question, I would like to share it if anyone needs it one day:
First you need to create a 3 step php form:
The First page is a standard form which asks information from my client, filters it and cleans it up
It redirects to the second page which acts as a mailer and collects the info. In the header, it sends the information collected to me by email then it calls the payment gateway. In the body, it sums up the information previously sent and gives the client a link to the gateway
the third page is the gateway response. It lets the client know of any error or thanks them for the booking and resends me an email with the booking confirmation.
The piece of code I needed was:
Page 1: ask for the amount due which is saved as $charge
On page 2:
in header:
$amount=$_REQUEST['charge'];
in body - to show the amount to be paid:
<?php
$FIRSTNAME=$_REQUEST['firstname'];
$LASTNAME=$_REQUEST['lastname'];
$CHARGE=$_REQUEST['charge'];
echo <<<TEXT
<h3 style="text-align:left;padding-left:1em">Hello, $FIRSTNAME $LASTNAME, balance is $amount euros</h3>
TEXT;
?>
The payment platform seems to be working and the amount is now decided by the client without access to a database.
Related
I've a question about processing a PayPal Transaction & being able to pass a unique piece of information along with the transaction to identify the customer.
Customers have a unique ID that isn't sensitive - say 1000000898.
Situation:
A customer can join this site with any email address and later can decide to upgrade with Paypal which might be registered under a different email address.
I can then have an issue identifying which account make the transaction as i only have the email as a reference. I want to be to pass the Unique ID (above) along with the transaction and be able to see this ID when I look at the transaction in Paypal.
Below is some code I'm using and the last line I added to try to pass the ID along with the transaction. Transaction processed fine but in PayPal (Sandbox) I couldn't find the ID with the transaction - didn't appear anywhere...
<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="blahblahblah">
<input type="hidden" name="return" value="https://somewhere.com" />
<input type="hidden" name="item_number" value="1000000898">
Question:
What input name would I add (or line(s) of code would I add) to be able to see the ID in the PayPal transaction. EG along with name, email and address.
thanks heaps..!!
Adam
This code is for a hosted button. You cannot add additional variables directly to a hosted button's code. If you want to add dynamic data into your button you will need to make it non-hosted.
When building the button, Step 2 (or maybe Step 3) asks you if you want to save the button at PayPal. You need to disable this option. Then at the end there will be another option for securing the code, and you'll need to disable that, too, so that it's not encrypted. This will give you the basic, raw HTML form code.
With this raw form code you can add any variables you want from the PayPal Standard Variables reference.
Of course, doing things this way does leave the door open for somebody to potentially copy your HTML code, adjust the variable values, load the HTML form/button on their own page, and submit a payment for your product/service at a cheaper price. You would need procedures in place to catch this sort of thing.
Another option (which I recommend) is to use the Express Checkout API instead. This allows you to customize everything and make it dynamic without the ability for anybody to adjust any of the code/values.
Since you're working with PHP you could take a look at my PayPal PHP SDK. This would allow you to make the API calls for Express Checkout very quick and easy.
Hi i'm currently trying to integrate worldpays payment gateway to a website.
However I can't seem to submit the form in a secure way.
This is an example form:
<form method="POST" name="BuyForm" action="https://secure- test.worldpay.com/wcc/purchase">
<input type="hidden" value="yourinstid" name="instId">
<input type="hidden" value="yourcartid" name="cartId">
<input type="hidden" value="GBP" name="currency">
<input type="hidden" value="100" name="amount">
<input type="hidden" value="Product 1" name="desc">
<input type="hidden" value="100" name="testMode">
<input type=submit value="Buy Now">
</form>
Is there anyway to submit this in php to stop end user being able to inspect and change amount ie Changing amount from £100.00 to £1.00 and submitting the order and paying £1 for £100's worth of goods?
I've tried curl however from what i've read you cant redirect the user to the page you've submitted the data to?
Thanks in advance,
Jordan
With the architecture you have, no. Because the user is sending data from the page directly to worldpay.com without first going through your server, no you cannot stop the user from inspecting what's about to be sent or from changing values. Even if you locked down the browser with javascript, what's to stop me from loading a page, then copying the information and sending it directly to worldpay with a cURL request from my command line? This is a losing battle for you.
Look at WorldPay documentation for how to securely submit a transfer. Payment systems have usually worked this out. Here are some techniques I've seen.
I notice there is a cart ID. There may be an API whereby your server first sends a request to worldpay to create a cart or payment request and gets some token. Then a valid token must be submitted along with the form by the user. This would allow worldpay to compare the data that was used to create the token with the form submission and notice any change.
Other payment services require you to sign any submission with a secret token that you get from your merchant account. Basically the signature is a keyed hash of all the form values (keyed with the secret, which is never sent to the browser). If a customer changes the form and submits the changes, the new form inputs will not match the signature.
Other payment services allow you to create secure Pay buttons from within the merchant account. This is a pre-agreement of how much each product costs. Then in the browser, you don't even need to set amount, product ID etc... Just the Pay button ID that was created.
Finally, the simplest check is to create a record of the transaction on your server before you create the form for the user. Once you receive notice of payment, lookup the payment or transaction ID in your records and make sure that things line up before processing the order.
The bottom line is: you cannot stop a user from changing what she submits directly to worldpay, so if your security has this requirement, it will fail. Do your research into worldpay secure payment flows.
I have read and read through the links and documentation about the PayPal API, but to be honest, I am pretty confused as to what it is I need to do.
I am trying to set up a simple API where a user on my website clicks a button which takes him to PayPal to make a payment. After he makes the payment, all I want is for the PayPal API to update a record on my database with the confirmation.
So far the process works perfectly one way. I am using this code to get the users to make their payments:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="username#mywebsite.com">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="item_name" value="Gift Certificate">
<input type="hidden" name="item_number" value="RI001CI3481">
<input type="hidden" name="amount" value="313">
<input type="hidden" name="return" value="http://mywebsite.com/paypal/thankyou">
<input type="submit" value="PayPal">
</form>
After the user finishes the transaction, they are returned to my 'return' page.
I get an email when the transaction is complete. That's how I now a payment has been made. I then go to PayPal, confirm the payment, and update my database record to mark the transaction complete.
Now, what do I have to do to have PayPal automatically update my database when that payment has been made? If you could point me to a simple to follow document or sample, that would be great. As I said, I have read through some of the available documentation online but for someone like me it's a bit confusing.
Thanks,
Manny
What you're showing here is not using the API. PayPal Standard is just basic HTML form method for setting up payments with PayPal. It sounds like that part is already working for you how you need, so that's fine.
To update the database, you want to use Instant Payment Notification (IPN). It's still not technically an API, but it is a push service that will POST transaction data about any transaction that hits your PayPal account to a listener script that you have setup on your server.
Within this script you can process the data however you need to. Update your database, generate custom email notifications, hit 3rd party web services, etc.
There are some good IPN templates available for PHP on GitHub / Packagist. PayPal also provides a very basic starter template for IPN.
I think that IPN is one answer, but it is prone to issues and can fail if your servers or PayPal's servers are having issues. Many people who use IPN have only one server, and perform maintenance late at night, and IPN may attempt a notification but fails because the server is down for maintenance. IPN will just fail silently. A better alternative is to use an API like Express Checkout where you set up the look and feel of the page, set txn details, etc. with SetExpressCheckout and take the customer to the PayPal page to check out, and afterwards they are returned to your site. At this point you run DoExpressCheckoutPayment to complete the transaction and then when your response contains "ACK=Success" you can call GetExpressCheckoutDetails to get more detail than you would see with IPN and not have to worry if you didn't receive a response from PayPal as with IPN. You would have a request / response as with any API call and you can log your responses to be able to see when things go wrong, as well as to get details of the transaction. Often it seems that people explaining EC and even PayPal docs show to call setEC, then getEc, then doEC but I usually call set, do and then get once the txn is successful. I'm sure there are scenarios when someone would need / want to call set, get, do, but for IPN we only care once the txn is successful. ALSO, IPN will not send unless there is a txn. You can set your code to allow for situations when you receive an error and act accordingly, like when you get an error for declined card or similar. You can log the error, send email / SMS, log to DB table, etc.
Here is the documentation to integrate Express Checkout:
https://developer.paypal.com/docs/classic/products/express-checkout/
Tons of links here since EC can be used for order / auth / capture or simple sales or subscriptions, etc.
Here is the list of parameters for SetExpressCheckout:
https://developer.paypal.com/docs/classic/api/merchant/SetExpressCheckout_API_Operation_NVP/
Here is the list of parameters for DoExpressCheckoutPayment:
https://developer.paypal.com/docs/classic/api/merchant/DoExpressCheckoutPayment_API_Operation_NVP/
Here is the list of parameters for GetExpressCheckoutDetails:
https://developer.paypal.com/docs/classic/api/merchant/GetExpressCheckoutDetails_API_Operation_NVP/
While the overall coverage isn't yet at the same level of IPN, PayPal also now has Webhooks: https://developer.paypal.com/docs/integration/direct/rest-webhooks-overview/
Webhooks are a much more modern form factor than IPN, and is supported in the REST SDKs, hopefully that helps.
I have a the following form at the end of a booking process (simplified):
<form action="https://www.paypal.com/cgi-bin/webscr" name="paypalForm" method="post">
<input type="hidden" name="amount" value="<?=$price;?>">
<input type="hidden" name="business" value="business#email.co.uk">
<input type="hidden" name="notify_url" value="http://website.co.uk/ipn">
</form>
I have only left out things like address name etc. So when they pay via Paypal, I am using paypal IPN to mark them in the database as paid. However..
I have gone to the end of my booking system and viewed source of the webpage, modified the business email address and amount. I haven't tried a full transaction yet, but surely with the 'notify_url' in there Paypal with send an IPN message to my server and will mark the person off as paid? Isn't this terrible security? Surely this not how all paypal payments work, I must be missing something.
There are two things I can think of that might prevent this:
If I remove the "notify_url", will the IPN URL that I have set in paypal work instead? What value does paypal place on the hidden var notify_url, does it override the settings in the back end of paypal?
In my IPN code I could check for business and Amount. I don't currently, as I didn't read any where in the documentation that I should. But now, I am thinking that maybe it would be a terribly good idea.
There isn't any check that can be done by PayPal to know what the correct amount, or email address should be that was used, or that the IPN URL should only be used with a particular PayPal account. Your options would to be write in the additional checks like you have already mentioned. In additional to what you already stated about your 2 workarounds, a 3rd option would be to create a hosted or encrypted button on the fly using PayPal's BMCreateButton API. Then the buyer would only see the encrypted button code, they would not be able to view your HTML button code. Therefore they would not be able to modify any of the variables, or see what they are currently set to.
I have this code on my Website:
<form method="post" action="process.php">
<input type="hidden" name="itemname" value="1" />
<input type="hidden" name="itemnumber" value="2" />
<input type="hidden" name="itemQty" value="1" />
<input type="hidden" name="itemprice" value="17">
</form>
This code, sends a POST to process.php, which opens a paypal class to make the payment.
All works great, but I have a very big trouble. The point is, if I edit any value with FireBug, let's say for example, "itemprice", anyone can change the default value, and replace the itemprice with any other quantity at the moment of process the payment.
How could I fix this? Any ideas?
Thanks.
Encryption is the only way to thwart this, there's nothing you can do client side. You could try to add some verification server side or use the _SESSION, but those are your only options.
You could use the PayPal Instant Payment Notification System (IPN). You supply the URL to a script on your website which can handle the payment. It is there somewhere when you login to your PayPal account.
Every time a new payment is made PayPal will send a request to your IPN script with all the details of the payment (item ID,name, price, whatever you want and you can then verify in the script using your database if the prices match for the supplied item ID's.
It is very easy to implement in my opinion and very flexible. It is very well documented too on the PayPal website. It does not take too long to understand it.
You should never rely on the price from the web form. Because the item has its ID, it's perfectly valid to send only the ID and required quantity to the process.php. This, in turn, should fetch the prices straight from the source (database, config...), not from the (possibly tampered) web form data.