I have a payment button that uses the custom variable to identify in my database who bought what when the IPN message comes. My custom field looks like this:
<input type="hidden" name="custom" value="userName">
My problem is that anybody can change this value to whatever they want, allowing people to buy stuff for other users. Is there any possible way to send this custom value from PHP to PayPal, so that the user cannot change the value to something else?
You can use the Express Checkout APIs instead of standard payment buttons.
You'd make a call to SetExpressCheckout to start the process and obtain a token, then redirect the user to PayPal.
When they're returned from PayPal you can call GetExpressCheckoutDetails to obtain the buyer information as returned by PayPal, and then you call DoExpressCheckoutPayment to finalize the order and actually move the money.
You would include the CUSTOM parameter in that final DECP request the same way you are now, but it would all be hidden in the PHP code, of course. Nothing people would see in HTML.
This PayPal PHP SDK will make those API calls very quick and easy for you.
I'm just now trying to get up to speed with PayPal Express Checkout (i.e. checkout.js), using the client-side REST integration described here. I see that when payment is complete, my onAuthorize function is invoked with a "payment" object.
I can't find any documentation on this object, but some poking at it reveals the following properties (at least today):
paymentToken
payerID
paymentID
intent
returnUrl
Now I need to redirect the user to the next step on my website, where I show a receipt confirming they've paid, etc. I guess I send the above data to the server, but since that step could be easily spoofed by a malicious user, I will need to verify those details in the PHP code, server side.
How do I do that?
You can make a GET call on your server side to /v1/payments/payment/PAY-XXXXXX with the paymentID and the payerID to get the payment details, and verify those details there.
https://developer.paypal.com/docs/integration/direct/express-checkout/integration-jsv4/advanced-payments-api/show-payment-details/
See https://developer.paypal.com/docs/api/overview/#make-your-first-call for some basics on calling the REST api from your server
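The server-side check the answer describes, as an added example (not code from the answer, from PayPal's SDK, or from the original poster). It takes the paymentID and payerID that the browser posted after onAuthorize, fetches PayPal's own record of the payment from the v1 endpoint named above, and compares it with the order the server stored before checkout began. Assumed: PAYPAL_API_BASE, PAYPAL_CLIENT_ID and PAYPAL_SECRET environment variables, the api.sandbox.paypal.com host as the default base, and the field names of the v1 payment object (state, payer.payer_info.payer_id, transactions[].amount), which you should confirm against the current documentation.

```php
<?php
// Added example: verify client-reported paymentID/payerID against PayPal's
// record and against our own stored order before showing a receipt.
// Assumptions: env vars PAYPAL_API_BASE / PAYPAL_CLIENT_ID / PAYPAL_SECRET and
// the v1 payment JSON layout named in the lead-in.

function paypal_access_token(string $base, string $clientId, string $secret): ?string
{
    $ch = curl_init($base . '/v1/oauth2/token');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'grant_type=client_credentials',
        CURLOPT_USERPWD        => $clientId . ':' . $secret,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Accept: application/json', 'Accept-Language: en_US'],
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    $json = is_string($body) ? json_decode($body, true) : null;
    return $json['access_token'] ?? null;
}

function paypal_get_payment(string $base, string $token, string $paymentId): ?array
{
    // The browser supplied this id, so only a tightly validated value reaches the URL path.
    if (!preg_match('/^[A-Z0-9-]{1,64}$/', $paymentId)) {
        return null;
    }
    $ch = curl_init($base . '/v1/payments/payment/' . rawurlencode($paymentId));
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json', 'Authorization: Bearer ' . $token],
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($status !== 200 || !is_string($body)) {
        return null;
    }
    $json = json_decode($body, true);
    return is_array($json) ? $json : null;
}

// Pure decision function: everything the browser told us (payerID) is a claim
// that must agree with PayPal's copy, and PayPal's copy must match our order.
function payment_matches_order(array $payment, string $claimedPayerId, string $expectedTotal, string $expectedCurrency): bool
{
    if (($payment['state'] ?? '') !== 'approved') {
        return false;
    }
    if (($payment['payer']['payer_info']['payer_id'] ?? '') !== $claimedPayerId) {
        return false;
    }
    foreach ($payment['transactions'] ?? [] as $tx) {
        $amt = $tx['amount'] ?? [];
        if (($amt['currency'] ?? '') === $expectedCurrency
            && number_format((float)($amt['total'] ?? 0), 2, '.', '') === number_format((float)$expectedTotal, 2, '.', '')) {
            return true;
        }
    }
    return false;
}

// Constructed sample input: what the browser posted and what we stored earlier.
$posted      = ['paymentID' => 'PAY-EXAMPLE123', 'payerID' => 'PAYEREXAMPLE']; // constructed
$storedOrder = ['total' => '19.99', 'currency' => 'USD'];                      // constructed

$base    = getenv('PAYPAL_API_BASE') ?: 'https://api.sandbox.paypal.com';     // assumed host
$token   = paypal_access_token($base, (string)getenv('PAYPAL_CLIENT_ID'), (string)getenv('PAYPAL_SECRET'));
$payment = $token ? paypal_get_payment($base, $token, $posted['paymentID']) : null;

if ($payment !== null && payment_matches_order($payment, $posted['payerID'], $storedOrder['total'], $storedOrder['currency'])) {
    echo "verified: show the receipt page\n";
} else {
    echo "not verified: do not mark the order as paid\n";
}
```

The point of splitting `payment_matches_order` out from the HTTP calls is that the decision is testable offline with a constructed payment array, and that the expected total and currency come from the server's own order record rather than from anything the browser sent.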
Assuming you are using PayPal Encrypted Buttons, you don't actually need to verify the amounts sent through server-side. Although a user could indeed manipulate the $_POST data, PayPal's got you covered, and won't allow the transaction to go through. This is because PayPal Encrypted Buttons are generated with your variables such as price built-in to the ID. If the variables don't align with those used to create the button, the transaction is denied.
Alternatively, if you are simply using your own code to make the request, you can secure the payments with PayPal's Instant Payment Notification. Again, this allows any $_POST data to be sent through for the payment. Afterwards, PayPal makes a call to your IPN page in order to validate that the parameters are correct. This is demonstrated in the following workflow:
When communicating with your IPN, if PayPal finds that the values don't match up, the order is cancelled. Assuming that the values match up, you can safely redirect them to your confirmation page.
Hope this helps! :)
I'm using an HTML PayPal button together with IPN to achieve a direct payment on my PHP website. The IPN URL is correctly pinged but I need a way to identify the transaction, because I need to update it on my local database during the IPN call.
So my question is : is there a simple way to send a token / identifier from the HTML button and get it back on the IPN call, so that I retrieve the transaction?
If no, I guess I'll have to use the API but the code samples I found on the PayPal website confused me. I need the payment to offer both Paypal / Credit Card options to the user once he lands on the PayPal payment page. This is what they call a "Direct Payment" but is there any clear Direct Payment code samples I can use somewhere?
Thanks!
I used the simple form to redirect customers to PayPal. In this form I have a hidden input <input type="hidden" name="invoice" value="myCustomInvoiceId" />.
After the customer finished his payment, PayPal will do the IPN call including invoice=myCustomInvoiceId. So yes. There are plenty more variables that PayPal can include in their IPN call. See this link for further reading.
If I remember correctly, you can choose which variables to include in the IPN call in your merchant PayPal account.
I have an option on my phpBB forum to add a Paypal Buy Now button to enable users to sell and purchase items. I would like to have the ability to automatically close a topic once a user makes a purchase through paypal to avoid multiple users from purchasing the same item.
Is it possible to get the user's session data from PayPal once they make a transaction? Then incorporate session data into a variable like:
$paypal = (isset($_POST['purchased'])) ? true : false;
Not sure if I need to download the Paypal SDK for this or not.
Any suggestions would be great, thanks.
Is it possible to get the user's session data from paypal once they make a transaction?
You really want to trust the user's session data? I am sure you can read the session data, but you don't want to do that; it would be a trivial task to alter it. Even if you can, you really shouldn't read the session data for another website.
Not sure if I need to download the Paypal SDK for this or not.
This would be the correct way to do it.
When I last used it, Paypal Standard allowed you to specify a return URL (where to send the user) for failures and for successes. Dynamically generate some secret hashes to facilitate when the user is finally redirected.
Or you can use IPN.
Don't rely on the return URL. Buyers can (and will) close their browser / tab after completing a payment.
Instead, use PayPal Instant Payment Notifications to receive a server-to-server notification from PayPal which you can subsequently verify and use to update your database with the appropriate flag for a phpBB closed thread.
IPN works as follows:
You create the PayPal button and include a "notify_url". The value for this parameter will be the full URL to a script on your server, called the 'IPN script' or 'IPN handler'.
You can specify an IPN handler as follows for Website Payments Standard
<input type="hidden" name="notify_url" value="http://blah.com/ipn.php">
For Express Checkout or Website Payments Pro, simply include the following in your SetExpressCheckout/DoExpressCheckoutPayment or DoDirectPayment API call respectively.
NOTIFYURL=http://blah.com/ipn.php
A buyer completes a transaction via PayPal
Once the buyer completes the transaction, he/she may close the browser, or return to your website
Once the transaction is accepted and processed by PayPal, PayPal will send out a notification to http://blah.com/ipn.php
You need to take all POST data that was sent to this script, and POST it back to https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate
If the data you send back matches the data PayPal sent you, a 'VERIFIED' response is returned.
If the response is VERIFIED, it's at this point that you would look up the matching transaction/buyer on your end, and update the phpBB thread status appropriately.
Some sample code and documentation for PayPal IPN is available at https://www.paypal.com/ipn/
In addition, some tips on making a secure IPN script are available at https://www.x.com/developers/community/blogs/ppmtsrobertg/securing-your-instant-payment-notification-ipn-script
Note: If you want to include any custom data along with the transaction which you can read out later, use 'custom'.
<input type="hidden" name="custom" value="xxxxx">
This will also be returned in the IPN POST data sent from PayPal.
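The IPN handler described in the steps above, together with the order record that makes the pass-through value trustworthy, as an added example (not this answer's code, PayPal's sample IPN script, or anything from the original posters). Only an opaque reference goes into the HTML, in the 'invoice' field; on the IPN the server posts the payload back to the validation URL given above and, only on VERIFIED, matches the notification against what it recorded itself (buyer, amount, currency) rather than against anything the browser sent. This also answers the first question on this page: the user cannot change who bought what, because the buyer is stored server-side under the reference, not carried in the form. Assumed: standard IPN variable names (payment_status, receiver_email, mc_gross, mc_currency, txn_id), $receiverEmail is your merchant account address, and the $orders and $seenTxn arrays stand in for database tables.

```php
<?php
// Added example: Website Payments Standard order record + notify_url handler.
// Assumptions: standard IPN field names; arrays stand in for database tables.

const PAYPAL_VALIDATE_URL = 'https://www.paypal.com/cgi-bin/webscr';

// Called while rendering the button. The browser only ever sees $ref.
function create_pending_order(array &$orders, int $userId, string $amount, string $currency): string
{
    $ref = bin2hex(random_bytes(16));   // unguessable, opaque reference
    $orders[$ref] = ['user_id' => $userId, 'amount' => $amount, 'currency' => $currency,
                     'status' => 'pending', 'txn_id' => null];
    return $ref;
}

// Hidden fields for the form; PayPal echoes 'invoice' back in the IPN.
function hidden_fields(string $ref, string $amount, string $currency, string $notifyUrl): string
{
    $h = static fn(string $v): string => htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="invoice" value="' . $h($ref) . '">' . "\n"
         . '<input type="hidden" name="amount" value="' . $h($amount) . '">' . "\n"
         . '<input type="hidden" name="currency_code" value="' . $h($currency) . '">' . "\n"
         . '<input type="hidden" name="notify_url" value="' . $h($notifyUrl) . '">' . "\n";
}

// Step 4 above: send the raw POST body back with cmd=_notify-validate.
function paypal_postback(string $rawPostBody): string
{
    $ch = curl_init(PAYPAL_VALIDATE_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawPostBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_HTTPHEADER     => ['Connection: Close'],
    ]);
    $res = curl_exec($ch);
    curl_close($ch);
    return is_string($res) ? trim($res) : 'INVALID';
}

// Runs only after a VERIFIED postback. Returns null on success, otherwise a
// reason for the log; the order changes only when every check passes.
function apply_verified_ipn(array &$orders, array &$seenTxn, array $ipn, string $receiverEmail): ?string
{
    $ref = (string)($ipn['invoice'] ?? '');
    if (!isset($orders[$ref])) {
        return 'unknown invoice';
    }
    $order = &$orders[$ref];
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return 'payment not completed';
    }
    if (strcasecmp((string)($ipn['receiver_email'] ?? ''), $receiverEmail) !== 0) {
        return 'paid to a different account';
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        return 'currency mismatch';
    }
    $paid = number_format((float)($ipn['mc_gross'] ?? 0), 2, '.', '');
    $due  = number_format((float)$order['amount'], 2, '.', '');
    if ($paid !== $due) {
        return 'amount mismatch';
    }
    $txn = (string)($ipn['txn_id'] ?? '');
    if ($txn === '' || isset($seenTxn[$txn])) {
        return 'missing or replayed txn_id';   // same notification delivered twice
    }
    $seenTxn[$txn]   = true;
    $order['status'] = 'paid';
    $order['txn_id'] = $txn;
    return null;   // $order['user_id'] now says whose account to upgrade
}

// ipn.php entry point (swap the arrays for your database).
function handle_ipn_request(array &$orders, array &$seenTxn, string $receiverEmail): void
{
    $raw = (string)file_get_contents('php://input');
    if (paypal_postback($raw) !== 'VERIFIED') {
        error_log('IPN postback not VERIFIED');
        return;
    }
    parse_str($raw, $ipn);
    $why = apply_verified_ipn($orders, $seenTxn, $ipn, $receiverEmail);
    if ($why !== null) {
        error_log('IPN rejected: ' . $why);
    }
}
```

The postback echoes the raw request body rather than a re-encoded `$_POST`, because re-encoding can change the bytes and turn a genuine notification into INVALID. Everything after VERIFIED is a comparison against the server's own record: a VERIFIED response only proves the message came from PayPal, not that it paid the right amount to the right account for the right order.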
I have a service I am starting where it's paid. I want to give a PayPal payment a special id. The ID would be passed through IPN and I could read it so I can modify my mysql database with that special ID. If that all makes sense...
I basically want to upgrade their account without having to do some complicated process which I have already tried, where it would send the user the transaction ID and they would have to go to a special URL to change their account information.
See what I mean? How would I go about doing this?
Thanks,
Coulton
If anyone else has a question on how to do it, I've found a way to fix it. When making your button, include this:
<input type='hidden' name='notify_url' value='http://yourdomain.com/paypal/ipn.php?user_id=$user_id'>
So you can pass who has made the payment to the IPN via GET. Simply use $_GET['user_id'] to get the data (in my case a user_id). You can pass any variables you wish!
I played around with this for ages before I realized that you can only send the predefined PayPal variables and not make your own up.
These are listed here
https://www.paypal.com/cgi-bin/webscr?cmd=p/pdn/howto_checkout-outside
One you can use for a custom variable is called 'custom'
<input type="hidden" name="custom" value="<?=$twitId;?>">
You also need to ensure you use this button
<input type="hidden" name="cmd" value="_s-xclick">
You also need to turn on and set a URL for the Instant Payment Notification on PayPal
They call this a listener, but it really just sends the payment data to the PayPal page.
Note this is not the URL the customer is returned to after payment completion as set in button preferences.
Retrieve the custom variable in PHP thus
$userID = $_POST['custom'];
Full instructions here
http://www.brianmoreau.com/articles/paypal_buy_now_button_sending_custom_variables.php
Hope this saves you the many hours I spent on it.
This method also allows you to obtain the buyer details such as email and address and the transaction reference.
To view the full data PayPal sends after payment, click on History, then IPN history.
I have successfully posted my custom shopping cart to PayPal -- it processes the order just beautifully, and when the payment is received, it posts data back to the URL I specified in the config. The code is based on the library found here: http://www.phpfour.com/blog/2009/02/php-payment-gateway-library-for-paypal-authorizenet-and-2checkout/
So I'm successfully verifying the IPN by posting data back to PayPal -- that is all great. Here's my dilemma -- how do I know what order the IPN is confirming?
I am not making use of PayPal's shopping cart, I have my own. It has its own cart ID in my database, and when I receive an IPN for that cart, I'd like to "close" the cart and save it as an order to be looked up at a later date.
I've tried passing an additional custom field along with the redirect to PayPal that populates the cart, but that value isn't returned back to me in the IPN. The documentation on x.com is just plain lacking so I've found no help there.
Does anyone have any experience with PayPal and IPN? Doesn't necessarily have to be with PHP -- I can interpret code -- but if you have a way to send a value to PayPal with an order and then have that value returned with the IPN, that is AWESOME!
If this isn't possible with PayPal's API (which I would find hard to believe) -- any other suggestions on how to handle this?
I do not know if this is a good idea or not, but here are a couple different options:
A: Use the first set of on1 / os1 for the item 1 and add the order id to that.
B: In the custom field, I am not sure what you have in there, but you can make it something like orderidhere41|otheritems here and then just parse this out by exploding at the | to get them separated.
PayPal does limit this, and I do not know why, but both of those should work. Doing it as an on / os will put it on the PayPal receipt for the user, so that is my preferred method.
If someone else has a better solution, I would be interested in it as well!
EDIT:
Clarifying on1 os1. These are "options" generally used for Size / color etc. See IPN PDT Paypal variables under option_name1 option_selection(sp) for more information on them. The name of course is the title which would be "Order ID" the os would be the actual id.
EDIT:
Looking through that documentation $my2CO->addField('cart_order_id', rand(1, 100)); is where I would put my own cart order id. That should be the correct field. Sorry for the confusion :)
EDIT:
In the end there is a custom field for the PayPal IPN, called "custom"; adding data to this will pass through, and this will transfer the order ID for you to and from PayPal. It must be called custom on both sides.
(this may be different for the other API's).
My experience has been with the Express checkout via C#, but the process should be the same even in PHP. If you're using the Name-Value Pair (NVP) interface right before you redirect the user to PayPal you hit the PayPal site to retrieve the redirection URL. As part of their response they pass back a token to you. You save this token along with your order. When the IPN postback occurs you get this same token back which lets you look up the original order.
The process flow looks like this ("You" being your site):
User fills cart, clicks button/link to check out
Request is sent to your site
Your site receives request, sends data to PayPal
You get an initial response from PayPal which contains a token
You save this token along with this user's shopping cart.
You redirect the user to the link returned by PayPal
User is redirected to PayPal and enters payment info
Payment info is validated by PayPal
User is redirected back to your site
PayPal sends IPN response back to your site
You grab the token included in the response
You look up the token you previously saved to find the shopping cart (they are the same value)
You close out the initial order/shopping cart.
You might want to try out the PHP SDK - scroll down to the Name-Value Pair Interface.
I very much doubt this will help the original poster, but PayPal have either added, or finally documented the option "invoice" which allows you to post the OrderID, and have it posted back via the IPN.
I am currently using this and it seems to work as expected.
For further info see the Website Payments Standard Integration Guide (PDF): Appendix A, Table A.4
You can create and post a custom pass-through variable that's 255 characters long that could hold any data. More info on page 44 in the official Paypal IPN Guide.