How to sell a dynamically generated file? - php

I sell a (very cheap and dynamically generated through PHP) file of data online. For the payment, I use a basic PayPal button.
This has two advantages I want to keep:
PayPal is known, and people are not afraid to proceed to payment, as they are on PayPal website when they pay (they get redirected to my website at the end of the process, and the file automatically downloads).
I don't need any SSL certificate on my website (quite expensive).
This has several drawbacks I would like to fix:
As the file is dynamically generated in PHP, I would like to choose the price and the currency dynamically (according to many parameters; currently the price is fixed).
In my JavaScript, there is a POST action, with a hidden "return" parameter (the URL the customer gets redirected to once payment is successful). If you know this URL, you can get the file without paying. This is a big security flaw in my implementation (even if most of my users won't know how to inspect client code).
I understand I should be using the PHP PayPal API rather than the basic PayPal button. The workflow I imagine is:
a PayPal button on the page when clicked, triggers a server side PHP script.
this PHP script decides on the price, contacts PayPal with the return URL (not available on the client side) and redirects the client to the payment page on PayPal.
the client pays in PayPal secure environment and, once payment is successful, gets redirected to my website with a temporary authenticated token (?) so he cannot transfer this URL to someone else and the file download happens.
I am a little lost with the PayPal documentation. Could you confirm my architecture principles and provide me some sample PHP code in order to achieve all that?
Other questions: I currently have a basic PayPal account. Do I need a business account? Do I need an SSL certificate? Do you know good alternatives to PayPal to do all that? Google? Visa?
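The part of the proposed workflow that closes the "anyone who knows the return URL gets the file" hole is the temporary token from the last step. The following is an added example, not code from the question or from PayPal's SDK: the server fixes the price and currency when it creates the order, and the download endpoint accepts only a signed, expiring, single-use token that is minted after the payment has been confirmed server-side (by IPN or an API call, which is outside this snippet). The `$orders` array, the function names and the pricing rule are assumptions standing in for a database and real business logic.

```php
<?php
// Added example: server-side order creation plus a single-use, expiring,
// HMAC-signed download token. Not the question's code; $orders, the secret and
// the pricing rule are placeholders for a real database and configuration.

declare(strict_types=1);

const DOWNLOAD_SECRET    = 'replace-with-a-long-random-secret'; // placeholder: load from config, not source
const TOKEN_TTL_SECONDS  = 600;                                 // a token stays valid ten minutes after payment

// Constructed stand-in for an orders table; the payment callback and the
// download script must share this state, so persist it in a real deployment.
$orders = [];

/** Step 1: the server decides price and currency; nothing from the browser is trusted. */
function createOrder(array &$orders, int $userId, string $country): array
{
    // Placeholder pricing rule; substitute whatever parameters the product needs.
    [$amount, $currency] = $country === 'FR' ? ['2.50', 'EUR'] : ['3.00', 'USD'];
    $orderId = bin2hex(random_bytes(16));
    $orders[$orderId] = [
        'user_id'  => $userId,
        'amount'   => $amount,
        'currency' => $currency,
        'paid'     => false,
        'consumed' => false,
    ];
    // The PayPal request would carry $orderId (e.g. in the `custom` pass-through field)
    // and a server-side return URL; the client never sees or chooses either.
    return ['order_id' => $orderId, 'amount' => $amount, 'currency' => $currency];
}

/** Step 2: mint a token only for an order the server has already marked as paid. */
function issueDownloadToken(array $orders, string $orderId): ?string
{
    if (!isset($orders[$orderId]) || $orders[$orderId]['paid'] !== true) {
        return null;
    }
    $expires = time() + TOKEN_TTL_SECONDS;
    $payload = $orderId . '.' . $expires;
    $mac     = hash_hmac('sha256', $payload, DOWNLOAD_SECRET);
    return $payload . '.' . $mac;
}

/** Step 3: the download endpoint checks signature, expiry and single use before streaming the file. */
function validateDownloadToken(array &$orders, string $token): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$orderId, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $orderId . '.' . $expires, DOWNLOAD_SECRET);
    if (!hash_equals($expected, $mac)) {
        return null;                              // forged or altered token
    }
    if (!ctype_digit($expires) || (int) $expires < time()) {
        return null;                              // expired
    }
    if (!isset($orders[$orderId]) || !$orders[$orderId]['paid'] || $orders[$orderId]['consumed']) {
        return null;                              // unknown, unpaid, or already downloaded
    }
    $orders[$orderId]['consumed'] = true;         // single use: a forwarded link is useless
    return $orderId;
}

// Demonstration run (constructed):
$order = createOrder($orders, 42, 'FR');
var_dump(issueDownloadToken($orders, $order['order_id']));            // before payment is confirmed
$orders[$order['order_id']]['paid'] = true;                            // done by the payment confirmation step
$token = issueDownloadToken($orders, $order['order_id']);
var_dump(validateDownloadToken($orders, $token));                      // first download
var_dump(validateDownloadToken($orders, $token));                      // same token presented again
var_dump(validateDownloadToken($orders, $token . 'x'));                // token with a damaged MAC
```

Because the token is bound to one order and signed with a server-only secret, the return URL itself can stay in the browser without giving anything away; what the download endpoint checks is the token, not who knows the URL. Marking the order consumed at the first successful validation is what stops the link from being shared after purchase.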

Related

pay with paypal api no redirect

So I have a paypal shop set up, I'm using the rest php api. For credit card transactions, the api allows me to make my own form on my site, but if paying with a paypal account, part of the api call redirects a user to the paypal.com site to log in. I understand that for security reasons, paypal doesn't want the user giving their username/password to my site. However, I do not want the user to be redirected away from my site. Is there a way to make that auto redirect in a new window, instead of the current window being changed? Ideally, the flow would be pop paypal.com window, complete payment, close window, and now back on my original page.
Is this possible?
PayPal has a feature that does exactly that. It is called DigitalGoods. Unfortunately, it is still not available with their REST API.
If you examine their REST API then you'll notice that you are handing over the control of workflow to PayPal and you don't get to open or close windows.
So, no. You cannot do what you are trying to do with the REST API.
After banging my head several times on my desk I gave up on their latest and greatest REST API and went back to their DigitalGoods API. My suggestion is you do the same and save yourself the agony I went through.
BTW, I recommend using a library such as this one. This way you don't have to learn the innards of the Digital Goods API in order to use it.

PayPal Digital Goods: How to get item number after purchase made?

I got a simple Digital Goods Checkout to work in Sandbox mode. I have a "Pay with PayPal" button that I can click which pops up a window for logging into PayPal. After that it redirects me to my purchasemade.php script, and from there I can successfully download a file.
My problem is that on my website I'm going to sell many products, so I need to know which product they want to download when they finish the purchase. Each product has a unique ID, so I thought I'd pass that ID as the item number in the HTML form as a hidden field named "item_number". However, I don't know how to read that value once I reach the purchasemade.php.
How do I read values passed in POST in the original form? Otherwise, what's the best way of identifying a product? I'm using PHP as my scripting language for this project.
If you're going to stick with Payments Standard I would recommend using IPN to deliver your digital goods. You could use PDT (which is very similar to IPN) to send order data back to the page the user gets redirected to; however, there is no guarantee they will make it here even with Auto-Return enabled in your PayPal account.
Alternatively, you could use the Express Checkout API instead of Payments Standard. This method guarantees the user will make it back to your site prior to completing payment. This will allow you to utilize session variables so you can present the download to the user on the thank you/receipt page.
Still, though, I think IPN would be your best bet regardless of which way you go. You can use it to auto-deliver the digital goods, send out general email notifications, update your database, hit third party web services, etc. all in real-time.

How to use Paypal Standard in a web application with PHP

I'm looking for a way to build a web application using paypal payments standard. I'd like the user to get redirected to paypal, then fill out their information, and upon completion, add a value in our database saying that they successfully paid. I haven't found a solution or answer to this.
I found this thread for RoR, but didn't find anything for PHP
Paypal Website Payments Standard with a Ruby/Rails application
You can see instructions for a Payment Data Transfer at PayPal's site. Basically, you post the transaction amount and an ID token to their site, the customer pays on paypal.com, and then they're sent back to a pre-defined URL on your site with the transaction details.
I used the NVP API to do that.

How to keep PayPal variables secure

I'm trying to link my 3rd party shopping cart to PayPal, and in the process I'm finding that my variables are extremely exposed, such that, if someone uses, say, Firebug, to manipulate the values of my variables, they can change the cost of the items in the transaction.
I'm very new to online carts and shopping, so my question is how do I keep this layer of exposure away from users and secure for the website?
The answer is in the Instant Payment Notification service.
Upon completing the transaction, PayPal notifies you, in a separate process, of the payment details for the last transaction.
You can check these details against the data you stored locally. If they match, all is fine. If they do not match, you will need to investigate the issue.
Never understood why PayPal does not allow the data to be signed with some sort of hash + shared secret... but that does not help you any further.
If you POST the variables to PayPal, you can encrypt the data. Unfortunately, this is not possible for a GET request, triggered from a redirect.
There is a way of getting PayPal to host the button variables on their side. Look out for PayPal Hosted Buttons in their documentation:
https://cms.paypal.com/uk/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_ButtonMgrAPIIntro#id093VD0JE0Y4
Otherwise verify with IPN as mentioned by Jacco.
Use the PayPal NVP or SOAP API to create an encrypted button. Basically you set all the information using PHP and then the API gives you the HTML.
Alternatively if you only have a couple of products you can make custom buttons.
The APIs are well documented and easy to use. Personally I used the NVP as it was recommended for less experienced programmers. You can also use both with the IPN (Instant Payment Notification) system so that, for example, digital products can be automatically emailed.
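The three answers above, and the IPN answer to the Digital Goods question earlier on this page, all come down to the same listener: take what PayPal posts to your notify URL, hand it back to PayPal for verification, and then compare it with the order you stored before sending the customer off to pay. The following is an added example, not code from any of the answers or from PayPal: the post-back with `cmd=_notify-validate` and the `VERIFIED`/`INVALID` reply are PayPal's documented IPN protocol, while the `$orders` array, the helper names, the injected verifier and the sample message are constructed for the illustration. It also shows where the hidden `item_number` and the `custom` pass-through field come back, which is the answer to "how do I know which product (or order) this payment was for".

```php
<?php
// Added example, not code from this thread or from PayPal: an IPN listener for
// Payments Standard. PayPal's verification post-back is real; $orders, the helper
// names and the sample message are constructed.

declare(strict_types=1);

// Sandbox endpoint; production is https://ipnpb.paypal.com/cgi-bin/webscr
const IPN_VERIFY_URL = 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr';
const MERCHANT_EMAIL = 'seller@example.com';   // placeholder: the account that should receive the money

/**
 * Post the message back to PayPal unchanged, prefixed with cmd=_notify-validate.
 * PayPal replies with the literal string VERIFIED or INVALID.
 */
function verifyWithPayPal(array $ipn): bool
{
    $ch = curl_init(IPN_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . http_build_query($ipn),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // the reply only means something if it really came from PayPal
        CURLOPT_HTTPHEADER     => ['User-Agent: PHP-IPN-Listener'],
    ]);
    $reply = curl_exec($ch);
    curl_close($ch);
    return $reply === 'VERIFIED';
}

/**
 * Compare a verified message with the order created server-side.
 * Returns null when everything matches, otherwise a reason to log and investigate.
 */
function checkIpnAgainstOrder(array $ipn, array $order, array &$seenTxnIds): ?string
{
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return 'payment_status is not Completed';           // Pending, Refunded, Reversed need their own handling
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', MERCHANT_EMAIL) !== 0) {
        return 'receiver_email is not our account';          // the money went somewhere else
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']
        || number_format((float) ($ipn['mc_gross'] ?? 0), 2, '.', '') !== $order['amount']) {
        return 'amount or currency differs from the order';  // button variables were altered in the browser
    }
    if (($ipn['item_number'] ?? '') !== $order['item']) {
        return 'item_number differs from the order';
    }
    $txnId = $ipn['txn_id'] ?? '';
    if ($txnId === '' || isset($seenTxnIds[$txnId])) {
        return 'missing or already processed txn_id';        // PayPal retries; a replay must not deliver twice
    }
    $seenTxnIds[$txnId] = true;
    return null;
}

/**
 * Listener entry point. $verify is injected so the flow can run offline;
 * the deployed listener passes 'verifyWithPayPal'.
 */
function handleIpn(array $ipn, array &$orders, array &$seenTxnIds, callable $verify): string
{
    if (!$verify($ipn)) {
        return 'INVALID: not verified by PayPal';
    }
    $orderId = $ipn['custom'] ?? '';   // `custom` is the pass-through field carrying our order (or user) id
    if (!isset($orders[$orderId])) {
        return 'unknown order ' . $orderId;
    }
    $reason = checkIpnAgainstOrder($ipn, $orders[$orderId], $seenTxnIds);
    if ($reason !== null) {
        return 'MISMATCH: ' . $reason;
    }
    $orders[$orderId]['paid'] = true;  // only now: deliver the file, flag the user as premium, send the e-mail
    return 'OK';
}

// Constructed sample of the fields PayPal posts to notify_url (a real IPN carries many more).
$sampleIpn = [
    'txn_id'         => 'TXN-EXAMPLE-0001',
    'payment_status' => 'Completed',
    'receiver_email' => 'seller@example.com',
    'mc_gross'       => '2.50',
    'mc_currency'    => 'EUR',
    'item_number'    => 'product-17',    // the hidden item_number from the button form comes back here
    'custom'         => 'order-abc123',  // set on the button to the server-generated order id
];
$orders = ['order-abc123' => ['amount' => '2.50', 'currency' => 'EUR', 'item' => 'product-17', 'paid' => false]];
$seen   = [];

// Stand-in verifier for the offline run; in production pass 'verifyWithPayPal' instead.
$offlineVerify = static fn(array $ipn): bool => true;
echo handleIpn($sampleIpn, $orders, $seen, $offlineVerify), PHP_EOL;   // first delivery
echo handleIpn($sampleIpn, $orders, $seen, $offlineVerify), PHP_EOL;   // same txn_id posted again
$tampered = ['mc_gross' => '0.01'] + $sampleIpn;
echo handleIpn($tampered, $orders, $seen, $offlineVerify), PHP_EOL;    // price changed client-side

// Whatever the outcome, answer HTTP 200 so PayPal stops retrying; log every non-OK result.
http_response_code(200);
```

The order of checks matters less than the fact that every field the customer could have edited (amount, currency, item, receiver) is compared against the copy the server wrote down before the redirect, and that `txn_id` is recorded so a retried or replayed notification cannot trigger a second delivery. The verification post-back is what makes the comparison meaningful: without it, anyone could POST a convincing `Completed` message to the notify URL.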

how can i use Paypal for premium section of my site and deal with premium vs normal users?

I want to achieve something like this
http://depositfiles.com/en/gold/payment.php
I have normal users signed up. I want them to upgrade to premium user. Once a person pays, how do I know which user he was signed in as? How do I force the user to login first before being able to click the paypal button and make payment? Otherwise, I would receive money, but wouldn't know which user to mark as "PAID" in my database.
When you click on the paypal button, it redirects you to the paypal page where you can login and pay.
I also want to accept Visa and Mastercard, is it doable through paypal using the same method?
Paypal's information can be found here:
Part 1
You can create a subscribe button for each type of subscription you want and use the HTML variables in Part 2 to enable you to know what type of product and what user is included in the invoice.
This needs a lot more details than you currently provide. What language have you written your website in? Static HTML? Ruby? PHP? How does PayPal's payment system work?
Normally the way it will work is that your site will pass information to paypal (http://paypal.sourceforge.net/ is one toolkit that seems to be made for php, though I've never used it so I can't really promise it's not abandonware).
Once the paypal transaction is completed successfully, control is passed back to your site. You can then set the user's flag in your database as a premium user.
As far as I can tell, you tell paypal to handle payments for you, and the user picks a funding source in paypal. If you want to have visa/mastercard separately handled from paypal you'll need another payment gateway to handle it, like mirapay or something else.