I have a website (built in Laravel) that allow merchants with a PayPal account to sell their items, which is similar to eBay with no cart function. However, I have issue on integrating PayPal into my website as I do not know what is the best way to ensure the data are correct. I have think of the follow method to implement, but it seems none of the are looking good for me.
Using JavaScript button
<script src="/js/paypal-button.min.js?merchant=MERCHANT_EMAIL"
data-button="buynow"
data-name="My product"
data-amount="1.00"
async
></script>
This is not secure as any user can tamper with the detail of the order such as price and there is no way to prevent this.
Using HTML form
<form method="post" action="https://www.paypal.com/cgi-bin/webscr" class="paypal-button" target="_top">
<div class="hide" id="errorBox"></div>
<input type="hidden" name="button" value="buynow">
<input type="hidden" name="item_name" value="My product">
<input type="hidden" name="amount" value="1.00">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="MERCHANT_EMAIL">
<input type="hidden" name="env" value="www">
<button type="submit" class="paypal-button large">Buy Now</button>
</form>
This method also have the same issue as method 1 as user can change the value in the form before submitting the order.
Using PayPal Hosted Button
By far, I think this is one of the secure way to integrate a PayPal Pay button into my website. But I cannot dynamically change the item details and price on my website as the button is hosted in PayPal.
Using PayPal IPN
The PayPal IPN is used to validate the payment detail after the payment is done by the user. As each of the merchant has different PayPal account, I could not configure the IPN url for each of their account. So passing notify_url variable while submitting the payment form are necessary to make sure all the payment detail are sent and returned to my dedicated IPN url.
I searched online and found most of the people are using this method to validate the fraud payment, but I think this is only suitable for payment to only one PayPal account instead of dynamic merchant's PayPal account. If I passed the notify_url variable in HTML form, the user can still tamper with the value which lead to the failure of validating the payment detail as the IPN url is not valid or tampered, and in the end the result would be either Payment Pending or Payment not received as I couldn't validate the payment details.
Is there a good solution or suggestion to my problem?
Related
The website already accepts payment, and send you your details once the payment has been made.
How can I do this with paypal? I know how to add a paypal button, but how do I link it with my website to trigger the confirmation email once the payment has been processed through paypal?
When submitting the form to PayPal insert another input with the name of return where the PayPal should return when a successful payment has been done.
<input type="hidden" name="return" value="www.yourwebsite.com/payment-done">
Give a link to your website and then you can send the confirmation email to the client through your server.
Example:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="business" value="seller#designerfotos.com">
<input type="hidden" name="item_name" value="hat">
<input type="hidden" name="amount" value="15.00">
<input type="hidden" name="return" value="www.yourwebsite.com/payment-done">
</form>
There are several variables that you can use;
return - The URL to which PayPal redirects buyers' browser after they complete their payments.
rm - Return method. The FORM METHOD used to send data to the URL specified by the return variable.
cancel_return - A URL to which PayPal redirects the buyers' browsers if they cancel checkout before completing their payments.
Read more;
PayPal Checkout Page Variables - PayPal Developer
HTML Form Basics - PayPal Developer
I have payments set up (using php) so that when a customer returns to the success.php file (after payment process on Paypal using an IPN listener) they are added to the db with a new membership number, which is also generated in the success.php file. The process works fine if the customer pays as a guest, they are returned to the success.php page as they should be. However, if the customer logs in to paypal rather than paying as a guest they are redirected to the Paypal user account page instead of back to the success.php page on my site. This means the payment has been taken but their membership number is not created or added to the db.
Is there a way to force ALL customers back to my success page or should the code to create the new member be added to the ipn listener (ipn.php) file so it wouldn't matter if they didn't come back to the success page?
This is the code I use in the checkout page to set the return url.
<form action="<?php echo $paypalURL; ?>" method="post">
<!-- Identify your business so that you can collect the payments. -->
<input type="hidden" name="business" value="<?php echo $paypalID; ?>">
<!-- Specify a Buy Now button. -->
<input type="hidden" name="cmd" value="_xclick">
<!-- Specify details about the item that buyers will purchase. -->
<input type="hidden" name="item_name" value="<?php echo $item_name; ?>">
<input type="hidden" name="item_number" value="<?php echo $item_number; ?>">
<input type="hidden" name="amount" value="<?php echo $price; ?>">
<input type="hidden" name="currency_code" value="GBP">
<!-- Specify URLs -->
<input type='hidden' name='cancel_return' value='http://example.com/payment-cancelled'>
<input type='hidden' name='return' value='http://example.com/thanks-for-joining/'>
<!-- Display the payment button. -->
<input type="submit" name="submit" class="button" value="Pay Now">
</form>
I should add that I have only tested this in sandbox mode so far, so if anyone knows if this is a sandbox only issue, please let me know.
UPDATE: Further testing shows that the return url no longer works with a guest check out either. This has only started happening since sandbox payments are going through the new payment pages (screenshot attached).
Has paypal changed the method of requesting a return url?
I fought with a few ways of integrating paypal's payments into my site. From what I've read here on stackoverflow, on paypal's site, and all over the web, it is probably best to put all of that backend work into your listener. You could set up something on the front-end to prep your DB for the customer, but the major problem with using the success page for this information is that:
1) your customers could just enter the URL of your success page if known
2) A customer can choose not to be redirected after paypal and may not return to your site at all (this is the best reason as I can see it).
3) Sometimes paypal redirects, but the listener may not have received paypals response of completed, pending, .etc (this is why they wait 10sec before redirection), so you do not want the user to go elsewhere or have been verified prematurely.
Honestly, placing all the code in your listener is quite simple as well and reduces miscommunication between your success page and paypal. As for testing, I just used the IPN simulator to test my code and it was fine.
As for the redirect URL, there are a few redudancies in paypal, if you use buttons, the option 3 (I believe) will provide a return URL that overrides the others. I'm not sure about using sandbox, but make sure you have .sandbox.paypal in your code to ensure it works (https://gist.github.com/xcommerce-gists/3440401#file-completelistener-php).
I hope this helps.
I've got a custom form which makes a request to paypal. The problem with this is that people can edit this in inspector.
I've got the cart info into a cookie and database too. is there a way to first go to the back end, check all info there and then send it to paypal?
I've looked into IPN but don't understand it really. also my website is currently running on localhost so I need to set some ports open to get messages from paypal. which can't because I'm working on a network where I can't access the router.
I've tried send the form to the backend, compared it with the cart cookie & database. But I don't know if I can send the form in backend.
<div class="paypal pull-right">
<form name="_xclick" action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_cart">
<input type="hidden" name="upload" value="1">
<input type="hidden" name="business" value="[Business name here]">
<input type="hidden" name="currency_code" value="EUR">
<input type="hidden" name="return" value="http://domain/shop/paid">
<input type="hidden" name="cancel_return" value="http://domain/shop/payment_failed">
<?php
$i = 1;
?>
#foreach($cart as $item)
<input type="hidden" name="item_name_{{ $i }}" value="{{$item['name']}}" />
<input type="hidden" name="amount_{{ $i }}" value="{{$item['price']}}" />
<input type="hidden" name="quantity_{{ $i }}" value="{{$item['quantity']}}" />
<?php $i++; ?>
#endforeach
<input type="image" src="http://www.paypalobjects.com/en_US/i/btn/btn_buynow_LG.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>
You could just create a hosted button and then people can't edit the info for the transaction. When creating the button in your PayPal account just make sure to use the "Save at PayPal" option.
EDIT You won't be able to use a hosted button because of your itemized, dynamic pricing, so Express Checkout is going to be your best bet.
I would recommend you switch to using the Express Checkout APIs instead of Payments Standard. It has quite a few advantages over Payments Standard, primarily the ability the force the guest checkout experience so non-PayPal account holders can easily pay with a credit card.
This PayPal PHP SDK will make the API calls very quick and easy for you.
Basically, you'll use SetExpressCheckout to start the process, then GetExpressCheckoutDetails to pull the buyer's details from PayPal after they've logged in, and then DoExpressCheckoutPayment to finalize the transaction and process the payment.
This method will also keep people from doing anything with the button code because it's all in PHP and API calls.
IPN is still a great tool, but you wouldn't need it to validate your pricing or anything like that (unless you just still wanted to for any reason).
It's a tool you can use to automate pretty much any post-transaction task. This includes payments, refunds, disputes, cleared e-checks, etc. So you can update your database, send custom email notifications, hit 3rd party web services, etc. automatically when transactions hit your PayPal account.
I'm integrating paypal and I have done it correctly. I have set the return URL, so it give me below result set in url $_GET.
Array ( [tx] => 7XV08083GT683520Y [st] => Completed [amt] => 22.16 [cc] => USD [cm] => [item_number] => item_number )
My concern is there is no way to validate the data that has returned from Paypal. I have experienced with other payment gateways. Other payment gateways allow you to do hashMatch which allows to make sure that submitted data by the form has been not edited.
My form is as below.
<form method="post" action="https://www.sandbox.paypal.com/cgi-bin/webscr">
<!-- Identify your business so that you can collect the payments. -->
<input type="hidden" value="dasun_1358759028_biz#archmage.lk" name="business">
<!-- Specify a Buy Now button. -->
<input type="hidden" value="_xclick" name="cmd">
<!-- Specify details about the item that buyers will purchase. -->
<input type="hidden" value="AM Test Item" name="item_name">
<input type="hidden" value="22.16" name="amount">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" value="item_number" name="item_number">
<!-- Display the payment button. -->
<input type="image" name="submit" border="0" src="https://www.paypalobjects.com/en_US/i/btn/btn_buynow_LG.gif" alt="PayPal - The safer, easier way to pay online">
<img alt="" border="0" width="1" height="1" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" >
</form>
My php code output
<input type="hidden" value="50.16" name="amount">
But I used firebug and edited it to below & did the payment.
<input type="hidden" value="22.16" name="amount">
Still I get the result as it's a Completed payment but It should not be since I have made changes manually. Anyone who has a knowledge can edit them. How can I make sure that this is a valid payment ? How can I make sure that form data is not edited like I did ?
Anything that is critical and requires DB interaction should use Paypals IPN for data that MUST be verified. Essentially Paypal will Post the URL on your website with data and your script will have to post the exact data back plus a command to verify that the data is indeed correct. After Paypal gives an "verified" response, then you update your data.
Another alternative is using Paypal's express checkout, essentially you are getting an "ok" to charge a customer for "x" amount, once the customer agrees to pay the amount, you post the data to Paypal with the customers "agreement" and you will get a response if the transaction was complete or not.
https://www.paypal.com/ipn
https://www.x.com/developers/paypal/documentation-tools/express-checkout/integration-guide/ECGettingStarted
Before redirecing to paypal store your data in database (product_id, amount, quantity, etc)
After returning from payapl check the return values with your database.
This is the proper way of doing it.
If you want to notify whether you are returned from paypal than You should use Paypal API instead of "Buy now" button API provide more flexibility and power to control your payment process
You may try some of these:
1) Creating an Encrypted Button on the PayPal Website
2) Encrypting Buttons Dynamically With Encrypted Website Payments (EWP)
available at: http://www.paypalobjects.com/en_US/ebook/PP_WebsitePaymentsStandard_IntegrationGuide/encryptedwebpayments.html
Also, this SO link has some details:
Dynamic PayPal button generation - isn't it very insecure?
How can I verify a paypal donation?
In the user panel I have a donate button. And once someone actually donates I want to do something to him. But I do not know how to check if the user actually donated or just clicked the donate button.
Look in to Paypal's IPN (Instant Payment Notification)
When someone makes a payment or donation to your Paypal account, Paypal will send a post message to your web server with all the payment details. You can then send a message back to Paypal to make sure that the payment was real...
There are even some code examples on paypal's website. Including one for PHP.
Note you have to enable IPN and define the call back URL in your paypal account before you can start using IPN.
It's in the same manual. It may be a bit tougher to do however, as you will need a PHP script that receives the payment info.
Return URL – Let people return to a page on your website if they
click a return link or button on the
PayPal payment confirmation page.
To learn more, see Step 2 of Page 2 – Specifying Advanced Features
of Your Donate Button or HTML
Variables for Displaying PayPal
Checkout Pages.
Auto Return – Have PayPal return people automatically to a page on your
website.
Important: PayPal recommends that you turn Payment Data Transfer on
when you turn Auto Return on. With
Auto Return on, PayPal redirects
people to your website from an
alternative PayPal payment
confirmation page that does not
display a View Printable Receipt link,
so people cannot print PayPal payment
receipts. Payment Data Transfer
provides the transaction information
that you need to let people print
receipts from your website.
To learn more, see Auto Return.
Payment Data Transfer – PayPal includes information about the
completed transaction when you use a
return URL or Auto Return to send
people back to your website. Use the
information that Payment Data Transfer
provides to display a “thank you,
print your receipt” page on your
website.
To learn more, see the Payment Data Transfer page on Developer
Central.
There are two way to check donor made donation:
1) used "notify_url" parameter (safe)
2) used "return" parameter ( unsafe)
Code example:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<!-- Identify your business so that you can collect the payments. -->
<input type="hidden" name="business"
value="donations#kcparkfriends.org">
<input type="hidden" name="bn" value="mbjtechnolabs_SP">
<!-- Specify a Donate button. -->
<input type="hidden" name="cmd" value="_donations">
<!-- Specify details about the contribution -->
<input type="hidden" name="item_name" value="Friends of the Park">
<input type="hidden" name="item_number" value="Fall Cleanup Campaign">
<input type="hidden" name="amount" value="25.00">
<input type="hidden" name="currency_code" value="USD">
<!-- Display the payment button. -->
<input type="image" name="submit" border="0"
src="https://www.paypalobjects.com/en_US/i/btn/btn_donate_LG.gif"
alt="PayPal - The safer, easier way to pay online">
<img alt="" border="0" width="1" height="1"
src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" >
</form>
When some one made donation donor automatically redirect to return url but this option is not safe because may be some one direct open this url.
best way to know donor made donation choose paypal notify_url parameter.
PayPal will send post request to notify_url.