I just set up an ARB page for my sandbox authorize.net account and I am fairly certain the transaction is going through, as my error_log has nothing in it, but I wanted to view the dummy info that I sent to make sure it's actually logging this transaction somehow if that is even possible. I'm just using the sample data from that test subscription page and sending it out. Am I able to view that my authorize.net sandbox account received this data anywhere?
I have tried this in both live/test modes and subscriptions remain at 0 for both modes.
If I cannot test it this way, how can I get the page that's sending the request to report back to me that the request/response was successful?
Thanks
you have to login in authorize.net merchant account and then set a silent post url there and when ever a transaction will be done then it will return response in json format and you need to capture that event in your silent post url script and that response need to store in a table field and later on you can check about it.
for further assistance you can check following url.
http://www.johnconde.net/blog/tutorial-integrate-the-authorize-net-arb-api-with-php/
Related
I currently have a fully working cart and checkout process through PayPal _xcart method, but I want to migrate it to REST API, mainly because I want to mitigate the possibility of price-jacking. Currently my IPN does check for price jack and sets the according flags so the product doesn't get downloaded (selling digital products only). Anyway more to the point, I found the PayPal documentation very confusing and I'm struggling to get the full grips of it.
This is what I have understood and worked out till now.
Using my PHP script (let's call it page A) I create the cart content, then I create a new PayPal sale and redirect the client to PayPal for authentication
Client authentication on PayPal, then it's redirected back to my site to page B (page B is defined in page A)
Page B needs to get the PaymentID (from page A) and use it to effectively complete the transaction. Once competed finalize the checkout.
Now here are my problems:
a) I had read quite a few forums and tutorials and they all mention that I should use a session to store the PaymentId from Page A and then use it in Page B to finalize the transaction. Some threads on SO suggests that PayPal should actually include the PaymentID in the call to page B, along with the token and the PayerID. Those are almost 3 years old posts and during my testing I see that PayPal now does return the PaymentID as well.
Is this a new thing, did PayPal really started to send the PaymentID as a GET variable? OK I found this on PayPal SDK documentation (not PHP of course some other language) that they return the PaymentID as well as a GET.
Is there any disadvantage on using the GET presented by PayPal compared to storing a session from page A to B? I don't really wan't sessions, so GET will be ideal for me. I guess if it is on PayPal documentation it's safe to use.
Will this work on the live page as well or only in Sandbox?
b) On Page B when I execute the Payment I get a nice JSON as response, but in the same time my IPN listener also gets called, and this is what confuses me big time. Can/Should I just trust all the data which is in the JSON response and more or less ignore the IPN listener? This will make sense for instant download, for example, much more easier to process, or should I still rely on the IPN for data validation?
If I use only the JSON returned to Page B, which are the correct fields to look for and what values? For example, there is a state field which is approved and another (Transactions -> related items -> state) which is competed. Which one do I need to check?
If I rely on the JSON do I still need to check if the paid amount matches the original amount or can I trust that the payment is equal to the amount I have requested in my call?
If I use the IPN how can I pare it with the transaction? The PaymentID doesn't show up in the variables posted to the IPN. The only way I could think of is to get the txn_id from the JSON response, but somehow that feels odd, plus how can I know if the JSON response hit the server BEFORE the IPN?
Can/Should I just trust all the data which is in the JSON response and more or less ignore the IPN listener?
Yes, and no. In that order.
In a nutshell, you can't trust the payment ID in the call to "Page B" (it could be forged, faked, repeated etc) but you can trust the response YourServer->PayPalServer as it can't be intercepted and faked by the end user.
So your process is (as you describe above)
Page A: Create a sessionID (cookie), amount, cart details etc and store in a local database/storage. You can also create a "custom" field to store your own saleID
Send off amount etc to Paypal, which returns you to ....
Page B: Grab the PayPal TransactionID and send back (server->server) to PayPal. Paypal returns the amount, state etc. Then check your database that the amount is the same and that it belongs to the sessionID. If you also use custom fields, check that too. If everything marries, you're good. If not, it's up to you how to handle.
The status should be "complete" for a simple sale at this point; but (as with IPN below) you should verify this.
Do check the amounts, just in case. They should match, but if not, the PayPal one will be what you receive and it's up to you to accept it, flag it (and phone up) or refund through the API and reject the order etc.
So why have IPN?
It is possible that the user completes the transaction on Paypal and then closes their browser before "Page B" is called. In this case, the only way you know about the order is through the IPN.
If you get an IPN notification going to your IPN handler, IPN can still be faked, but there's a slightly different way of verifying.
You actually send the IPN information back to Paypal (server to server) and Paypal confirms it's correct or wrong (https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNIntro/). Your IPN handler will then check the transaction ID (yes, that's what you use) and verify everything matches in the database (just like you do in "Page B"). If it does, mark the order as complete if the status is complete (and if not already marked as complete in "Page B").
Obviously you can't display anything to the user at this point as they are not the ones that called the page.
The docs above warns you that you can get multiple IPNs for the same transaction so you also need to check status.
(Note: you could use the APIs to verify the transactionID as you do in "Page B").
So why not reply on IPN?
Paypal warn that the IPN may not arrive. Paypal explains it best:
Although PayPal usually processes IPN messages immediately, IPN is not synchronized with actions on your website. Internet connectivity is not always 100% reliable and IPN messages can be lost or delayed. The IPN service automatically resends messages until the listener acknowledges them. The service resends messages for up to 4 days.
Because IPN is not a real-time service, your checkout flow should not wait for the IPN message before it is allowed to complete. If the checkout flow is dependent on receiving an IPN message, processing can be delayed by system load or other reasons. You should configure your checkout flow to handle a possible delay.
So back to the original question
Yes: rely on the JSON (server->server) call you make to verify the parameters to "Page B" (and in and the IPN handler if you choose)
No: Don't ignore the IPN in case Page B never gets called. But still run the verification checks here too.
Yes: Check state = complete for both "Page B" and "IPN handler"
Yes: Use the Paypal TransactionID, but mix into your own database with either custom fields or sessionID.
Yes, you can/will get both Page B and IPN notifications, I'd suggest ignoring the IPN if the payment is already marked as completed, otherwise process and handle appropriately. They should be using the same database.
I am currently using the following library:
https://github.com/paypal/adaptiveaccounts-sdk-php/tree/master/samples/IPN
And Paypal IPN seems to be working fine... I can successfully checkout and all of the POST data from Paypal is logged to my server, only problem is - How do I check against it when the user is back on the site?
I currently have the return URL set to the same as the IPN url (look in github for code) and after I get all of the valid data, the user gets returned to the IPN page and it says invalid.
Not quite sure, any thoughts?
IPN should NOT be used as the return URL.
Return URL brings the buyer back to your site. The page at the return URL should display either a generic thank you page, or a page indicating the status of the buyer's order. Which one of the above to choose, depends on the PayPal product you select, your integration and your purchasing flow.
The script URL of the IPN listener is used to automate your order handling process. The IPN listener gets the IPN messages, processes your order in your own defined way.
IPN listener should post back very specific data to PayPal IPN endpoint with HTTP Status 200. If it also outputs a page, it makes things too complicated. You would need to differentiate between a buyer visit and a PayPal IPN message, and need to do corresponding display or IPN verification. To make things simple, separating the two things into two pages / scripts would be better and more logical.
I think this is the reason why your buyer gets "invalid": your IPN listener gets the request data when a buyer returns to your listener, and uses the data to verify IPN with PayPal. PayPal returns "invalid" as the data are not from valid IPN messages and thus cannot be verified.
Not a Php dev and haven't looked, but if you really want to use the same URL (I wouldn't - they serve different purposes), then the difference would be the (http) request method:
GET for a redirect and
POST for IPN
That would be one way you'd determine what kind of Request that url is getting and handle as you deem fit.
so I got a guy to code this IPN feature for my website.
Basically a user pays thought the main site then it forwards the ipn stuff to another server and that server sends ipn payment to paypal. For some reason it keeps saying "retrying" under the paypal IPN history. Is paypal blocking this and does the payment have to be made from the same server? Thanks hopefully this makes sense!
IPN does not happen until after any transaction has occurred, so what you're saying here doesn't really make sense. There's no way IPN would be sending any payment to PayPal. PayPal simply POSTs transaction data to your IPN URL after the transaction has taken place.
That said, if you're seeing "retrying" in your IPN History that means your IPN script is not completing successfully, and as such, is not returning a 200 result code back to PayPal's server. You need to troubleshoot your IPN script to figure out what's failing and get it fixed.
Your web server logs should provide the information you need. If you look there you should see a log of when your IPN URL was hit and it should also provide the result including any errors that were generated from the request to that script.
I like to create a simple HTML form with the action set to my IPN URL and then include hidden fields that match the fields/values that I would expect to get from IPN. This way you can load that in a browser and submit it directly so that you can see the result on screen which can help with troubleshooting and debugging.
Keep in mind that when testing that way, though, the data is not coming from PayPal's servers, so it will not verify. You'll need to make sure your script is setup to handle this accordingly for testing purposes.
I have an option on my phpBB forum to add a Paypal Buy Now button to enable users to sell and purchase items. I would like to have the ability to automatically close a topic once a user makes a purchase through paypal to avoid multiple users from purchasing the same item.
Is it possible to get the user's session data from paypal once they make a transaction? Then incorperate session data into a variable like:
$paypal = (isset($_POST['purchased'])) ? true : false;
Not sure if I need to download the Paypal SDK for this or not.
Any suggestions would be great, thanks.
Is it possible to get the user's session data from paypal once they
make a transaction?
You really want to trust the user's session data? I am sure you can read the session data, you don't want to do that, would be trivial task to alter it. Even if you can you really shouldn't read the session data for another website.
Not sure if I need to download the Paypal SDK for this or not.
This would be the correct way to do it.
When I last used it, Paypal Standard allowed you to specify a return URL (where to send the user) for failures and for successes. Dynamically generate some secret hashes to facilitate when the user is finally redirected.
Or you can use IPN.
Don't rely on the return URL. Buyers can (and will) close their browser / tab after completing a payment.
Instead, use PayPal Instant Payment Notifications to receive a server-to-server notification from PayPal which you can subsequently verify and use to update your database with the appropriate flag for a phpBB closed thread.
IPN works as follows:
You create the PayPal and incude a "notify_url". The value for this parameter will be the full URL to a script on your server, called the 'IPN script' or 'IPN handler'.
You can specify an IPN handler as follows for Website Payments Standard
<input type="hidden" name="notify_url" value="http://blah.com/ipn.php
For Express Checkout or Website Payments Pro, simply include the following in your SetExpressCheckout/DoExpressCheckoutPayment or DoDirectPayment API call respectively.
NOTIFYURL=http://blah.com/ipn.php
A buyer completes a transaction via PayPal
Once the buyer completes the transaction, he/she may close the browser, or return to your website
Once the transaction is accepted and processed by PayPal, PayPal will send out a notification to http://blah.com/ipn.php
You need to take all POST data that was sent to this script, and POST it back to https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate
If the data you send back matches the data PayPal sent you, a 'VERIFIED' response is returned.
If the response is VERIFIED, it's at this point that you would look up the matching transaction/buyer on your end, and update the phpBB thread status appropriately.
Some sample code and documentation for PayPal IPN is available at https://www.paypal.com/ipn/
In addition, some tips on making a secure IPN script are available at https://www.x.com/developers/community/blogs/ppmtsrobertg/securing-your-instant-payment-notification-ipn-script
Note: If you want to include any custom data along with the transaction which you can read out later, use 'custom'.
<input type="hidden" name="custom" value="xxxxx">
This will also be returned in the IPN POST data sent from PayPal.
I created a hosted button using a business account and integrated that code with my php application.
I use 'Website Payments Standard' and generated the 'Buy Now Button' using the tool provided in 'Merchant Services' page.
I am using http://sandbox.paypal.com/ to test this.
Configurations in Merchant Profile:
Instant Payment Notification (IPN) is
'Enabled' and 'Notification URL'
given.
Auto Return is On.
Return URL specified (the same given above in notification URL)
Payment Data Transfer is On
Website Payment is Off
PayPal Account Optional: is Off
While creating the button also in the third option I gave the same notify_url.
Transaction happens successfully and gets redirected to my notify_url.
The issue is, $_POST from paypal response in my notified page is empty.
I printed the $_POST in the first line of my notifier page itself. Do I need to add any other configuration? Am I making any mistake?
The data is going to the IPN url. Log the $_POST data to a file from the script at the IPN URL and see what you are getting. I think if you turn off the IPN, you may then get the data on the notify_url (been a while though, not 100% sure on that part).
the notify url is just for receiving the data from paypal about the transaction, it's not a webpage that you can display, because it doesn't happen inside the normal page flow, paypal simple opens a curl command (or similar) to your server and dumps all the data over $_POST
the return url is only used when the user clicks to return to your website.
so don't use the return url for recording the status of the payment, or sending emails, it'll fail badly, always use the notify url for doing that, the return url is just to show the user something pretty after he's paid, or not pretty if it failed