How to secure Buy Now Paypal button? - php

I want to create a "Pay what you want" paypal button with minimum amount set.
I am adding the following code on my website
<form name="_xclick" action="https://www.paypal.com/us/cgi-bin/webscr"
method="post">
<input type="hidden" name="cmd" value="_xclick" />
<input type="hidden" name="business" value="YOUR EMAIL ADDRESS" />
<input type="hidden" name="currency_code" value="EUR" />
<input type="hidden" name="item_name" value="YOUR_PRODUCT_NAME" />
<input type="hidden" name="no_shipping" value="1" />
<input type="hidden" name="address_override" value="1" />
<input type="number" name="amount" value="5" placeholder="5" min="5"/>
<input type="image" src="http://www.paypalobjects.com/en_US/i/btn/btn_buynow_LG.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!" />
</form>
Since this code is easily visible in the source code of my web page:
1) Anyone can see my email.
2) Anyone can change the code to start paying, say, EUR 0.01. Since I will be charged 1.9% + EUR 0.35 for each transaction, someone can easily piss me off!
Please let me know if it is safe!
Note:
1) I have no issue regarding payment with a changed price, since I will first see the transaction and then deliver the product.
2) I don't want a hosted button because I need variable pricing, and I don't want to use a donate button (as it is not for personal blog fundraising, I guess).
Thanks!

There isn't any way to do it with the standard buttons. A user could easily tamper with the payment between your site and PayPal. The only way to do it would be with Encrypted Website Payments.
Read more here: https://developer.paypal.com/docs/classic/paypal-payments-standard/integration-guide/encryptedwebpayments/#id08A3I0P017Q
You must be comfortable programming in scripts like PHP and ASP to use Encrypted Website Payments.
This will make your payment buttons tamper proof.
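As an added example (not the answer's own code) of the Encrypted Website Payments approach the answer points to, applied to the "pay what you want, minimum EUR 5" case: the buyer posts a desired amount to this PHP page, the server clamps it to the minimum, and the whole button payload is signed with the merchant certificate and encrypted to PayPal's certificate using PHP's openssl extension. The three PEM paths, `seller@example.com` and `YOUR_CERT_ID` are placeholders you replace with your own; the S/MIME layout (MIME headers, blank line, base64 body) that the code strips is assumed from what the openssl extension emits.

```php
<?php
// Added example: build a PayPal Encrypted Website Payments (EWP) button in PHP.
// Placeholders: the PEM paths, seller@example.com and YOUR_CERT_ID (the cert ID PayPal
// shows after you upload your public certificate in your profile).
function paypal_ewp_button(array $fields, string $myCertPem, string $myKeyPem,
                           string $paypalCertPem, string $certId): string
{
    $fields['cert_id'] = $certId;
    $plain = '';
    foreach ($fields as $k => $v) {
        $plain .= "$k=$v\n";                  // EWP plaintext is one name=value per line
    }
    $in  = tempnam(sys_get_temp_dir(), 'ewp');
    $sig = tempnam(sys_get_temp_dir(), 'ewp');
    $enc = tempnam(sys_get_temp_dir(), 'ewp');
    file_put_contents($in, $plain);
    // Step 1: sign with the merchant cert + private key (binary S/MIME, signature not detached).
    if (!openssl_pkcs7_sign($in, $sig, $myCertPem, $myKeyPem, [], PKCS7_BINARY)) {
        throw new RuntimeException('sign failed: ' . openssl_error_string());
    }
    // Assumed S/MIME layout: MIME headers, a blank line, then base64; keep only the DER body.
    $der = base64_decode(explode("\n\n", file_get_contents($sig), 2)[1]);
    file_put_contents($sig, $der);
    // Step 2: encrypt the signed blob to PayPal's public certificate.
    if (!openssl_pkcs7_encrypt($sig, $enc, $paypalCertPem, [], PKCS7_BINARY, OPENSSL_CIPHER_3DES)) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    $body = explode("\n\n", file_get_contents($enc), 2)[1];
    unlink($in); unlink($sig); unlink($enc);
    return "-----BEGIN PKCS7-----\n$body\n-----END PKCS7-----";
}
// The buyer chose an amount on the previous page; the SERVER enforces the minimum before
// it is sealed into the blob, so editing the page source no longer changes what PayPal charges.
$amount = max(5.00, (float) ($_POST['amount'] ?? 5));
$encrypted = paypal_ewp_button([
    'cmd'           => '_xclick',
    'business'      => 'seller@example.com',          // placeholder
    'currency_code' => 'EUR',
    'item_name'     => 'YOUR_PRODUCT_NAME',
    'amount'        => number_format($amount, 2, '.', ''),
    'no_shipping'   => '1',
], file_get_contents('/path/to/my-public-cert.pem'), file_get_contents('/path/to/my-private-key.pem'),
   file_get_contents('/path/to/paypal_cert.pem'), 'YOUR_CERT_ID');
?>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="encrypted" value="<?= htmlspecialchars($encrypted) ?>">
<input type="submit" value="Buy Now">
</form>
```

The visible form now carries only `cmd=_s-xclick` and the opaque `encrypted` value, so neither the business email nor the amount is readable or editable in the page source.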

Related

PHP Worldpay Form Integration - prevent asking for customer details again

I'm currently looking to integrate Worldpay into a custom shopping cart. (What a horrible system to integrate with.) Anyway, from the little information I can find, I've opted for a simple form for sending the payment information over.
But Worldpay seems to want to ask for my customers' cardholder details again on the Worldpay form. Can these at least be prefilled?
My code is (for example):
<form action="https://secure.worldpay.com/wcc/purchase" method="POST">
<input type="hidden" name="testMode" value="100" />
<input type="hidden" name="instId" value="XXX">
<input type="hidden" name="amount" value="20.00">
<input type="hidden" name="currency" value="GBP">
<input type="submit" value="Buy" />
</form>
I've dug around the WP documentation to no avail. Wish we'd opted for PayPal now!
You need to send the name and address details as well. See integration examples here, example 05 has name and address fields > http://support.worldpay.com/support/bg/index.php?page=development&sub=integration&subsub=examples#basic
and look at this pdf, around page 21 http://support.worldpay.com/support/kb/bg/pdf/rhtml.pdf

PayPal - after payment with php

I've set up a payment button on my website and users can choose what they want and make payments fine. What I am struggling with is working out how to give them what they paid for. So for example they paid $10 for a book, I want the book to be awarded to their account once the payment has gone through.
What I've found is that you need to use an IPN but for that you need an API, whatever these are. Is this the only way to do it in php? Looks very complicated for such a simple task and I'd rather get them to send payments to me and I will manually add what they paid for.
EDIT
Here's what I'm following: https://developer.paypal.com/webapps/developer/docs/classic/products/instant-payment-notification/
This is how I set up my paypal checkouts in my websites:
<form name="_xclick" action="https://www.sandbox.paypal.com/cgi-bin/webscr"
method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="YOUR SANDBOX SELLER EMAIL">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="item_name" value="Digital Download">
<input type="hidden" name="amount" value="9.99">
<input type="hidden" name="return" value="THIS URL">
<input type="hidden" name="notify_url" value="THE URL TO YOUR ipn.php SCRIPT">
<input type="image" src="http://www.paypal.com/en_US/i/btn/btn_buynow_LG.gif"
border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>
Inside your ipn.php you can add an SQL statement to change the user's access to the book.
I have found this tutorial very useful when it comes to paypal forms:
http://www.micahcarrick.com/paypal-ipn-with-php.html
Paypal form API:
https://developer.paypal.com/docs/classic/paypal-payments-standard/integration-guide/formbasics/

Secure "amount" variable when passing form to paypal with Buy Now button form

I'm working on a standard paypal button "Buy Now". Currently I'm still working with Sandbox accounts but there's something weird...
Here is my HTML:
<input type="hidden" value="address#gmail.com" name="business">
<input type="hidden" value="EUR" name="currency_code">
<input type="hidden" value="FR" name="lc">
<input type="hidden" value="" name="encrypt">
<input type="hidden" value="http://mywebsite.com/paypal_ipn/process" name="notify_url">
<input type="hidden" value="http://mywebsite.com/thanks" name="return">
<input type="hidden" value="http://mywebsite.com/cancel" name="cancel_return">
<input type="hidden" value="Item 1" name="item_name">
<input type="hidden" value="0.89" name="amount">
<input type="hidden" value="1" name="test">
<input type="hidden" value="2" name="rm">
<input type="hidden" value="paynow" name="type">
<input type="hidden" value="_xclick" name="cmd">
I wanted to see if I could just change the amount value using web inspector (like Firebug) to change my product price before accessing Paypal transaction... and yes I just could buy my product with 0.01 instead of 0.89...
HOW CAN I SECURE THIS !!! THANKS
The easiest way is to generate encrypted PayPal buttons from within the PayPal site itself. Folks cannot change the price or other items before sending them to the gateway.
Also, PayPal has an API that you can use to securely send information to their gateway.
https://www.paypal.com/cgi-bin/webscr?cmd=_dcc_hub-outside
Direct Payment API offers you direct credit card payment processing capability through PayPal. For credit card transactions, customers stay on your website as PayPal processes the payment in the background.
By integrating Direct Payment API with Express Checkout, as part of the Website Payments Pro solution, you can accept all major payment types, including PayPal, while working with a single provider that processes and manages all your online payments for you.
It's quite a bit more complex to get implemented than the "Generate Button" method, but it also has other benefits, namely better security and that the user does not have to leave your site to check out.

Dynamically generating PayPal buttons

What's the best way to dynamically generate an "Add to Cart" PayPal button in PHP? My idea is to take the basic HTML code and simply echo the required variable but I'm not sure if it's the most secure way...
<form name="_xclick" action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="me#mybusiness.com">
<input type="hidden" name="currency_code" value="NZD">
<input type="hidden" name="item_name" value="<?= htmlspecialchars($name) ?>">
<input type="hidden" name="amount" value="<?= htmlspecialchars($price) ?>">
<input type="image" src="http://www.paypalobjects.com/en_US/i/btn/btn_buynow_LG.gif"
border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>
(Code above from PayPal's Advanced Techniques page)
Doing it that way isn't very secure because people can still view source and see the end result on your page. Then they could take that, make changes to it, load it in their own browser and pay you for an item at a much lower price.
You can utilize IPN to help flag orders that don't look accurate by cross-referencing your pricing, but this can be a hassle.
You could use the Button Manager API to generate your buttons as hosted buttons on PayPal. This way people can't see the details in the source code and wouldn't be able to make changes.
Alternatively, you could use the Express Checkout API, which is what I prefer and recommend if you know how to work with web service APIs.
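As an added example, not code from either of the answers above, here is the ipn.php listener that the "PayPal - after payment with php" answer refers to, written the way the answer above suggests: it verifies the notification with PayPal and then cross-references the amount, currency, item and receiver against the server's own price table, so a button whose amount was edited in the browser is flagged rather than fulfilled. `RECEIVER_EMAIL`, the `PRICES` table and the fulfilment step are placeholders; the sandbox flag selects PayPal's sandbox IPN verification host.

```php
<?php
// Added example: IPN handler that never trusts the amount from the client-side form.
// Placeholders: RECEIVER_EMAIL, the PRICES table, and the SQL that grants access.
const RECEIVER_EMAIL = 'seller@example.com';
const PRICES = ['Digital Download' => ['amount' => '9.99', 'currency' => 'USD']];

function ipn_is_verified(string $rawPost, bool $sandbox = false): bool
{
    // Post the untouched body back with cmd=_notify-validate; PayPal replies VERIFIED or INVALID.
    $host = $sandbox ? 'ipnpb.sandbox.paypal.com' : 'ipnpb.paypal.com';
    $ch = curl_init("https://$host/cgi-bin/webscr");
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawPost,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    $reply = curl_exec($ch);
    curl_close($ch);
    return $reply === 'VERIFIED';
}

function ipn_check(array $p, array $prices, string $receiver): array
{
    // Returns [bool ok, string reason]; every field is compared to a SERVER-side expectation.
    if (($p['payment_status'] ?? '') !== 'Completed') return [false, 'payment not Completed'];
    if (strcasecmp($p['receiver_email'] ?? '', $receiver) !== 0) return [false, 'paid to another account'];
    $expected = $prices[$p['item_name'] ?? ''] ?? null;
    if ($expected === null) return [false, 'unknown item_name'];
    if (($p['mc_currency'] ?? '') !== $expected['currency']) return [false, 'currency mismatch'];
    // Compare in integer cents: string compare rejects "9.9" vs "9.90", float compare risks rounding.
    $paid = (int) round((float) ($p['mc_gross'] ?? 0) * 100);
    if ($paid !== (int) round((float) $expected['amount'] * 100)) {
        return [false, "amount mismatch: paid {$p['mc_gross']}, expected {$expected['amount']}"];
    }
    return [true, 'ok'];
}

$raw = file_get_contents('php://input');
parse_str($raw, $post);
[$ok, $why] = ipn_check($post, PRICES, RECEIVER_EMAIL);
if (!ipn_is_verified($raw, true) || !$ok) {
    error_log("IPN rejected for txn {$post['txn_id']}: $why");   // flag for review, do NOT deliver
} else {
    // Grant access here (your SQL), only for a txn_id you have not fulfilled before,
    // so a re-sent or replayed notification cannot deliver the product twice.
}
http_response_code(200);   // PayPal keeps resending until it receives a 200
```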

Paypal Subscription - Number of failed payments

I use the following HTML to create a PayPal subscription:
<form action="http://paypal/url/..." ...>
<input type="hidden" name="cmd" value="_xclick-subscriptions">
<input type="hidden" name="business" value="selleremail#somedomain.com">
<input type="hidden" name="item_name" value="My Subscription">
<input type="hidden" name="currency_code" value="GBP">
<input type="hidden" name="p3" value="1">
<input type="hidden" name="t3" value="M">
<input type="hidden" name="tax" value="0.00">
<input type="hidden" name="no_shipping" value="1">
<input type="hidden" name="shipping" value="0.00">
<input type="hidden" name="no_note" value="1">
<input type="hidden" name="src" value="1">
<input type="hidden" name="cancel_return" value="http://mysite/paypal/cancel.page">
<input type="hidden" name="return" value="http://mysite/paypal/success.page">
<input type="hidden" name="notify_url" value="http://mysite/paypal/ipn.page">
</form>
Everything works well: new subscriptions are created, and IPN notifications are received by my script. One thing bothers me. If a payment fails, the corresponding subscription becomes suspended. This happens due to the default settings of a subscription: it is set to allow 1 failed payment before suspending the subscription profile.
I can turn it off manually as described in the documentation, but how do I set it up at the subscription creation stage? And is it worth turning it off, or is it better to set some number of failures?
The answer from a person at paypal developer network:
Currently there is not a variable you can pass in the subscription button code to change the number of failed payments allowed before the profile is suspended. The default value at this time is one and you can change it manually in the account as you mentioned above. A feature request has been submitted for adding this functionality, but there is no timeframe on when this may be done. However, if using the Express Checkout API to create the recurring profiles, you can specify a value for MAXFAILEDPAYMENTS.
Add this to your form:
<input type="hidden" name="reattempt" value="1">
This causes failed payments to be reattempted (up to 3 times, I think, with 1 day between attempts). As for whether it's better to turn it on or off, I can't really think of a scenario where reattempts are bad for you: it gives customers extra chances to give you money. If you think that people using the service for free for a couple of days after a payment fails is really a problem, suspend the account when you get a subscr_failed IPN until there has been a successful payment.
There is no cancellation on payment failure. After the initial failure PayPal will try to take payment again after 5 days. If that also fails, then PayPal will try a third and final time after a further 5 days.
When you set up the original PayPal profile you have two options for dealing with failed charges. This is found in the Recurring Charges section for the subscription on the profile.
The terms you will get here are like:
recurring_payment_suspended_due_to_max_failed_payment
and this will also give you the term for the retry date, when the next attempt is going to be executed:
'retry_at' => '02:00:00 Feb 08, 2017 PST',