I have written some PHP code. When a user submits the form, it saves all the information in the session and redirects the user to the PayPal payment page. When the user successfully makes the payment, PayPal sends the user to the return path. The return path page gets the values from the session and enters the user in the database. But if, after submitting the form, the user manually visits the return path URL, it will save the information in the database without receiving payment. Any solution for this?
Without sharing your code, it's difficult to give an accurate answer, but based upon what you've provided...
PayPal allows you to provide 2 URLs to its submission, a return_url and a notify_url.
With the return_url, it should be for display only (e.g. www.website.com/order_complete/), and should NEVER have any functionality behind it, such as updating an order status for the exact reason you've asked the question. Therefore, when you query the order in the DB, it would still be marked as unpaid, and then you can put in the appropriate response.
Validating the order is what the notify_url is for (see https://developer.paypal.com/docs/classic/products/instant-payment-notification/ for more information). Basically, this does a checkback to paypal to confirm that the order you have attempted to make has actually gone through successfully, and then you do your DB updates (setting the order to complete).
The solution for you would be to remove the 'order updating' functionality from the return_url, and implement the IPN.
Related
I'm struggling to complete an Amazon Pay transaction in PHP.
First of all I followed this guide https://developer.amazon.com/de/docs/amazon-pay-checkout/get-set-up-for-integration.html and implemented version 2 of Amazon Pay. For implementation I used the following PHP Amazon Pay SDK: https://github.com/amzn/amazon-pay-api-sdk-php
Up to point 4 (Set payment info) I got everything working. But here I am stuck. 4.2 says that the response contains an amazonPayRedirectUrl to which the user has to be redirected.
My problem is the following:
I am working with a kind of legacy software where there are a lot of forms in an online shop. When these forms are submitted they are always posting to the same url and depending on the payload data different views are loaded to proceed in the checkout process. When I am now redirecting the user via the generated amazonPayRedirectUrl (using header function of PHP) the user is redirected to the shops landing page (due to htaccess config) instead of the page/view which should logically follow in the checkout process because the redirect does not include the payload data of the submit form.
I already tried to save the needed checkout session id (which is appended as a query parameter to the amazonPayRedirectUrl) into the session to complete the transaction without redirecting the user, but this does not work. When calling $client->completeCheckoutSession I get an error message in the response: InvalidCheckoutSessionStatus You tried to call an operation on a Checkout Session that is in a state where that operation is not allowed. The status of the checkout session in the response is "open" instead of "completed". I assume this error occurs because I did not redirect the user (not sure though).
What would be the best way to redirect the user to the correct logically following view/page in the checkout process? Do I somehow have to gather the submit data and do an ajax call including this payload data while calling the amazonPayRedirectUrl, or how do I prevent being redirected to the shop's landing page and instead load the correct following view/form?
Thanks in advance!
I have a webpage on my website at www.example.com/complete.html
As it is right now, anyone can access this page by visiting the website through the URL.
When I set up my paypal payment buttons on my website, after the payment is successful, the user is redirected to www.example.com/complete.html
I don't want anyone to be able to access this page unless they are sent there by the PayPal system. How can I do this?
See:
Auto Return and note the option to override with parameters you can use to check or verify upon return to your site.
Payment Data Transfer - which similarly allows you to check or verify upon return to your site/returnUrl
There are other ways depending on how you implement Paypal, but the idea is similar - you will need to check or verify data, either from Paypal, or something you expect back (as described in the Auto Return custom variable - e.g. Session ID that you check/compare when user comes back) before displaying some page on your site.
Hth..
We have a donation button on our web site that goes to PayPal. The donation gets processed, the user clicks a button on the PayPal success page and is then redirected back to a PHP page with a list of maps to download. I want to limit who can access this page to users coming from PayPal or users coming from our site. I have tried various .htaccess rules and they don't seem to work with users coming from PayPal, http_referrer wise. And the referring IP always ends up being my IP address at home. I also tried coding the PHP redirect target form such that it only renders the page if they are coming from paypal.com or from our site. Otherwise, they get an error page. So can anyone please suggest a better way to restrict access to the redirect page after the PayPal success page? Thanks.
There are many ways to go about it. This is something I have used in the past.
Firstly, you want to give access to users who have made a payment (or donated). Depending on whether you want to give users (who have paid) a one time access or allow multiple visits even after they log out, you can check whether this user, in this session, made a payment or not.
Here's one way to achieve it:
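// PAYMENT CONFIRMATION
// tx, st and amt are read from the request, i.e. from the parameters on the return URL.
$payment_success = "FALSE"; // DEFAULT to payment failed
$payment = $_GET['payment'] ?? ''; // mysql_real_escape_string() no longer exists in PHP 7+
$ab = $_REQUEST['ab'] ?? '';
$tx = $_REQUEST['tx'] ?? '';
$st = $_REQUEST['st'] ?? '';
$amt = $_REQUEST['amt'] ?? '';
if (($tx != "") AND ($st == "Completed") AND ($amt != "")) {
    $payment_success = "TRUE";
} else {
    header("Location: index.php"); // or wherever you want to send users who haven't paid.
    exit; // stop here so the rest of the page is not rendered after the redirect
}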
If you want to give access to users who have paid even after they have logged out, then you need to either set a cookie on their browser using setcookie(); or track their IP ($_SERVER['REMOTE_ADDR']) and add it to your DB so every time a user comes to your page, you can run a check to see if they are in your safe list or not.
Good luck
I ended up just adding a static token to the end of the PayPal redirect URL back to my site. I test the token within the target PHP page and let them access the target maps page if the token is correct. And I give them an error screen if it is not. This is a short term fix as I will have to manually change the token every now and then to keep people from bookmarking the page and downloading our maps more than once.
I'm going to experiment with either generating random buttons with different tokens or seeing if PayPal has something that they can send from their end that I can verify.
Thanks for the reply.
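One way to replace the static token described above, as an added example that is not the poster's code: an HMAC-signed token bound to one order, with an expiry and single use, issued only once the payment has been confirmed server-side. The function names, the secret and the order IDs are hypothetical.

```php
<?php
// Added example: per-order, expiring, single-use download token (all names hypothetical).
const TOKEN_SECRET = 'replace-with-a-long-random-server-side-secret'; // placeholder value

// Call this only after the payment for $orderId has been confirmed server-side.
// Assumes order IDs never contain a '.' (it is used as the field separator).
function issue_download_token(string $orderId, int $ttl, int $now): string
{
    $payload = $orderId . '.' . ($now + $ttl);
    return $payload . '.' . hash_hmac('sha256', $payload, TOKEN_SECRET);
}

// Returns the order ID if the token is authentic, unexpired and unused; null otherwise.
function redeem_download_token(string $token, int $now, array &$usedTokens): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$orderId, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $orderId . '.' . $expires, TOKEN_SECRET);
    if (!hash_equals($expected, $mac)) {          // constant-time comparison
        return null;
    }
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;
    }
    if (isset($usedTokens[$mac])) {               // $usedTokens stands in for a DB table
        return null;
    }
    $usedTokens[$mac] = true;
    return $orderId;
}

// Constructed sample run with a fixed timestamp.
$used = [];
$now = 1700000000;
$token = issue_download_token('1001', 3600, $now);
$forged = '1002' . substr($token, 4);             // order ID swapped, MAC left unchanged
$cases = [
    'valid'    => [$token, $now + 60],
    'replayed' => [$token, $now + 120],
    'tampered' => [$forged, $now + 60],
    'expired'  => [issue_download_token('1003', 60, $now), $now + 61],
];
foreach ($cases as $label => [$t, $at]) {
    echo $label, ': ', var_export(redeem_download_token($t, $at, $used), true), PHP_EOL;
}
```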
I am hoping to use the PayPal Pro Hosted Solution to handle payments for my website, and what I would like to achieve is that user-submitted data is NOT inserted into my database until PayPal confirms I have received payment for their entry.
From what I've read, I understand the IPN is the best way to achieve this.
So at the moment, users are entering their data with a form, which I am then previewing to them, and if they approve their entry, I am inserting into a database (using PHP/MySQL). The form data at the moment is being passed along in SESSION variables and working fine. The file process is:
User enters data
User is presented with their entered data on a new page and if they approve...
They click a button which handles the insert into the database.
However, what I would like to do is, if they approve their entry on the preview page, when they click approve, instead of the database being updated there and then, send them to PayPal to make the payment and only update the database with their entry if the payment is approved, like this:
User enters data
User is presented with their entered data on a new page and if they approve...
They click a button which takes them to the payment page
If payment is received, their data is added to the database.
Does anyone have any experience of this type of approach and could point me in the right direction or give me some guidance on how to go about this, please?
I have looked over the PayPal documentation but because I'm new to this, I need things explained in a pretty simple manner.
My original idea was just to store the form in SESSION variables but I will lose this by redirecting people to the payment page. Another thought I had was to create an identical database to what I already have as a temporary holding stage for data, then if the IPN comes back approved, move the data to the final hosting database, but this seems like over-engineering the problem a bit.
I hope someone can help.
Thanks
Dan
Using PayPal IPN seems to be the best solution in this case.
In my opinion, using a temporary table seems to be the best solution. It'll be following the KISS rule.
Please consider using the following scenario:
user enters the data
the form is being submitted
data is stored in temporary table in database
while redirecting to the PayPal website you can add a custom field that will be used to identify the user on return to your page
update transaction status
insert data in the table of your needs
It seems to be the simplest solution.
One matter to recognize regarding IPN is that it is an 'Asynchronous' response from PayPal - it is not in the user's browser session, so session variables will not work if you are relying exclusively on IPN (other than if you receive the IPN response and then match it to the user's session). PayPal also offers PDT (Payment Data Transfer) which is an 'in-session' response which could return the user to your site.
I would not rely exclusively on IPN for payment notifications (see my answer in the following SO topic: "Can one rely on Paypal IPN solely to record purchases?").
Our system uses a combination of both IPN and PDT, with the 'cart' data stored in a DB (as your 'temporary' record) until notification of the completed payment by either PDT or IPN - whichever arrives first which completes the transaction (your 'permanent' database insertion) and deletes the 'temporary' record (so a subsequent IPN or PDT does not trigger a duplicate transaction).
My original idea was just to store the form in SESSION variables but I will lose this by redirecting people to the payment page.
Not necessarily. Sessions can generally persist for as long as the current browser (session) is open. This is not the same as "as long as the current page is viewed", provided you set the session cookie correctly. You can, if you do it right, have the sessions persist for days, months, years...
Another thought I had was to create an identical database to what I already have as a temporary holding stage for data, then if the IPN comes back approved, move the data to the final hosting database, but this seems like over-engineering the problem a bit.
No this is not overkill.
It deals with the situation where a transaction is not completed. This could occur for a number of reasons, for example your user goes to lunch and forgets to complete the process before the session times out (the default is 20 or so minutes), or where there is a problem with the PayPal end (unlikely but you have to presume it can occur), or where there is a general network issue (ISP goes down mid-transaction), or where your mobile user goes out of network coverage. Anything can disturb a transaction and you need to have a fall-back position. Otherwise it becomes annoying for you (because you don't know anything about what interrupted the transaction and at what point) and for your user, who has to start over again.
Having a temporary database allows you to monitor incomplete transactions and, if necessary, prompt the user to complete if they do not do so within a given period of time.
I have a form where a user enters information, and then I have a PayPal button that the user will click once the fields have been filled in. The problem I'm having is how do you capture the user information when the PayPal button is clicked, if the form has action="http://paypl.com/something/something".
Do I have to make this a 2 page process - one for me to capture the user information and then one to have the user click the paypal button?
By the way - the PayPal button directs the user to paypal.com to actually make the payment.
Guys, there's an easier solution here. Paypal allows you to pass those values through to it, then it will spit them back to you. There's actually two methods of getting the data back--a return URL that posts upon completion with return values (I've not been terribly lucky making that work) then a separate function that sends you a post upon completion of a transaction to a separate page on your site, where you can collect back all the variables you posted to the site. I suggest the latter because on a buy it now page there's a possibility of the user not being returned to the site because the return button UI is pretty weak on PayPal's end.
To set it up you'd log in to your PayPal account, click on myaccount > profile > website payment preferences. Enabling the "payment data transfer" will do the trick. Once you've got it set up correctly, upon completion of a transaction it'll send to the page of your choice a post of everything you sent it... remember, you can send in variables such as Name, Address, etc. just by defining them properly in the form. All the variables available are found here
Sure, you could go through grabbing the elements from the form via Jquery or the like, then do an onclick save to DB, but why fight it? It's a heck of a lot more work and may have issues if Javascript is off.
Don't forget to build a sandbox site to test! Good Luck.
You have a few options here. You could make two forms, one which submits to your server where you capture the user information, and then display a second form with a "Pay Now" button. As a second option, you could extract the information from the form using JavaScript and submit it to your server using AJAX, then submit the form to PayPal when the AJAX request completes. This may or may not be more complicated, but it will not alter the existing user interface, which may be desirable.
I would make the action the current page, catch the button click and store the user information, then use header("Location: http://paypl.com/something/something");. It's something like that anyway. Hope this helps.
Edit: Also see the other answer by Josh. They are equally good possibilities. Note that the Ajax option would require JavaScript to be switched on - so safeguards would have to be put in place in case it is switched off.
My recommendation would be to add all of your user/order data into your own local database so that you can generate an order ID of some kind. You can then pass this order ID into your PayPal button code in a field named invoice.
This value will then come back in PDT/IPN as $_POST['invoice'] so you can easily pull all of that data back out and handle it within your application accordingly.
Another alternative would be to use Express Checkout instead of Payments Standard. It's a little bit more involved, but it has fewer limitations.
Even with EC, though, I still recommend sending an order ID of some sort along with the payment request so you can relate everything back and forth easily.
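The notify_url (IPN) flow from the first answer, combined with the pending-order and invoice approach suggested in the later answers, as an added example that is not code from any of the posters: the handler echoes the message back to PayPal, then checks it against the stored order before marking that order paid. The function names, the in-memory arrays standing in for database tables, and the sample message are assumptions.

```php
<?php
// Added example: notify_url (IPN) handler logic. Function and variable names are hypothetical.

// Post the raw message back to PayPal with cmd=_notify-validate prepended;
// the response body is "VERIFIED" or "INVALID".
function paypal_postback(string $rawBody): string
{
    $ch = curl_init('https://ipnpb.paypal.com/cgi-bin/webscr');
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $res = curl_exec($ch);
    curl_close($ch);
    return is_string($res) ? trim($res) : 'ERROR';
}

// $orders stands in for the pending-orders table, keyed by the ID sent as "invoice".
function handle_ipn(string $rawBody, callable $verify, array &$orders, array &$seenTxn, string $merchant): string
{
    if ($verify($rawBody) !== 'VERIFIED') { return 'rejected: not verified'; }
    parse_str($rawBody, $ipn);
    $invoice = (string) ($ipn['invoice'] ?? '');
    $txn = (string) ($ipn['txn_id'] ?? '');
    if (!isset($orders[$invoice])) { return 'rejected: unknown invoice'; }
    if (($ipn['payment_status'] ?? '') !== 'Completed') { return 'ignored: not completed'; }
    if (strcasecmp($ipn['receiver_email'] ?? '', $merchant) !== 0) { return 'rejected: wrong receiver'; }
    if (($ipn['mc_gross'] ?? '') !== $orders[$invoice]['amount']
        || ($ipn['mc_currency'] ?? '') !== $orders[$invoice]['currency']) {
        return 'rejected: amount mismatch';
    }
    if ($txn === '' || isset($seenTxn[$txn])) { return 'ignored: missing or duplicate txn_id'; }
    $seenTxn[$txn] = true;
    $orders[$invoice]['status'] = 'paid'; // the only place an order becomes paid
    return 'paid';
}

// Constructed sample data; the stub closures replace the network postback for an offline run.
$orders = ['1001' => ['amount' => '25.00', 'currency' => 'USD', 'status' => 'pending']];
$seen = [];
$ok = fn(string $b): string => 'VERIFIED';
$bad = fn(string $b): string => 'INVALID';
$msg = 'invoice=1001&payment_status=Completed&receiver_email=shop%40example.com'
     . '&mc_gross=25.00&mc_currency=USD&txn_id=TESTTXN1';
$runs = [[$msg, $bad], [str_replace('25.00', '0.01', $msg), $ok], [$msg, $ok], [$msg, $ok]];
foreach ($runs as [$body, $v]) {
    echo handle_ipn($body, $v, $orders, $seen, 'shop@example.com'), PHP_EOL;
}
```

In a live handler, pass `file_get_contents('php://input')` as the body and `'paypal_postback'` as the verifier; the return_url page then only reads the order status and never writes it.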