Send POST variables to a second script on another server - php

Okay, so on a website I'm developing, I need to add a PayPal checkout. I've not done a website with online payments before, so I'm new to it, but I think I understand how it works. However, I'm not too sure how to set up the form submission part.
PayPal offer premade button forms, which I'm going to use for this. The button is set up so on submit, it will go to a script on the PayPal servers. However, I want to pass the variables onto a PHP script of my own first, to save them into a database before the user is directed to PayPal's own checkout/pay system.
I know you can send a custom variable through the system, which PayPal send to your IPN listener, however I have a lot of variables that for different reasons, I want stored into a database before the user pays, not after.
So basically:
User fills out form and submits > PHP saves form data > Variables are passed on to the PayPal server using POST method without the user having to go to a second page before they see the PayPal page
Not sure if I've worded that very well, but hopefully you get my point. I simply want to send variables from one PHP script to another using POST variables.
Note: As I can't edit the PayPal script, session variables are not an option, neither are GET variables. Has to be POST
Also, my server has PHP version 5.3 and supports cURL and all that stuff

Why can't you edit the PayPal script? It would be very simple to build a form, set the action of it to your own PHP, and within that PHP set all the data to session vars, save it to your database, etc.
Then you can put together a payment request string using the cart upload command method that PayPal provides and redirect the user to PayPal accordingly, so all they'd see is PayPal. They wouldn't see anything with your "processor" script.
Even better would be to use the Express Checkout APIs as they provide more freedom and functionality to customize things how you want than Payments Standard does.
Since you're working with PHP you may be interested in my class library for PayPal. It would make Express Checkout calls very simple for you, and you can do whatever you need to do with your database within those scripts.

Related

Get the form details after being redirected to paypal page

I want to get the details from the PayPal form. I redirect my clients to this form after they select a certain amount. Can I get the details of the form below?
I am not sure. Since PayPal is asking for the credit card number and all that, for security purposes it should not allow getting this form data. But again, just wondering, is it possible?
Short answer: no.
Certainly not using PHP (going by your tags here), which is server side, and this would be a javascript hack. The way that immediately leapt to mind would be to invoke Javascript in a child iframe that contained the Paypal form, but there are two immediately apparent problems with that:
I doubt Paypal would allow that page to be opened in an iframe
You can't invoke javascript in an iframe if the page in that frame is not on the same domain as the calling page.
The best way I can think of to achieve this would be to make a Greasemonkey/Chrome/whatever extension using javascript to fish the data and send it off, but then there's this: No-one will willingly install something that they know to steal credit card information on their computer. Why on earth do you want to do this?
On a related, though unhelpful note, if you are interested in trying this for a purpose that is less illegal and immoral, one thing you might want to look at is this. It shows how to do cross-domain communication using frames if you have permission to write javascript on both pages (or have found an unsanitised field to inject it with)...

Best practice for POST'ing to a new page with a redirect?

I am trying to solve a workflow that looks something like this: (in PHP)
User enters order information in my shopping cart.
The order is captured and stored to my database (w/o credit card info)
The user is redirected to authorize.net's SIM page for payment
Current setup:
shoppingcart.php - collects user shipping information/etc
storeorder.php - stores the order in my database, and then assembles a form with the appropriate required authorize.net POST fields
In short, the user ends up having to view an unnecessary intermediate page where they have to click a "Make Payment" form submit button which then sends them to authorize.net.
What is the best practice for combining these steps? (receiving a POST, storing info in my DB, and then auto-redirecting to authorize.net with new POST fields without any user interaction)
DO NOT INTERFERE WITH USER's MONEY!
Even if you don't want to store the credit card details, your site can be hacked and an attacker would get them.
User enters order information in my shopping cart.
The order is processed via authorize.net's SIM page for payment
authorize.net contact your site with payment details.
is the only proper way.
EVERY site in the world works this way. So you have to. Don't take yourself a smart ace.
On shoppingcart.php you can place a button for Checkout. On pressing that the User action is submitted. Do not save item prices/quantity in hidden fields. on the POSTing of the user checkout button you can save all the info in your DB and make an HTML form in the PHP Post condition to set values for authorize.net and redirect your header to the PAYMENT page.
Does the user have to do any type of input on the authorize.net page or does your form supply all the needed information? If you generate all the information then the easiest way to do it is via a cUrl call to authorize.net pushing the data directly to them and checking the return status code / output to see if it was a success / not etc.
If the user needs to still enter billing details use the following method.
Form posts to /somepage.php
somepage.php runs its processing and all the way at the bottom once processing is completed add header("Location: https://www.authorize.net/dopaymenthere");
Make sure you still echo the make payment button on this page, just in case the user does something wacky out of the ordinary where they force redirects to stop etc. That way it doesn't look like broken code, but for the few exceptions that do out of the ordinary things to their browsers etc you can still handle them gracefully.
PS: this would only work by concatenating the post variables as get requests, assuming that authorize.net would handle the get requests as variables.
The really easy way to do this without using a get request is with javascript by submitting the form on dom ready... that way you can show a processing order message to the user. and post them with an embedded hidden form directly to authorize.net in case your processing takes longer than expected etc.
In jquery terms on the processing.php page you would have something like:
<?php
echo $form; // HTML form with all the values required by authorize.net
echo "<h1>Processing your request</h1>";
?>
<script type='text/javascript'>$(document).ready(function(){$('#hiddenformid').submit();});</script>

Action happens when paypal payment is paid

I'm a newbie to web dev and what I need to do is create a form where a user inputs something into a field, let's just call it name for now.....then when they go to paypal they donate $1 (predetermined) then from when paid to paypal, they are redirected to a success page and what I want that success page to do is say "confirmed" and the action for it to do is grab the "name" that was given and input it into a txt file on the server
Is there a way I can do this securely...I've never had to do anything with paypal before that wasn't a premade script.
(would be using php)
(if there is a script in wordpress/joomla (haven't decided which I'll use yet) I'd probably use it)
As long as I can somehow get that variable "name" and do what I want with it at the end.
It's called the paypal IPN and there are a number of implementations and tutorials on it, try googling for it...

How do I capture user information when the PayPal button is clicked?

I have a form where a user enters information, and then I have a PayPal button that the user will click once the fields have been filled in. The problem I'm having is how do you capture the user information when the PayPal button is clicked, if the form has action="http://paypl.com/something/something".
Do I have to make this a 2 page process - one for me to capture the user information and then one to have the user click the paypal button?
By the way - the PayPal button directs the user to paypal.com to actually make the payment.
Guys, there's an easier solution here. Paypal allows you to pass those values through to it, then it will spit them back to you. There's actually two methods of getting the data back--a return URL that posts upon completion with return values (I've not been terribly lucky making that work) then a separate function that sends you a post upon completion of a transaction to a separate page on your site, where you can collect back all the variables you posted to the site. I suggest the latter because on a buy it now page there's a possibility of the user not being returned to the site because the return button UI is pretty weak on PayPal's end.
To set it up you'd log in to your PayPal account, click on myaccount > profile > website payment preferences. Enabling the "payment data transfer" will do the trick. Once you've got it setup correctly, upon completion of a transaction it'll send to the page of your choice a post of everything you sent it....remember, you can send in variables such as Name, Address, etc just by defining them properly in the form. All the variables available are found here
Sure, you could go through grabbing the elements from the form via Jquery or the like, then do an onclick save to DB, but why fight it? It's a heck of a lot more work and may have issues if Javascript is off.
Don't forget to build a sandbox site to test! Good Luck.
You have a few options here. You could make two forms, one which submits to your server where you capture the user information, and then display a second form with a "Pay Now" button. As a second option, you could extract the information from the form using JavaScript and submit it to your server using AJAX, then submit the form to PayPal when the AJAX request completes. This may or may not be more complicated, but it will not alter the existing user interface, which may be desirable.
I would make the action the current page, catch the button click and store the user information, then use header("Location: http://paypl.com/something/something");. It's something like that anyway. Hope this helps.
Edit: Also see the other answer by Josh. They are equally good possibilities. Note that the Ajax option would require JavaScript to be switched on - so safeguards would have to be put in place in case it is switched off.
My recommendation would be to add all of your user/order data into your own local database so that you can generate an order ID of some kind. You can then pass this order ID into your PayPal button code in a field named invoice.
This value will then come back in PDT/IPN as $_POST['invoice'] so you can easily pull all of that data back out and handle it within your application accordingly.
Another alternative would be to use Express Checkout instead of Payments Standard. It's a little bit more involved, but it has fewer limitations.
Even with EC, though, I still recommend sending an order ID of some sort along with the payment request so you can relate everything back and forth easily.
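The order-ID round trip recommended in the answer above, combined with the earlier advice on this page not to keep prices in hidden fields, as an added example that is not code from any of the answers. It assumes PHP 7 or later with pdo_sqlite; the in-memory database, catalogue, merchant address and function names are constructed, the returned form fields are PayPal Payments Standard variables, and payment_status, mc_gross and mc_currency are IPN variables.

```php
<?php
// Added example. Catalogue, schema and merchant address are constructed values.
const PRICES_CENTS = ['donation' => 100, 'tshirt' => 1500]; // prices live server-side only
function field(array $in, string $key): string { // arrays such as item[]=x become ''
    return is_string($in[$key] ?? null) ? $in[$key] : '';
}

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE orders (invoice TEXT PRIMARY KEY, name TEXT, item TEXT,
               cents INTEGER, currency TEXT, status TEXT)');
    return $db;
}

// Save the order first, then return the fields for the hidden form posted to PayPal.
function create_order(PDO $db, array $post): array {
    $item = field($post, 'item');
    if (!array_key_exists($item, PRICES_CENTS)) {
        throw new InvalidArgumentException('unknown item');
    }
    $cents = PRICES_CENTS[$item];        // any price sent by the browser is ignored
    $invoice = bin2hex(random_bytes(8)); // unguessable order ID
    $db->prepare('INSERT INTO orders VALUES (?, ?, ?, ?, ?, ?)')
       ->execute([$invoice, field($post, 'name'), $item, $cents, 'USD', 'pending']);
    return ['cmd' => '_xclick', 'business' => 'merchant@example.com', 'item_name' => $item,
            'amount' => number_format($cents / 100, 2, '.', ''), 'currency_code' => 'USD',
            'invoice' => $invoice];
}

// Match a notification (assumed already verified with PayPal) against the stored order.
function reconcile(PDO $db, array $ipn): string {
    $q = $db->prepare('SELECT * FROM orders WHERE invoice = ?');
    $q->execute([field($ipn, 'invoice')]);
    $order = $q->fetch(PDO::FETCH_ASSOC);
    if ($order === false) { return 'unknown invoice'; }
    if ($order['status'] === 'paid') { return 'duplicate'; }
    if (field($ipn, 'payment_status') !== 'Completed') { return 'not completed'; }
    $paid = (int) round((float) field($ipn, 'mc_gross') * 100);
    if ($paid !== (int) $order['cents'] || field($ipn, 'mc_currency') !== $order['currency']) {
        return 'amount mismatch';
    }
    $db->prepare("UPDATE orders SET status = 'paid' WHERE invoice = ?")->execute([$order['invoice']]);
    return 'paid';
}

// Demo with constructed requests: the tampered 'amount' in the POST data is never used.
$db = open_db();
$form = create_order($db, ['item' => 'tshirt', 'name' => 'Ann', 'amount' => '0.01']);
$ipn = ['invoice' => $form['invoice'], 'payment_status' => 'Completed', 'mc_currency' => 'USD'];
echo $form['amount'], "\n";
foreach (['0.01', '15.00', '15.00'] as $gross) { // underpaid, correct, replayed
    echo reconcile($db, $ipn + ['mc_gross' => $gross]), "\n";
}
```

The amount comparison in reconcile() matters because the hidden amount field still passes through the buyer's browser on its way to PayPal, so the stored order is the only trusted record of what was owed.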

PHP Validation - passing http POST values forwards to a 3rd party checkout

I don't know whether this is possible, I can't seem to find any other help guides so this may not be possible...
I have a checkout page which POSTs a load of variables forwards to a 3rd party payment processor (WorldPay).
I want to know if it is possible to put a PHP script of some sort inbetween the two pages for validation purposes.
EG if an item in the basket has sold out while they were filling out the form, it could catch the customer before money is taken. Or useful if they tamper with form data.
If I do this on my own site I could use sessions to pass the POST data forward but as it's an external website, I don't know how to send the data without making another HTML page with a hidden form & refresh for instance.
Is it possible to do this 'invisibly' - not actually showing a HTML page inbetween?
Yes you can do that by hooking into the onsubmit hook of the form and sending out an Ajax call like this (using jQuery):
$('#myform')[0].onsubmit = function() {
    if (form_check_elements(this.elements)) { /* eg JS validator here */
        var data = $('#myform').serialize();
        $.post('/ajax_validator.php', data, function(data, textStatus) {
            /* check the textStatus before here and eventually do not
               submit (wrap it in an if-clause) */
            $('#myform')[0].submit();
        });
        return false; /* make the form not post directly */
    } else {
        return false; /* do not post if JS validation fails */
    }
};
We use this snippet to store form data in a session before posting to a 3rd party so we have it available when the 3rd party returns to our page.
Edit: Keep in mind that this will only work with JS enabled, but it is fallback-safe: The form still submits without JS support.
EDIT:
Ashley said:
Okay, I've taken a look at the cURL manual and written this very simple script to forward the POST values to the 3rd party checkout. This just displays the contents of the checkout page though. The URL address shows the script currently running rather than forwarding to the 3rd party site. Also all their relatively linked graphics will not work. Can 'true' forwarding be achieved using cURL?
The short answer - no.
With the way you described your payment process, if you want to step in the middle of the offsite process to do things (customize html/messages, validate data, etc.) then you need to handle the entire process, which cURL would allow you to do.
With cURL, you don't "forward" the request - you sort of "proxy" the request. So the fact that the browser URL never changes and that the relative graphics don't work is expected. With the use of cURL or something similar you would never let the end user know that they are even touching an external page. You would be handling all the requests to that external server on your server and then simply displaying the response from the external server to your user OR parsing that response so that you can use the data from it in a customized way.
Essentially this means if secure.wp3.rbsworldpay.com/wcc/purchase is returning a form that requires further interaction from the user you have to mimic this form on your server and display that instead. Then when the user submits your form you use cURL again to make a request to the external server - this time to post the next round of data submitted by the user. So for example let's say:
secure.wp3.rbsworldpay.com/wcc/purchase shows the cart
secure.wp3.rbsworldpay.com/wcc/confirm shows a final confirmation of the payment to be made
secure.wp3.rbsworldpay.com/wcc/success and secure.wp3.rbsworldpay.com/wcc/error show whether the transaction succeeded or failed respectively.
Then you are actually going to need to make 2 requests externally as part of your transaction process which could be summarized like so:
1. User shops at your site and adds items to cart
2. User clicks on checkout and you validate the cart/user data
3. If the data from #2 was valid you package up the data and post to secure.wp3.rbsworldpay.com/wcc/purchase via cURL
4. If the cURL response from #3 was successful you build your own confirm page using data from the cURL response and display it to the user.
5. The user submits the confirmation of the purchase to your server.
6. You package up the data submitted to your server in #5 and post it to secure.wp3.rbsworldpay.com/wcc/confirm via cURL.
7. If the cURL response from #6 was successful then you parse it for the expected "error" or "success" message returned from external server and display them or your own custom error messages.
Rinse and repeat in case of error ;-)
Generally speaking most payment processors have an option of processing that supports this basic process often returning easy to parse data as XML, JSON, or Plain Text instead of HTML. You might want to look in to this. A lot of times they will often have libraries built for various programming languages to help ease the integration process.
Yep it sure is... I normally use the curl extension to do stuff like this, or an http client class that utilizes curl. You might want to make it a tad easier on yourself and use one of these class libraries - for example Zend_Http_Client. It supports not only curl but also sockets and proxies.
Yes, you can. What you are looking for is the CURL function:
http://php.net/manual/en/book.curl.php
Also see:
http://php.dzone.com/news/execute-http-post-using-php-cu
I rather like the HTTP_Request2 package from PEAR, which basically wraps cURL and/or sockets in some simple objects. POSTing works great. You can use that to bounce the POST request to your validation-checker, then on to the payment processor.
I would suggest you to go like this:
Before directing a user to the form, you check (through SQL queries) whether the item in the basket has sold out. If it has been sold, redirect the user to some other page saying that this item has been sold out otherwise let him go to the form for new purchase.
