I want to automate BITCOIN payments and i need to make a donate button that sends an aditionally OP_RETURN parameter with the value of the encrypted order id. I just want to send a small message with the payment. I have documented myself a little bit and i saw that OP_RETURN parameter may help me.
OP_RETURN :
http://bitzuma.com/posts/op-return-and-the-future-of-bitcoin/
How do i make that happen? Is there a wallet that does that? Or I have to do it from bitcoin-cli?
I also want to make this in PHP and here is an example that i don't understand :
https://github.com/coinspark/php-OP_RETURN
I mean i need a button that will make a payment with that encrypted order id.
Thanks in advice.
You will want to do that server side via encrypted and authenticated client using BIP 70 - AKA The Bitcoin Payment Protocol.
You can create a browser side client to do as you described but you do not want to trust the data the client sends along without verification and you checking the transaction before it is sent to the network will not make you trustworthy as a merchant but rather a MIM between the user and the blockchain.
For more information on BIP 70 The Payments Protocol
See: https://github.com/bitcoin/bips/blob/master/bip-0070.mediawiki
Related
I'm just now trying to get up to speed with PayPal Express Checkout (i.e. checkout.js), using the client-side REST integration described here. I see that when payment is complete, my onAuthorize function is invoked with a "payment" object.
I can't find any documentation on this object, but some poking at it reveals the following properties (at least today):
paymentToken
payerID
paymentID
intent
returnUrl
Now I need to redirect the user to the next step on my website, where I show a receipt confirming they've paid, etc. I guess I send the above data to the server, but since that step could be easily spoofed by a malicious user, I will need to verify those details in the PHP code, server side.
How do I do that?
You can make a GET call on your server side to /v1/payments/payment/PAY-XXXXXX with the paymentID and the payerID to get the payment details, and verify those details there.
https://developer.paypal.com/docs/integration/direct/express-checkout/integration-jsv4/advanced-payments-api/show-payment-details/
See https://developer.paypal.com/docs/api/overview/#make-your-first-call for some basics on calling the REST api from your server
Assuming you are using PayPal Encrypted Buttons, you don't actually need to verify the amounts sent through server-side. Although a user could indeed manipulate the $_POST data, PayPal's got you covered, and won't allow the transaction to go through. This is because PayPal Encrypted Buttons are generated with your variables such as price built-in to the ID. If the variables don't align with those used to create the button, the transaction is denied.
Alternatively, if you are simply using your own code to make the request, you can secure the payments with PayPal's Instant Payment Notification. Again, this allows any $_POST data to be sent through for the payment. Afterwards, PayPal makes a call to your IPN page in order to validate that the parameters are correct. This is demonstrated in the following workflow:
When communicating with your IPN, if PayPal finds that the values don't match up, the order is cancelled. Assuming that the values match up, you can safely redirect them to your confirmation page.
Hope this helps! :)
My requirement is that i need to use a Hosted (uk) solution to generate a reference transaction token that can then be called periodically without the user having to initiate the transaction again.
Currently, using the classic API I have something akin to a reference transaction working, however this requires the user to have a PayPal account - I also need to be able to accept card details (no PayPal account).
The only way to accept card details seems to be with the hosted (uk) solution however I have no idea how to set this up. So, I guess the questions are this:
1) Am I able to allow card AND PayPal account for the reference transactions?
or
2) How do I setup / configure a hosted solution? or is this simply a case of using the docs and an iframe with no config in the PayPal account?
For your second question - Yes it is straightforward. See the Hosted Docs and integrate.
As #DiceyRamp has stated the hosted solution is just a case of using the docs, no account specific setup is required.
To answer the first question :- it is NOT possible to use the PayPal Hosted API for Reference Transactions. You instead must use the Button API to create a reference token. In order to generate a token without a purchase you must go one further, generate an order and then immediately void it.
Credit where credit is due, this was answered for me over email by another developer. Im including his explanation here in the hope that it helps others.
Paypal button API Examples
The specific process is this:
We create an iframe url using the PayPal BMCreateButton method, with the BUTTONTYPE set to “PAYMENT” and the BUTTONCODE as “TOKEN”. We then set all the usual order parameters up (name, address, notify_url etc) and then url encode them. We then execute the BMCreateButton with the above arguments set, this gives us an iframe url which we render on the page.
To generate a token we use a dummy £1 order.
The code that executes on the “notify_url” basically takes the IPN message, and if the result is ‘VERIFIED’ then it stores the ‘txn_id’ as the token.
This can then be used later on a Paypal DoReferenceTransaction API call, using the txn_id as the “REFERENCEID” parameter. The notify_url code will NOT store the txn_id if the IPN states the order was a VOID, you can’t do a repeat against a void, so we never store the void txn_id as a token.
I want to get post data only from specific url(s), when someone post to my page some data from unwanted url, my page should not let the data pass. I couldn't find any example or documentation about this control or i'm asking wrong question to google, maybe it is simple but i have never needed such control.
E.g i want to let only paypal to send post data to my page. Hope you can help me. Thanks in advance.
Data is never sent to you by a "domain". I.e., neither "Paypal" nor paypal.com are sending you POST requests; some computer is sending you POST requests. That computer may or may not be under the control of Paypal the company, serve the website paypal.com or be within a network that belongs to Paypal (company or website).
Obviously you cannot programmatically figure out whether the server legally belongs to Paypal the company.
You can figure out what IP address paypal.com has and compare that to the IP address that's sending you POST requests, but this doesn't have to mean anything since Paypal has hundreds or thousands of servers, and the servers that serve paypal.com the website are likely not the same that are working on the backend to handle transactions.
You need to establish some form of trust between Paypal and yourself some other way. Either Paypal will promise to only ever send requests from one specific IP address, which you can check against. Or they promise to send a secret authentication with the request, which only you and Paypal know. Or you'll agree to use SSL client certificates to establish mutual trust. Or Paypal sends some transaction id which only it could know about which you can validate against.
You can use $_SERVER['HTTP_REFERER'] to check which page the data is passed from
Come secret key (only your page can generate) can be passed along with the form
Use a captcha image/ generate a session variable from the form page
Basically I want my users to associate PayPal account in their accounts for identify verification purposes. I am developing a marketplace site and wanted to integrate paypal as my identity verification procedure.
Is there a way to verify email address, first name and last name using PHP like using $_GET variables or $_POST variables? If there is can you show me how?
I tried search and I get Adaptive Accounts GetVerifiedStatus API. But that totally new to me, I don't know where and how to start.
Your best bet here is to make them start, but not complete, an Express Checkout. A normal Express Checkout (referencing Classic but REST works the same way) looks like this
SetExpressCheckout - Tell PayPal you want to authorize $1.00 and have them log in and authorize the payment
GetExpressCheckoutDetails - Take the token from step 1 and get their PayPal account details. Included in this is PAYERSTATUS, which will tell you if their PayPal account is verified or not
DoExpressCheckout - You won't do this, but this is where you finish the process and get funds. Since the data you want is in Step 2, just ignore it and the session will expire.
You could implement GetVerifiedStatus API to determine whether the specified Paypal account's status is verified or unverified.
To use that API, you need to submit the application request to Paypal for approval first. Submission portal link here.
Then use the GetVerifiedStatus API call directly, refer to API request fields,link.
Sample SDK download link.
I've been curious about this for awhile and could never find any good information. I used to work at a pizza place that did online ordering. The user would submit their card information and we would run it at the store. I was wondering if someone could give me an idea as to how this transaction took place. If it was PCI compliant, and how it would be sent to the printer. I could think of a couple ways but none of them really seem to be the correct way. I'm looking to do this in PHP. Thanks.
If I where to design this system it would be like this:
The customer posts the order and CC information using a webform over a secure link to the server (using php to generate the page and take the info back in).
The server would use a payment gateway and bill the card on the server (server side PHP script).
On a successful billing it would contact a application running on a box at the restaurant with what to print on the order ticket (only the last 4 digits of the CC info is sent to the restaurant)
Updated with Chris's suggestion
Another option is to use PGP to encode the credit card on the server with the public key. When the CC is sent to the store, it can the be decoded with the Private Key and viewed in order to charge it. But when you are passing credit card information around like that, you always run the risk of something going terribly wrong. It's always better to use a gateway and charge the card immediately or authorize the transaction and then go back and collect the funds by running the authorization number.