POSTING a response to an external url in php - php

I have a site where I get the payment response sent out by the payment processor. My page is https, whereas my customer's page is not.
I post the payment response this way:
// Escape every value before it is written into an HTML attribute.
$e = function ($value) { return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'); };
echo '<html><body>Redirecting to merchants website..
<form id="myForm" action="'.$e($response_url).'" method="POST">
<input type="hidden" name="status" value="'.$e($response['status']).'"/>
<input type="hidden" name="customerReferenceNo" value="'.$e($data['customerReferenceNo']).'"/>
<input type="hidden" name="amount" value="'.$e($data['amount']).'"/>
<input type="hidden" name="paymentMode" value="'.$e($data['paymentMode']).'"/>
<input type="hidden" name="cardProvider" value="'.$e($data['cardProvider']).'"/>
<input type="hidden" name="orderID" value="'.$e($orderID).'"/>
<input type="hidden" name="mobileNo" value="'.$e($mobileNo).'"/>
<input type="hidden" name="email" value="'.$e($email).'"/>
</form>
<script>document.getElementById("myForm").submit();</script></body></html>';
as a hidden form post. But as I am posting the values from an https to an http page, it's popping up a security warning in some browsers:
Although this page is encrypted, the information you have entered is to be sent
over an unencrypted connection and could easily be read by a third party.
Are you sure you want to continue sending this information?
I wonder if this is the correct way to post a response to an external URL? Is what I am doing right? Is this the exact way I should post a payment response to an external URL?
Please help out with some suggestions.

As mentioned in the comment above, you should definitely take care to post back to an https site. But instead of outputting a hidden form to the browser and posting from there, it would be way better to use curl and so send the data directly from the server to the payment processor.
See curl_exec in php documentation
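A server-to-server version of the post from the question, as an added example that is not part of the original answer. It refuses non-https targets, keeps certificate verification on, and signs the fields so the receiving site can detect tampering. The `signature` field, the shared secret and the sample values are assumptions made for illustration.

```php
<?php
// Added example: server-to-server delivery of a payment response with cURL.
// The shared secret and the "signature" field are assumptions, not from the page.

function sign_fields(array $fields, string $sharedSecret): string
{
    ksort($fields);                       // same field order on both sides
    return hash_hmac('sha256', http_build_query($fields), $sharedSecret);
}

function post_payment_response(string $responseUrl, array $fields, string $sharedSecret): int
{
    // Refuse plain-http targets: the data must not leave over an unencrypted link.
    if (strtolower((string) parse_url($responseUrl, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('response URL must use https');
    }
    $fields['signature'] = sign_fields($fields, $sharedSecret);

    $ch = curl_init($responseUrl);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // validate the receiving site's certificate
        CURLOPT_SSL_VERIFYHOST => 2,      // and that it matches the host name
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,  // do not follow redirects to another host or scheme
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('delivery failed: ' . curl_error($ch));
    }
    return (int) curl_getinfo($ch, CURLINFO_HTTP_CODE); // caller queues a retry on non-2xx
}

// Receiving side: recompute the HMAC over the posted fields, compare in constant time.
function verify_payment_response(array $post, string $sharedSecret): bool
{
    $received = (string) ($post['signature'] ?? '');
    unset($post['signature']);
    return hash_equals(sign_fields($post, $sharedSecret), $received);
}

// Constructed sample values, for illustration only.
$fields = ['status' => 'SUCCESS', 'orderID' => 'ORD-1001', 'amount' => '499.00'];
$secret = 'example-shared-secret';
$signed = $fields + ['signature' => sign_fields($fields, $secret)];
var_dump(verify_payment_response($signed, $secret));                        // fields as sent
var_dump(verify_payment_response(['amount' => '1.00'] + $signed, $secret)); // amount altered
```

The customer's browser can still be redirected to a plain "thank you" page afterwards; the order status itself travels only over the verified server-to-server request.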

Related

Paypal sandbox not returning data

I implemented a paypal checkout about 3 years ago and it is currently working well. I now want to create a new checkout page for a new set of items. I copied the code from the page that I previously used and updated it for the new items. I set up the new page to use my sandbox for initial testing. The code below is cut from the actual page for display here.
<!DOCTYPE HTML >
<html>
<head>
</head>
<body>
<div>
<form id='paypal_form' action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick" />
<input type="hidden" name="add" value="1" />
<input type="hidden" name="business" value="buyer#test.com" />
<input type="hidden" name="item_name" value="non-member RTV Renewal" />
<input type="hidden" name="amount" value="75.00" />
<input type="hidden" name="custom" value="Id=Joe;fixedName=Joe Smith;pw=1234;email=buyer#google.com;expdate=2024-02-14" />
<input type="hidden" name="currency_code" value="USD" />
<input type="hidden" name="lc" value="US" />
<input type="hidden" name="cancel_return" value="https://www.roundalab.org/Figures_Subscriptions_All/test_renew.htm">
<input type="hidden" name="return" value="https://www.roundalab.org/Figures_Subscriptions_All/success_test.php">
<input type="hidden" name="rm" value="2">
<center>
<div id="add-cart" style="padding:30px;">
<button onClick="document.getElementById('paypal_form').submit();">Click Here To Submit Order To Paypal</button>
</div>
</center>
</form>
</div>
</body>
</html>
The code works and creates an order in the paypal sandbox. It is then supposed to go to the url in the "return" item, which it does. The problem is that paypal is supposed to return a bunch of data in $_POST. When the return page is displayed, $_POST is empty. I also display $_GET and it contains 1 field which is the payer_id. A couple of questions...
Anyone know why no data in $_POST?
Is there a way that I can get any kind of error message that shows info on why no POST data was sent when going to the url in the return item?
I assume that this method of using paypal is deprecated. Is there a place that I can still get to the docs for using this interface?
The receiving sandbox Business account needs to enable Payment Data Transfer for any data to be returned.
With this sort of HTML-only (no API) PayPal integration that redirects away from your site, a return after a completed transaction is never guaranteed to occur. PayPal may be obligated to show the payer a receipt, or they may never click to return, or their browser may be closed or crash. Therefore, you should not depend on this returned data for absolutely anything of any importance. It is for extra informational purposes only.
If you are trying to do anything important with data returned via _GET/_POST, your integration is flawed.
With such an HTML-only <form> post integration, the only reliable way to receive data is by implementing the IPN service, which is also very old. All of these are poor choices if you need to do anything important with the data being returned.
Instead, use a current PayPal Checkout integration. Follow the Set up standard payments guide and make 2 routes on your server, one for 'Create Order' and one for 'Capture Order', documented here. Both routes should return only JSON data (no HTML or text). Inside the 2nd route, when the capture API is successful you should store its resulting payment details in your database (particularly purchase_units[0].payments.captures[0].id, which is the PayPal transaction ID) and perform any necessary business logic (such as sending confirmation emails or reserving product) immediately before forwarding your return JSON to the frontend caller.
Pair those 2 routes with the frontend approval flow: https://developer.paypal.com/demo/checkout/#/pattern/server
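The checks a 'Capture Order' route can make before storing the transaction ID and running business logic, as an added example that is not PayPal's code or the answer author's. The JSON is constructed; its layout is assumed from the `purchase_units[0].payments.captures[0].id` path quoted above, and `extract_verified_capture` is a hypothetical helper name.

```php
<?php
// Added example, not PayPal's or the answer author's code.
// The response layout and all values below are constructed for illustration.

function extract_verified_capture(string $json, string $expectedValue, string $expectedCurrency): array
{
    $data = json_decode($json, true);
    $capture = is_array($data)
        ? ($data['purchase_units'][0]['payments']['captures'][0] ?? null)
        : null;
    if (!is_array($capture) || empty($capture['id'])) {
        throw new UnexpectedValueException('no capture in response');
    }
    if (($capture['status'] ?? '') !== 'COMPLETED') {
        throw new UnexpectedValueException('capture not completed');
    }
    // Compare with the price stored server-side for this order, never with
    // an amount that came back through the browser.
    $paidCents     = (int) round(((float) ($capture['amount']['value'] ?? 0)) * 100);
    $expectedCents = (int) round(((float) $expectedValue) * 100);
    if (($capture['amount']['currency_code'] ?? '') !== $expectedCurrency
        || $paidCents !== $expectedCents) {
        throw new UnexpectedValueException('amount mismatch');
    }
    return $capture; // persist $capture['id'] in a unique column before fulfilling
}

$sample = json_encode([
    'id' => 'CONSTRUCTED-ORDER-ID',
    'status' => 'COMPLETED',
    'purchase_units' => [[
        'payments' => ['captures' => [[
            'id' => 'CONSTRUCTED-CAPTURE-ID',
            'status' => 'COMPLETED',
            'amount' => ['currency_code' => 'USD', 'value' => '75.00'],
        ]]],
    ]],
]);

// The route answers with JSON only: once for the stored price, once for a wrong one.
foreach (['75.00', '750.00'] as $expected) {
    try {
        $capture = extract_verified_capture($sample, $expected, 'USD');
        echo json_encode(['ok' => true, 'transaction_id' => $capture['id']]), "\n";
    } catch (UnexpectedValueException $e) {
        echo json_encode(['ok' => false, 'error' => $e->getMessage()]), "\n";
    }
}
```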

NAB Transact hosted payment page doesn't trigger reply_link_url

I'm using the hosted payment page; here the system redirects to the NAB Transact page for payment and displays a receipt page after the transaction is approved.
I set the return_link_url and reply_link_url in input hidden variables as below.
<form action="https://demo.transact.nab.com.au/live/hpp/payment" method="post" id="payment">
<input type="hidden" name="vendor_name" value="XXXXXXX" />
<input type="hidden" name="payment_alert" value="xx#xx.com.au" />
<input type="hidden" name="print_zero_qty" value="false">
<input type="hidden" name="return_link_text" value="Click Here to Return to the Home Page">
<input type="hidden" name="return_link_url" value="http://www.mysite.com.au/index.php?route=payment/nabtrans/callback&order_id=51216" />
<input type="hidden" name="reply_link_url" value="http://www.mysite.com.au/index.php?route=payment/nabtrans/callback&order_id=51216" />
<input type="hidden" name="Pay for Order number 51216" value="22" />
<input type="hidden" name="payment_reference" value="51216" />
<input type="hidden" name="Name" value="XXX XX" />
<input type="hidden" name="information_fields" value="Name">
The problem is that the reply_link_url is not getting triggered automatically at the time the payment receipt page is displayed to the customer, as mentioned in the guide.
I tried with an appropriate CGI handler, which does execute if called. So I used it in the reply link URL, but the link still isn't triggered automatically.
<input type="hidden" name="return_link_url" value="http://www.mysite.com.au/cgi-bin/handler.cgi?orderid=51217" />
<input type="hidden" name="reply_link_url" value="http://www.mysite.com.au/cgi-bin/handler.cgi?orderid=51217" />
I have to click on the return link on the payment receipt page to come back to the website. The reply_link_url is never triggered automatically after the receipt page is displayed, within the 15 sec timeout. I made sure to use http in the reply link URL to make it listen on port 80. The CGI script executes if I run it in a browser.
Solved
I used two different URLs for reply_link_url and return_link_url.
They are:
<input type="hidden" name="return_link_url" value="http://www.mysite.com.au/index.php?route=payment/nabtrans/replyback&order_id=51216" />
<input type="hidden" name="reply_link_url" value="http://www.mysite.com.au/index.php?route=payment/nabtrans/callback&order_id=51216" />
I made sure to add the code inside the callback function to execute the background process after the payment is approved, and used code for redirecting to the payment success page inside the replyback function. Both these functions reside in the nabtrans controller. I noticed that the reply link triggers automatically, which executes the background processes to update the order, but the last step of displaying the checkout/success page never brings the link from the payment success page of nabtrans to the original website. Still, I was happy all background tasks were done. So, I used the return link for coming back to the original website. This serves the purpose of completing the transaction and coming back to the website.

return facility in paypal button not working

I am trying to send passthrough data in a paypal paynow button and have paypal return that data to my php page when user clicks “return to merchant” button after paying.
For this I am using the “return” facility in the paypal button, together with rm=2 to send all the data back as post. However, I cannot get it to work. Here is my paypal button html:
<form name="paypal2" action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="xxx">
<input type="hidden" name="invoice" value="testinvoice_fromcode2">
<input type="hidden" name="custom" value="testcustom_fromcode1">
<input type="hidden" name="on0" value="yes"><!--agreetc-->
<input type="hidden" name="os0" value="<?php echo $aid; ?>">
<input type="hidden" name="on1" value="<?php echo $id; ?>">
<input type="hidden" name="os1" value="<?php echo $agent; ?>">
<input type="hidden" name="return" value=http://www.example.com/Admin/conpanel/privat/phpvendorpaidad.php>
<input type="hidden" name="rm" value="2">
<input id="submit" type="image" src="https://www.paypalobjects.com/en_GB/i/btn/btn_paynowCC_LG.gif" border="0" name="submit" alt="PayPal – The safer, easier way to pay online!">
<img alt="" border="0" src="https://www.paypalobjects.com/en_GB/i/scr/pixel.gif" width="1" height="1">
</form>
In the IPN notification, paypal renders:
os0 as option_selection1,
os1 as option_selection2,
on0 as option_name1,
on1 as option_name2,
I know that on0 and os0 are supposed to be used as name value pairs but way back in 2009 when I first wrote this script there were only 2 sets allowed and therefore I used all 4 to carry values and it worked then.
But essentially, I cannot understand why
<input type="hidden" name="return" value=http://www.example.com/Admin/conpanel/privat/phpvendorpaidad.php>
<input type="hidden" name="rm" value="2">
is not working.
I cannot pick up these values in the receiving script, phpvendorpaidad.php, either as
$aid=$_REQUEST['option_selection1'];
or as
$aid=$_REQUEST['os0'];
for example.
Can anyone see what I am doing wrong? Much appreciated.
I also have an IPN listener page that is working normally. Could another way be to build this in to the IPN listener page using javascript to send the form data automatically on page onload?
Is paypal actually POSTing to your return script or using GET? In the latter case, you can see the txn_id and some other info in the query string, but you will NOT get the whole payment detail data.
If you have Auto Return set to On (meaning the user gets automatically redirected back to your site, without having to click a button), then paypal will send a GET request and will include only a few items.
var_dump($_REQUEST) and var_dump($_POST) in your script to see what you are getting.
Actually the problem lay in defective if/else logic in my return code, which was set up in 2009 to handle the GET variables that Paypal was sending to the return script in those days. This logic had to differentiate between the POSTed data received from a preceding form on my server and the GET data received from Paypal. Paypal appears to have changed since 2009 and no longer sends GET data to the return script but POST data via
<input type="hidden" name="return" value=http://www.example.com/Admin/conpanel/privat/phpvendorpaidad.php>
<input type="hidden" name="rm" value="2">
Once this was corrected the program worked.
However, I was only able to discover the problem thanks to the brilliant suggestion from JBart to var_dump($_REQUEST) (or the more easily read print_r($_REQUEST)). Without this I would still have been floundering. So cheers JBart, would love to buy you a drink if you are in the neighbourhood (NW London)!
And no, I didn't need to extract any variables from the received POSTed array (see my last comment above), just normal '$payment_status = $_POST['payment_status'];'. In this I had misinterpreted another thread on the subject in "How can I get posted data passed along when the user is first redirected through Paypal?"

Paypal IPN response not getting into Android Mobile Browser

I am new to Paypal integration, and I am trying to implement Paypal IPN for my android application. To make it work, I have created one web page (using PHP and sending to the Paypal sandbox account, method (GET)) in which I am doing the payment. And I am getting the payment status from this.
Actually this web page works properly and gets a response after doing the payment in a computer browser, but if I do the same payment with the Android mobile browser then I am not getting any response from Paypal for the payment I made.
I am using this url
IPN
Here is my HTML code.
<form name="payment_form" id="payment_form" action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="GET" onSubmit="return form_submit();">
<input type="text" name="amount" id="amount" value="1" readonly class="form-control left-icon">
<input type="hidden" readonly name="cmd" value="_xclick">
<input type="hidden" readonly name="business" value="Bmlpatel#gmail.com">
<input type="hidden" readonly name="item_name" value="TEST Store">
<input type="hidden" readonly name="LC" value="AL">
<input type="hidden" readonly name="country" value="USA">
<input type="hidden" readonly name="quantity" value="1">
<input type="hidden" readonly name="notify_url" value="http://XX.111.XXX.XX/payment/response.php">
<input type="hidden" readonly name="return" value="http://XX.111.XXX.XX/payment/response.php">
<input type="hidden" readonly name="cancel_url" value="http://XX.111.XXX.XX/payment/">
<input class="btn btn-success" name="action" value="Recharge" type="submit">
</form>
So any help to this topic appreciated.
You should make sure you have IPN turned on in your PayPal settings:
1) Log into your PayPal account and go to Profile → Profile & Settings → Selling Preferences → Instant Payment Notification preferences (alternatively click here to go directly to the page, making sure you're logged into your PayPal account before you click the link).
2) Click Turn On IPN on the PayPal site.
3) You will then be prompted for a Notification URL, which should be any URL - it will only be replaced by your notify_url parameter.
4) Save your settings.
If you've already done this then you need to make sure your Notification URL is accessible via the outside world. It looks like you're using an IP, so use something like https://www.hidemyass.com/proxy to check your site is definitely available.
If all else fails it may be an issue with PayPal and the way it decodes the notify_url from Android web browsers. I have this issue with them and sometimes the notify_url is cut short - and we suspect it's only on Android browsers.
Check your IPN history on your PayPal account and you'll see the exact URL the IPN was sent to and the status.

Google Reader API - Mark All As Read

I am trying to write a script which marks all my feed items as read within Google Reader. It should be as simple as posting 4 variables to an API link. However, the only way I can successfully make an HTTP POST to Google without getting a 400 error back is a simple HTML FORM POST as follows. I have tried PHP cURL but I get a 400 error from Google stating I have made a bad client request.
<form method="post" action="http://www.google.com/reader/api/0/mark-all-as-read">
<input type="hidden" name="s" value="user/10408189040522127442/state/com.google/reading-list" />
<input type="hidden" name="t" value="Your reading list" />
<input type="hidden" name="ts" value="<?php echo time(); ?>" />
<input type="hidden" name="T" value="<?php session_start(); echo $_SESSION['token']; ?>" />
<input type="button" value="Mark All As Read" /></form>
Submitting the same details using an HTML FORM (as I tried with cURL) works fine, successfully marking all items as read but because the FORM ACTION is set to an external site, you are redirected to it upon submission. To get around this I tried to do an AJAX FORM submission with the following, so there is no redirection but this doesn't work and nothing is submitted.
$(document).ready(function(){
$("input[type=button]").click(function() {
$.post($('form').attr("action"), $('form').formSerialize());
});
});
Can anyone advise?
1) Why does a cURL POST not work but a simple HTML FORM POST does?
2) Why can't I (silently) submit the HTML FORM with an AJAX submission?
Google may require certain headers to be set when doing the post, which is why it may be responding with a 400 error. Check that the same headers that are sent using the basic <form> are also set when submitting it using cURL.
Also, the reason why you can't $.post() to Google is due to the same origin policy.
Google does require an additional header for every post and some gets.
curl_setopt ($ch, CURLOPT_HTTPHEADER, array('Authorization: GoogleLogin auth=' . $auth));
To get the auth you need to hit https://www.google.com/accounts/ClientLogin
Take a look at this answer, Google Reader API?
