Perform POST Request from a Controller in Symfony2 - php

I need to integrate a virtual POS (Point of Sale) with my eCommerce website made in Symfony2.
The system is simple: the client has to perform a POST request to a given URL, with a few parameters; then from my website the client will be redirected to the bank POS page where he/she can pay the orders.
The problem is that I don't want to send to the client any of the POST parameters in the HTML (because they are sensitive: passwords and signatures), so I am wondering how to achieve that in my Symfony2 environment.

Have a look at cURL in PHP: http://ch2.php.net/manual/en/book.curl.php
You can do POST requests with that from PHP.
Maybe this example helps: http://wiki.uniformserver.com/index.php/PHP_cURL:GET%26_POST#Example_11_-_cURL_POST
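
A server-side POST with PHP's cURL extension, as an added example that is not part of the original answer. The function name, the field names and the idea that the gateway announces a redirect are assumptions; the sensitive parameters stay on the server.

```php
<?php
declare(strict_types=1);

// Added example: POST form fields to the gateway from the server, so that
// passwords and signatures never appear in the HTML sent to the client.
function postToGateway(string $url, array $fields): array
{
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('gateway URL must use https');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields), // form-urlencoded body
        CURLOPT_RETURNTRANSFER => true,            // return the body instead of printing it
        CURLOPT_FOLLOWLOCATION => false,           // report redirects, do not follow them
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse anything but HTTPS
        CURLOPT_SSL_VERIFYPEER => true,            // keep certificate validation on
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate must match the host name
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('gateway request failed: ' . curl_error($ch));
    }
    return [
        'status'   => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'body'     => $body,
        'redirect' => curl_getinfo($ch, CURLINFO_REDIRECT_URL) ?: null,
    ];
}

// Constructed usage: pass the gateway URL on the command line.
// The field names and values below are placeholders, not a real gateway's parameters.
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $result = postToGateway($argv[1], ['merchant_id' => 'M-TEST', 'signature' => 'constructed']);
    echo $result['status'], ' ', $result['redirect'] ?? '(no redirect)', "\n";
}
```

In a Symfony2 controller the `redirect` value, when present, can be returned to the browser with a `RedirectResponse`; whether the bank replies with a redirect at all depends on the gateway.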

Related

How to build a basic web app on WordPress site using AWS API Gateway

I want to build a simple Software-as-a-service web application that performs web scraping - the result per execution will be a table of results with several rows and columns. For the front-end, I wanted to build the website using WordPress since I am familiar with making basic websites there and like the plugins available. For the backend I plan on using AWS Lambda to perform the task serverless-ly. The user will log in to the site, then when they want to use the service will enter some keywords via a form, and that will send an HTTP request to AWS API Gateway, which is connected to my Lambda function. Currently, the AWS Lambda function writes results into AWS DynamoDB as it goes - perhaps I need to write a second HTTP request method to query the results, or return the results in the same method that scrapes them instead.
Even after hours of googling, there are several areas in which I am unsure how to proceed, or if I have chosen the right path (I have no prior experience in this area.) Two of the biggest puzzles I have currently though are:
How can I use WordPress to send data to AWS API Gateway? Do I need to write some PHP code and if so what does it look like and where should I put it?
How can I present the results on WordPress site for the user? Should I keep the results saved on DynamoDB and query them when I want to present them, or should I store the results on the WordPress database? Ideally they would see a big table and have options to export to CSV, for example.
Thanks for your help and patience.
Cheers,
jack

There are a couple of possible ways this can be accomplished. One way is to just use webhooks. Most form plugins come with the option to use webhooks, and doing it this way is pretty straightforward. Here is an article from WPForms on how to configure it: WPForms and Webhooks. Below is an example of how I have used it. The example shows a form that sends data to AWS API Gateway which triggers AWS StepFunctions and also puts the customer information in DynamoDB.
[Image: WPForms Webhook to AWS API Gateway]

Handle PayPal Smart Checkout Buttons with Laravel & ReactJS Frontend

I am having some trouble thinking this through the right way.
I am running Laravel as the backend for a ReactJS Frontend - separately.
It is going to be a small online shop only having PayPal as the Payment Gateway (using PayPal Smart Checkout Buttons) without User Registration.
React will call the Laravel API on payment initiation which will prepare the actual call to PayPal on server-side (get the price from database, in case user tampered with it, I take only the product ID and get the real product data from the database). The response will be returned to React.
As you might know PayPal works this way: create order in first API call, then capture the order in second API call ("create order" and "capture order" calls)
Laravel Endpoints that are called: "/create-paypal-transaction" and "/capture-paypal-transaction".
Currently (old version of this project was a monolithic laravel solution, no separate frontend) I store the response of the "capture order" API call in my DB as the final order / as the completed transaction. The result of the "create order" call is not stored in the DB. I do store the result of the "create order" call, with all its information (product, price, id, paypal_id etc.) in the session. Then, after capturing I load from the session to create the final order as a DB entry.
My trouble is: how do I securely realize this with a separate frontend and pass data from my first API call to my second API call?
I see only two options right now, maybe you guys can enlighten me:
1. Save the response from PayPal of the "create order"-call to my DB via laravel and then, after approval & response of the "capture order"-call, just update the stored order status from something like "created" to "captured".
2. Use the response data from the first API call in React and pass it to the second API call to hit the Laravel & store the order if PayPal returns success.
Problems that I don't like with either method:
currently there is no Authentication method implemented (no JWT or Passport or any). I was going to go with Laravel default API Authentication as I have no Users - therefore Passport & JWT don't seem to fit perfectly. People checkout without any registration. Therefore:
if I go with 1. solution people could easily mess with the DB and create loads of orders ("create order" calls)
and the 2. solution is just no real solution. I will not trust client-side data.
So, please, please let me know if you got any idea how to do this the smart way. Maybe I just don't see the obvious right now, but it has been a long day and all the thoughts about the right way to securely communicate have been making me tired...
Thanks in advance!

Both (1) and (2) are overly complex. When the client calls create-paypal-transaction, all it needs in response (in addition to anything of your own you want to provide for your own purposes) is the order id. That's it, that's all the client wants and needs to keep track of.
It will use that id when it calls capture-paypal-transaction, and your webserver can check that it is appropriate and valid (in the session) before attempting to do the capture. No database storage is necessary until you have a successful capture, although you are welcome to store in-progress orderIDs for debug purposes. They have no accounting value, and no security value outside the session.
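
The session check this answer describes, as an added framework-free example that is not part of the original answer. The class name, the `$session` array standing in for the Laravel session, and the two closures standing in for the PayPal "create order" and "capture order" calls are assumptions; it needs PHP 8.

```php
<?php
declare(strict_types=1);

// Added example (PHP 8+). $session stands in for the Laravel session; the two
// closures are hypothetical stand-ins for the PayPal create/capture API calls.
final class PaypalCheckout
{
    public function __construct(
        private array $priceCents,      // server-side catalogue: product id => price
        private Closure $createOrder,   // fn(int $cents): string, returns the PayPal order id
        private Closure $captureOrder   // fn(string $orderId): array, returns the capture result
    ) {}

    // /create-paypal-transaction: the client sends a product id, gets back the order id only.
    public function create(array &$session, string $productId): string
    {
        if (!isset($this->priceCents[$productId])) {
            throw new InvalidArgumentException('unknown product');
        }
        $amount = $this->priceCents[$productId];   // price comes from the server
        $orderId = ($this->createOrder)($amount);
        $session['paypal_pending'][$orderId] = ['product' => $productId, 'amount' => $amount];
        return $orderId;
    }

    // /capture-paypal-transaction: capture only an id this session created, and only once.
    public function capture(array &$session, string $orderId): array
    {
        $pending = $session['paypal_pending'][$orderId] ?? null;
        if ($pending === null) {
            throw new RuntimeException('order id not created in this session');
        }
        unset($session['paypal_pending'][$orderId]);   // a replayed capture is refused
        $capture = ($this->captureOrder)($orderId);
        return $pending + ['order_id' => $orderId, 'capture' => $capture]; // row to store
    }
}

// Constructed demo with fake PayPal calls and two separate sessions.
$checkout = new PaypalCheckout(
    ['sku-1' => 1999],
    fn(int $cents): string => 'ORDER-' . bin2hex(random_bytes(4)),
    fn(string $id): array => ['status' => 'COMPLETED']
);
$buyer = [];
$other = [];
$id = $checkout->create($buyer, 'sku-1');
try { $checkout->capture($other, $id); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
print_r($checkout->capture($buyer, $id));
```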

How to sell a dynamically generated file?

I sell a (very cheap and dynamically generated through PHP) file of data online. For the payment, I use a basic PayPal button.
This has two advantages I want to keep:
PayPal is known, and people are not afraid to proceed to payment, as they are on PayPal website when they pay (they get redirected to my website at the end of the process, and the file automatically downloads).
I don't need any SSL certificate on my website (quite expensive).
This has several drawbacks, I would like to be fixing:
As the file is dynamically generated in PHP, I would like to be choosing the price and the currency dynamically (according to many parameters; currently the price is fixed).
In my JavaScript, there is a POST action, with a hidden "return" parameter (the URL the customer gets redirected to once payment is successful). If you know this URL, you can get the file without paying. This is a big security flaw here in my implementation (even if most of my users won't know how to inspect client code).
I understand I should be using the PHP PayPal API rather than the basic PayPal button. The workflow I imagine is:
a PayPal button on the page when clicked, triggers a server side PHP script.
this PHP script decides the price, contacts PayPal with the return URL (not available on client side) and redirects the client to this payment page on PayPal.
the client pays in PayPal secure environment and, once payment is successful, gets redirected to my website with a temporary authenticated token (?) so he cannot transfer this URL to someone else and the file download happens.
I am a little lost with the PayPal documentation. Could you confirm my architecture principles and provide me with some sample PHP code in order to achieve all that?
Other questions: I currently have a basic PayPal account. Do I need a business account? Do I need an SSL certificate? Do you know good alternatives to PayPal to do all that? Google? Visa?
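
One way to build the temporary token the question asks about, as an added example that is not part of the original post: an HMAC-signed, expiring token that the server issues only after it has confirmed the payment itself. The function names, the key and the token layout are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. DOWNLOAD_KEY is a constructed value; load a long random
// secret from server-side configuration and never send it to the client.
const DOWNLOAD_KEY = 'constructed-demo-key-change-me';

function base64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Issue a token once the payment for $orderId has been confirmed server-side.
function issueDownloadToken(string $orderId, int $ttlSeconds, int $now): string
{
    $payload = base64url((string) json_encode(['order' => $orderId, 'exp' => $now + $ttlSeconds]));
    $mac = base64url(hash_hmac('sha256', $payload, DOWNLOAD_KEY, true));
    return $payload . '.' . $mac;
}

// Return the order id if the token is authentic and not expired, otherwise null.
function verifyDownloadToken(string $token, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = base64url(hash_hmac('sha256', $payload, DOWNLOAD_KEY, true));
    if (!hash_equals($expected, $mac)) {   // constant-time comparison of the MACs
        return null;
    }
    $data = json_decode((string) base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['order'], $data['exp']) || $now >= $data['exp']) {
        return null;
    }
    return (string) $data['order'];
}

// Constructed demo: a fixed clock value, a valid check, an expired one, a tampered one.
$now = 1700000000;
$token = issueDownloadToken('order-42', 300, $now);
var_dump(verifyDownloadToken($token, $now + 10));
var_dump(verifyDownloadToken($token, $now + 301));
var_dump(verifyDownloadToken($token . 'x', $now + 10));
```

Expiry only narrows the window in which a shared link works; allowing one download per order additionally needs a server-side record of the order ids already served.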

PHP + PayPal: make payment by PayPal without screen login

I have a new question. This is my context:
I want to make my own API REST, where I can call this method with information about my product as parameters. My backend method does the typical purchase process but it doesn't show the PayPal screen which shows information about my product; it just does the process directly and I receive an answer. Is it possible?
I'm using the PayPal SDK for PHP, and searching on Google I have only gotten that the PayPal page shows, but I'm new to this. Your answer will be so good!

Yes, this is very possible. There are plenty of tutorials online for building your own REST service, and within your service methods you can hit other APIs or do anything you need to do.
Your service can parse the results from the 3rd party service you're hitting (you could hit 10 different services if you wanted to) and then you would generate your own basic response which includes a collection of all that data back to whatever client hits your service.

Authorize.net Get Transaction ID from Server Integration Method

I want to integrate my application with Authorize and I need to get the transaction ID to save this information in database. The question is, can I do this with SIM? I know you can set a URL to get back to your homepage, but is it possible to send the transaction ID back to homepage?

You have two options:
Relay Response
Relay Response is a feature available to merchants using Server Integration Method (SIM) or Simple Checkout. It instructs the payment gateway to return transaction results to the merchant using an HTML form POST to a specified URL on the merchant's Web server. A script or program at the URL can be used to create a custom receipt page using the transaction information. The custom receipt page is then relayed back to the customer's browser. Relay Response does not redirect the end user back to the merchant’s server, but relays the page content to the end user instead of displaying the Authorize.Net default receipt page.
Silent Post
This feature allows you to specify a URL, or Web address, to which the payment gateway should copy the transaction response that is sent to the configured Relay Response URL. If you are not using Relay Response, the feature allows you to specify an additional URL to which transaction responses can be posted.
If you're looking for sample PHP code I wrote an article that includes that here.
My recommendation is to use Relay Response as it gives you an opportunity to customize the receipt page your users see. (Although you can use both as they do not conflict with each other).
(I am the author of both Silent Post articles)
