I've been working on a website where people can submit questions to me online and I'll answer them for a small fee. I'm using PayPal to collect this small fee, and I've recently successfully implemented the PayPal IPN in order to collect transaction IDs. What I planned on doing was storing the transaction ID and asking the individual for the transaction ID when they ask a question. Once a transaction ID had a question associated with it, it would be marked as used and could not be used twice. I chose this method over having people create an account and storing variables within each account because I figure people will be deterred from using my service (it's related to academia) so this is kind of perfect.
So.. what's the issue?
I had a friend try it out, and we unfortunately found out that the transaction ID that I got and stored is different from the transaction ID that he got, hence completely breaking the system I had envisioned.
My Question
What is a unique variable passed on through the PayPal IPN that I can use to ask the buyer about and ensure that it doesn't get used twice?
I want the process to be automated, which eliminates the possibility of invoices since you have to do those by hand each time.
Thanks for your thoughts and efforts.
You can pass custom in your PayPal integration, which is subsequently returned in the IPN message.
I.e., for Express Checkout:
METHOD=SetExpressCheckout
PAYMENTREQUEST_0_AMT=1.00
RETURNURL=http://...
CUSTOM=yourUniqueDataHere
Or for Payments Standard:
<input type="hidden" name="custom" value="yourUniqueDataHere">
Once the transaction completes, you can find custom in your IPN message's POST data.
Related
I am implementing PayPal payment to my application.
I am using Laravel Framework and merchant-sdk-php package to handle NVP/SOAP API. I would accually prefer REST API, but i need customers to make Reference Transactions with various amount, in non regular time periods and as far as i know it's possible only with NVP/SOAP API.
The payment flow in shortcut:
1. Payer clicks "connect" button, which is to create billing agreement using "SetExpressCheckout" method. Amount is set to 0 and adding a Billing Agreement field to request. Customer is redirected to PayPal, log in to his account, agreeing to direct debit and finally redirected to my return url.
2. After response is come, return action is fired (the one, which is passed in returnurl field). Next using token from paypal resposne i use CreateBillingAgreement method to get "BillingAgreementID" which i store in database.
3. Using "BillingAgreementID" i make "DoReferenceTransaction" request. No prompt to login is occurring, everything is happening behind the scene. Finally i get response after transaction.
The thinks i want to know are:
1. Is there a way, to get an email address, which consumer used to log in when creating billing agreemenet? I want to show in application which PayPal account (related to mentioned email) is direct debit set to?
2. I want to make some action in databse both after "BillingAgreementID" and "DoReferenceTransaction". Is the response status "Success" and additionally in "DoReferenceTransaction" field "PaymentStatus" set to "Completed" enought to conclude, that transaction is fully completed, and i cant i.e. share some digital goods or should i wait for IPN from this request?
Thanks for all contributions!
Found solution to question 1.
After betting billing agreement id i had to make "GetBillingAgreementCustomerDetails" action. In response i got customer details including email.
Still watching for hint to second question
I am integrating PayPal Express Checkout API into a digital goods/services website. I worked out all the technical stuff, but now I have a theoretical question - when the transaction is done and I get a confirmation from PayPal, what is the best way to store that acknowledgement from paypal, and credit my user's account?
The ConfirmPayment() function in the paypal library returns from paypal with an associative array, including a transaction ID, and acknowledgement that I have the user's money in my business account.
So my plan is, store that transaction ID as a unique value in a SQL table, so if the user for example reloads the confirmation page, which would then re-call ConfirmPayment($token), my PHP script won't just credit their account a second time, because the SQL table will return a unique ID error.
How are smart programmers integrating this last payment confirmation into the rest of their application?
THANKS.
I would do it like so:
Keep a full log of all the messages your receive from Paypal. Just the RAW data should be fine. Then beyond that point don't need that much traceability. If anything ever happens you can check the log. This should really never happen, if you need to look at this log a lot to resolve any issues you have a different kind of problem. This is why my suggestion is: don't put too much time into it, but make sure you have traceability (albeit a very crude one).
If the user reloads the confirmation page, Paypal will not send you another message. Keep in mind that you should only accept transactions that Paypal has verified. The user should not be able to validate his own transactions by bypassing Paypal.
Am trying to create a way to setup the following:
User sends donation to paypal with info from donation site (name, email)
Paypal receives the donation and using the 2 variables it received (name, email) it sends them back to the donation site
Donation site receives variables and donation amount and changes some variables in the website to show that the user has donated some amount.
The site shows a list of users that have donated and how much they have donated which shows as points. How can I do this with paypal and php and mysql.
I'd suggest looking into using PayPal Instant Payment Notifications (IPN).
PayPal IPN allows you to (asynchronously) process order information while not having to depend on the buyer to return to your website to complete the order (which would be the case with PDT).
You can use IPN by setting up a script which receives this (POST) data from PayPal. In addition, you must include the following code in your button and/or API call(s):
For Website Payments Standard (where "xxxxxxxx" is the full URL to your IPN script):
<input type="hidden" name="notify_url" value="xxxxxxxx">
For Express Checkout:
Include NOTIFYURL=xxxxxxxx in your SetExpressCheckout and DoExpressCheckoutPayment API call
For Website Payments Pro
Include NOTIFYURL=xxxxxxxx in your DoDirectPayment API call
Once set up, you will receive POST data from PayPal with every transaction.
Take this data, and send it back to https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate (Live) or https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_notify-validate (Sandbox) to validate the data. If PayPal responds with VERIFIED (in the body of the page), you're sure the data is genuine IPN data coming from PayPal.
You can find sample code, documentation and further information on PayPal IPN at https://www.paypal.com/ipn
See also some IPN security best practices at https://www.x.com/developers/community/blogs/ppmtsrobertg/securing-your-instant-payment-notification-ipn-script
I found this tutorial, looks like what you're after.
http://tutorialzine.com/2010/05/donation-center-php-mysql-paypal-api/
Your first step is to use a paypal payments pro account. If memory serves correctly, you can only callback on pro accounts. Otherwise your paypal donation is pretty much a one way trip.
Please understand your question is very involved and is not likely going to result in a full blown example.
The best suggestion I can give is to read up on the paypal API documentation and see if the PHP API fits your needs...
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/howto_api_overview
The PHP / MySQL end of things is on you at this point. You must store user information that you would use to send and validate the successful transactions based on the paypal API results.
While this answer may not serve your situation exactly, it is at least a small point in the right direction. I would suggest taking care to consider refunds and cancelled payments. If there is anything at all to gain by accumulating these "points" you mention then you need to cover security well. Otherwise you will be gamed and could stand to lose something if this is not done correctly.
If you have anything specific to add to this question to narrow down the possible answers, let me know and I will try to update this answer with a better, more specific response.
Set up Payment Data Transfer with PayPal,
PayPal PDT How To
Then on the page that receives the payment details from PayPal, calculate the number of points the person gets based off of how much money they donated (using whatever multiplier or point scheme you decide on), then log the data in a points field in the user's row of your user table in mysql.
I'm using PayPal on a website that I'm currently working on and everything works correctly: user is sent to paypal, pays, and comes back and IPN validation is working perfectly.
The only thing is that I noticed, using the sandbox, that the transaction number given to the buyer is not the same as the one I get in the IPN data (txn_id). I'm wondering how am I supposed to help a customer on my website if he gives me the confirmation number he got on his invoice and it's not the same as in PayPal's system? Is there something that I missed in my IPN scripting that would allow me to get that same information? I didn't see anything about that in the documentation and I'm probably not the first developer who notices that...
Thanks for any kind of help you can give me.
A seller's transaction ID is different from a buyer's transction ID, since they're two different actions (one debit, one credit).
See from
PayPal IPN unique identifier
I'm trying to link my 3rd party shopping cart to PayPal, and in the process I'm finding that my variables are extremely exposed, such that, if someone uses, say, Firebug, to manipulate the values of my variables, they can change the cost of the items in the transaction.
I'm very new to online carts and shopping, so my question is how do I keep this layer of exposure away from users and secure for the website?
The answer is in the Instant Payment Notification service.
Upon completing the transaction, PayPal notifies you, in a separate process, of the payment details for the last transaction.
You can check these details against the data you stored locally. If they match, all is fine. If they do not match, you will need to investigate the issue.
Never understood why PayPal does not allow the data to be signed with some sort of hash + shared secret... but that does not help you any further.
If you POST the variables to PayPal, you can encrypt the data. Unfortunately, this is not possible for a GET request, triggered from a redirect.
There is a way of getting PayPal to host the button variables on their side. Look out for PayPal Hosted Buttons in their documentation:
https://cms.paypal.com/uk/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_ButtonMgrAPIIntro#id093VD0JE0Y4
Otherwise verify with IPN as mentioned bu Jacco.
Use the PayPal NVP or SOAP API to create an encrypted button. Basically you set all the information using PHP and then the API gives you the HTML.
Alternatively if you only have a couple of products you can make custom buttons.
The API's are well documented and easy to use. Personally I used the NVP as it was recommended for less experienced programmers. You can also use both in with the IPN (Instant Payment Notification) system so that for example digital products can be automatically emailed.