I have a the following form at the end of a booking process (simplified):
<form action="https://www.paypal.com/cgi-bin/webscr" name="paypalForm" method="post">
<input type="hidden" name="amount" value="<?=$price;?>">
<input type="hidden" name="business" value="business#email.co.uk">
<input type="hidden" name="notify_url" value="http://website.co.uk/ipn">
</form>
I have only left out things like address name etc. So when they pay via Paypal, I am using paypal IPN to mark them in the database as paid. However..
I have gone to the end of my booking system and viewed source of the webpage, modified the business email address and amount. I haven't tried a full transaction yet, but surely with the 'notify_url' in there Paypal with send an IPN message to my server and will mark the person off as paid? Isn't this terrible security? Surely this not how all paypal payments work, I must be missing something.
There are two things I can think of that might prevent this:
If I remove the "notify_url", will the IPN URL that I have set in paypal work instead? What value does paypal place on the hidden var notify_url, does it override the settings in the back end of paypal?
In my IPN code I could check for business and Amount. I don't currently, as I didn't read any where in the documentation that I should. But now, I am thinking that maybe it would be a terribly good idea.
There isn't any check that can be done by PayPal to know what the correct amount, or email address should be that was used, or that the IPN URL should only be used with a particular PayPal account. Your options would to be write in the additional checks like you have already mentioned. In additional to what you already stated about your 2 workarounds, a 3rd option would be to create a hosted or encrypted button on the fly using PayPal's BMCreateButton API. Then the buyer would only see the encrypted button code, they would not be able to view your HTML button code. Therefore they would not be able to modify any of the variables, or see what they are currently set to.
Related
I've a question about processing a PayPal Transaction & being able to pass a unique piece of information along with the transaction to identify the customer.
Customers have a unique ID that isn't sensitive - say 1000000898.
Situation:
A customer can join this site with any email address and later can decide to upgrade with Paypal which might be registered under a different email address.
I can then have an issue identifying which account make the transaction as i only have the email as a reference. I want to be to pass the Unique ID (above) along with the transaction and be able to see this ID when I look at the transaction in Paypal.
Below is some code I'm using and the last line I added to try to pass the ID along with the transaction. Transaction processed fine but in PayPal (Sandbox) I couldn't find the ID with the transaction - didn't appear anywhere...
<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="blahblahblah">
<input type="hidden" name="return" value="https://somewhere.com" />
<input type="hidden" name="item_number" value="1000000898">
Question:
What input name would I add (or line(s) of code would I add) to be able to see the ID in the PayPal transaction. EG along with name, email and address.
thanks heaps..!!
Adam
This code is for a hosted button. You cannot add additional variables directly to a hosted button's code. If you want to add dynamic data into your button you will need to make it non-hosted.
When building the button, Step 2 (or maybe Step 3) asks you if you want to save the button at PayPal. You need to disable this option. Then at the end there will be another option for securing the code, and you'll need to disable that, too, so that it's not encrypted. This will give you the basic, raw HTML form code.
With this raw form code you can add any variables you want from the PayPal Standard Variables reference.
Of course, doing things this way does leave the door open for somebody to potentially copy your HTML code, adjust the variable values, load the HTML form/button on their own page, and submit a payment for your product/service at a cheaper price. You would need procedures in place to catch this sort of thing.
Another option (which I recommend) is to use the Express Checkout API instead. This allows you to customize everything and make it dynamic without the ability for anybody to adjust any of the code/values.
Since you're working with PHP you could take a look at my PayPal PHP SDK. This would allow you to make the API calls for Express Checkout very quick and easy.
I have read and read through the links and documentation about the PayPal API, but to be honest, I am pretty confused as to what it is I need to do.
I am trying to set up a simple API where a user on my website clicks a button which takes him to PayPal to make a payment. After he makes the payment, all I want is for the PayPal API to update a record on my database with the confirmation.
So far the process works perfectly one way. I am using this code to get the users to make their payments:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="username#mywebsite.com">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="item_name" value="Gift Certificate">
<input type="hidden" name="item_number" value="RI001CI3481">
<input type="hidden" name="amount" value="313">
<input type="hidden" name="return" value="http://mywebsite.com/paypal/thankyou">
<input type="submit" value="PayPal">
</form>
After the user finishes the transaction, they are returned to my 'return' page.
I get an email when the transaction is complete. That's how I now a payment has been made. I then go to PayPal, confirm the payment, and update my database record to mark the transaction complete.
Now, what do I have to do to have PayPal automatically update my database when that payment has been made? If you could point me to a simple to follow document or sample, that would be great. As I said, I have read through some of the available documentation online but for someone like me it's a bit confusing.
Thanks,
Manny
What you're showing here is not using the API. PayPal Standard is just basic HTML form method for setting up payments with PayPal. It sounds like that part is already working for you how you need, so that's fine.
To update the database, you want to use Instant Payment Notification (IPN). It's still not technically an API, but it is a push service that will POST transaction data about any transaction that hits your PayPal account to a listener script that you have setup on your server.
Within this script you can process the data however you need to. Update your database, generate custom email notifications, hit 3rd party web services, etc.
There are some good IPN templates available for PHP on GitHub / Packagist. PayPal also provides a very basic starter template for IPN.
I think that IPN is one answer, but it is prone to issues and can fail if your servers or PayPal's servers are having issues. Many people who use IPN have only one server, and perform maintenance late at night, and IPN may attempt a notification but fails because the server is down for maintenance. IPN will just fail silently. A better alternative is to use an API like Express Checkout where you set up the look and feel of the page, set txn details, etc. with SetExpressCheckout and take the customer to the PayPal page to check out, and afterwards they are returned to your site. At this point you run DoExpressCheckoutPayment to complete the transaction and then when your response contains "ACK=Success" you can call GetExpressCheckoutDetails to get more detail than you would see with IPN and not have to worry if you didn't receive a response from PayPal as with IPN. You would have a request / response as with any API call and you can log your responses to be able to see when things go wrong, as well as to get details of the transaction. Often it seems that people explaining EC and even PayPal docs show to call setEC, then getEc, then doEC but I usually call set, do and then get once the txn is successful. I'm sure there are scenarios when someone would need / want to call set, get, do, but for IPN we only care once the txn is successful. ALSO, IPN will not send unless there is a txn. You can set your code to allow for situations when you receive an error and act accordingly, like when you get an error for declined card or similar. You can log the error, send email / SMS, log to DB table, etc.
Here is the documentation to integrate Express Checkout:
https://developer.paypal.com/docs/classic/products/express-checkout/
Tons of links here since EC can be used for order / auth / capture or simple sales or subscriptions, etc.
Here is the list of parameters for SetExpressCheckout:
https://developer.paypal.com/docs/classic/api/merchant/SetExpressCheckout_API_Operation_NVP/
Here is the list of parameters for DoExpressCheckoutPayment:
https://developer.paypal.com/docs/classic/api/merchant/DoExpressCheckoutPayment_API_Operation_NVP/
Here is the list of parameters for GetExpressCheckoutDetails:
https://developer.paypal.com/docs/classic/api/merchant/GetExpressCheckoutDetails_API_Operation_NVP/
While the overall coverage isn't yet at the same level of IPN, PayPal also now has Webhooks: https://developer.paypal.com/docs/integration/direct/rest-webhooks-overview/
Webhooks are a much more modern form factor than IPN, and is supported in the REST SDKs, hopefully that helps.
I am trying to set up a simple payment option to paypal, but am having some trouble/confusion with the return and notify URLS. I am fairly new to php and have accomplished this previously in asp, but I have now become lost.
SO my basic paypal form:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" id="PayPalForm" name="PayPalForm" target="_top">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="email#hotmail.com">
<input type="hidden" name="amount" value="0.01">
<input type="hidden" name="item_name" value="Composite Door">
<input type="hidden" name="item_number" value="<?php echo $orderID ?>">
<input type="hidden" name="currency_code" value="GBP">
<input type="hidden" name="cancel_return" value="http://www.mydomain.co.uk/paypal-notcompleted.php">
<input type="hidden" name="return" value="http://www.mydomain.co.uk/paypal-completed.php">
<input type="hidden" name="notify_url" value="http://www.mydomain.co.uk/paypal-completed.php">
</form>
<script>
document.PayPalForm.submit();
</script>
As you can see the form posts to paypal, and then returns depending on the outcome, if failed/cancelled it goes to paypal-notcompleted.php.
If its successful it goes to paypal-completed.php. And this is where I am unable to understand, I haven't set up an IPN, all I want to do is grab some of the variables paypal posts back to me, to run a simple insert query and display some details in a confirmation message to the customer.
Am I allowed to have the notify_url and return_url as the same page?
Why does paypal not post the full expected (as seen here: Notify url of Paypal ) back to the page?
I understand there is something to do with XML and such, but I just figured that I would be able to $_GET the variables that paypal sent back. Has anyone done it this way, can they tell me where I am going wrong?
To return details back to the your return URL you'll need to use PDT. It's very similar to IPN except it's intended for use with your return URL, while IPN is intended for use with a 3rd party IPN listener script on your server.
PDT is fine for simply displaying transaction to the user on the return URL page, but it's not recommended to do any any post-payment processing with PDT (ie. database updates, sending out email receipts, etc.) because there is no guarantee the user will make it back to this page, even with Auto-Return enabled in your PayPal account.
IPN will be triggered every time a transaction occurs regardless of whether or not the user makes it back to your site after completing payment.
The notify URL is used for IPN only, and it would override any setting you have in your PayPal profile for IPN. PDT needs to be configured in your PayPal account profile in order to get data returned to your return URL.
You're going to want to use different URL's for return and notify, otherwise that same code would run twice: once when the user returns to your site, and again from the PayPal IPN POST.
Payment Data Transfer (PDT)
The return and cancel_return urls are one-off Payment Data Transfer (PDT) calls primarily so the user completes the transaction on your site. It is only passing information to reasonably help your site fulfil that task. There is no guarantee that a buyer will not quit before returning, so you cannot rely upon being able to do any post-transaction processing using only these.
Instant Payment Notification (IPN)
notify_url is used by the Instant Payment Notification (IPN) process, and called with each change in the transaction status. It is meant to be a complete record of all actions taken during the transaction lifecycle, upon which you can rely to drive backend process, like accounting, order fulfilment or cancellation. The IPN process takes measures to ensure the integrity of the process.
Their purposes are different and thus the information and security involved is different. For pros and cons.
IPN messages can be severely delayed, so use all three variables
Note that while most IPN messages are sent within a few seconds of the PayPal transaction being completed, I have experienced delays of up to several hours, so they are reliable, but not necessarily timely.
I would suggest using all of return, return_cancel and notify_url, as the former two will return immediately, so that you can provide immediate feedback to the user, and update backend data/instigate fulfilment processes, but use the latter as a backup if the user quits PayPal before the being returned. Indicate to your buyers to return to your site to ensure timely processing of their order.
Just have to manage order status so that the IPN doesn't trigger fulfilment if the PDT has already done so, which is basically what you have to do to ensure that repeated Completed IPN messages don't retrigger fulfilment after the first.
Notify_url continues to be used for subsequent messages for the same transaction
IPN messages for the same transaction continue to go to the same notify_url address. I viewed our IPN history, and a Refund IPN message went to the original notify_url.
That continues, even if you change IPN preferences, as per https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNSetup/:
The IPN message is always sent to your notification URL unless you have disabled the preference to receive IPN messages. Even though you have not enabled receiving IPN messages in your Profile or you have reset your preference by turning off IPN messages, PayPal still sends IPN messages to the notification URL you specify for a specific payment. IPN messages not sent because you disabled the preference in your Profile will appear in the IPN history when you enable receiving IPNs. After they appear in the history, you can choose whether to resend them.
I am unsure of whether related transactions, like disputes, or subsequent subscription payments, will still use the original notify_url. Perhaps someone who actually knows can provide an answer.
your notify-url and return url both are different . your return url direct your customer after the successful payment with some return information. by the way notify url is to get the complete transaction details of your customers purchase and which can't be accessed by your customer and this is for your database or storage purpose.
I have a service I am starting where it's paid. I want to give a PayPal payment a special id. The ID would be passed through IPN and I could read it so I can modify my mysql database with that special ID. If that all makes sense...
I am basically want to upgrade their account without having to do some complicated process which I have already tried where it would send the user the transaction ID and they would have to go to a special URL to change their account information.
See what I mean? How would I go about doing this?
Thanks,
Coulton
If anyone else has a question on how to do it, I've found a way to fix it. When making your button, include this:
<input type='hidden' name='notify_url' value='http://yourdomain.com/paypal/ipn.php?user_id=$user_id'>
So you can pass who has made the payment to the IPN via get. Simply use $_GET['user_id'] to get the data (in my case a user_id). You can pass any variables you wish!
I played around with this for ages before I have realized that you can only send the pre defined paypal variables and not make your own up.
These are listed here
https://www.paypal.com/cgi-bin/webscr?cmd=p/pdn/howto_checkout-outside
One you can use for a custom variable is called 'custom'
<input type="hidden" name="custom" value="<?=$twitId;?>">
You also need to ensure you use this button
<input type="hidden" name="cmd" value="_s-xclick">
You also need to turn on and set a URL for the Instant Payment Notification on PayPal
They call this as a listener but it really just sends the payment data to the paypal page.
Note this is not the URL the customer is returned to after payment completion as set in button preferences.
Retrieve the custom variable in PHP thus
$userID = $_POST[custom];
Full instructions here
http://www.brianmoreau.com/articles/paypal_buy_now_button_sending_custom_variables.php
Hope this saves you the many hours I spent on it.
This method also allows you to obtain the buyer details such as email and address and the transaction reference.
To view the full data paypal sends after payment by clicking on history, IPN history
I have a paypal button on my site in a form. The form has an additional input called ID, where the user must enter a specific value.
After the sale is complete, Paypal returns the user to domain.com/credits?done
How can i receive the original ID value entered by the user in /credits?done ? need it to modify his database record automatically.
Thanks.
You can create a simple cart system that will have a unique invoice to distinguish each transaction. Pass this invoice as parameter when sending payment data to paypal. Any other data can be just stored in your database, no need to sent it to paypal, since you can determine each transaction with the invoice as the unique identifier.
You also need to create a ipn handler page to receive data from paypal when user making the payment there, so you can update the payment status in your database. With this way, the user do not have to click return to your site link after making the payment, but you can still update the related data.
To make integration easier, you can consider using Micah Carrick's Paypal IPN Class. Basically it's the same code with the one provided by paypal, but it's wrapped into a class, so you can just use it in your page.
If the ID you refer to is a unique reference that you use, then pass this back and forth between Paypal and your site using the item_number element.
Set the ID in the HTML form you show to your customer and note you can also specify 3 URLs:
<input type="hidden" name="item_name" value="Box of stuff"></input>
<input type="hidden" name="item_number" value="12345"></input>
<input type="hidden" name="return" value="http://www.blah.com/paypal_thanks.asp"></input>
<input type="hidden" name="notify_url" value="http://www.blah.com/paypal_callback.asp"></input>
<input type="hidden" name="cancel_return" value="http://www.blah.com/paypal_cancel.asp"></input>
Where I have used "paypal_callback.asp" above, this overrides the IPN link which you can set up when you log into Paypal and edit your settings. So this value is optional.
The scrpt paypal_callback.asp (assuming written in ASP) can then just say:
iAdvertId = Request.Form("item_number")
Note that this page is not the one shown to the user! It is hit by Paypals servers behind the scenes. The annoying thing is that paypal_callback.asp will not get called by Paypal immediately. It might be 3 days later...or they might hit it a month later to retract a payment.
The customer will get redirected to either paypal_thanks.asp or paypal_cancel.asp in my example. These pages will not be passed a form or querystring, so the only way to get hold of the number you places in item_number is to also store it in a cookie BEFORE the user submits the form to purchase.
When you get the email from Paypal, the item_number will be mentioned in the subject line, and within the mail body too (on the end of the Description line).
It is also possible to set additional information in custom fields. The Paypal documentation details how to do this, and you can test it with their IPN simulator in the sandbox.
See the documentation for PayPal's Instant Payment Notification and the IPN PHP code sample on the PayPal Integration Center site.