I'd like to send a custom variable to PayPal when users make a purchase. The variable contains information the user has supplied and is being stored in the $message variable. The $product variable is just used to identify the product being purchased and create the appropriate PayPal button for that product (by referring to an array included in 'products.php'). PayPal allows you to pass it information through an input with the name "custom" as I've done below.
<?php
include('products.php');
$currentProduct = $_GET['product'];
$message = $_GET['message'];
?>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick"/>
<input type="hidden" name="hosted_button_id" value="<?php echo $products[$currentProduct]["paypal"]; ?>"/>
<input type="hidden" name="custom" value="<?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?>"/>
<input type="submit" class="button paypal" value="Pay with PayPal"/>
</form>
However, I've looked around a fair bit and can't find an explanation for how to actually retrieve this information from PayPal once an order is completed. Could anyone please provide a simple explanation for how to go about retrieving the information found in $message once an order is completed (with or without the use of the custom PayPal variable). Thanks.
When you're using a hosted button you can't include the custom variable like this. You'd have to include it in the advanced section of the hosted button creation wizard. Unfortunately, it's pretty much useless there because you can't use dynamic values that way.
What you're going to have to do is go back into your button editor on PayPal and disable the "save button at PayPal" option. This will make more fields available to your button code and custom would then work.
This isn't as secure as a hosted button, though. As such, I would recommend you use the Express Checkout API instead of Payments Standard. Of course, that will require you to have experience working with web service APIs in general.
First of all, I am a complete beginner when it comes to backend development.
I'm currently creating a webshop and have the whole thing hosted using Netlify.
The HTML code I am using for the webshop is (currently) static.
I am looking for a way to do payment processing for products.
I came across the following code on the internet (Source):
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="upload" value="1" />
<input type="hidden" name="business" value="your-paypal@adress.com" />
<input type="hidden" name="currency_code" value="EUR" />
<input type="hidden" name="item_name_1" value="Desktop PC" />
<input type="hidden" name="amount_1" value="79.00" />
<input type="submit" value="PayPal" />
</form>
When clicking on the submit button, the buyer will be redirected to a page of Paypal and pay there the specified amount (the 79.00€). But since the sum can be changed on client side, the user can adjust it to any sum.
How can I specify the amount of money without the client being able to change it?
I have already tried something with PHP, however it seems that PHP does not work on Netlify.
I have also already added readonly to the responsible input tag. However, I can still change the sum.
So is there any way to set the money amount so that the client can't change it?
Or are there already completely different ways to set up payment forwarding for PayPal these days?
For the client not to be able to change the amount you need a server-side integration, plain and simple.
Create two routes, one for 'Create Order' and one for 'Capture Order', documented here. These routes should return JSON data.
Pair your two routes with the following approval flow: https://developer.paypal.com/demo/checkout/#/pattern/server
Edit: There is also a much older and simpler solution, though it doesn't give a modern checkout experience: you could create a hosted 'Buy Now' or 'Add to Cart' button via https://www.paypal.com/buttons . The generated <form> code will have a "hosted_button_id", and its amount is stored at PayPal. This way the buyer can't change it.
I have payments set up (using php) so that when a customer returns to the success.php file (after payment process on Paypal using an IPN listener) they are added to the db with a new membership number, which is also generated in the success.php file. The process works fine if the customer pays as a guest, they are returned to the success.php page as they should be. However, if the customer logs in to paypal rather than paying as a guest they are redirected to the Paypal user account page instead of back to the success.php page on my site. This means the payment has been taken but their membership number is not created or added to the db.
Is there a way to force ALL customers back to my success page or should the code to create the new member be added to the ipn listener (ipn.php) file so it wouldn't matter if they didn't come back to the success page?
This is the code I use in the checkout page to set the return url.
<form action="<?php echo $paypalURL; ?>" method="post">
<!-- Identify your business so that you can collect the payments. -->
<input type="hidden" name="business" value="<?php echo $paypalID; ?>">
<!-- Specify a Buy Now button. -->
<input type="hidden" name="cmd" value="_xclick">
<!-- Specify details about the item that buyers will purchase. -->
<input type="hidden" name="item_name" value="<?php echo $item_name; ?>">
<input type="hidden" name="item_number" value="<?php echo $item_number; ?>">
<input type="hidden" name="amount" value="<?php echo $price; ?>">
<input type="hidden" name="currency_code" value="GBP">
<!-- Specify URLs -->
<input type='hidden' name='cancel_return' value='http://example.com/payment-cancelled'>
<input type='hidden' name='return' value='http://example.com/thanks-for-joining/'>
<!-- Display the payment button. -->
<input type="submit" name="submit" class="button" value="Pay Now">
</form>
I should add that I have only tested this in sandbox mode so far, so if anyone knows if this is a sandbox only issue, please let me know.
UPDATE: Further testing shows that the return url no longer works with a guest check out either. This has only started happening since sandbox payments are going through the new payment pages (screenshot attached).
Has paypal changed the method of requesting a return url?
I fought with a few ways of integrating paypal's payments into my site. From what I've read here on stackoverflow, on paypal's site, and all over the web, it is probably best to put all of that backend work into your listener. You could set up something on the front-end to prep your DB for the customer, but the major problem with using the success page for this information is that:
1) your customers could just enter the URL of your success page if known
2) A customer can choose not to be redirected after paypal and may not return to your site at all (this is the best reason as I can see it).
3) Sometimes paypal redirects, but the listener may not have received paypal's response of completed, pending, etc. (this is why they wait 10sec before redirection), so you do not want the user to go elsewhere or have been verified prematurely.
Honestly, placing all the code in your listener is quite simple as well and reduces miscommunication between your success page and paypal. As for testing, I just used the IPN simulator to test my code and it was fine.
As for the redirect URL, there are a few redundancies in paypal, if you use buttons, the option 3 (I believe) will provide a return URL that overrides the others. I'm not sure about using sandbox, but make sure you have .sandbox.paypal in your code to ensure it works (https://gist.github.com/xcommerce-gists/3440401#file-completelistener-php).
I hope this helps.
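The listener-side approach described in this answer, as an added example that is not part of the original post. It assumes the IPN message has already been confirmed through PayPal's verification postback; `MERCHANT_EMAIL`, `MEMBERSHIP_FEE`, `handle_verified_ipn()` and the in-memory `$members` store are hypothetical stand-ins for the site's own values and database.

```php
<?php
declare(strict_types=1);

// Assumed values for this example (not from the original post).
const MERCHANT_EMAIL = 'merchant@example.com';
const MEMBERSHIP_FEE = ['amount' => '25.00', 'currency' => 'GBP'];

/**
 * Act on an IPN message that has ALREADY been confirmed as genuine.
 * $members maps txn_id => membership number and stands in for the database.
 */
function handle_verified_ipn(array $ipn, array &$members): string
{
    // Only a completed payment creates a member; Pending waits for a later IPN.
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return 'ignored: not completed';
    }
    // The money must have gone to this merchant's account.
    if (strcasecmp($ipn['receiver_email'] ?? '', MERCHANT_EMAIL) !== 0) {
        return 'rejected: wrong receiver';
    }
    // The amount and currency must be what the server expects to be paid.
    if (($ipn['mc_gross'] ?? '') !== MEMBERSHIP_FEE['amount']
        || ($ipn['mc_currency'] ?? '') !== MEMBERSHIP_FEE['currency']) {
        return 'rejected: amount mismatch';
    }
    $txn = $ipn['txn_id'] ?? '';
    if ($txn === '') {
        return 'rejected: no txn_id';
    }
    // PayPal can deliver the same notification more than once.
    if (isset($members[$txn])) {
        return 'duplicate: ' . $members[$txn];
    }
    $number = 'M' . str_pad((string) (count($members) + 1), 5, '0', STR_PAD_LEFT);
    $members[$txn] = $number;
    return 'created: ' . $number;
}

// Constructed IPN messages for the demonstration.
$base = [
    'payment_status' => 'Completed',
    'receiver_email' => 'merchant@example.com',
    'mc_gross'       => '25.00',
    'mc_currency'    => 'GBP',
    'txn_id'         => 'TXN-A',
];
$members = [];
$samples = [
    array_merge($base, ['payment_status' => 'Pending']),
    $base,
    $base, // the same notification delivered again
    array_merge($base, ['txn_id' => 'TXN-B', 'mc_gross' => '0.01']),
];
foreach ($samples as $ipn) {
    echo handle_verified_ipn($ipn, $members), "\n";
}
```

Because the membership is keyed on `txn_id`, it does not matter whether the buyer ever reaches the success page, and loading that page directly creates nothing.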
I am using joomla and have brought a component which allows users to post listings on my site. The plugin uses a credit system to pay for the listing but the credit system is quite complex and confusing so i have disabled it.
I found that PayPal provides some code which inserts a Buy Now button on any webpage :) perfect, just what i wanted!
The only problem I am having is at the moment the button is displayed on my Add Listing form (which is again part of the component) but it can easily be bypassed by just clicking on the form's submit button, meaning the listing can be published without having to pay.
So my questions are:
Once the user clicks on the Buy It Now button is it possible to redirect them back to the 'Add Listing' form they were just filling out?
Can I disable the submit button on the form until the payment has been confirmed?
Does the PayPal 'Buy Now' button return any information confirming the process was successful?
i am using html + php :)
the code i used to produce the buy now button is
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="smyacc#hotmail.com">
<input type="hidden" name="lc" value="GB">
<input type="hidden" name="item_name" value="listing-purchase">
<input type="hidden" name="amount" value="2.99">
<input type="hidden" name="currency_code" value="GBP">
<input type="hidden" name="button_subtype" value="services">
<input type="hidden" name="no_note" value="0">
<input type="hidden" name="shipping" value="0.00">
<input type="hidden" name="bn" value="PP-BuyNowBF:btn_buynowCC_LG.gif:NonHostedGuest">
<input type="image" src="https://www.paypalobjects.com/en_US/GB/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal – The safer, easier way to pay online.">
<img alt="" border="0" src="https://www.paypalobjects.com/en_GB/i/scr/pixel.gif" width="1" height="1">
</form>
would really appreciate any help with this!!!
Luke
Good news - the answer to your questions is essentially yes. Your end goal is definitely doable, but in order to really solve your problem in its entirety, we may need a little bit more information.
How you go about it can vary from case to case, however, and unfortunately it's been a while since I configured these buttons, so bear with me ;-)
once the user clicks on the buy it now button is it possible to redirect them back to the add listing form they were just filling out?
Yes, this is a very standard functionality that PayPal has built into their buttons and their process. What you are looking for here is what PayPal calls "Return URLs" or "Auto Return". Here's the page with more of the documentation I quoted below so you can decide whether the Return URL or the Auto Return or the Payment Data Transfer option is best suited for you.
Returning buyers to your website after they check out
The basic checkout experience leaves buyers on the PayPal website
after they check out. Use one of the following techniques to enhance
the checkout experience so that buyers return to your website,
instead.
Return URL: Allow buyers return to a page on your website if they
click a return link or button on the PayPal payment confirmation page.
To learn more, see item #5 under Step 3: Adding advanced features to
your Buy Now button or HTML variables for displaying PayPal checkout
pages.
Auto Return: Have PayPal return customers automatically to a page on
your website.
Important: PayPal recommends that you turn Payment Data Transfer on
when you turn Auto Return on. With Auto Return on, PayPal redirects
buyers to your website from an alternative PayPal payment confirmation
page, which does not allow them to print PayPal receipts. Payment Data
Transfer provides the transaction information that you need to allow
buyers to print receipts from your website.
To learn more, see Auto Return.
Payment Data Transfer: PayPal includes information about the completed
transaction when you use a return URL or Auto Return to send customers
back to your website. Use the information that Payment Data Transfer
provides to display a "thank you, print your receipt" page on your
website. To learn more, see the Payment Data Transfer.
Question Can I disable the submit button on the form until the payment has been confirmed?
Certainly. To disable the submit button on the form until the payment has been confirmed, simply do one of two things until you can detect that the payment has been confirmed:
Add the 'disabled' attribute to the Submit button. This will grey out and disable the Submit button, rendering it unusable. However, since the button would still be visible and all, a web-savvy end user might just go into the HTML and remove the disabled attribute and be on his merry way.
<button type="submit" disabled>Submit Listing</button>
Hide the Submit button. In this case, the web-savvy end user could technically still go into the HTML and remove the styling so that the button is visible, but without seeing it...well, you know, 'out of sight, out of mind'
<button type="submit" style="display:none">Submit Listing</button>
Question Does the PayPal 'Buy Now' button return any information confirming the process was successful?
Again, there's a few ways of attacking this.
Method 1 The simplest way might be to use the PayPal Return URLs and some GET parameters to tell you whether or not things were completed or cancelled. There is something like a Return URL for Cancellations and a Return URL for Completions. From that same page that I linked, PayPal documents the creation of a button with respect to this feature:
Take buyers to a specific webpage (URL) after checkout cancellation
(optional)?
Select the checkbox and enter a URL in the text box if you have a
special page on your website where you want buyers to return to if
they cancel their checkouts before completing their transactions.
Take buyers to a specific webpage (URL) after successful checkout
(optional)?
Select the checkbox and enter a URL in the text box if you have a
special page on your website where you want buyers to return to after
they complete checkout successfully.
Method 2 The more advanced way (which is also more foolproof, given that in the first Method a hacker could try and guess your Successful Return URL) is using PayPal's Instant Payment Notification feature. With this feature, PayPal sends a POST request to a private (behind the scenes) URL which allows you to capture the data it sends you pertaining to the payment completion.
So your backend receives the information on the completion of the payment, and there are countless ways (AJAX requests, require the user refresh the browser or send the user an email telling them to come back and finish it, etc) that you can go about updating the frontend for the user so that they can use the now visible/enabled Submit button.
For details and documentation on PayPal's notify_url through their IPN system.
Best of luck!
I think you will find PayPal supply merchant scripts which will do something like that. Instant Payment Notification under PayPal settings - only available in a business account.
The php scripts you can download can be customised to do pretty much whatever you want once they return from payment. On a successful purchase you can echo the submit button so that it is physically not present unless they are returning after payment echo '<input type="submit" name="submit">';
Under "Tools and Settings" "Process My Orders"
You then need to make adjustments in the PayPal merchant interface to return the user to your IPN script.
I have this code on my Website:
<form method="post" action="process.php">
<input type="hidden" name="itemname" value="1" />
<input type="hidden" name="itemnumber" value="2" />
<input type="hidden" name="itemQty" value="1" />
<input type="hidden" name="itemprice" value="17">
</form>
This code sends a POST to process.php, which opens a paypal class to make the payment.
All works great, but I have a very big trouble. The point is, if I edit any value with FireBug, let's say for example, "itemprice", anyone can change the default value, and replace the itemprice with any other quantity at the moment of processing the payment.
How could I fix this? Any ideas?
Thanks.
Encryption is the only way to thwart this, there's nothing you can do client side. You could try to add some verification server side or use the _SESSION, but those are your only options.
You could use the PayPal Instant Payment Notification System (IPN). You supply the URL to a script on your website which can handle the payment. It is there somewhere when you login to your PayPal account.
Every time a new payment is made PayPal will send a request to your IPN script with all the details of the payment (item ID, name, price, whatever you want) and you can then verify in the script using your database if the prices match for the supplied item IDs.
It is very easy to implement in my opinion and very flexible. It is very well documented too on the PayPal website. It does not take too long to understand it.
You should never rely on the price from the web form. Because the item has its ID, it's perfectly valid to send only the ID and required quantity to the process.php. This, in turn, should fetch the prices straight from the source (database, config...), not from the (possibly tampered) web form data.
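An added example (not code from any of the answers above) of pricing the order from the item ID and quantity alone, then reconciling that total with the `mc_gross` and `mc_currency` fields PayPal reports in its IPN message. The catalog, function names and sample requests are constructed for illustration, and a two-decimal currency is assumed.

```php
<?php
declare(strict_types=1);

// Constructed catalog (assumption): prices live on the server, in minor units.
const CATALOG = [
    '1' => ['price_minor' => 1700, 'currency' => 'USD'],
    '2' => ['price_minor' => 4950, 'currency' => 'USD'],
];

/**
 * Build the order from the item ID and quantity only.
 * An "itemprice" field in the request is deliberately never read.
 */
function price_order(array $post): array
{
    $id  = $post['itemnumber'] ?? null;
    $qty = filter_var($post['itemQty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 99]]);

    if (!is_string($id) || !array_key_exists($id, CATALOG)) {
        throw new InvalidArgumentException('unknown item');
    }
    if ($qty === false) {
        throw new InvalidArgumentException('invalid quantity');
    }
    return [
        'item_id'     => $id,
        'qty'         => $qty,
        'total_minor' => CATALOG[$id]['price_minor'] * $qty,
        'currency'    => CATALOG[$id]['currency'],
    ];
}

/** Compare what PayPal says was paid with the total the server computed. */
function ipn_amount_matches(array $ipn, array $order): bool
{
    $gross = $ipn['mc_gross'] ?? '';
    // Assumes a two-decimal currency, e.g. "34.00".
    if (!is_string($gross) || !preg_match('/^\d+\.\d{2}\z/', $gross)) {
        return false;
    }
    $grossMinor = (int) str_replace('.', '', $gross);
    return $grossMinor === $order['total_minor']
        && ($ipn['mc_currency'] ?? '') === $order['currency'];
}

// Constructed request: the hidden price field was edited in the browser.
$order = price_order(['itemnumber' => '1', 'itemQty' => '2', 'itemprice' => '0.01']);
printf("expected total: %d minor units %s\n", $order['total_minor'], $order['currency']);

// Constructed IPN messages: one honest payment, one underpayment.
var_dump(ipn_amount_matches(['mc_gross' => '34.00', 'mc_currency' => 'USD'], $order));
var_dump(ipn_amount_matches(['mc_gross' => '0.02', 'mc_currency' => 'USD'], $order));
```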
I'm building a simple shopping cart using PHP and I want to be able to use paypal with it. I want to use the tools described here:
https://www.paypal.com/cgi-bin/webscr?cmd=p/pdn/howto_checkout-outside
This seems to be the easiest way to go about doing this. I looked over at their development page, and was really confused, but this made sense. My only problem is with this I have been told that it's fairly easy to change the prices. Now I could run a script to check the return from paypal to check to see if their order price matches their cart total, but I want to stop this before it happens. The one thing I did take from the development site was their token call. Would I be able to build a function that creates the buy now button by providing all the items through the method above, and then making a token call to link the id of those items and prices to the button? I'm just a bit confused, a lot of people have said to look at the documentation, but I'm having a difficult time understanding all of it so any help is really appreciated.
You just pass the variable that has the total to paypal
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="you@youremail.com">
<input type="hidden" name="item_name" value="Item Name">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="amount" value="$TOTAL">
<input type="image" src="http://www.paypal.com/en_US/i/btn/x-click-but01.gif" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>
If you want to stick with Payments Standard you can use the cart upload method to send all of the info over to the PayPal checkout.
If you're comfortable with PHP, though, I'd recommend using the Express Checkout API. This will free you up to do a lot more with your checkout experience.
You might want to check out this PHP class library for PayPal. It makes this very simple for you. With that library it's just a matter of knowing which API calls to make and then using the included files to pass in your own data accordingly.
For Express Checkout you would be using SetExpressCheckout, GetExpressCheckoutDetails, and DoExpressCheckoutPayment.