Exploit on HTTPS, how to change HTTPS form value - php

I'm an e-commerce developer and have a problem: at a certain point in the purchase my code generates a submit form with the purchase info and sends it to the payment gateway.
This form is generated in PHP, and after it is generated the page writes
document.getElementById('formnid').submit();
I'm having a problem because somebody is sending a discount value to the gateway, and I don't know how.
At a certain point my project saves a log, after generating this form and submitting it, and in my log everything is all right. So I suppose he changes the value between my sending the information and the gateway receiving it.
Can somebody give me a pointer? I need to discover how he is doing this.
Thanks in advance

When the payment confirmation comes back from the gateway you should check that the actual amount paid matches the amount that should have been paid.
Only then has the user paid. It's fine to post prices along with your form but it must always be checked upon completion.

If the pricing / discount information is hidden on the DOM (via hidden inputs, for example), manipulating the DOM using Chrome's "Developer's Toolbar" or Firefox's "Firebug" is trivial, allowing for any end user to make changes to those hidden inputs without reprieve.

Never trust the values that come in on the form; the value must always be set/validated on the server side. From what I gathered you are passing the value as a hidden field on the form, and the user is simply altering that.
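The two answers above come down to one rule: price the order on the server and check the paid amount on the way back. The following is an added example (not code from the original question or answers) that puts the vulnerable pattern next to the hardened one. The catalog, discount table, order record and gateway callback are constructed data; field names such as `amount`, `order_id` and `currency` are assumptions, since every gateway names them differently.

```php
<?php
// Added example, not from the original thread. CATALOG, DISCOUNTS and the
// callback arrays below are constructed stand-ins for database rows and
// for the gateway's confirmation request.
declare(strict_types=1);

// Constructed catalog: unit prices in cents, keyed by SKU.
const CATALOG = ['SKU-1' => 1999, 'SKU-2' => 500];

// Constructed discount table: code => percent off. Only codes listed here
// are honoured, so the client cannot invent a discount.
const DISCOUNTS = ['WELCOME10' => 10];

/** Vulnerable pattern: the amount forwarded to the gateway comes from the client. */
function amountFromClient(array $post): int
{
    // Anyone can rewrite this hidden field in DevTools or an intercepting proxy.
    return (int) ($post['amount'] ?? 0);
}

/** Hardened pattern: recompute the total from server-side data only. */
function computeOrderTotal(array $cart, ?string $discountCode): int
{
    $subtotal = 0;
    foreach ($cart as $sku => $qty) {
        if (!isset(CATALOG[$sku]) || (int) $qty < 1) {
            throw new InvalidArgumentException("unknown item or bad quantity: $sku");
        }
        $subtotal += CATALOG[$sku] * (int) $qty;
    }
    $pct = ($discountCode !== null && isset(DISCOUNTS[$discountCode])) ? DISCOUNTS[$discountCode] : 0;
    return (int) round($subtotal * (100 - $pct) / 100);
}

/**
 * On the gateway's confirmation callback the sale is only valid if the amount
 * the gateway says was paid equals the amount stored for that order.
 */
function confirmPayment(array $storedOrder, array $callback): bool
{
    // Compare in integer cents; never compare floats with ==.
    $paidCents = (int) round(((float) $callback['amount']) * 100);
    return $callback['order_id'] === $storedOrder['id']
        && $callback['currency'] === $storedOrder['currency']
        && $paidCents === $storedOrder['total_cents'];
}

// Constructed tampered request: the attacker sets the hidden amount to 1 ...
$tampered = ['amount' => 1];
// ... and the vulnerable code forwards it as-is.
assert(amountFromClient($tampered) === 1);

// The hardened path never reads $_POST for pricing.
$order = [
    'id' => 'ORD-1001',
    'currency' => 'USD',
    'total_cents' => computeOrderTotal(['SKU-1' => 2, 'SKU-2' => 1], 'WELCOME10'),
];
assert($order['total_cents'] === 4048); // (2*1999 + 500) * 0.9 = 4048.2 -> 4048

// Constructed callbacks: an honest one and one where the buyer underpaid
// after editing the hidden field. Only the first closes the order.
assert(confirmPayment($order, ['order_id' => 'ORD-1001', 'currency' => 'USD', 'amount' => '40.48']));
assert(!confirmPayment($order, ['order_id' => 'ORD-1001', 'currency' => 'USD', 'amount' => '0.01']));
```

Run it from the CLI with `php example.php`; the `assert` lines are self-checks and are compiled out when `zend.assertions` is set to -1, as it is in php.ini-production. The log the questioner keeps is consistent with this: it records what the server sent, and the tampering happens afterwards in the browser, so only a check against the gateway's own confirmation can catch it.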

Related

Form submission to database upon payment being completed via PayPal

OK. I have my connection to my database allowing content to be posted to my website from users.
I'm missing a key function that will allow me to charge users before they post a posting to my website.
I have been searching for a course or solution example for weeks now and have been unsuccessful. Can anyone help me or lead me in the right direction?
Here is an example:
[image: dummy-data form example]
This works to take you to a payment portal but will not submit my form data to the database after payment is complete. If I change the action to action="", the data will be sent to my database but no payment will be required.
Thank you in advance!
There are three essential steps:
1. collect and verify payment
2. collect the content to be posted/displayed
3. enable the post for display on the website
Steps (1) and (2), the collection steps, can happen in either order, and probably sequentially, one right after the other. But importantly, they CANNOT happen simultaneously. They are separate processes that occur one after the other.
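The three steps in the answer above are three states of one record, and the gap in the question (content saved with no payment, or payment taken with no content) closes once the public listing only ever shows the last state. The following is an added example, not code from the original answer. It uses SQLite in memory through PDO (assumes the pdo_sqlite extension) so it runs stand-alone; the "callback" arrays stand in for a verified gateway notification, and the amount is checked against the stored price rather than trusted from the callback.

```php
<?php
// Added example, not from the original answer. In-memory SQLite stands in for
// the site's database; $callback arrays are constructed gateway notifications.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE posts (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    body        TEXT    NOT NULL,
    price_cents INTEGER NOT NULL,
    status      TEXT    NOT NULL CHECK (status IN ('pending', 'paid', 'published')),
    txn_id      TEXT    UNIQUE
)");

// Step 2 (content): store the post straight away, but as 'pending'.
// The public listing query only ever selects status = 'published'.
function savePendingPost(PDO $db, string $body, int $priceCents): int
{
    $stmt = $db->prepare("INSERT INTO posts (body, price_cents, status) VALUES (?, ?, 'pending')");
    $stmt->execute([$body, $priceCents]);
    return (int) $db->lastInsertId();
}

// Step 1 (payment): only a verified callback that names this post and matches
// the stored price moves it to 'paid'. The UNIQUE txn_id makes a replayed
// callback fail instead of paying for a second post.
function markPaid(PDO $db, int $postId, array $callback): bool
{
    $stmt = $db->prepare("SELECT price_cents FROM posts WHERE id = ? AND status = 'pending'");
    $stmt->execute([$postId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                       // unknown post, or already paid
    }
    $paidCents = (int) round(((float) $callback['amount']) * 100);
    if ($paidCents !== (int) $row['price_cents']) {
        return false;                       // underpaid or tampered amount
    }
    try {
        $upd = $db->prepare("UPDATE posts SET status = 'paid', txn_id = ? WHERE id = ? AND status = 'pending'");
        $upd->execute([$callback['txn_id'], $postId]);
    } catch (PDOException $e) {             // duplicate txn_id
        return false;
    }
    return $upd->rowCount() === 1;
}

// Step 3 (enable): a separate transition that requires 'paid'.
function publish(PDO $db, int $postId): bool
{
    $stmt = $db->prepare("UPDATE posts SET status = 'published' WHERE id = ? AND status = 'paid'");
    $stmt->execute([$postId]);
    return $stmt->rowCount() === 1;
}

function publishedBodies(PDO $db): array
{
    return $db->query("SELECT body FROM posts WHERE status = 'published'")->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed walk-through of the three states.
$id = savePendingPost($db, 'For sale: used bike', 500);
assert(publishedBodies($db) === []);                                   // pending is invisible
assert(!publish($db, $id));                                             // cannot publish unpaid
assert(!markPaid($db, $id, ['txn_id' => 'T1', 'amount' => '0.01']));   // wrong amount
assert(markPaid($db, $id, ['txn_id' => 'T1', 'amount' => '5.00']));
assert(!markPaid($db, $id, ['txn_id' => 'T1', 'amount' => '5.00']));   // no longer pending
assert(publish($db, $id));
assert(publishedBodies($db) === ['For sale: used bike']);
```

The form in the question can therefore keep its action pointing at the payment portal: save the post as pending first, put the new post id in the field the gateway echoes back, and call `markPaid` and `publish` only from the verified notification handler.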

How can I link PayPal PDT transaction to specific order?

I see many examples of how to display transaction information to a user with PDT. I cannot find a way to associate a Paypal payment with a specified ID so that when the transaction is completed, I can update that ID in the database as paid.
How am I supposed to get an ID that I specify back from Paypal so I know what the payment is for? I cannot use the email address or name or anything else. It must be an ID that I specify.
I see some people using item_number, but I am using a PayPal encrypted button so I cannot add form variables to post to PayPal when the user clicks the pay now button.
I see this on websites all the time, so I know there must be some way to do this. I just can't find it anywhere...
Thank you
Most often people encrypt their own buttons and use either the custom field, which gets sent back to you, or the item number field. Look into how to encrypt your own buttons with PHP.
PayPal offers a sample in their SDK which can be found here.
I stumbled upon this excellent piece that succinctly lays out how to make dynamic encrypted paypal buttons. It is just what I needed. Thanks for pointing me in the right direction!
http://www.stellarwebsolutions.com/en/articles/paypal_button_encryption_php.php

Form autosubmit for online payment: bad practice?

Context:
I have to add an online payment system to a quite old PHP 4 website (yay!).
As usual, an external payment platform/gateway will be used.
After preparing an order on the website, that payment platform expects to be called with POST data, and then displays its online payment page if everything is OK.
Question:
Would it be a bad practice to autosubmit a form with a bunch of hidden fields, in order to switch to the payment platform?
It seems that I don't have the choice but I would like to know if someone sees a better way for that online payment platform integration.
Current workflow:
... last ordering step: order summary
user clicks on "order" (that button is already part of a form whose action is an internal page)
results page (generally: order successfully saved, will be quickly processed, etc.)
The new detailed workflow would be:
... last ordering step: order summary
user clicks on "order" (that button is already part of a form whose action is an internal page)
after existing internal processing, redirection to the "autosubmitted form" page
the autosubmit form submits itself (its action being the payment platform URL)
online payment...
result page
NB. I would add a "please click to order" button for users who have JavaScript disabled.
Thanks for any suggestions / thoughts. Or even telling that there should be no problem with this :)
Autosubmitting a form with a bunch of hidden fields in order to switch to the payment platform is OK. But you should pay much attention to security here, because an intruder can modify those hidden fields.
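The answer's caveat is the important part: once the fields are in the browser, the user owns them. If the platform supports a request signature (most do, under names like "hash", "signature" or "secure hash"; check your platform's documentation for its exact field names and canonicalisation rules, which are assumptions below), the platform can reject any edit. The following added example, not code from the original thread, renders the autosubmit page with the JavaScript-disabled fallback the question proposes and shows the platform-side check that a tampered amount fails. The gateway URL and shared secret are placeholders.

```php
<?php
// Added example, not from the original thread. GATEWAY_URL, SHARED_SECRET and
// the HMAC-over-sorted-fields scheme are assumptions standing in for the real
// platform's signing rules.
declare(strict_types=1);

const GATEWAY_URL = 'https://pay.example.test/checkout';        // assumed
const SHARED_SECRET = 'rotate-me-and-keep-out-of-version-control'; // assumed, from config

/** Canonicalise the fields (sorted, name=value, '&'-joined) and sign with HMAC-SHA256. */
function signFields(array $fields, string $secret): string
{
    ksort($fields);
    $pairs = [];
    foreach ($fields as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    return hash_hmac('sha256', implode('&', $pairs), $secret);
}

/** What the platform side does: recompute the signature and compare in constant time. */
function verifySignature(array $post, string $secret): bool
{
    if (!isset($post['signature'])) {
        return false;
    }
    $sig = (string) $post['signature'];
    unset($post['signature']);
    return hash_equals(signFields($post, $secret), $sig);
}

/** The "autosubmitted form" page from the question's workflow. */
function renderAutosubmitPage(array $fields): string
{
    $fields['signature'] = signFields($fields, SHARED_SECRET);
    $inputs = '';
    foreach ($fields as $name => $value) {
        $inputs .= sprintf("  <input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            htmlspecialchars((string) $name, ENT_QUOTES),
            htmlspecialchars((string) $value, ENT_QUOTES));
    }
    return "<!DOCTYPE html>\n"
        . "<html><body onload=\"document.getElementById('formnid').submit();\">\n"
        . '<form id="formnid" method="post" action="' . htmlspecialchars(GATEWAY_URL, ENT_QUOTES) . "\">\n"
        . $inputs
        // Fallback for users with JavaScript disabled, as the question proposes.
        . "  <noscript><button type=\"submit\">Please click to order</button></noscript>\n"
        . "</form></body></html>\n";
}

// Constructed order fields, taken from the server-side order record, never from $_POST.
$fields = ['order_id' => 'ORD-1001', 'amount' => '40.48', 'currency' => 'EUR'];
echo renderAutosubmitPage($fields);

// What the platform sees: the page as rendered, and the same page after the
// user edits the hidden amount in the browser's developer tools.
$honest = $fields + ['signature' => signFields($fields, SHARED_SECRET)];
$tampered = $honest;
$tampered['amount'] = '0.01';
assert(verifySignature($honest, SHARED_SECRET));
assert(!verifySignature($tampered, SHARED_SECRET));
```

Whether or not the platform signs requests, the amount must still be checked on the return leg against the order stored on your side; the signature only stops the edit from reaching the platform, it does not replace that check. `hash_hmac` and `hash_equals` need PHP 5.1.2 and 5.6 respectively, so on the PHP 4 site in the question you would need a compatible implementation.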

Client's CC double charged when Back is clicked

I have a custom-built shopping cart that is double charging clients' credit cards when they click the back button. My thought is to empty their shopping cart when they click the back button. Any ideas will be highly appreciated.
There are multiple ways to solve this problem:
Your form passes a unique GUID as a hidden form field on the submission page. Then your app stores this GUID in the session object on the server. Before you process the payment, you check whether this value is already stored in the session.
Your application is not responsible for processing orders, only for storing order info in a database. Another application daemon on the server looks for orders waiting to be processed and processes them offline. The advantage here is you won't have HTTP timeout problems, as well as avoiding the refresh problem.
Post/Redirect/Get
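The first and third options in the answer above combine naturally: a one-time token that is claimed before the charge, followed by a redirect so that Back and refresh re-fetch a receipt instead of re-sending the POST. The following is an added example, not code from the original answer. The session is a plain array so it runs from the CLI (in a web request use `$_SESSION`), the charge is a constructed callable that counts how often it runs, and the redirect targets are placeholders.

```php
<?php
// Added example, not from the original answer. $session stands in for
// $_SESSION; $charge stands in for the call to the payment processor.
declare(strict_types=1);

/** Issue a one-time token when the checkout page is rendered; embed it as a hidden field. */
function issueCheckoutToken(array &$session): string
{
    $token = bin2hex(random_bytes(16));
    $session['checkout_tokens'][$token] = 'unused';
    return $token;
}

/**
 * Claim the token before charging. Returns false if the token is unknown or
 * already claimed, which is exactly what a re-POST from the back button,
 * a refresh, or a double click looks like.
 */
function claimCheckoutToken(array &$session, string $token): bool
{
    if (($session['checkout_tokens'][$token] ?? null) !== 'unused') {
        return false;
    }
    $session['checkout_tokens'][$token] = 'claimed';
    return true;
}

/** The POST handler: charge at most once per token, then redirect (Post/Redirect/Get). */
function handleCheckoutPost(array &$session, array $post, callable $charge): array
{
    $token = (string) ($post['checkout_token'] ?? '');
    if (!claimCheckoutToken($session, $token)) {
        // Already processed: send the user to the existing order, do not charge again.
        return ['status' => 303, 'location' => '/order/duplicate', 'charged' => false];
    }
    $orderId = $charge();
    // 303 makes the browser's last navigation a GET, so Back/refresh no longer re-POST.
    return ['status' => 303, 'location' => '/order/' . $orderId, 'charged' => true];
}

// Constructed walk-through: one real submit, one back-button re-submit, one forged token.
$session = [];
$charges = 0;
$charge = function () use (&$charges): string {
    $charges++;
    return 'ORD-' . $charges;
};

$token = issueCheckoutToken($session);
$first = handleCheckoutPost($session, ['checkout_token' => $token], $charge);
$second = handleCheckoutPost($session, ['checkout_token' => $token], $charge); // Back, then submit again
$forged = handleCheckoutPost($session, ['checkout_token' => 'deadbeef'], $charge);

assert($first['charged'] && $first['location'] === '/order/ORD-1');
assert(!$second['charged'] && $charges === 1);
assert(!$forged['charged'] && $charges === 1);
```

In a real request, send the redirect with `header('Location: ...', true, 303)` and exit. With PHP's default file-based session handler the session file is locked from `session_start()` until the request ends, so two simultaneous submits of the same form are serialised and the second one still sees the claimed token; with a custom session handler that does not lock, do the claim as a conditional UPDATE in the database instead.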

PayPal IPN returning a shopping cart or order ID for post-processing

I have successfully posted my custom shopping cart to PayPal -- it processes the order just beautifully, and when the payment is received, it posts data back to the URL I specified in the config. The code is based on the library found here: http://www.phpfour.com/blog/2009/02/php-payment-gateway-library-for-paypal-authorizenet-and-2checkout/
So I'm successfully verifying the IPN by posting data back to PayPal -- that is all great. Here's my dilemma -- how do I know what order the IPN is confirming?
I am not making use of PayPal's shopping cart, I have my own. It has its own cart ID in my database, and when I receive an IPN for that cart I'd like to "close" the cart and save it as an order to be looked up at a later date.
I've tried passing an additional custom field along with the redirect to PayPal that populates the cart, but that value isn't returned back to me in the IPN. The documentation on x.com is just plain lacking, so I've found no help there.
Does anyone have any experience with PayPal and IPN? It doesn't necessarily have to be with PHP -- I can interpret code -- but if you have a way to send a value to PayPal with an order and then have that value returned with the IPN, that is AWESOME!
If this isn't possible with PayPal's API (which I would find hard to believe) -- any other suggestions on how to handle this?
I do not know if this is a good idea or not, but here are a couple different options:
A: Use the first set of on1 / os1 for item 1 and add the order ID to that.
B: In the custom field, I am not sure what you have in there, but you can make it something like orderidhere41|otheritems here and then just parse it out by exploding at the | to get them separated.
PayPal does limit this, and I do not know why, but both of those should work. Doing it as an on / os will put it on the PayPal receipt for the user, so that is my preferred method.
If someone else has a better solution, I would be interested in it as well!
EDIT:
Clarifying on1 os1. These are "options" generally used for Size / color etc. See IPN PDT Paypal variables under option_name1 option_selection(sp) for more information on them. The name of course is the title which would be "Order ID" the os would be the actual id.
EDIT:
Looking through that documentation $my2CO->addField('cart_order_id', rand(1, 100)); is where I would put my own cart order id. That should be the correct field. Sorry for the confusion :)
EDIT:
In the end there is a custom field for the PayPal IPN, called "custom"; data added to this will pass through, which will transfer the order ID for you to and from PayPal. It must be called custom on both sides.
(this may be different for the other API's).
My experience has been with the Express checkout via C#, but the process should be the same even in PHP. If you're using the Name-Value Pair (NVP) interface right before you redirect the user to PayPal you hit the PayPal site to retrieve the redirection URL. As part of their response they pass back a token to you. You save this token along with your order. When the IPN postback occurs you get this same token back which lets you look up the original order.
The process flow looks like this ("You" being your site):
User fills cart, clicks button/link to check out
Request is sent to your site
Your site receives request, sends data to PayPal
You get an initial response from PayPal which contains a token
You save this token along with this user's shopping cart.
You redirect the user to the link returned by PayPal
User is redirected to PayPal and enters payment info
Payment info is validated by PayPal
User is redirected back to your site
PayPal sends IPN response back to your site
You grab the token included in the response
You look up the token you previously saved to find the shopping cart (they are the same value)
You close out the initial order/shopping cart.
You might want to try out the PHP SDK - scroll down to the Name-Value Pair Interface.
I very much doubt this will help the original poster, but PayPal have either added, or finally documented, the option "invoice", which allows you to post the OrderID and have it posted back via the IPN.
I am currently using this and it seems to work as expected.
For further info see the Website Payments Standard Integration Guide (PDF): Appendix A, Table A.4
You can create and post a custom pass-through variable that's 255 characters long that could hold any data. More info on page 44 in the official Paypal IPN Guide.
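The answers above settle the mapping question (send your order id in `invoice` or `custom`, or as an on1/os1 option, and read it back from the IPN). What the thread does not show is the handler that uses it safely: a notification is worth nothing until it has been posted back to PayPal and answered "VERIFIED", and even then the receiver, status, amount and currency have to be checked against your own record, because the buyer controls the button fields. The following is an added example, not the phpfour library's code or PayPal's. The postback function uses the documented IPN verification endpoint (`ipnpb.paypal.com`, or `ipnpb.sandbox.paypal.com` for the sandbox); to run the walk-through offline it is replaced by a constructed callable that answers VERIFIED, and the order store is an array. RECEIVER_EMAIL and the transaction ids are placeholders.

```php
<?php
// Added example, not from the original thread. $orders stands in for the
// orders table; $fakeVerified stands in for paypalPostback() when offline.
declare(strict_types=1);

const PAYPAL_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr'; // sandbox: ipnpb.sandbox.paypal.com
const RECEIVER_EMAIL = 'seller@example.com';                         // assumed: your merchant account

/** Post the raw IPN body back to PayPal, unchanged, with cmd=_notify-validate prepended. */
function paypalPostback(string $rawBody): string
{
    $ch = curl_init(PAYPAL_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_HTTPHEADER => ['User-Agent: PHP-IPN-Verification-Script'],
    ]);
    $resp = curl_exec($ch);
    curl_close($ch);
    return is_string($resp) ? $resp : '';
}

/**
 * Returns the updated order array on success or a string reason on rejection.
 * $orders is keyed by the id you sent in "invoice" (or "custom");
 * $postback is paypalPostback in production.
 */
function handleIpn(string $rawBody, array &$orders, array &$seenTxns, callable $postback)
{
    if ($postback($rawBody) !== 'VERIFIED') {
        return 'not verified by PayPal';              // forged or modified body
    }
    parse_str($rawBody, $ipn);

    // 1. Which order? "invoice"/"custom" come back exactly as you sent them.
    $orderId = $ipn['invoice'] ?? $ipn['custom'] ?? null;
    if ($orderId === null || !isset($orders[$orderId])) {
        return 'unknown order';
    }
    $order = $orders[$orderId];

    // 2. Money must have reached *your* account and be complete, not pending/reversed.
    if (strcasecmp($ipn['receiver_email'] ?? '', RECEIVER_EMAIL) !== 0) {
        return 'wrong receiver';
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return 'payment not completed: ' . ($ipn['payment_status'] ?? '?');
    }

    // 3. Amount and currency must match what you stored, not what the buyer's browser sent.
    $paidCents = (int) round(((float) ($ipn['mc_gross'] ?? 0)) * 100);
    if ($paidCents !== $order['total_cents'] || ($ipn['mc_currency'] ?? '') !== $order['currency']) {
        return 'amount/currency mismatch';
    }

    // 4. Each txn_id is processed once; PayPal resends IPNs it thinks you missed.
    $txn = $ipn['txn_id'] ?? '';
    if ($txn === '' || isset($seenTxns[$txn])) {
        return 'duplicate txn_id';
    }
    $seenTxns[$txn] = true;
    $orders[$orderId]['status'] = 'paid';
    $orders[$orderId]['txn_id'] = $txn;
    return $orders[$orderId];
}

// Constructed data: one stored order, two IPN bodies built with http_build_query
// the way PayPal would POST them (placeholder txn ids).
$orders = ['ORD-42' => ['total_cents' => 1999, 'currency' => 'USD', 'status' => 'pending']];
$seen = [];
$fakeVerified = fn(string $body): string => 'VERIFIED';

$good = http_build_query(['invoice' => 'ORD-42', 'txn_id' => '8XY12345AB', 'payment_status' => 'Completed',
    'mc_gross' => '19.99', 'mc_currency' => 'USD', 'receiver_email' => 'seller@example.com']);
$underpaid = http_build_query(['invoice' => 'ORD-42', 'txn_id' => '8XY12345AC', 'payment_status' => 'Completed',
    'mc_gross' => '1.00', 'mc_currency' => 'USD', 'receiver_email' => 'seller@example.com']);

assert(handleIpn($underpaid, $orders, $seen, $fakeVerified) === 'amount/currency mismatch');
$result = handleIpn($good, $orders, $seen, $fakeVerified);
assert(is_array($result) && $result['status'] === 'paid');
assert(handleIpn($good, $orders, $seen, $fakeVerified) === 'duplicate txn_id'); // resent IPN
```

In the live handler read the body with `file_get_contents('php://input')` and pass it to `handleIpn` with `'paypalPostback'` as the callable; PayPal expects an empty HTTP 200 reply regardless of outcome, so log the rejection reason rather than returning an error status. Persist `$seenTxns` in the database (a UNIQUE column on the orders table is the simplest form), since a process-local array does not survive between requests.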
