Am trying to create a way to setup the following:
User sends donation to paypal with info from donation site (name, email)
Paypal receives the donation and using the 2 variables it received (name, email) it sends them back to the donation site
Donation site receives variables and donation amount and changes some variables in the website to show that the user has donated some amount.
The site shows a list of users that have donated and how much they have donated which shows as points. How can I do this with paypal and php and mysql.
I'd suggest looking into using PayPal Instant Payment Notifications (IPN).
PayPal IPN allows you to (asynchronously) process order information while not having to depend on the buyer to return to your website to complete the order (which would be the case with PDT).
You can use IPN by setting up a script which receives this (POST) data from PayPal. In addition, you must include the following code in your button and/or API call(s):
For Website Payments Standard (where "xxxxxxxx" is the full URL to your IPN script):
<input type="hidden" name="notify_url" value="xxxxxxxx">
For Express Checkout:
Include NOTIFYURL=xxxxxxxx in your SetExpressCheckout and DoExpressCheckoutPayment API call
For Website Payments Pro
Include NOTIFYURL=xxxxxxxx in your DoDirectPayment API call
Once set up, you will receive POST data from PayPal with every transaction.
Take this data, and send it back to https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate (Live) or https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_notify-validate (Sandbox) to validate the data. If PayPal responds with VERIFIED (in the body of the page), you're sure the data is genuine IPN data coming from PayPal.
You can find sample code, documentation and further information on PayPal IPN at https://www.paypal.com/ipn
See also some IPN security best practices at https://www.x.com/developers/community/blogs/ppmtsrobertg/securing-your-instant-payment-notification-ipn-script
I found this tutorial, looks like what you're after.
http://tutorialzine.com/2010/05/donation-center-php-mysql-paypal-api/
Your first step is to use a paypal payments pro account. If memory serves correctly, you can only callback on pro accounts. Otherwise your paypal donation is pretty much a one way trip.
Please understand your question is very involved and is not likely going to result in a full blown example.
The best suggestion I can give is to read up on the paypal API documentation and see if the PHP API fits your needs...
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/howto_api_overview
The PHP / MySQL end of things is on you at this point. You must store user information that you would use to send and validate the successful transactions based on the paypal API results.
While this answer may not serve your situation exactly, it is at least a small point in the right direction. I would suggest taking care to consider refunds and cancelled payments. If there is anything at all to gain by accumulating these "points" you mention then you need to cover security well. Otherwise you will be gamed and could stand to lose something if this is not done correctly.
If you have anything specific to add to this question to narrow down the possible answers, let me know and I will try to update this answer with a better, more specific response.
Set up Payment Data Transfer with PayPal,
PayPal PDT How To
Then on the page that receives the payment details from PayPal, calculate the number of points the person gets based off of how much money they donated (using whatever multiplier or point scheme you decide on), then log the data in a points field in the user's row of your user table in mysql.
Related
I've been working on a website where people can submit questions to me online and I'll answer them for a small fee. I'm using PayPal to collect this small fee, and I've recently successfully implemented the PayPal IPN in order to collect transaction IDs. What I planned on doing was storing the transaction ID and asking the individual for the transaction ID when they ask a question. Once a transaction ID had a question associated with it, it would be marked as used and could not be used twice. I chose this method over having people create an account and storing variables within each account because I figure people will be deterred from using my service (it's related to academia) so this is kind of perfect.
So.. what's the issue?
I had a friend try it out, and we unfortunately found out that the transaction ID that I got and stored is different from the transaction ID that he got, hence completely breaking the system I had envisioned.
My Question
What is a unique variable passed on through the PayPal IPN that I can use to ask the buyer about and ensure that it doesn't get used twice?
I want the process to be automated, which eliminates the possibility of invoices since you have to do those by hand each time.
Thanks for your thoughts and efforts.
You can pass custom in your PayPal integration, which is subsequently returned in the IPN message.
I.e., for Express Checkout:
METHOD=SetExpressCheckout
PAYMENTREQUEST_0_AMT=1.00
RETURNURL=http://...
CUSTOM=yourUniqueDataHere
Or for Payments Standard:
<input type="hidden" name="custom" value="yourUniqueDataHere">
Once the transaction completes, you can find custom in your IPN message's POST data.
I am integrating PayPal Express Checkout API into a digital goods/services website. I worked out all the technical stuff, but now I have a theoretical question - when the transaction is done and I get a confirmation from PayPal, what is the best way to store that acknowledgement from paypal, and credit my user's account?
The ConfirmPayment() function in the paypal library returns from paypal with an associative array, including a transaction ID, and acknowledgement that I have the user's money in my business account.
So my plan is, store that transaction ID as a unique value in a SQL table, so if the user for example reloads the confirmation page, which would then re-call ConfirmPayment($token), my PHP script won't just credit their account a second time, because the SQL table will return a unique ID error.
How are smart programmers integrating this last payment confirmation into the rest of their application?
THANKS.
I would do it like so:
Keep a full log of all the messages your receive from Paypal. Just the RAW data should be fine. Then beyond that point don't need that much traceability. If anything ever happens you can check the log. This should really never happen, if you need to look at this log a lot to resolve any issues you have a different kind of problem. This is why my suggestion is: don't put too much time into it, but make sure you have traceability (albeit a very crude one).
If the user reloads the confirmation page, Paypal will not send you another message. Keep in mind that you should only accept transactions that Paypal has verified. The user should not be able to validate his own transactions by bypassing Paypal.
I'm doing a project involving Paypal, more specifically with the NVP API in PHP. But I just can't seem to figure what to use the IPN feature for.
I mean, when the user has been redirected to Paypal to confirm the purchase, he is redirected back to my website's "Paypal-succes-page", when the transaction is complete. And just to be sure that he actually payed i could use the "PaymentDetails" operation.
Now where does IPN fit in this process? and what is the benefit of it?
Thanks
The integrate with PayPal's services you will notice there are three main channels (and IMO it's important to know this so you can decide the benefits for your application):
IPN: Instant Payment Notification
PDT: Payment Data Transfer
PayPal's API
To use PayPal's IPN you need to add a 'listener' script (example) and add the address to your PayPal account. Whenever an event occurs PayPal will send a message directly to your server via your listener and you then update your accounts appropriately. This is especially useful for running subscription services as events will occur in the background without user intervention and you can capture successful/failed recurring payments etc.
PayPal's PDT is a system for accepting data when a user is redirected back to your site from PayPal. For example, a user clicks 'Buy', they are directed to PayPal, enter information etc. Then, once the payment has been taken, they are redirected back to your site. PayPal can pass details about the transaction including whether it was successful or not so you can display the appropriate success/failed page from your site.
PayPal's API allows you to integrate more deeply with PayPal's services, and you would use this if you were managing payments directly from your site.
These services aren't mutually exclusive, so you can use any combination with your application.
I hope this helps
The IPN feature is a very useful feature which you should use to update your database in my opinion. Sure the user is redirected to your success-page after the purchase where you can validate the payment details.
But what if he closes (by accident or not) the browser before reaching your success page? You will never know the result of the transaction and you will never update your database or process his order accordingly.
When using the IPN you can be sure that the transaction result will always reach you because PayPal will keep on making an offline request to your IPN page until it has reached your servers.
Instant Payment Notification
The typical usage of the IPN is to validate the purchase and to let your script or management system know that the transaction is complete so your system can update any records you may have for your service.
But the most important part is that the transaction is validated.
IPN send all data about transaction to your server - price, items, contacts ... so you can check, if someone don't pay you only 1$ instead of 100$ and confirm your order. It prevets thiefs, cheaters, ... USE IT! ;)
I am developing a crowd-funding site (similar to Kickstarter) using the CodeIgniter framework.
I "successfully" implemented PayPal's adaptive payments using this library.
But, I'm just not sure how to correctly and securely check for succesfull/failed payments and witch data is important to save to database.
Note: it's a chained delayed payment, I am the primary receiver, and the secondary receiver is the crowd-funding project creator. The money is transferred to the secondary receiver after a predetermined period of time.
The flow I have right now goes like this:
User click to buy a reward.
I use the 'Pay' API operation to request payment (unique TrackingID included) and save the request in the database.
If the request is succesfull, I save some response data in the session (TrackingID, PayKey, amount, ...) and redirect to PayPal..
In this step the user can: accept payment, cancel, or just close the browser, so I dont really know what happens here... (recommendations?)
If the user accepts the payment, he is redirected back to my site and I use data I saved in the session to request a 'PaymentDetails' API operation to obtain information about the payment.
I save the result in database and check to see if the response 'amount' is equal to the request 'amount' (for security).
If everything went OK I update the database and connect the payment TrackingID with the user and the reward he bought.
Later (can be months later), the 'ExecutePayment' API operation is requested by an admin, and the money is transferred from us to the project creator, and we take a small fee (thats how crowd-funding works...)
Now, I'm sure I'm missing lot of things but I have no idea what:
What about the IPN API? I need it? Where it comes to play inside the flow and checks?
What I do if the user closes the browser window when he is in PayPay (out of my site).
I heard that the PayKey is valid for 3 hours, how can I 'ExecutePayment' after months?
How I handle the enormous amount of error types in the PayPal API?
Any tips or examples of others things I need to take care of? Security? Errors? Others?
Thank you very much, I really need your answer!
IPN will automatically POST data to your "listener" (which you'd need to develop) in order to automate post-payment procedures. For example, you could update a database, hit 3rd party web services, generate email receipts, etc. within IPN so that those events happen automatically any time you receive money in your PayPal account. You can also set it up to handle refunds, disputes, and other events. It's not required, but often very useful.
This is one reason IPN can be useful. IPN will be triggered whether the user makes it back to your site or not. If you're doing post-payment processing procedures within your thank you page or something like that, I'd recommend you move it into an IPN solution.
The PayKey is indeed valid for 3 hours when being used as a token. When you call Pay with an ActionType of CREATE, though, it sets up a delayed payment and the PayKey is then valid for up to 90 days.
The error information will always come back in the same format in the response. You can just log or display errors accordingly based on this standard response.
Sounds like you're pretty much on top of everything for the most part.
I'm trying to link my 3rd party shopping cart to PayPal, and in the process I'm finding that my variables are extremely exposed, such that, if someone uses, say, Firebug, to manipulate the values of my variables, they can change the cost of the items in the transaction.
I'm very new to online carts and shopping, so my question is how do I keep this layer of exposure away from users and secure for the website?
The answer is in the Instant Payment Notification service.
Upon completing the transaction, PayPal notifies you, in a separate process, of the payment details for the last transaction.
You can check these details against the data you stored locally. If they match, all is fine. If they do not match, you will need to investigate the issue.
Never understood why PayPal does not allow the data to be signed with some sort of hash + shared secret... but that does not help you any further.
If you POST the variables to PayPal, you can encrypt the data. Unfortunately, this is not possible for a GET request, triggered from a redirect.
There is a way of getting PayPal to host the button variables on their side. Look out for PayPal Hosted Buttons in their documentation:
https://cms.paypal.com/uk/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_ButtonMgrAPIIntro#id093VD0JE0Y4
Otherwise verify with IPN as mentioned bu Jacco.
Use the PayPal NVP or SOAP API to create an encrypted button. Basically you set all the information using PHP and then the API gives you the HTML.
Alternatively if you only have a couple of products you can make custom buttons.
The API's are well documented and easy to use. Personally I used the NVP as it was recommended for less experienced programmers. You can also use both in with the IPN (Instant Payment Notification) system so that for example digital products can be automatically emailed.