PHP - Paypal API form and security

I'm using the standard PHP PayPal form for payments on my e-commerce app.
I noticed that people with just Firebug can change the PayPal form data before sending the request for paying with the "PAY NOW" button.
So I'm wondering, is it "standard" to have a payment form that can be "edited" by a newbie?
What can we do to prevent this?

I disagree; I do think it's something you should prevent in the first place. The amount a buyer should pay shouldn't be publicly sent over the internet. The time where we could get away with that is long past.
Additionally, a check will not prevent the transaction from going through for a different amount. It'll only prevent any post-transaction drama.
And yes, you should definitely run checks after the transaction has completed, but that should happen even if someone weren't able to manipulate the amount theoretically.
There are several options; you can choose what suits you best depending on your requirements:
Do nothing and only implement a post-transaction check (e.g. with IPN).
The easiest. Your PayPal integration will look shabby from a code point of view, and you'll still get all those $0.01 fraudulent transactions.
Tick the 'Host button with PayPal' option in the button generator, and use PayPal's BMUpdateButton API to dynamically alter the amount of the button.
An example request for BMUpdateButton would look as follows:
USER=Your API username
PWD=Your API password
SIGNATURE=Your API signature
METHOD=BMUpdateButton
VERSION=82.0
HOSTEDBUTTONID=The value of hosted_button_id
BUTTONTYPE=The type of button. E.g. BUYNOW
BUTTONCODE=The type of code you want to get back. E.g. HOSTED
L_BUTTONVAR0=amount=The new amount with a period as separator
L_BUTTONVAR1=item_name=Optional: a new item name if you wish
Use both the BMCreateButton and BMUpdateButton APIs to create and update your buttons with PayPal.
You could also use the BMCreateButton API to create a new button, or use the BMButtonSearch API to search through a list of all your stored hosted buttons (to find the hosted_button_id of your button automatically, for example).
Implement PayPal Express Checkout instead
It may be the 'hardest' to implement as it consists of 2-3 API calls for a single transaction, but it's also the most flexible. Whereas with Website Payments Standard (the 'buttons') the transaction is finalized as soon as the buyer clicks 'Pay now', Express Checkout lets the buyer 'agree' to the transaction on the PayPal website, and you can finalize it at any time 0-3 hours after the buyer initially agreed to the payment by calling the DoExpressCheckoutPayment API.
For a quick rundown on integrating Express Checkout, see my answer on Checkout my order basket with PayPal
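The BMUpdateButton request listed above, wrapped in a PHP function as an added example (this is not code from the answer or from PayPal's SDK). It takes the amount from whatever the server computed for the cart and pushes it into the hosted button, so the browser never supplies a price. The endpoint, METHOD, VERSION and field names are PayPal's classic NVP ones; the API credentials, the hosted button id, the cart total and the cartTotal() helper named in the usage comment are placeholders.

```php
<?php
// Added example: update a PayPal-hosted Buy Now button's amount server-side
// via the classic NVP API (BMUpdateButton). Credentials, button id and the
// cart total passed in are placeholders.

declare(strict_types=1);

// Sandbox endpoint for signature-based API credentials; live is https://api-3t.paypal.com/nvp
const PAYPAL_NVP_ENDPOINT = 'https://api-3t.sandbox.paypal.com/nvp';

/**
 * Send BMUpdateButton for one hosted button and return PayPal's parsed response.
 * Throws on transport errors or when PayPal does not report success.
 */
function updateHostedButtonAmount(
    string $apiUser,
    string $apiPassword,
    string $apiSignature,
    string $hostedButtonId,
    string $amount,
    ?string $itemName = null
): array {
    // PayPal wants a plain decimal with a period as separator, e.g. "19.99".
    if (!preg_match('/^\d+\.\d{2}$/', $amount)) {
        throw new InvalidArgumentException("Malformed amount: $amount");
    }

    $params = [
        'USER'           => $apiUser,
        'PWD'            => $apiPassword,
        'SIGNATURE'      => $apiSignature,
        'METHOD'         => 'BMUpdateButton',
        'VERSION'        => '82.0',
        'HOSTEDBUTTONID' => $hostedButtonId,
        'BUTTONTYPE'     => 'BUYNOW',
        'BUTTONCODE'     => 'HOSTED',
        'L_BUTTONVAR0'   => 'amount=' . $amount,   // button variables are "name=value" strings
    ];
    if ($itemName !== null) {
        $params['L_BUTTONVAR1'] = 'item_name=' . $itemName;
    }

    $ch = curl_init(PAYPAL_NVP_ENDPOINT);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($params),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // API credentials travel in the body; never turn this off
        CURLOPT_TIMEOUT        => 30,
    ]);
    $raw = curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);
    if ($raw === false) {
        throw new RuntimeException("PayPal NVP request failed: $err");
    }

    parse_str($raw, $response);   // NVP responses are URL-encoded key=value pairs
    if (!in_array($response['ACK'] ?? '', ['Success', 'SuccessWithWarning'], true)) {
        throw new RuntimeException('BMUpdateButton rejected: ' . ($response['L_LONGMESSAGE0'] ?? $raw));
    }
    return $response;   // contains WEBSITECODE (the <form> HTML to render) and HOSTEDBUTTONID
}

// Usage: recompute the total from the cart kept on the server, update the button,
// then render the form PayPal returns instead of a hand-written one.
// $total  = number_format(cartTotal($_SESSION['cart']), 2, '.', '');   // cartTotal(): your own code
// $button = updateHostedButtonAmount($apiUser, $apiPwd, $apiSig, 'XXXXXXXXXXXXX', $total, 'Order #1234');
// echo $button['WEBSITECODE'];
```

One caveat when using this with a single hosted button: the button is shared by every visitor, so two buyers checking out at the same moment race for the amount. Creating a button per order with BMCreateButton (as the answer mentions) avoids that, and the post-transaction IPN check is still needed either way.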

This isn't a huge security risk, as you should be checking what was actually paid anyway! Anyone can post data to anything. It has little to do with your form, or even Firebug.
You can store that button information on PayPal's server, but then it cannot be dynamically generated. There is an option for this when you use their wizard to create the button code for you.
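Both answers above come down to the same check: compare what PayPal says was actually paid with what the order should cost. The IPN listener below is an added example of that check (it is not code from either answer or from PayPal); it is also the IPN the later answers on the sign-up question refer to. It follows PayPal's IPN protocol: post the notification body back with cmd=_notify-validate, require the literal reply VERIFIED, and only then look at the fields a buyer can edit in the form (receiver_email, mc_gross, mc_currency, payment_status). The orders and paypal_txns tables, their columns, the receiver e-mail and the use of the invoice variable as the order id are assumptions.

```php
<?php
// Added example: PayPal IPN listener that verifies the notification with PayPal
// and then checks receiver, amount, currency and status against the stored order.
// Table/column names and the receiver e-mail are placeholders.

declare(strict_types=1);

// Sandbox verification endpoint; live is https://ipnpb.paypal.com/cgi-bin/webscr
const PAYPAL_IPN_VERIFY_URL   = 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr';
const EXPECTED_RECEIVER_EMAIL = 'seller@example.com';   // placeholder: the account that must be paid

/** Echo the raw IPN body back to PayPal; only a literal "VERIFIED" reply counts. */
function paypalIpnIsVerified(string $rawBody): bool
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n"
                   . "User-Agent: PHP-IPN-Listener\r\nConnection: Close\r\n",
        'content' => 'cmd=_notify-validate&' . $rawBody,
        'timeout' => 30,
    ]]);
    $reply = @file_get_contents(PAYPAL_IPN_VERIFY_URL, false, $ctx);
    return $reply === 'VERIFIED';
}

/** Money as integer cents: string compare would reject "19.990", float compare may round. */
function toCents(string $amount): int
{
    return (int) round((float) $amount * 100);
}

/**
 * Check the fields a buyer can tamper with in the form. Returns null when the
 * payment matches the order, otherwise a reason for the log.
 */
function ipnMismatchReason(array $ipn, array $order): ?string
{
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return 'payment_status is ' . ($ipn['payment_status'] ?? '?');   // Pending, Reversed, ...: do not fulfil
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', EXPECTED_RECEIVER_EMAIL) !== 0) {
        return 'paid to ' . ($ipn['receiver_email'] ?? '?');             // the "business" field was edited
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        return 'currency is ' . ($ipn['mc_currency'] ?? '?');
    }
    if (toCents($ipn['mc_gross'] ?? '0') !== toCents($order['amount'])) {
        return 'paid ' . ($ipn['mc_gross'] ?? '?') . ', order total is ' . $order['amount'];   // the $0.01 case
    }
    return null;
}

/** Entry point for notify_url. Ends with HTTP 200 in every branch so PayPal stops retrying. */
function handleIpn(PDO $db): void
{
    $rawBody = file_get_contents('php://input');
    parse_str($rawBody, $ipn);

    if (!paypalIpnIsVerified($rawBody)) {
        error_log('IPN ignored: PayPal did not answer VERIFIED');
        return;
    }

    // "invoice" was set to our own order id when the payment form was generated.
    $stmt = $db->prepare('SELECT id, amount, currency FROM orders WHERE id = ?');
    $stmt->execute([$ipn['invoice'] ?? '']);
    $order = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($order === false) {
        error_log('IPN for unknown invoice ' . ($ipn['invoice'] ?? '?'));
        return;
    }

    // PayPal resends IPNs; a txn_id we have already processed must not pay twice.
    $seen = $db->prepare('INSERT IGNORE INTO paypal_txns (txn_id, order_id) VALUES (?, ?)');
    $seen->execute([$ipn['txn_id'] ?? '', $order['id']]);
    if ($seen->rowCount() === 0) {
        return;   // duplicate delivery
    }

    $reason = ipnMismatchReason($ipn, $order);
    if ($reason !== null) {
        error_log("IPN for order {$order['id']} flagged: $reason");
    }
    $db->prepare('UPDATE orders SET status = ?, paypal_txn_id = ? WHERE id = ? AND status = ?')
       ->execute([$reason === null ? 'paid' : 'suspect', $ipn['txn_id'] ?? '', $order['id'], 'pending']);
}
```

Only the "paid" status should trigger fulfilment or the "thank you for your payment" mail. Comparing against the order you stored yourself is the important part: checking mc_gross against a value echoed back from the form would let the tampered amount validate itself.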

Related

Setting up a Paypal payment page on site - iframe guide?

I have a shareware site where the user pays $25 for an annual membership. The shareware is free, the membership entitles users to support and an enhanced version of the shareware.
I would like to create a page on my site where the user can make a Paypal payment without leaving the site. Then, I want the user to land on a specific thank you page.
I'm not able to find documentation on how to do this, other than this intimidating, 256-page guide: Gateway Developer Guide and Reference.
My needs are humble. I'm hoping there is a quick-start guide I missed.
Please advise.
PS: I do have the Paypal Advanced ($5/month).
If you absolutely do not want to leave the page you will need to use PayPal Payments Advanced or PayPal Payments Pro.
Advanced comes with a $5 monthly fee and you will see PayPal branding (I believe this is almost like an iframe); however, I have never used this service so cannot comment on what is required.
Pro is $30/month; however, you will not see PayPal branding and the user will have no idea PayPal is being used in the backend.
This uses an API that you are going to have to do programming for since it is all done in the backend, and you are also most likely going to want an SSL certificate.
There is PayPal Payments Standard, but that puts a button on your page which redirects you to PayPal. Your customers will not need a PayPal account to pay. This option is free (aside from regular PayPal fees).
There is also PayPal Express Checkout; I am not 100% sure what the difference between this and Payments Standard is... perhaps a PayPal account is required?
PayPal has prohibited the page from being included in an iframe by setting the X-Frame-Options header.
There is no way around this security measure.
You could provide a link to go back to your site if you want payment running through PayPal.

I want to save to mysql database, send an email then do a post, all using one button

I have a shopping cart and want to send an email confirming the order before forwarding the data to the payment system, for example PayPal.
The client puts items in the shopping cart and, when ready, I show a confirmation page with all details of the order. There is a button, "Go to pay", that makes a POST to the selected payment system.
But before the POST is executed, I would like to update the order data in my MySQL table and also send a "Thank-you-for-the-order" email.
My first idea was to post to my server, update the table, send the email and do a curl to the payment system. But then they don't get transferred to the payment system in their browser to complete the payment.
Any suggestions how to solve this?
How you should probably do things
EDIT: Although I'm leaving this section here for now, I did make a false assumption about your process, so perhaps the next section is more beneficial
I have not used online payment systems in any of my own projects, but I just took a look at the PayPal docs to confirm something. The payment process seems to go like this:
1. Get user order and payment details
2. Pass payment details to PayPal
3. Direct the user to the approval URL so that the user can approve the payment
4. They are redirected to your site by PayPal, with a payment ID
5. You then confirm the payment by querying PayPal with the payment ID
Most payment systems I've encountered online have had a similar process (from what I can see as an end user). From what you're saying, it seems like you want to email the user and update your database at step 2, when you have not confirmed that a payment actually took place. I would suggest that instead, you perform the table update and email during step 5.
So wait until whatever payment system you are using has confirmed the order, and update at that point, as part of the same process in which you query PayPal to confirm the order (And you can make sure your actions depend on them having actually paid you!)
How you can do what you're asking to do
Going back to the guts of your question though. If you do want to execute your own server side code while directing them to the external system, I'd suggest you send an Ajax request when they submit the form. This will call the script where you do your work in the background, and the user will still be redirected to the payment provider.
Edit: I should mention the snippet here is using jQuery
$("#myForm").submit(function(e) {
    // Fire the background request to your own script; the form submission
    // itself still carries the browser on to the payment provider.
    $.post("/record-order.php", $(this).serialize());
});
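An added example (not code from the answer above) of the server-side alternative to the Ajax approach, which is what the question's "first idea" becomes once the curl step is replaced by a redirect: the "Go to pay" form posts to your own script, which stores the order from the cart held on the server, sends the "order received" mail, and then sends the browser to PayPal with an HTTP 303, so no request runs in the page that the navigation could cut short. The PayPal Standard variables used (cmd=_xclick, business, amount, currency_code, invoice, notify_url, return, cancel_return) are PayPal's documented ones; the orders table, the session keys, the mail text and the URLs are assumptions.

```php
<?php
// Added example: record the order on the server, then redirect the browser to
// PayPal Standard with the order id in "invoice". Table, session keys, mail
// text and URLs are placeholders.

declare(strict_types=1);

const PAYPAL_CHECKOUT_URL = 'https://www.sandbox.paypal.com/cgi-bin/webscr'; // live: https://www.paypal.com/cgi-bin/webscr
const SELLER_EMAIL        = 'seller@example.com';         // placeholder
const SITE_BASE_URL       = 'https://shop.example.com';   // placeholder

/** Store the order from the server-side cart and return it. Prices never come from the form. */
function createOrder(PDO $db, int $userId, array $cartItems, string $currency): array
{
    $totalCents = 0;
    foreach ($cartItems as $item) {
        $totalCents += $item['unit_cents'] * $item['qty'];   // unit_cents was copied from your catalogue
    }
    $amount = sprintf('%d.%02d', intdiv($totalCents, 100), $totalCents % 100);

    $stmt = $db->prepare(
        'INSERT INTO orders (user_id, amount, currency, status, created_at) VALUES (?, ?, ?, ?, NOW())'
    );
    $stmt->execute([$userId, $amount, $currency, 'pending']);
    return ['id' => (int) $db->lastInsertId(), 'amount' => $amount, 'currency' => $currency];
}

/** Build the PayPal Standard checkout URL for an order we have already stored. */
function paypalCheckoutUrl(array $order, string $itemName): string
{
    $query = http_build_query([
        'cmd'           => '_xclick',
        'business'      => SELLER_EMAIL,
        'item_name'     => $itemName,
        'amount'        => $order['amount'],
        'currency_code' => $order['currency'],
        'invoice'       => (string) $order['id'],   // lets the IPN handler find this order again
        'no_shipping'   => '1',
        'notify_url'    => SITE_BASE_URL . '/paypal-ipn.php',
        'return'        => SITE_BASE_URL . '/thanks.php?order=' . $order['id'],
        'cancel_return' => SITE_BASE_URL . '/cart.php',
    ]);
    return PAYPAL_CHECKOUT_URL . '?' . $query;
}

/** Handler for the "Go to pay" button's POST. */
function handleGoToPay(PDO $db): void
{
    session_start();
    if (empty($_SESSION['user_id']) || empty($_SESSION['cart'])) {
        header('Location: ' . SITE_BASE_URL . '/login.php', true, 303);
        return;
    }
    $order = createOrder($db, (int) $_SESSION['user_id'], $_SESSION['cart'], 'USD');

    // "Order received" is safe to send now; "payment received" belongs in the IPN handler.
    mail($_SESSION['email'], "Order #{$order['id']} received",
         "We have recorded your order for {$order['currency']} {$order['amount']} "
         . "and are waiting for PayPal to confirm the payment.");

    unset($_SESSION['cart']);
    header('Location: ' . paypalCheckoutUrl($order, "Order #{$order['id']}"), true, 303);
}
```

The redirect does not stop a buyer from editing the amount in the PayPal URL, which is the problem raised in the first question on this page; what it does is leave a pending order with the correct total on your side, so the IPN handler has something trustworthy to compare the payment against.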

How does Etsy know when someone has paid with PayPal?

How does Etsy (a website collective for sellers of creative products) know the payment was made through Paypal? Is it possible with PayPal Express Checkout to use my accounts API, but send the payment to another account, purely by specifying the accounts email?
When you buy something from Etsy, the payment goes straight to the seller. It appears Etsy uses PayPal Express Checkout to achieve this, using its own API details (I am assuming). As soon as the payment is made, Etsy is aware of this. It removes the item from sale and sends you a confirmation email. How does Etsy do this when the payment goes directly to another account?
As far as I can tell, PayPal will only send the payment to the account the API is linked to. When you make the first call to set up the Express Checkout with PayPal, is there a way to pass through the email address of the account you actually want the payment to go to during this process? I cannot seem to find this field anywhere. Or maybe it is done in an entirely different way. Anyone have any ideas how this process actually works in Etsy?
Notes: I know that when you set up a seller account in Etsy, you only have to give your PayPal email address that you want the payments to go to, not give them any API access of any kind. I have tested this.
This is all in the context of setting up a website that essentially does the same thing, allowing sellers to have their own mini shops on our site. The payment needs to go directly to the seller, and we need to confirm payment has been made by the buyer. I don't want the sellers to have to set up anything in the PayPal account or anything like that. So if you have any other ideas/suggestions how I can achieve this, I would love to hear them.
It knows this because of the success callback URL.
On how to get confirmation of a transaction between two other parties, look at this question.
So I guess not with Express Checkout, but certainly with Instant Payment Notification.
The only way I can think of doing this with Express Checkout is if each receiving party has a separate merchant account, as in one answer by netom in this question.
I don't believe Etsy uses Express Checkout, but rather, uses PayPal Adaptive Payments.
Using Adaptive Payments, you can change the receiver of the funds simply by specifying a different email address for the primary or secondary receiver.
See also my answer at Online payments for a middleman
As for the Etsy confirmation: since Etsy is the one making the API calls to PayPal, and only changing the receiver on a per-transaction basis, they can just specify an ipnNotificationUrl in order to be notified via PayPal IPN whenever a transaction completes.

how can i use Paypal for premium section of my site and deal with premium vs normal users?

I want to achieve something like this
http://depositfiles.com/en/gold/payment.php
I have normal users signed up. I want them to upgrade to premium user. Once a person pays, how do I know which user was signed in? How do I force the user to log in first before being able to click the PayPal button and make payment? Otherwise, I would receive money, but wouldn't know which user to mark as "PAID" in my database.
When you click on the PayPal button, it redirects you to the PayPal page where you can log in and pay.
I also want to accept Visa and Mastercard; is it doable through PayPal using the same method?
Paypal's information can be found here:
Part 1
You can create a subscribe button for each type of subscription you want and use the HTML variables in Part 2 to enable you to know what type of product and what user is included in the invoice.
This needs a lot more details than you currently provide. What language have you written your website in? Static HTML? Ruby? PHP? How does PayPal's payment system work?
Normally the way it will work is that your site will pass information to PayPal (http://paypal.sourceforge.net/ is one toolkit that seems to be made for PHP, though I've never used it so I can't really promise it's not abandonware).
Once the PayPal transaction is completed successfully, control is passed back to your site. You can then set the user's flag in your database as a premium user.
As far as I can tell, you tell PayPal to handle payments for you, and the user picks a funding source in PayPal. If you want to have Visa/Mastercard separately handled from PayPal you'll need another payment gateway to handle it, like Mirapay or something else.
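An added example (not code from the answers above, nor PayPal's) of the two things the question asks for: the Buy Now form is only rendered for a logged-in session, and the user id is carried to PayPal in the "custom" variable together with an HMAC, so a buyer who edits the hidden field cannot credit a different account. PayPal passes custom back unchanged in the IPN, where the signature is checked before the premium flag is set; the same binding is what the later sign-up question on this page needs to match a payment to the account that signed up. The custom and item variables are PayPal's documented Website Payments Standard ones; the secret key, the plan table and the markPremium() call named in the final comment are assumptions.

```php
<?php
// Added example: login-gated PayPal Buy Now form whose "custom" field binds the
// payment to the session user with an HMAC, plus the matching IPN-side check.
// Secret key, plan table and seller details are placeholders.

declare(strict_types=1);

const CUSTOM_FIELD_KEY = 'replace-with-a-long-random-secret';   // placeholder; server-side only

/** plan => amount and label; prices live here, not in the HTML the buyer can edit. */
const PREMIUM_PLANS = [
    'gold_month' => ['amount' => '9.99',  'label' => 'Gold membership, 1 month'],
    'gold_year'  => ['amount' => '89.99', 'label' => 'Gold membership, 1 year'],
];

/** "userId:plan:hmac"; PayPal echoes custom back verbatim (it allows up to 256 characters). */
function signCustomField(int $userId, string $plan): string
{
    $payload = $userId . ':' . $plan;
    return $payload . ':' . hash_hmac('sha256', $payload, CUSTOM_FIELD_KEY);
}

/** Returns [userId, plan] when the signature is intact and the plan exists, else null. */
function verifyCustomField(string $custom): ?array
{
    $parts = explode(':', $custom, 3);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !isset(PREMIUM_PLANS[$parts[1]])) {
        return null;
    }
    [$userId, $plan, $mac] = $parts;
    $expected = hash_hmac('sha256', $userId . ':' . $plan, CUSTOM_FIELD_KEY);
    return hash_equals($expected, $mac) ? [(int) $userId, $plan] : null;   // constant-time compare
}

/** The upgrade form, or a login link when nobody is signed in. */
function premiumButtonHtml(?int $sessionUserId, string $plan, string $sellerEmail, string $notifyUrl): string
{
    if ($sessionUserId === null) {
        return '<a href="/login.php">Log in to upgrade</a>';
    }
    if (!isset(PREMIUM_PLANS[$plan])) {
        throw new InvalidArgumentException("Unknown plan: $plan");
    }
    $p = PREMIUM_PLANS[$plan];
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="https://www.paypal.com/cgi-bin/webscr">'
         . '<input type="hidden" name="cmd" value="_xclick">'
         . '<input type="hidden" name="business" value="' . $h($sellerEmail) . '">'
         . '<input type="hidden" name="item_name" value="' . $h($p['label']) . '">'
         . '<input type="hidden" name="amount" value="' . $h($p['amount']) . '">'
         . '<input type="hidden" name="currency_code" value="USD">'
         . '<input type="hidden" name="custom" value="' . $h(signCustomField($sessionUserId, $plan)) . '">'
         . '<input type="hidden" name="notify_url" value="' . $h($notifyUrl) . '">'
         . '<input type="submit" value="Upgrade with PayPal">'
         . '</form>';
}

/** For the IPN handler, after PayPal has answered VERIFIED: who to flag, or null. */
function premiumUpgradeFromIpn(array $ipn): ?array
{
    $who = verifyCustomField($ipn['custom'] ?? '');
    if ($who === null) {
        return null;   // custom missing, forged, or naming a plan that does not exist
    }
    $plan = PREMIUM_PLANS[$who[1]];
    if (($ipn['payment_status'] ?? '') !== 'Completed'
        || ($ipn['mc_currency'] ?? '') !== 'USD'
        || ($ipn['mc_gross'] ?? '') !== $plan['amount']) {
        return null;   // wrong amount for that plan: do not upgrade
    }
    return ['user_id' => $who[0], 'plan' => $who[1]];
}

// Usage in the IPN listener, once the notification has been verified with PayPal:
// $upgrade = premiumUpgradeFromIpn($ipn);
// if ($upgrade !== null) { markPremium($upgrade['user_id'], $upgrade['plan']); }   // markPremium(): your code
```

Card payments need nothing extra here: with PayPal Standard the buyer picks the funding source (PayPal balance or Visa/Mastercard) on PayPal's page, and the IPN comes back the same way either way.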

php shopping cart, creating a sign up and pay online page

OK, here's my problem. I'm creating a site where people sign up first, then pay straight after. My problem is: what if the customer who signs up uses a different card to pay, for example his wife's? I'm trying to work out how to match the sign-up info and the payment info without having to store the card details and get an SSL cert. I need this so I can tell if they paid. I'm writing it in PHP; it currently sends me an email when they sign up rather than straight into a database. Any help?
Simplest thing that comes to mind would be to have options on the payment screen that let you:
(1) Use the billing info you supplied during registration
(2) Specify the name as it appears on the card (as most sites I've ordered from include)
Does this answer your question?
If you are concerned about matching the account to the payment if they use a different name, you most likely have some kind of $_SESSION going on, I would think. Use the user's login information from the session and then you can tell.
We use Authorize.Net for our payment processor. They have two different APIs which give you different levels of control (AIM - Advanced, SIM - Simple). From your description of not desiring a SSL Cert, SIM would be the best way to proceed.
We have designed our system to collect as much information as possible from the customer and then pass (via POST) to AuthNet's SIM method where they only need to enter in their card-specific information (number, expiration date, and CID). If the transaction is successful (and also in some failure cases), they notify us by a pre-defined 'silent-post' transaction and also redirect the user to a 'relay url'. We provide AuthNet with an order/invoice number as part of our original post data, so we can use it in their silent post to match up their payment with the appropriate order.
The SIM interface has worked well for us over the years and we now have it tweaked via CSS so that it closely resembles our site despite being hosted elsewhere, saving us the far larger PCI-DSS compliance issues we would have doing everything locally.
"I'm trying to work out how to match the sign-up info and the payment info without having to store the card details and get an SSL cert"
In that case the best advice is to use something like PayPal, Amazon Payments, or Google Checkout. Other than that, your question was a bit hard to decipher.
"I need this so I can tell if they paid. I'm writing it in PHP; it currently sends me an email when they sign up rather than straight into a database. Any help?"
Most 3rd party payment processors (PayPal, Google, Amazon), provide a way of checking payment status. Most also offer pinging a callback when the payment status changes.
PayPal IPN
Amazon IPN
Google Notifications
Many credit-card processing options will send a response to your server containing crucial information about the user that you can use to verify that they have successfully paid. For example, PayPal has IPN (Instant Payment Notification). You can use the data returned in this to automate a process on your server that records that the user has paid.
My advice is to contact whoever is processing your credit-card transactions and ask what options they provide for relaying information back to your server to verify which users have successfully paid for the products/services.
