Give PayPal buy now button special ID? - php

I have a service I am starting where it's paid. I want to give a PayPal payment a special id. The ID would be passed through IPN and I could read it so I can modify my mysql database with that special ID. If that all makes sense...
I basically want to upgrade their account without having to do some complicated process, which I have already tried, where it would send the user the transaction ID and they would have to go to a special URL to change their account information.
See what I mean? How would I go about doing this?
Thanks,
Coulton

If anyone else has a question on how to do it, I've found a way to fix it. When making your button, include this:
<input type='hidden' name='notify_url' value='http://yourdomain.com/paypal/ipn.php?user_id=$user_id'>
So you can pass who has made the payment to the IPN via get. Simply use $_GET['user_id'] to get the data (in my case a user_id). You can pass any variables you wish!

I played around with this for ages before I realized that you can only send the pre-defined PayPal variables and not make your own up.
These are listed here
https://www.paypal.com/cgi-bin/webscr?cmd=p/pdn/howto_checkout-outside
One you can use for a custom variable is called 'custom'
<input type="hidden" name="custom" value="<?=$twitId;?>">
You also need to ensure you use this button
<input type="hidden" name="cmd" value="_s-xclick">
You also need to turn on and set a URL for the Instant Payment Notification on PayPal
They call this a listener, but it really just sends the payment data to the PayPal page.
Note this is not the URL the customer is returned to after payment completion as set in button preferences.
Retrieve the custom variable in PHP thus:
$userID = $_POST['custom'];
Full instructions here
http://www.brianmoreau.com/articles/paypal_buy_now_button_sending_custom_variables.php
Hope this saves you the many hours I spent on it.
This method also allows you to obtain the buyer details such as email and address and the transaction reference.
To view the full data PayPal sends after payment, click on History, then IPN History.

Related

Paypal Transaction Pass Unique Data - PHP

I've a question about processing a PayPal Transaction & being able to pass a unique piece of information along with the transaction to identify the customer.
Customers have a unique ID that isn't sensitive - say 1000000898.
Situation:
A customer can join this site with any email address and later can decide to upgrade with Paypal which might be registered under a different email address.
I can then have an issue identifying which account made the transaction, as I only have the email as a reference. I want to be able to pass the unique ID (above) along with the transaction and be able to see this ID when I look at the transaction in PayPal.
Below is some code I'm using; the last line I added to try to pass the ID along with the transaction. The transaction processed fine, but in PayPal (Sandbox) I couldn't find the ID with the transaction; it didn't appear anywhere...
<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="blahblahblah">
<input type="hidden" name="return" value="https://somewhere.com" />
<input type="hidden" name="item_number" value="1000000898">
Question:
What input name would I add (or line(s) of code would I add) to be able to see the ID in the PayPal transaction, e.g. along with name, email and address?
thanks heaps..!!
Adam
This code is for a hosted button. You cannot add additional variables directly to a hosted button's code. If you want to add dynamic data into your button you will need to make it non-hosted.
When building the button, Step 2 (or maybe Step 3) asks you if you want to save the button at PayPal. You need to disable this option. Then at the end there will be another option for securing the code, and you'll need to disable that, too, so that it's not encrypted. This will give you the basic, raw HTML form code.
With this raw form code you can add any variables you want from the PayPal Standard Variables reference.
Of course, doing things this way does leave the door open for somebody to potentially copy your HTML code, adjust the variable values, load the HTML form/button on their own page, and submit a payment for your product/service at a cheaper price. You would need procedures in place to catch this sort of thing.
Another option (which I recommend) is to use the Express Checkout API instead. This allows you to customize everything and make it dynamic without the ability for anybody to adjust any of the code/values.
Since you're working with PHP you could take a look at my PayPal PHP SDK. This would allow you to make the API calls for Express Checkout very quick and easy.

Paypal: Can i return a receipt no or order no when going back to "return" URL?

I would like to be able to launch a payment success page within my application after a PayPal transaction. As part of this, I would like to display a receipt number on the screen for the user's reference (and to store in a database).
Currently, my code looks like this:
Form
<input type="hidden" name="return" value="http://myurl/success.php">
Inside Success.php
<script>
alert(/*receipt no*/);
</script>
At the moment, its purpose is simply to alert a receipt number. I am hoping I can change it to something like this:
"alert(<?php echo $_GET['receipt_no'] ?>)"
Is there a way I can tell PayPal that I would like it to send back a receipt number to me? And can it be accessible via a URL variable?
You can use the custom field:
<input type='hidden' name='custom' value='your receiptnumber'>
and it will be posted back to your return URL, as well as to your notify URL, where you can access $_POST['custom'].
You can also use
<input type='hidden' name='item_name' value='receipt number'>
<input type='hidden' name='item_number' value='receipt number'>
but that will be displayed to the user on the PayPal site.
You can use txn_id for tracking records; it is returned by PayPal. Store it in your database.
What I do:
I store everything in the database, as well as writing it to a file.
PDT vs IPN
PDT
1) Variables are returned to the return URL. For this to work the user has to click on "return to merchant" (or something similar) to return to your website, or you have to set it in PayPal to automatically return to your website after paying. If you have not set PayPal to return automatically, or the user doesn't click on "return to merchant", or if there is any problem in your return URL code, then you have no way of knowing that the user paid.
2) And there is no way to know that the variables are coming from PayPal, because anybody can create a form with method post with all the required variables and send it to your return URL.
IPN
1) Variables are returned to the notify URL. It works in the background: after sending the variables, PayPal will wait for a 200 OK message (that is, it will check whether you have successfully received the variables); if not, it will resend the message (as per the documentation).
2) For security, you should send all the variables returned to you by IPN back to PayPal. PayPal will check whether it sent them. If the variables were sent by PayPal, then PayPal will send the message VERIFIED, so you can be sure that the variables were actually sent by PayPal.
For more info: https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNPDTAnAlternativetoIPN/
And most important: even if you use IPN you need to use HTTPS, otherwise somebody can perform a man-in-the-middle attack (hackers can sit in the middle and respond instead of PayPal for verification, etc.).
For more info: https://developer.paypal.com/docs/classic/products/instant-payment-notification/
As v Sugumar has pointed out, you can do it. The question is whether you should do it. You might be better off generating your receipt number at your own end, either before or after you send the user to PayPal, and storing it in a database or session variable.
Using a JavaScript alert to show a receipt number (and moreover using PHP to write JavaScript variables) is also a bit 'ewww yuck' from a code standards perspective. Why not generate a proper receipt in PHP and just display it on the success.php page?
As Naval Dabral mentions, it's trivial to store data in $_SESSION. However, you'd need to do something more like this (because you wouldn't be using PayPal's GET variables):
<?php
//Before user is sent to PayPal.
session_start();
$_SESSION['receipt'] = "receipt number";
?>
The user pays and is returned to success.php:
<?php
session_start();
echo "Thank you for your order. Your Receipt number is " . $_SESSION['receipt'];
?>
It would also mitigate against someone guessing a receipt number and gaining access to your user's sales details, as the receipt would be stored in a secure PHP session, rather than an insecure and guessable GET variable.
Store the receipt number in the session like this:
<?php
session_start();
$receipt_no = $_GET['receipt_no'];
$_SESSION["receipt_session"] = $receipt_no;
?>
and you can use this value when the payment is made.

How to send ipn variables server-side?

I have a payment button that uses the custom variable to identify in my database who bought what when the IPN message comes. My custom field looks like this:
<input type="hidden" name="custom" value="userName">
My problem is that anybody can change this value to whatever they want, allowing people to buy stuff for other users. Is there any possible way to send this custom value from PHP to PayPal, so that the user cannot change the value to something else?
You can use the Express Checkout APIs instead of standard payment buttons.
You'd make a call to SetExpressCheckout to start the process and obtain a token, then redirect the user to PayPal.
When they're returned from PayPal you can call GetExpressCheckoutDetails to obtain the buyer information as returned by PayPal, and then you call DoExpressCheckoutPayment to finalize the order and actually move the money.
You would include the CUSTOM parameter in that final DECP request the same way you are now, but it would all be hidden in the PHP code, of course. Nothing people would see in HTML.
This PayPal PHP SDK will make those API calls very quick and easy for you.

Paypal Security Flaw?

I have the following form at the end of a booking process (simplified):
<form action="https://www.paypal.com/cgi-bin/webscr" name="paypalForm" method="post">
<input type="hidden" name="amount" value="<?=$price;?>">
<input type="hidden" name="business" value="business#email.co.uk">
<input type="hidden" name="notify_url" value="http://website.co.uk/ipn">
</form>
I have only left out things like address, name, etc. So when they pay via PayPal, I am using PayPal IPN to mark them in the database as paid. However..
I have gone to the end of my booking system and viewed the source of the webpage, and modified the business email address and amount. I haven't tried a full transaction yet, but surely with the 'notify_url' in there PayPal will send an IPN message to my server and will mark the person off as paid? Isn't this terrible security? Surely this is not how all PayPal payments work; I must be missing something.
There are two things I can think of that might prevent this:
If I remove the "notify_url", will the IPN URL that I have set in PayPal work instead? What value does PayPal place on the hidden var notify_url; does it override the settings in the back end of PayPal?
In my IPN code I could check for business and amount. I don't currently, as I didn't read anywhere in the documentation that I should. But now, I am thinking that maybe it would be a terribly good idea.
There isn't any check that can be done by PayPal to know what the correct amount or email address should be that was used, or that the IPN URL should only be used with a particular PayPal account. Your options would be to write in the additional checks like you have already mentioned. In addition to what you already stated about your 2 workarounds, a 3rd option would be to create a hosted or encrypted button on the fly using PayPal's BMCreateButton API. Then the buyer would only see the encrypted button code; they would not be able to view your HTML button code. Therefore they would not be able to modify any of the variables, or see what they are currently set to.
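Putting the checks from this thread together (the VERIFIED postback over HTTPS from v Sugumar's answer above, and the business and amount checks discussed here), here is an added example of an IPN listener; it is not code from any post on this page, and the table names, the 'upgraded' column and the EXPECTED_* values are assumptions.

```php
<?php
// Added example, not code from any post in this thread. An IPN listener that
// posts the raw message back to PayPal over HTTPS and requires VERIFIED, then
// checks receiver, amount, currency and status locally, and credits each
// txn_id only once before trusting the 'custom' value.
// Assumptions (hypothetical): $db is a PDO connection to MySQL; table 'orders'
// has a UNIQUE index on txn_id; table 'users' has an 'upgraded' column.

const EXPECTED_BUSINESS = 'business@example.com'; // your PayPal account email
const EXPECTED_AMOUNT   = '9.99';                  // price of the upgrade
const EXPECTED_CURRENCY = 'GBP';
const PAYPAL_URL = 'https://www.paypal.com/cgi-bin/webscr'; // sandbox host differs

function ipnIsVerified(string $rawBody): bool {
    // Echo the untouched body back with cmd=_notify-validate; PayPal answers
    // VERIFIED only for a message it really sent. TLS verification stays on:
    // that is the defence against someone answering in PayPal's place.
    $ch = curl_init(PAYPAL_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    $resp = curl_exec($ch);
    curl_close($ch);
    return $resp === 'VERIFIED';
}

function ipnPassesLocalChecks(array $post): bool {
    // PayPal cannot know which receiver or price is "right"; compare locally.
    $gross = number_format((float) ($post['mc_gross'] ?? 0), 2, '.', '');
    return ($post['payment_status'] ?? '') === 'Completed'
        && strcasecmp($post['receiver_email'] ?? '', EXPECTED_BUSINESS) === 0
        && ($post['mc_currency'] ?? '') === EXPECTED_CURRENCY
        && $gross === EXPECTED_AMOUNT
        && ctype_digit($post['custom'] ?? ''); // custom carries a numeric user id
}

// Reply 200 either way so PayPal stops retrying; act only on a good message.
http_response_code(200);
if (!ipnIsVerified(file_get_contents('php://input')) || !ipnPassesLocalChecks($_POST)) {
    error_log('IPN rejected, txn_id=' . ($_POST['txn_id'] ?? '?'));
    exit;
}
$userId = (int) $_POST['custom'];
// INSERT IGNORE plus UNIQUE(txn_id): a replayed notification inserts nothing.
$ins = $db->prepare('INSERT IGNORE INTO orders (txn_id, user_id, amount) VALUES (?, ?, ?)');
$ins->execute([$_POST['txn_id'], $userId, $_POST['mc_gross']]);
if ($ins->rowCount() === 1) {
    $db->prepare('UPDATE users SET upgraded = 1 WHERE id = ?')->execute([$userId]);
}
```

Point the sandbox at www.sandbox.paypal.com and test with the IPN simulator; a message whose amount or receiver was tampered with in the HTML form still fails the local checks even though PayPal reports it VERIFIED.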

Paypal + PHP: how to receive a value on success sale

I have a PayPal button on my site in a form. The form has an additional input called ID, where the user must enter a specific value.
After the sale is complete, PayPal returns the user to domain.com/credits?done
How can I receive the original ID value entered by the user in /credits?done? I need it to modify his database record automatically.
Thanks.
You can create a simple cart system that will have a unique invoice to distinguish each transaction. Pass this invoice as a parameter when sending payment data to PayPal. Any other data can just be stored in your database; there is no need to send it to PayPal, since you can determine each transaction with the invoice as the unique identifier.
You also need to create an IPN handler page to receive data from PayPal when the user makes the payment there, so you can update the payment status in your database. This way, the user does not have to click the return-to-your-site link after making the payment, but you can still update the related data.
To make integration easier, you can consider using Micah Carrick's PayPal IPN Class. Basically it's the same code as the one provided by PayPal, but it's wrapped into a class, so you can just use it in your page.
If the ID you refer to is a unique reference that you use, then pass this back and forth between Paypal and your site using the item_number element.
Set the ID in the HTML form you show to your customer and note you can also specify 3 URLs:
<input type="hidden" name="item_name" value="Box of stuff">
<input type="hidden" name="item_number" value="12345">
<input type="hidden" name="return" value="http://www.blah.com/paypal_thanks.asp">
<input type="hidden" name="notify_url" value="http://www.blah.com/paypal_callback.asp">
<input type="hidden" name="cancel_return" value="http://www.blah.com/paypal_cancel.asp">
Where I have used "paypal_callback.asp" above, this overrides the IPN link which you can set up when you log into PayPal and edit your settings. So this value is optional.
The script paypal_callback.asp (assuming it is written in ASP) can then just say:
iAdvertId = Request.Form("item_number")
Note that this page is not the one shown to the user! It is hit by PayPal's servers behind the scenes. The annoying thing is that paypal_callback.asp will not get called by PayPal immediately. It might be 3 days later... or they might hit it a month later to retract a payment.
The customer will get redirected to either paypal_thanks.asp or paypal_cancel.asp in my example. These pages will not be passed a form or querystring, so the only way to get hold of the number you placed in item_number is to also store it in a cookie BEFORE the user submits the form to purchase.
When you get the email from PayPal, the item_number will be mentioned in the subject line, and within the mail body too (on the end of the Description line).
It is also possible to set additional information in custom fields. The PayPal documentation details how to do this, and you can test it with their IPN simulator in the sandbox.
See the documentation for PayPal's Instant Payment Notification and the IPN PHP code sample on the PayPal Integration Center site.