How to keep PayPal variables secure - php

I'm trying to link my 3rd party shopping cart to PayPal, and in the process I'm finding that my variables are extremely exposed, such that, if someone uses, say, Firebug, to manipulate the values of my variables, they can change the cost of the items in the transaction.
I'm very new to online carts and shopping, so my question is how do I keep this layer of exposure away from users and secure for the website?

The answer is in the Instant Payment Notification service.
Upon completing the transaction, PayPal notifies you, in a separate process, of the payment details for the last transaction.
You can check these details against the data you stored locally. If they match, all is fine. If they do not match, you will need to investigate the issue.
Never understood why PayPal does not allow the data to be signed with some sort of hash + shared secret... but that does not help you any further.
If you POST the variables to PayPal, you can encrypt the data. Unfortunately, this is not possible for a GET request, triggered from a redirect.

There is a way of getting PayPal to host the button variables on their side. Look out for PayPal Hosted Buttons in their documentation:
https://cms.paypal.com/uk/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_ButtonMgrAPIIntro#id093VD0JE0Y4
Otherwise verify with IPN as mentioned by Jacco.

Use the PayPal NVP or SOAP API to create an encrypted button. Basically you set all the information using PHP and then the API gives you the HTML.
Alternatively if you only have a couple of products you can make custom buttons.
The APIs are well documented and easy to use. Personally I used the NVP as it was recommended for less experienced programmers. You can also use both with the IPN (Instant Payment Notification) system so that, for example, digital products can be automatically emailed.

Related

How to verify PayPal Express Checkout details on the server?

I'm just now trying to get up to speed with PayPal Express Checkout (i.e. checkout.js), using the client-side REST integration described here. I see that when payment is complete, my onAuthorize function is invoked with a "payment" object.
I can't find any documentation on this object, but some poking at it reveals the following properties (at least today):
paymentToken
payerID
paymentID
intent
returnUrl
Now I need to redirect the user to the next step on my website, where I show a receipt confirming they've paid, etc. I guess I send the above data to the server, but since that step could be easily spoofed by a malicious user, I will need to verify those details in the PHP code, server side.
How do I do that?
You can make a GET call on your server side to /v1/payments/payment/PAY-XXXXXX with the paymentID and the payerID to get the payment details, and verify those details there.
https://developer.paypal.com/docs/integration/direct/express-checkout/integration-jsv4/advanced-payments-api/show-payment-details/
See https://developer.paypal.com/docs/api/overview/#make-your-first-call for some basics on calling the REST API from your server.
Assuming you are using PayPal Encrypted Buttons, you don't actually need to verify the amounts sent through server-side. Although a user could indeed manipulate the $_POST data, PayPal's got you covered, and won't allow the transaction to go through. This is because PayPal Encrypted Buttons are generated with your variables such as price built-in to the ID. If the variables don't align with those used to create the button, the transaction is denied.
Alternatively, if you are simply using your own code to make the request, you can secure the payments with PayPal's Instant Payment Notification. Again, this allows any $_POST data to be sent through for the payment. Afterwards, PayPal makes a call to your IPN page in order to validate that the parameters are correct. This is demonstrated in the following workflow:
When communicating with your IPN, if PayPal finds that the values don't match up, the order is cancelled. Assuming that the values match up, you can safely redirect them to your confirmation page.
Hope this helps! :)

Paypal. Payment information page

I use payment via paypal and I need the customer to enter secure payment information on my webpage.
After reading tutorials, I need to set action to paypal => "https://www.paypal.com/cgi-bin/webscr" and the customer to complete their data on paypal website.
Is it possible to have customers enter card data on my own website? Can you offer any advice or manuals on how to implement this?
Thanks. Sorry for my English
Is it possible to have customers enter card data on my own website?
Yes it's possible. Is it advisable? Not if you don't have to.
If you are passing the user to PayPal to complete payment, there is absolutely no reason for you to collect the CC data on your own website. All you do is add to the customer's risk as well as your own (since there are certain legal ramifications if you screw something up).
If what you are asking is how can you do the entire process on your own site, then that's a different answer and a pretty involved one. PayPal has options for this with different plans and each of those options has plenty of documentation on how to setup and configure the process.
As @butlerblog mentioned, there are different levels of integration for ecommerce. If you truly want to stay away from PayPal but are considering your other options for third party integration, you can check this site to start getting an idea of how involved with ecommerce you want to get.

Best practice for crediting users account with PHP MySQL and paypal express checkout

I am integrating PayPal Express Checkout API into a digital goods/services website. I worked out all the technical stuff, but now I have a theoretical question - when the transaction is done and I get a confirmation from PayPal, what is the best way to store that acknowledgement from paypal, and credit my user's account?
The ConfirmPayment() function in the paypal library returns from paypal with an associative array, including a transaction ID, and acknowledgement that I have the user's money in my business account.
So my plan is, store that transaction ID as a unique value in a SQL table, so if the user for example reloads the confirmation page, which would then re-call ConfirmPayment($token), my PHP script won't just credit their account a second time, because the SQL table will return a unique ID error.
How are smart programmers integrating this last payment confirmation into the rest of their application?
THANKS.
I would do it like so:
Keep a full log of all the messages you receive from PayPal. Just the RAW data should be fine. Beyond that point you don't need that much traceability. If anything ever happens you can check the log. This should really never happen; if you need to look at this log a lot to resolve any issues, you have a different kind of problem. This is why my suggestion is: don't put too much time into it, but make sure you have traceability (albeit a very crude one).
If the user reloads the confirmation page, Paypal will not send you another message. Keep in mind that you should only accept transactions that Paypal has verified. The user should not be able to validate his own transactions by bypassing Paypal.
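The plan from the question (a unique transaction ID) combined with the raw log suggested in the answer, as an added example that is not part of the original posts. The table and column names, the in-memory SQLite database and the constructed transaction ID are assumptions made for illustration.

```php
<?php
// Credit an account at most once per PayPal transaction ID.
// Hypothetical schema; SQLite in memory keeps the example self-contained.

function creditOnce(PDO $db, string $txnId, int $userId, int $cents, string $rawMessage): bool
{
    $db->beginTransaction();
    try {
        // The PRIMARY KEY on txn_id makes a replayed confirmation fail here,
        // before the balance is touched. The raw message is kept as the log.
        $db->prepare('INSERT INTO paypal_txn (txn_id, user_id, cents, raw) VALUES (?, ?, ?, ?)')
           ->execute([$txnId, $userId, $cents, $rawMessage]);
        $db->prepare('UPDATE users SET balance_cents = balance_cents + ? WHERE id = ?')
           ->execute([$cents, $userId]);
        $db->commit();
        return true;
    } catch (PDOException $e) {
        $db->rollBack();
        if ((string) $e->getCode() === '23000') { // integrity constraint: already credited
            return false;
        }
        throw $e;
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, balance_cents INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE paypal_txn (txn_id TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
           cents INTEGER NOT NULL, raw TEXT NOT NULL)');
$db->exec('INSERT INTO users (id) VALUES (7)');

// Constructed confirmation, processed twice as if the confirmation page were reloaded.
$raw = 'constructed raw PayPal response';
$first = creditOnce($db, 'CONSTRUCTED-TXN-1', 7, 500, $raw);
$second = creditOnce($db, 'CONSTRUCTED-TXN-1', 7, 500, $raw);
$balance = (int) $db->query('SELECT balance_cents FROM users WHERE id = 7')->fetchColumn();
printf("first=%s second=%s balance=%d\n", var_export($first, true), var_export($second, true), $balance);
```

Doing the insert and the balance update in one database transaction means a crash between the two cannot leave a recorded payment without its credit, or a credit without its record.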

How to build a paypal donation system that gives points

I am trying to create a way to set up the following:
User sends donation to paypal with info from donation site (name, email)
Paypal receives the donation and using the 2 variables it received (name, email) it sends them back to the donation site
Donation site receives variables and donation amount and changes some variables in the website to show that the user has donated some amount.
The site shows a list of users that have donated and how much they have donated, which shows as points. How can I do this with PayPal, PHP and MySQL?
I'd suggest looking into using PayPal Instant Payment Notifications (IPN).
PayPal IPN allows you to (asynchronously) process order information while not having to depend on the buyer to return to your website to complete the order (which would be the case with PDT).
You can use IPN by setting up a script which receives this (POST) data from PayPal. In addition, you must include the following code in your button and/or API call(s):
For Website Payments Standard (where "xxxxxxxx" is the full URL to your IPN script):
<input type="hidden" name="notify_url" value="xxxxxxxx">
For Express Checkout:
Include NOTIFYURL=xxxxxxxx in your SetExpressCheckout and DoExpressCheckoutPayment API calls.
For Website Payments Pro:
Include NOTIFYURL=xxxxxxxx in your DoDirectPayment API call.
Once set up, you will receive POST data from PayPal with every transaction.
Take this data, and send it back to https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate (Live) or https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_notify-validate (Sandbox) to validate the data. If PayPal responds with VERIFIED (in the body of the page), you're sure the data is genuine IPN data coming from PayPal.
You can find sample code, documentation and further information on PayPal IPN at https://www.paypal.com/ipn
See also some IPN security best practices at https://www.x.com/developers/community/blogs/ppmtsrobertg/securing-your-instant-payment-notification-ipn-script
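The postback described in this answer, combined with the comparison against locally stored data recommended in the first answer on this page, as an added example that is not code from the original posts or from PayPal. The order array layout, the helper names and the sample notification are assumptions; the postback is passed in as a callable so the check can be exercised offline with a stub.

```php
<?php
const IPN_VERIFY_URL = 'https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate';

/** Production postback: send the raw body back to PayPal, return its answer. */
function paypalPostBack(string $rawBody): string
{
    $ch = curl_init(IPN_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_TIMEOUT => 30,
    ]);
    $answer = curl_exec($ch);
    return is_string($answer) ? trim($answer) : '';
}

/** Whole cents from a decimal string, or -1 if it is not a plain amount. */
function toCents(string $amount): int
{
    return preg_match('/^\d+(\.\d{1,2})?$/', $amount) ? (int) round($amount * 100) : -1;
}

/** Returns null if the order may be fulfilled, otherwise the reason for rejecting it. */
function checkIpn(string $rawBody, array $order, callable $postBack): ?string
{
    if ($postBack($rawBody) !== 'VERIFIED') return 'not confirmed by PayPal';
    parse_str($rawBody, $ipn);
    if (($ipn['payment_status'] ?? '') !== 'Completed') return 'payment not completed';
    if (strcasecmp($ipn['receiver_email'] ?? '', $order['receiver_email']) !== 0) return 'paid to another account';
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) return 'currency mismatch';
    if (toCents($ipn['mc_gross'] ?? '') !== toCents($order['total'])) return 'amount mismatch';
    return null;
}

// Constructed data: the locally stored order, and a notification for a checkout
// whose amount field was edited in the browser. VERIFIED only says the message
// came from PayPal; the comparison with the stored order catches the change.
$order = ['receiver_email' => 'shop@example.com', 'currency' => 'USD', 'total' => '49.90'];
$edited = 'payment_status=Completed&receiver_email=shop%40example.com'
        . '&mc_currency=USD&mc_gross=0.01&txn_id=CONSTRUCTED1';
$intact = str_replace('mc_gross=0.01', 'mc_gross=49.90', $edited);
$stub = fn(string $body): string => 'VERIFIED'; // stands in for paypalPostBack()

foreach (['edited' => $edited, 'intact' => $intact] as $label => $body) {
    echo $label, ': ', checkIpn($body, $order, $stub) ?? 'ok', PHP_EOL;
}
```

In a live listener the raw body comes from `php://input` and `paypalPostBack` is passed instead of the stub; the sandbox URL given above replaces the live one during testing.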
I found this tutorial, looks like what you're after.
http://tutorialzine.com/2010/05/donation-center-php-mysql-paypal-api/
Your first step is to use a paypal payments pro account. If memory serves correctly, you can only callback on pro accounts. Otherwise your paypal donation is pretty much a one way trip.
Please understand your question is very involved and is not likely going to result in a full blown example.
The best suggestion I can give is to read up on the paypal API documentation and see if the PHP API fits your needs...
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/howto_api_overview
The PHP / MySQL end of things is on you at this point. You must store user information that you would use to send and validate the successful transactions based on the paypal API results.
While this answer may not serve your situation exactly, it is at least a small point in the right direction. I would suggest taking care to consider refunds and cancelled payments. If there is anything at all to gain by accumulating these "points" you mention then you need to cover security well. Otherwise you will be gamed and could stand to lose something if this is not done correctly.
If you have anything specific to add to this question to narrow down the possible answers, let me know and I will try to update this answer with a better, more specific response.
Set up Payment Data Transfer with PayPal,
PayPal PDT How To
Then on the page that receives the payment details from PayPal, calculate the number of points the person gets based off of how much money they donated (using whatever multiplier or point scheme you decide on), then log the data in a points field in the user's row of your user table in mysql.

How to use Paypal Standard in a web application with PHP

I'm looking for a way to build a web application using paypal payments standard. I'd like the user to get redirected to paypal, then fill out their information, and upon completion, add a value in our database saying that they successfully paid. I haven't found a solution or answer to this.
I found this thread for RoR, but didn't find anything for PHP
Paypal Website Payments Standard with a Ruby/Rails application
You can see instructions for a Payment Data Transfer at PayPal's site. Basically, you post the transaction amount and an ID token to their site, the customer pays on paypal.com, and then they're sent back to a pre-defined URL on your site with the transaction details.
I used the NVP API to do that.
