We Keep Coding

Paypal return url not working with php and html form

I have payments set up (using php) so that when a customer returns to the success.php file (after payment process on Paypal using an IPN listener) they are added to the db with a new membership number, which is also generated in the success.php file. The process works fine if the customer pays as a guest, they are returned to the success.php page as they should be. However, if the customer logs in to paypal rather than paying as a guest they are redirected to the Paypal user account page instead of back to the success.php page on my site. This means the payment has been taken but their membership number is not created or added to the db.
Is there a way to force ALL customers back to my success page or should the code to create the new member be added to the ipn listener (ipn.php) file so it wouldn't matter if they didn't come back to the success page?
This is the code I use in the checkout page to set the return url.
<form action="<?php echo $paypalURL; ?>" method="post">
<!-- Identify your business so that you can collect the payments. -->
<input type="hidden" name="business" value="<?php echo $paypalID; ?>">
<!-- Specify a Buy Now button. -->
<input type="hidden" name="cmd" value="_xclick">
<!-- Specify details about the item that buyers will purchase. -->
<input type="hidden" name="item_name" value="<?php echo $item_name; ?>">
<input type="hidden" name="item_number" value="<?php echo $item_number; ?>">
<input type="hidden" name="amount" value="<?php echo $price; ?>">
<input type="hidden" name="currency_code" value="GBP">
<!-- Specify URLs -->
<input type='hidden' name='cancel_return' value='http://example.com/payment-cancelled'>
<input type='hidden' name='return' value='http://example.com/thanks-for-joining/'>
<!-- Display the payment button. -->
<input type="submit" name="submit" class="button" value="Pay Now">
</form>
I should add that I have only tested this in sandbox mode so far, so if anyone knows if this is a sandbox only issue, please let me know.
UPDATE: Further testing shows that the return url no longer works with a guest check out either. This has only started happening since sandbox payments are going through the new payment pages (screenshot attached).
Has paypal changed the method of requesting a return url?

I fought with a few ways of integrating paypal's payments into my site. From what I've read here on stackoverflow, on paypal's site, and all over the web, it is probably best to put all of that backend work into your listener. You could set up something on the front-end to prep your DB for the customer, but the major problem with using the success page for this information is that:
1) your customers could just enter the URL of your success page if known
2) A customer can choose not to be redirected after paypal and may not return to your site at all (this is the best reason as I can see it).
3) Sometimes paypal redirects, but the listener may not have received paypals response of completed, pending, .etc (this is why they wait 10sec before redirection), so you do not want the user to go elsewhere or have been verified prematurely.
Honestly, placing all the code in your listener is quite simple as well and reduces miscommunication between your success page and paypal. As for testing, I just used the IPN simulator to test my code and it was fine.
As for the redirect URL, there are a few redudancies in paypal, if you use buttons, the option 3 (I believe) will provide a return URL that overrides the others. I'm not sure about using sandbox, but make sure you have .sandbox.paypal in your code to ensure it works (https://gist.github.com/xcommerce-gists/3440401#file-completelistener-php).
I hope this helps.

PayPal Payment Integration with Dynamic Paypal Account

I have a website (built in Laravel) that allow merchants with a PayPal account to sell their items, which is similar to eBay with no cart function. However, I have issue on integrating PayPal into my website as I do not know what is the best way to ensure the data are correct. I have think of the follow method to implement, but it seems none of the are looking good for me.
Using JavaScript button
<script src="/js/paypal-button.min.js?merchant=MERCHANT_EMAIL"
data-button="buynow"
data-name="My product"
data-amount="1.00"
async
></script>
This is not secure as any user can tamper with the detail of the order such as price and there is no way to prevent this.
Using HTML form
<form method="post" action="https://www.paypal.com/cgi-bin/webscr" class="paypal-button" target="_top">
<div class="hide" id="errorBox"></div>
<input type="hidden" name="button" value="buynow">
<input type="hidden" name="item_name" value="My product">
<input type="hidden" name="amount" value="1.00">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="MERCHANT_EMAIL">
<input type="hidden" name="env" value="www">
<button type="submit" class="paypal-button large">Buy Now</button>
</form>
This method also have the same issue as method 1 as user can change the value in the form before submitting the order.
Using PayPal Hosted Button
By far, I think this is one of the secure way to integrate a PayPal Pay button into my website. But I cannot dynamically change the item details and price on my website as the button is hosted in PayPal.
Using PayPal IPN
The PayPal IPN is used to validate the payment detail after the payment is done by the user. As each of the merchant has different PayPal account, I could not configure the IPN url for each of their account. So passing notify_url variable while submitting the payment form are necessary to make sure all the payment detail are sent and returned to my dedicated IPN url.
I searched online and found most of the people are using this method to validate the fraud payment, but I think this is only suitable for payment to only one PayPal account instead of dynamic merchant's PayPal account. If I passed the notify_url variable in HTML form, the user can still tamper with the value which lead to the failure of validating the payment detail as the IPN url is not valid or tampered, and in the end the result would be either Payment Pending or Payment not received as I couldn't validate the payment details.
Is there a good solution or suggestion to my problem?

using paypal button - can my webpage tell if paypal transaction was successful or not?

I am using joomla and have brought a component which allows users to post listings on my site. The plugin uses a credit system to pay for the listing but the credit system is quite complex and confusing so i have disabled it.
I found that PayPal provides some code which inserts a Buy Now button on any webpage :) perfect, just what i wanted!
The only problem I am having is at the moment the button is displayed on my Add Listing form (which is again part of the component) but it can easily be bypassed by just clicking on the form's submit button, meaning the listing can be published without having to pay.
So my questions are:
Once the user clicks on the Buy It Now button is it possible to
redirect them back to the 'Add Listing' form they were just filling
out?
Can I disable the submit button on the form until the payment has been
confirmed?
Does the PayPal 'Buy Now' button return any information
confirming the process was successful?
i am using html + php :)
the code i used to produce the buy now button is
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="smyacc#hotmail.com">
<input type="hidden" name="lc" value="GB">
<input type="hidden" name="item_name" value="listing-purchase">
<input type="hidden" name="amount" value="2.99">
<input type="hidden" name="currency_code" value="GBP">
<input type="hidden" name="button_subtype" value="services">
<input type="hidden" name="no_note" value="0">
<input type="hidden" name="shipping" value="0.00">
<input type="hidden" name="bn" value="PP-BuyNowBF:btn_buynowCC_LG.gif:NonHostedGuest">
<input type="image" src="https://www.paypalobjects.com/en_US/GB/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal – The safer, easier way to pay online.">
<img alt="" border="0" src="https://www.paypalobjects.com/en_GB/i/scr/pixel.gif" width="1" height="1">
</form>
would really appreciate any help with this!!!
Luke

Good news - the answer to your questions is essentially yes. Your end goal is definitely doable, but in order to really solve your problem in its entirety, we may need a little bit more information.
How you go about it can vary from case to case, however, and unfortunately it's been a while since I configured these buttons, so bear with me ;-)
once the user clicks on the buy it now button is it possible to redirect them back the the add listing form they were just filling out?
Yes, this is a very standard functionality that PayPal has built into their buttons and their process. What you are looking for here is what PayPal calls "Return URLs" or "Auto Return". Here's the page with more of the documentation I quoted below so you can decide whether the Return URL or the Auto Return or the Payment Data Transfer option is best suited for you.
Returning buyers to your website after they check out
The basic checkout experience leaves buyers on the PayPal website
after they check out. Use one of the following techniques to enhance
the checkout experience so that buyers return to your website,
instead.
Return URL: Allow buyers return to a page on your website if they
click a return link or button on the PayPal payment confirmation page.
To learn more, see item #5 under Step 3: Adding advanced features to
your Buy Now button or HTML variables for displaying PayPal checkout
pages.
Auto Return: Have PayPal return customers automatically to a page on
your website.
Important: PayPal recommends that you turn Payment Data Transfer on
when you turn Auto Return on. With Auto Return on, PayPal redirects
buyers to your website from an alternative PayPal payment confirmation
page, which does not allow them to print PayPal receipts. Payment Data
Transfer provides the transaction information that you need to allow
buyers to print receipts from your website.
To learn more, see Auto Return.
Payment Data Transfer: PayPal includes information about the completed
transaction when you use a return URL or Auto Return to send customers
back to your website. Use the information that Payment Data Transfer
provides to display a "thank you, print your receipt" page on your
website. To learn more, see the Payment Data Transfer.
Question Can I disable the submit button on the form until the payment has been confirmed?
Certainly. To disable the submit button on the form until the payment has been confirmed, simply do one of two things until you can detect that the payment has been confirmed:
Add the 'disabled' attribute to the Submit button. This will grey out and disable the Submit button, rendering it unusable. However, since the button would still be visible and all, a web-savvy end user might just go into the HTML and remove the disabled attribute and be on his merry way.
<button type="submit" disabled>Submit Listing</button>
Hide the Submit button. In this case, the web-savvy end user could technically still go into the HTML and remove the styling so that the button is visible, but without seeing it...well, you know, 'out of sight, out of mind'
<button type="submit" style="display:none">Submit Listing</button>
Question Does the PayPal 'Buy Now' button return any information confirming the process was successful?
Again, there's a few ways of attacking this.
Method 1 The simplest way might be to use the PayPal Return URLs and some GET parameters to tell you whether or not things were completed or cancelled. There is something like a Return URL for Cancellations and a Return URL for Completions. From that same page that I linked, PayPal documents the creation of a button with respect to this feature:
Take buyers to a specific webpage (URL) after checkout cancellation
(optional)?
Select the checkbox and enter a URL in the text box if you have a
special page on your website where you want buyers to return to if
they cancel their checkouts before completing their transactions.
Take buyers to a specific webpage (URL) after successful checkout
(optional)?
Select the checkbox and enter a URL in the text box if you have a
special page on your website where you want buyers to return to after
they complete checkout successfully.
Method 2 The more advanced way (which is also more foolproof, given that in the first Method a hacker could try and guess your Successful Return URL) is using PayPal's Instant Payment Notification feature. With this feature, PayPal sends a POST request to a private (behind the scenes) URL which allows you to capture the data it sends you pertaining to the payment completion.
So your backend receives the information on the completion of the payment, and there are countless ways (AJAX requests, require the user refresh the browser or send the user an email telling them to come back and finish it, etc) that you can go about updating the frontend for the user so that they can use the now visible/enabled Submit button.
For details and documentation on PayPal's notify_url through their IPN system.
Best of luck!

I think you will find PayPal supply merchant scripts which will do something like that. Instant Payment Notification under PayPal settings - only available in a business account.
The php scripts you can download can be customised to do pretty much whatever you want once they return from payment. On a successful purchase you can echo the submit button so that it is physically not present unless they are returning after payment echo '<input type="submit" name="submit">';
Under "Tools and Settings" "Process My Orders"
You then need to make adjustments in the PayPal merchant interface to return the user to your IPN script.

How to validate PayPal return data?

I'm integrating paypal and I have done it correctly. I have set the return URL, so it give me below result set in url $_GET.
Array ( [tx] => 7XV08083GT683520Y [st] => Completed [amt] => 22.16 [cc] => USD [cm] => [item_number] => item_number )
My concern is there is no way to validate the data that has returned from Paypal. I have experienced with other payment gateways. Other payment gateways allow you to do hashMatch which allows to make sure that submitted data by the form has been not edited.
My form is as below.
<form method="post" action="https://www.sandbox.paypal.com/cgi-bin/webscr">
<!-- Identify your business so that you can collect the payments. -->
<input type="hidden" value="dasun_1358759028_biz#archmage.lk" name="business">
<!-- Specify a Buy Now button. -->
<input type="hidden" value="_xclick" name="cmd">
<!-- Specify details about the item that buyers will purchase. -->
<input type="hidden" value="AM Test Item" name="item_name">
<input type="hidden" value="22.16" name="amount">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" value="item_number" name="item_number">
<!-- Display the payment button. -->
<input type="image" name="submit" border="0" src="https://www.paypalobjects.com/en_US/i/btn/btn_buynow_LG.gif" alt="PayPal - The safer, easier way to pay online">
<img alt="" border="0" width="1" height="1" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" >
</form>
My php code output
<input type="hidden" value="50.16" name="amount">
But I used firebug and edited it to below & did the payment.
<input type="hidden" value="22.16" name="amount">
Still I get the result as it's a Completed payment but It should not be since I have made changes manually. Anyone who has a knowledge can edit them. How can I make sure that this is a valid payment ? How can I make sure that form data is not edited like I did ?

Anything that is critical and requires DB interaction should use Paypals IPN for data that MUST be verified. Essentially Paypal will Post the URL on your website with data and your script will have to post the exact data back plus a command to verify that the data is indeed correct. After Paypal gives an "verified" response, then you update your data.
Another alternative is using Paypal's express checkout, essentially you are getting an "ok" to charge a customer for "x" amount, once the customer agrees to pay the amount, you post the data to Paypal with the customers "agreement" and you will get a response if the transaction was complete or not.
https://www.paypal.com/ipn
https://www.x.com/developers/paypal/documentation-tools/express-checkout/integration-guide/ECGettingStarted

Before redirecing to paypal store your data in database (product_id, amount, quantity, etc)
After returning from payapl check the return values with your database.
This is the proper way of doing it.

If you want to notify whether you are returned from paypal than You should use Paypal API instead of "Buy now" button API provide more flexibility and power to control your payment process

You may try some of these:
1) Creating an Encrypted Button on the PayPal Website
2) Encrypting Buttons Dynamically With Encrypted Website Payments (EWP)
available at: http://www.paypalobjects.com/en_US/ebook/PP_WebsitePaymentsStandard_IntegrationGuide/encryptedwebpayments.html
Also, this SO link has some details:
Dynamic PayPal button generation - isn't it very insecure?

Which user subscribed to my site via PayPal?

I have been developing a website with PHP in which users will subscribe and pay their subscription fees monthly to resume their memberships. To do this, I created a Subscribe button from PayPal and tested it with sandbox, I can receive the payment. However, I couldn't find a way to determine which user have subscribed.
Here is the HTML code for the PayPal button:
<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="BUTTONID">
<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
As you can guess all users have unique IDs, I want to pass this unique ID to the PayPal page where payment is done then PayPal will pass this ID to me again, therefore the users account will be activated.
I have been searching for this for a very long time. There are many tutorials to do it with IPN but I can't see where to send the user id as an IPN parameter. I haven't managed to use PayPal APIs since their documentation is totally crap.
Maybe someone can give a link with a complete tutorial for this, or tell me what I understood wrongly?
Thanks

As far as I know, you can add up to 255 bytes of data to field labeled CUSTOM in just about every request to PayPal. PayPal returns this field in its responses and IPN's.
For something like subscriptions, I would recommend you to checkout the recurring payment mechanism offered by PayPal via NVP and SOAP. It is not that easy as just generating a button and placing it on your website but since you already wrote an entire website in PHP, you will not have any problems coding it. Recurring payments should provide everything you need to let your users subscribe and pay a monthly fee, including the ability to track who is who.