PayPal and form ordering HTML - html

Is it possible to make a link in site A to site B?
But you can't visit site B with a URL, only go from A to B.
What I want to do is:
You pay on an HTML page with a PayPal button; after paying, PayPal redirects you to a form page where you fill in the form for ordering.
But to avoid fraud, I don't want people to be able to visit the form page without paying.
I hope that somebody can help me!

You can't do that with HTML only; you'll need JavaScript.
Assuming that you know JavaScript, you can use a JWT token to give the user access when a certain condition is true (in this case, when the user has paid).

You should use the PayPal Braintree integration, or any other payment gateway that provides a built-in solution which prevents the case you are referring to; look at the Adyen integration.
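
An added example, not part of the answers above and not PayPal's or any gateway's API: a signed, expiring token that the server issues once it has confirmed the payment and checks before serving or accepting the order form. The function names, the `ORDER-1001` style id and the in-memory `usedOrders` set are assumptions for illustration; an order id is assumed not to contain a dot.

```javascript
// Added example: server-side access token for the order form (Node.js).
const crypto = require('crypto');

const SECRET = crypto.randomBytes(32); // server-only key, never sent to the browser
const usedOrders = new Set();          // stand-in for a database table (assumption)

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('base64url');
}

// Call only after the server itself has confirmed the payment with the gateway.
function issueFormToken(orderId, nowMs = Date.now(), ttlMs = 15 * 60 * 1000) {
  const payload = `${orderId}.${nowMs + ttlMs}`;
  return `${payload}.${sign(payload)}`;
}

// Run before serving the form page; returns the order id, or null to refuse.
function verifyFormToken(token, nowMs = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [orderId, expires, mac] = parts;
  const expected = Buffer.from(sign(`${orderId}.${expires}`));
  const given = Buffer.from(mac);
  // Constant-time comparison; the lengths must match before timingSafeEqual.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  if (Number(expires) < nowMs) return null;   // token expired
  if (usedOrders.has(orderId)) return null;   // form already submitted
  return orderId;
}

// Run when the form is posted; one paid order yields one accepted form.
function submitOrderForm(token, nowMs = Date.now()) {
  const orderId = verifyFormToken(token, nowMs);
  if (orderId === null) return false;
  usedOrders.add(orderId);
  return true;
}
```

The token travels in the redirect URL or a cookie; a request for the form page without a valid one gets a 403 or a redirect back to the payment page.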

Related

How to use paypal when the price is not fixed but generated in the previous page?

I have a page where a simple script calculates price after the user selects options but the problem is that I don't know how to take the generated price with the forms completed by the user and send that information to PayPal checkout page.
I made inputs that are hidden in the page that change values when user interacts with the page.
This is the page: http://lolo-boosting.ucoz.com/index/boosting/0-8
A working example here: https://boosteria.org/lol-elo-boosting
Would greatly appreciate if someone can share some links or information about this because I failed searching for this.
Take a look at the PayPal cart upload command method. That should allow you to accomplish your goal.

Is it safe to use an iframe for a payment?

I have this question: is it safe to use an iframe to load the page where the customer will make the payment? For example PayPal or DineroMail or the page that does the credit card payment.
My boss wants the customer to feel that they never leave the site, so in my site I added an iframe (and inside it I load the URL of the payment page), but I don't know if this is correct and safe or not.
Thanks.
From a technical security point of view (Same Origin Policy), it is exactly as safe to open an iframe as it is to open a new tab.
From a UI point of view, opening an iframe in certain locations can deceive the user and you might be accused of trying to clickjack the user into making an inadvertent payment if you are not careful.
I cannot say anything about PayPal's own policy, but you should make sure they are okay with it.
I have been through this several times with many clients. A lot of it has to do with 1) he isn't comfortable with a customer leaving his site, in fear the checkout won't occur, or 2) it's a pride thing: he wants clients to feel all the services can be performed in site.
One of the things that your boss needs to understand is that people like using PayPal because they are trusted and it's a familiar process to them. He needs to know that not only are people OK with being redirected to PayPal, but they expect it. If I were to run into a site where they checked me out in an iframe on PayPal it would be a red flag for me. Why? Because with the redirect I can see the address bar. I know that I'm at PayPal's site and I can see if it's a secure connection.
If he is dead set on a customer never leaving a site, he needs to do something like PayPal Payments Pro. This is probably the solution he really wants.
EDIT
I found your answer when dealing with the same issue myself last weekend and wanted to come back with something better!
It's called flex and it's a part of the Adaptive Payments classic API, which will take an additional application process that your boss may feel is well worth it.
https://developer.paypal.com/docs/classic/adaptive-payments/integration-guide/APIntro/
Head about 3/4 of the way down and you'll see step-by-step instructions to do exactly what you're looking for: a secure PayPal iframe.
Quick tip: If you have to incorporate it in your own processes simply do the following.
1) obtain your paykey after sending the request to paypal.
2) call in the javascript source as in the tutorial.
3) redirect the window manually as opposed to their created paypal button. aka https://www.paypal.com/webapps/adaptivepayment/flow/pay?paykey=YOURPAYKEY
Another good source is: https://www.paypalobjects.com/webstatic/en_US/developer/docs/pdf/pp_adaptivepaymentsmobile.pdf
It is safe if PayPal allows it, but you have to be careful from a UI point of view.
If your site is loaded over http and you load the iframe within your site, it appears to the user not to be secure even though the iframe is loaded over https. This approach is also vulnerable to a MiTM attack, as an attacker could intercept and change the iframe URL to something like http://www.evil.com and nobody would be the wiser at the time of entering the card details.
If your site is loaded over https, your customer has to trust you with their card details, as they cannot be sure that the iframe is actually pointing to the PayPal domain on https (https://www.paypal.com) and not your site. Yes, they could right-click and check the source, but this is a step too far for most users, and technically an evil site could swap the iframe for an evil version without the customer noticing.
My recommendation is to actually redirect to https://www.paypal.com because then it is shown in the address bar with a padlock and reassures users that they are giving their details to PayPal and nobody else.

PayPal Payflow HTML Integration with PayPal created buttons?

So I hope I don't sound too noob here. I've created all required buttons via the customer's PayPal account. I signed them up with PayFlow Checkout as they have a gateway that they want to use bc it's with their business bank, it's a First Date Merchant Account.
The PayFlow checkout is the free version for now. I have also saved and published the integrated checkout page.
How or what am I missing that needs to occur on their product page for the PayFlow process to be used?
I've gone through the PDF for developers but maybe I am not understanding something. I thought it was a simple fix to the buttons or some code snippet I paste in the header area.
EDIT - I do have the sandbox accounts created however maybe I'm not sure of what needs to happen next.
Buttons and current paypal cart located here.
Please be kind and give me any tips on what am I missing.
Keith

redirecting webpage programmatically

I have a feedback page in my website. In my website's homepage, when someone clicks on 'Feedback', it will open a modal window to ask a human verification question. If the response is correct, I want to programmatically open the URL to my feedback page.
My concern is:
The feedback page should not be accessible by directly entering the URL, i.e., www.mysite\feedback.html. How can I prevent this from opening my feedback page?
I'm also aware that my anti-spamming effort isn't the best option, but for now I don't need a robust mechanism.
Any solution?
Thanks.
Why don't you just put the CAPTCHA on your feedback page?
If that's not an option you need to use sessions to store the "captcha passed" flag and check for it on the contact page (also in your server-side code). After successfully submitting the form you need to clear the flag so someone cannot spam manually after completing just a single captcha.
You should be able to access the Referrer header of the request in your web platform. You can check this value to see if the referrer is from a page you accept. If not, you can return a 403 or whatever response, and if so, you can return the actual page. You will need access to a server-side framework, such as PHP or ASP.NET. Note, however, that it is easy to create HTTP requests and spoof the Referrer header.
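
An added example, not part of the answers above: the session-flag gate from the first answer next to a Referer-only check, so both can be run against a constructed request that sets the header by hand. `HOME`, the request objects and the function names are assumptions for illustration; a real site would use its framework's session store.

```javascript
// Added example: gate for the feedback page, session flag vs. Referer check.
const crypto = require('crypto');

const sessions = new Map();                  // session id -> { captchaPassed }
const HOME = 'https://www.mysite.example/';  // placeholder origin (assumption)

function newSession() {
  const sid = crypto.randomBytes(16).toString('hex');
  sessions.set(sid, { captchaPassed: false });
  return sid;                                // sent to the browser as a cookie
}

// Server-side handler for the modal's verification question.
function answerCaptcha(sid, answer, expected) {
  const s = sessions.get(sid);
  if (!s || answer !== expected) return false;
  s.captchaPassed = true;
  return true;
}

// Weak gate: trusts a header that the client fully controls.
function refererGate(req) {
  return (req.headers.referer || '').startsWith(HOME) ? 200 : 403;
}

// Session gate: GET shows the form, POST submits it and clears the flag,
// so one solved question allows exactly one submission.
function sessionGate(req) {
  const s = sessions.get(req.sid);
  if (!s || !s.captchaPassed) return 403;
  if (req.method === 'POST') s.captchaPassed = false;
  return 200;
}
```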

Prevent people from typing a URL manually

I'm in the middle of creating my website and need some help with stopping people from going to a page in my website manually. Basically, I've set up a contact form and once it's filled in, it sends you to a thank-you page. I want to stop people going to that page manually by typing in the URL for it. I want them to only be able to access it by filling out the form and hitting 'send'.
Firstly, is this possible, and if so, HOW?!
Thanks in advance!!
Have the page as the response to the POST and don't redirect to it.
You'll need to use a redirect in combination with some kind of persistent storage (DB, cookie, session).
Essentially on the thank you page, check that they came from the contact form, via persistent storage, otherwise redirect them.
Maybe you can check the HTTP method. If it is POST, presumably the user used the form. If it is GET, presumably they typed the address themselves.
Good luck!
You can insert a special hidden hash value in your form and check for it on the page you redirect to. It's not foolproof though.