How to secure PayPal's purchase forms - html

I'm trying to help someone with a problem, where you can donate for some points, but the source code will allow you to edit the values of the PayPal button.
For instance, I choose 5 points, which should cost 5 dollars, but when I edit the source code I can see the whole PayPal form with values, and edit the values.
So how can I secure the form so that it cannot be edited?
Here's the code:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="at" value="nBWAy2wwJn1O1LdoLcMn8AOdPxBBUxhnZfqFvAlGQq1oDm0czxn5FBcpgIW">
<input type="hidden" name="business" value="admin#worldofthegods.com">
<input type="hidden" name="item_name" value="DP|1|452160">
<input type="hidden" name="amount" value="1">
<input type="hidden" name="no_shipping" value="1">
<input type="hidden" name="return" value="http://www.worldofthegods.com/donate.php?action=done">
<input type="hidden" name="cancel_return" value="http://www.worldofthegods.com/donate.php?action=cancel">
<input type="hidden" name="notify_url" value="http://www.worldofthegods.com/ipn_donator.php">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="tax" value="0">
<input type="image" src="http://worldofthegods.com/images/PaypalButton.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>

That way, it's impossible. I can guess what you want to do, and the approach you are following is not the correct one.
You need to verify each payment and make sure it is valid and paid in the correct amount.
PayPal IPN is the solution, and you need some server-side programming.
Read more:
Paypal API Question - Can I use Return Url to verify payment
How to verify successful payment of paypal

I'd suggest using something like Express Checkout, which allows you to send the transaction details in an API call instead of showing them in HTML code to the buyer.
However, barring that, your next best option is to use Encrypted Website Payments. https://developer.paypal.com/webapps/developer/docs/classic/paypal-payments-standard/integration-guide/encryptedwebpayments/#id08A3I0P017Q

Related

How do I add shipping values per item?

I am using Joomla for my website which has some items for sale. I have hard coded the paypal buttons and costs for this and it works well:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="paypal">
<input alt="Add this item to your order" name="submit" src="/add-to-order.gif" type="image" />
<input name="add" type="hidden" value="1" />
<input name="cmd" type="hidden" value="_cart" />
<input name="business" type="hidden" value="name#name.co.uk" />
<input name="item_name" type="hidden" value="Item name" />
<input name="amount" type="hidden" value="500.00" />
<input name="no_shipping" type="hidden" value="2" />
<input name="currency_code" type="hidden" value="GBP" />
<input name="bn" type="hidden" value="PP-ShopCartBF" />
</form>
However, I wanted to add shipping values per item. These will be different depending on the region of delivery and the item. Is this all handled in the back-end PayPal setup? Or do I need to pass in these values? Any advice would be great, thanks, as I'm unsure of how to proceed.
For that PayPal integration, which is very old (about 20 years), the variables available for shipping and everything else are all documented here. The cart upload command specifically is explained here.
A current PayPal Checkout is much different.

PayPal HTML form Basics with unencrypted values

Is it still possible to use the PayPal HTML form basics with unencrypted values in hidden fields? I know that people can easily change the values in the form, but can I use it, or is there a problem with PayPal? Can PayPal block or limit my account if on my site I use this kind of form to pass the payment value? Thanks
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_cart">
<input type="hidden" name="business" value="seller#site.com">
<input type="hidden" name="item_name" value="hat">
<input type="hidden" name="item_number" value="123">
<input type="hidden" name="amount" value="15.00">
<input type="hidden" name="first_name" value="John">
<input type="hidden" name="last_name" value="Doe">
<input type="hidden" name="address1" value="9 Elm Street">
<input type="hidden" name="address2" value="Apt 5">
<input type="hidden" name="city" value="Berwyn">
<input type="hidden" name="state" value="PA">
<input type="hidden" name="zip" value="19312">
<input type="hidden" name="night_phone_a" value="610">
<input type="hidden" name="night_phone_b" value="555">
<input type="hidden" name="night_phone_c" value="1234">
<input type="hidden" name="email" value="jdoe#test.com">
<input type="image" name="submit"
src="https://www.paypalobjects.com/en_US/i/btn/btn_buynow_LG.gif"
alt="PayPal - The safer, easier way to pay online">
</form>
For backwards compatibility with old websites, legacy HTML forms like this will still work. They redirect to the PayPal site, and the PayPal site securely collects the payment information.
However, there is absolutely no reason to use an HTML form. The current HTML/JS Checkout integration supports all the same features of the above and more. It presents a modern, in-context experience and does not redirect away from your site.

Paypal recurring payments using cmd=_xclick-subscriptions not returning transaction data to return url

I'm using a recurring payment feature on my website. Below is the code for the payment page.
<form id="ofnForm" action="https://www.paypal.com/cgi-bin/webscr" method="post">
<!-- Identify your business so that you can collect the payments. -->
<input type="hidden" name="business" value="XXXXXXX#gmail.com">
<!-- Specify a Subscribe button (cmd=_xclick-subscriptions): a3 = amount, p3/t3 = period (1 year), src = recurring. -->
<input type="hidden" name="cmd" value="_xclick-subscriptions">
<input type="hidden" name="a3" value="5">
<input type="hidden" name="p3" value="1">
<input type="hidden" name="t3" value="Y">
<input type="hidden" name="src" value="1">
<!-- Specify details about the item that buyers will purchase. -->
<input type="hidden" name="currency_code" value="GBP">
<input type="hidden" class="payData" name="custom" value="1286">
<!-- Specify URLs. rm=2 makes PayPal POST the transaction variables to the return URL. -->
<input type="hidden" name="cancel_return" value="XXX.com/users/paymentAccountstatus/1286">
<input type="hidden" name="return" value="XXX.com/users/paymentAccountstatus/1286">
<input type="hidden" name="notify_url" value="XXX.com/users/paymentAccountstatus/1286">
<input type="hidden" name="rm" value="2">
<!-- Display the payment button. -->
<img style="margin-top: 10px;" src="xx.com/image/paypal.png" id="paypal_img" class="paypal_img"/>
</form>
On click of the payment button, the system redirects to the PayPal website, where the user is able to pay the amount. After the payment succeeds, PayPal redirects to the receipt page to show the payment details. Below the payment details there is a button called "Return to merchant website". On clicking that button, the user is redirected to my website, but I am not able to retrieve any data from the return response.
Could anyone tell me why I am not able to receive any response from PayPal?
Any help is appreciated.
Do you have "Payment data transfer" enabled in https://www.paypal.com/businessmanage/preferences/website ?
It might not work with subscriptions.
In any case, it's not very useful. The user may never return, either because they didn't click to return or because they were interrupted somehow.
If you need a reliable notification of the transaction information from subscriptions, set up a separate asynchronous listener for either webhook events or the older Instant Payment Notification (IPN) message service.
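An added example (not from the question or answers, and not PayPal's own code) of the server-side check that the IPN answers above and the first answer on this page describe: a listener for the form's notify_url that echoes the message back to PayPal with cmd=_notify-validate, then compares what was actually paid (mc_gross/mc_currency) against a price table the server owns, for both the Buy Now form of the first question (assuming its item_name is laid out as DP|points|user-id, as DP|1|452160 suggests) and the subscription form above (custom carries the user id). PRICE_TABLE, SUBSCRIPTION_PRICE, RECEIVER_EMAIL and the in-memory SEEN_TXN_IDS set are assumptions for illustration; the form's own amount field is never consulted.

```python
import urllib.parse
import urllib.request
from decimal import Decimal, InvalidOperation
# Server-side source of truth for prices (constructed for this example; keep it in your database).
PRICE_TABLE = {"1": ("1.00", "USD"), "5": ("5.00", "USD")}   # points -> (amount, currency)
SUBSCRIPTION_PRICE = ("5.00", "GBP")                           # a3=5, currency_code=GBP above
RECEIVER_EMAIL = "admin@example.com"                           # placeholder: your PayPal business email
SEEN_TXN_IDS = set()                                           # use a unique DB column in production

def paypal_says_verified(raw_body: bytes) -> bool:
    """Echo the IPN back to PayPal with cmd=_notify-validate; PayPal replies VERIFIED or INVALID."""
    req = urllib.request.Request(
        "https://ipnpb.paypal.com/cgi-bin/webscr",
        data=b"cmd=_notify-validate&" + raw_body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read() == b"VERIFIED"

def handle_ipn(raw_body: bytes, verify=paypal_says_verified):
    """Return (ok, reason); credit the user only when ok is True. 'verify' is injectable for tests."""
    if not verify(raw_body):
        return False, "not verified by PayPal"
    ipn = dict(urllib.parse.parse_qsl(raw_body.decode("utf-8")))
    if ipn.get("payment_status") != "Completed":
        return False, "payment not completed"
    if ipn.get("receiver_email", "").lower() != RECEIVER_EMAIL:
        return False, "paid to a different account"
    txn_id = ipn.get("txn_id", "")
    if not txn_id or txn_id in SEEN_TXN_IDS:
        return False, "missing or replayed txn_id"
    txn_type = ipn.get("txn_type")
    if txn_type == "web_accept":            # Buy Now: item_name is "DP|<points>|<user id>"
        try:
            _, points, user_id = ipn.get("item_name", "").split("|")
            expected_amount, expected_currency = PRICE_TABLE[points]
        except (ValueError, KeyError):
            return False, "unknown item"
    elif txn_type == "subscr_payment":      # subscription cycle: custom carries the user id
        user_id = ipn.get("custom", "")
        expected_amount, expected_currency = SUBSCRIPTION_PRICE
    else:
        return False, f"unhandled txn_type {txn_type}"
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return False, "unparseable amount"
    if paid != Decimal(expected_amount) or ipn.get("mc_currency") != expected_currency:
        return False, "amount or currency does not match the server-side price"
    SEEN_TXN_IDS.add(txn_id)
    return True, f"credit user {user_id}"
```

Call handle_ipn with the raw POST body your notify_url endpoint receives and record the outcome before answering 200, since PayPal retries until it gets one.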

Google Checkout HTML API for Hidden description field? or important information

I run a business selling gold (intangible electronic goods).
Recently I came across some difficulties with PayPal, where customers started doing chargebacks. I have now switched over to Google Checkout and am now making the website more secure against this type of fraud.
So I am collecting the user's IP address / hostname / user-agent / proxy information, which I will send to credit card companies and the FBI to resolve chargebacks from now on. I can't really start a database, since my website doesn't use any databases, just sessions.
So for now I am sending the information as a secondary item, with a price of $0.00 (free), in base64-encoded format.
So how do I get the customer's information but make it so the customer doesn't see this information, as first of all it may scare some customers?
The HTML Code my shopping website generates is like this.
<form method="POST" action="https://checkout.google.com/api/checkout/v2/checkoutForm/Merchant/*Snipped*" accept-charset="utf-8">
<!-- Sell digital goods with email delivery of download instructions (with tax, no shipping) -->
<input type="hidden" name="hl" value="pt_BR">
<input type="hidden" name="item_description_1" value="Character: [5464564]: Tiberica">
<input type="hidden" name="item_name_1" value="10,000 Gold [Nation]">
<input type="hidden" name="item_price_1" value="0.01">
<input type="hidden" name="item_currency_1" value="USD">
<input type="hidden" name="item_quantity_1" value="1">
<input type="hidden" name="shopping-cart.items.item-1.digital-content.display-disposition" value="PESSIMISTIC">
<input type="hidden" name="shopping-cart.items.item-1.digital-content.email-delivery" value="true">
<!-- Customer information -->
<input type="hidden" name="item_name_2" value="Customer Information [Não é importante para o cliente]">
<input type="hidden" name="item_description_2" value="SVAgYWRkcmVzczogNzEuMTkwLjE3Ni40OQpSZW1vdGUgSG9zdDogcG9vbC03MS0xOTAtMTc2LTQ5Lm55Y21ueS5maW9zLnZlcml6b24ubmV0IC0gClVzZXIgQWdlbnQ6IE1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDUuMSkgQXBwbGVXZWJLaXQvNTM1LjIgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTUuMC44NzQuMTIxIFNhZmFyaS81MzUuMgpQcm94eT86IApQcm94eSBIb3N0PzogClByb3h5IFNlcnZlcj86IAo=">
<input type="hidden" name="item_price_2" value="0.00">
<input type="hidden" name="item_currency_2" value="USD">
<input type="hidden" name="item_quantity_2" value="1">
<input type="hidden" name="shopping-cart.items.item-2.digital-content.display-disposition" value="PESSIMISTIC">
<input type="hidden" name="shopping-cart.items.item-2.digital-content.email-delivery" value="true">
<!-- No tax code -->
<!-- No shipping code -->
<input type="hidden" name="_charset_" value="utf-8">
<input type="image" name="Google Checkout" alt="Fast checkout through Google" src="index_files/checkout_br.png" style="position: relative; top: -38px;left: 486px;">
</form>
Thanks.
Why not use PHP (or ASP) and save the details to a database before forwarding to Google Checkout, then update the order with the transaction ID using callbacks?

google checkout digital products

Basically, I want functionality to download code from my website.
I checked the following link for Google Checkout digital products:
https://checkout.google.com/support/sell/bin/answer.py?answer=39011
I created a Buy Now button for a digital product from the sandbox using this link. The HTML code redirects me to Google Checkout as usual.
But it does not give me any download link anywhere after payment.
<form action="https://sandbox.google.com/checkout/api/checkout/v2/checkoutForm/Merchant/859574590497884" id="BB_BuyButtonForm" method="post" name="BB_BuyButtonForm" target="_top">
<input name="item_name_1" type="hidden" value="mycode"/>
<input name="item_description_1" type="hidden" value="this item is all about my code"/>
<input name="item_quantity_1" type="hidden" value="1"/>
<input name="item_price_1" type="hidden" value="1251.0"/>
<input name="item_currency_1" type="hidden" value="USD"/>
<input name="shopping-cart.items.item-1.digital-content.description" type="hidden" value="Please read this instructions.."/>
<input name="shopping-cart.items.item-1.digital-content.url" type="hidden" value="http://www.xxxxxxxx.in/xxxxxxxx/xxxxxx/20110929034224791156.pdf"/>
<input name="_charset_" type="hidden" value="utf-8"/>
<input alt="" src="https://sandbox.google.com/checkout/buttons/buy.gif?merchant_id=859574590497884&w=117&h=48&style=white&variant=text&loc=en_US" type="image"/>
</form>
You need to use continue_url:
<input type="hidden" name="continue_url" value="http://www.example.com/download"/>
Google Checkout offers a digital delivery solution, with various options for providing access to the digital content.
Please be aware that credit card transactions are authorized and charged AFTER the user places the order. Depending on how valuable the content is, you may want to hold off providing the URL to the download content until payment is guaranteed.
More details in this doc:
http://code.google.com/apis/checkout/developer/Google_Checkout_Digital_Delivery.html