Is safe to give to client payment id and transaction id from Paypal?
For example:
Payment ID : PAY-4AB012345C901234DEFABCDE
Transaction ID: 12A34567BC8901234
Transaction ID is definitely safe. The user will even receive an email with the transaction ID as a reference.
Also, I'm pretty sure Payment ID is added to the redirect URL when the payment has been made. So they are both available for the user.
Both the Transaction ID and Payment ID are simply identifiers our system uses as part of the payment process. This information cannot really be used in any way that could cause harm.
Particularly the Payment ID is used to identify a session and has no meaning to your customers so there is no harm in displaying it, though there is also no point in displaying it at the same time.
Related
I have been able to create an order, get it approved and capture payment using PayPal sandbox. I would now like to test linking to the receipt for that order.
So, given that the order id assigned by PayPal is 1VC7586169694032B, based on the docs I tried to point my browser to the following locations:
https://www.paypal.com/receipt/?id=1VC7586169694032B
https://api.sandbox.paypal.com/receipt/?id=1VC7586169694032B
https://api.sandbox.paypal.com/v2/receipt/?id=1VC7586169694032B
https://www.api.sandbox.paypal.com/receipt/?id=1VC7586169694032B
https://www.api.sandbox.paypal.com/v2/receipt/?id=1VC7586169694032B
https://sandbox.paypal.com/v2/receipt/?id=1VC7586169694032B
None of these worked.
So, are receipts for sandbox transactions stored? If so, what is the correct link? If not, how can I test the feature of linking to the order receipt without creating a real live transaction?
An order id is not a PayPal transaction id. And neither one is a receipt id, much less a PayPal Here invoice id which are the docs and links in your question.
When you capture an order id, the merchant account's transaction id will be in the response at purchase_units[0].payments.captures[0].id.
That id can be looked up in PayPal.com . Perhaps you could dynamically link to the resulting details page, I haven't tested it.
Note that the merchant account and the payer account each have their own different transaction id, but it's possible to search for the "other account's" transaction id in paypal.com and still reach the details page.
A listener on my website 'listens' for successful purchases made via Paypal. Data retrieved by the listener includes a post variable that I can set before initiating the purchase. This is possible with Paypal's IPN(Instant Payment Notification). I am trying to get the IPN to recognize the users account on my website upon purchase. Every account on my website has a unique user ID number.
I have tried passing the accounts unique ID through Paypal's "Custom" variable so the IPN can listen for that. Though I think this is a bad idea because then people can purchase things for another account if they passed their unique ID. Though this is a guaranteed purchase handler, hackers can take advantage of this with social engineering.
I see that some people instead pass the session_id with php, but this isn't safe because the listener would have no way of recognizing the user's website account if the session_id were to disappear. I also see that people will pass a cookie tied to the user's unique account. I don't think this is a good idea because the cookie could be cleared.
It is to my impression that I can not send a refund or cancel a purchase if the user's account could not be identified(Without doing it manually). What checkout flow should I do?
I would create a local invoice record in your system, and this invoice would get a customer ID associated with it.
Then you can use the INVOICE parameter to pass the invoice ID to PayPal, and that would come back in IPN where you can then lookup the customer ID based on that invoice ID.
My application uses PayPal java library to make payments. Everything works fine but I can't understand one thing. What exactly is transaction code? Let's say I make a payment and then approve it. As a result I receive the JSON object which has an ID (PAY-*) and transactions->related resources->sale->ID. Both of them I store in the DB in order to show later to user (in case he wants to refund the money). But if I see these payments from PayPal customer portal, in the descriptions of payment I see non of these ID's.. Transaction code is totally different! So which one of them should I store?
Thank you in advance
PayPal generally uses a transaction ID. It's a 16 character alphanumeric string. This will appear in both your API response and the PayPal site. Assuming REST is like Classic, the Transaction ID is how you will reference the payment for any future operations (capture, refund, etc).
Please note that if you're using Express Checkout (where the customer pays via PayPal account) they will have their own transaction ID for the exact same transaction.
I'm using PayPal Express checkout and I'm trying to display to the customer their transaction id at the end of the checkout process on the thank you page.
I'm currently pulling back:
PAYMENTREQUEST_0_TRANSACTIONID
Which is the transaction id that is logged in my business account. However the transaction id on the email sent to the customer is different to this id that is being returned.
I'm using this API: https://developer.paypal.com/docs/classic/api/merchant/SetExpressCheckout_API_Operation_NVP/
The documentation states
"(Optional) Transaction identification number of the transaction that was created. You can specify up to 10 payments, where n is a digit between 0 and 9, inclusive.
Note This field is only returned after a successful transaction for DoExpressCheckout has occurred.
TRANSACTIONID is deprecated since version 63.0. Use PAYMENTREQUEST_0_TRANSACTIONID instead. "
I'm also using
PAYMENTREQUEST_0_INVNUM
Which is very helpful and lets me put my order reference number into the main body of the email that the customer receives, but I'd also like their transaction id, so that if they send a query through this can be logged in a field in the database and cross referenced against the order with just the transaction id.
Any help would be appreciated!
Thanks
PayPal assigns different transactions to the buyer and the seller. I'm not exactly sure why, but I know they do.
If a customer gives you their transaction ID, though, you CAN find it in your PayPal account by doing a search through paypal.com or via the TransactionSearch API.
I wanted to use Paypal's IPN service to verify payments for a recurring subscription charge for my website. How do you tie the IPN confirmations to a user in your site?
The IPN confirmation message has a name, email, paypal ID, recurring payment ID, but it seems to not give a unique identifier since I don't know where the paypal ID or recurring payment id comes from and it may not be trivial to uniquely match up the name/email that a user has on their paypal account (or entered there) with the name/email I have for them on my site (there may be many John Smith's and the person may choose to use a different email.)
1) When I send the initial payment request to Paypal, I can attach a unique UUID in the URL I ask them to send back to me, so if I save that unique ID for that user I can match that payment confirmation to the user who initiated it. Am I making that harder than it is? Is there an easier way?
2) Also, for a recurring/subscription charge, does paypal always use the URL I specified with the initial payment initiation? Does anyone have practical experience using the recurring Paypal payments with IPN's, does it reuse that unique URL? Or do I have to associate the Paypal ID's with the user after the first recurring payment is received?
Attaching unique data to the payment request is pretty much the accepted way to do it.
I don't have any experience with recurring charges.
I recently also set up some reoccurring payments with Paypal.
I actually wanted people to register as members after paying for the subscription, if they wanted to. As having to sign up as a member could add some friction to the sale process. So I don't send any user info along with the Subscribe button.
What my IPN script does is generate a unique activation code tied to the Paypal subscriptionID in the Activations table, then it sends this code to whoever paid for the subscription, with instructions on how to activate.
At the point of activation, you need to register or login. At this point the userID is added to the relevant row in the Activations table.
When the EndOfTerm IPN notification comes in the IPN script looks up the userID from the Activations table based on the SubscriberID given in the IPN. Then I can do whatever I need to do to that user to disable their subscription.
At all time the URL of the IPN script remains the same.
1) You can send an 'item_number' parameter with the initial subscription setup, which will get passed back to you. I'd suggest embedding an identification token in it.
2) If you mean the 'return' parameter, no, that's for sending the user to at the conclusion of the subscription setup. The renewal is automatic and doesn't 'ping' that page.
1) You want to be using the item_number parameter. Set this in your HTML form shown to the customer, and it will be returned to you by the paypal IPN, so you can put a database row ID in here, and use it to match up to the right person later.