I'm using a PayPal generated button that is hosted on their servers but it seems that if I take the code and pass into it a new item name it will also change the item name on the PayPal page:
<input type="hidden" name="item_name" value="testname">
I've also tried this for price and it remains the same as before, so that's ok. But for some reason it seems you can change the item name by adding this line.
How do I prevent this?
I don't want users hacking buttons because I use the item name with IPN to send the file to the user after he purchased.
I suggest registering the order in your database before you send them to the payment page. After the payment you can compare the payment information with the information you stored in the database.
This way you will be able to detect it when they edit input fields.
Ok, I guess I figured it out. For some odd reason, even though the button is hosted to PayPal, you can change the item name. I found that's the only thing you can change though.
To make sure the purchase goes well, even though the name can be changed, you can assign a code to each button when you create it (in PayPal). Then in your database group that code with the real item name. This way you can use the code to get the item name later when the IPN validation happens.
We use PDT's cmd=_notify-synch API to validate transactions when the customer is redirected back to our website after a payment.
We pass a "custom" value in our Paypal buttons with a customer id, and we expect to get this value back. This worked fine for the past 5 years.
Starting on or around 2018/10/19, the PDT API stopped returning the "custom" value that was passed in. This broke our payment flow.
Not sure if anybody else ran into this issue, and/or if there's a workaround or a configuration to change.
That button URL is for a hosted button, which means all of the parameters are set within PayPal when you create the button. You cannot pass a return value directly to a hosted button. You would need to adjust that in the hosted button itself within the PayPal account.
The only way to set it there would be with the Advanced Variables section, but of course you won't be able to make that dynamic. If this is a problem you're going to need to switch to using a non-hosted button so that you can then pass parameters directly the way you are trying to do.
Beyond that you could switch to using the Express Checkout API, and then you have more freedom and flexibility to do whatever you need during checkout.
Alright, I got my Paypal shopping cart set up and working, now I'd like to be able to add discount coupons.
I know I can simply implement the 'discount_amount_cart' variable in my form, but I'm still a little lost when it comes to handling the deactivation of a coupon code.
Let's say A activates the code. Now in my database it will be marked as 'reserved', meaning no one else can use it. Once A completes his transaction, the IPN will mark the code as 'used' and it becomes useless.
But what if A decides to activate the code, but never actually buys anything on my website?
I'm using the $_SESSION variable to save my shopping cart, so once the user returns to my website, the code might still be shown as activated for him. When exactly would I mark it back as 'not reserved & not used' in my database?
I could do this based on time, but this doesn't really feel safe either. Let's say the user puts everything into his basket, goes to Paypal, waits for an hour and then decides to finish his checkout. The discount would still be activated, but in the meantime, it could've already been 'unreserved' in the database and used by another person!?
How would I go about this?
Thanks in advance!
IMHO, this has little to do with PayPal and more about your business rules. If your coupon is single use (globally), then you will be faced with the same issue regardless of any payment flow.
Simply putting it in "cart" and/or any event where a user "activates" said coupon, then just navigating elsewhere in your site, doesn't do anything, [whatever], creates that lag.
It could be PayPal, Amazon, your own gateway - it really doesn't matter... but there will be a lag between activation and payment (beyond your control).
I think it's just best to be explicit with your customers and handle it appropriately technically (based on what that explicit messaging is).
You'll see some implementation of "timed purchase" at ticketing sites (e.g. buying a ticket to a game, movie, etc.) - they will have a "timer" for the user to do something (otherwise, the "reservation" is lost).
Hth...
Put an expiry date on coupon use - such as must be used within 10 days of activation. It gives the user urgency to use the coupon and gives you a timeframe to invalidate it.
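A sketch of the timed reservation the answers above describe, added here as an example and not taken from any of the posts. The table layout, the 15-minute window and the "conflict" outcome are assumptions; a late payment is still honoured as long as nobody else has claimed the coupon in the meantime.

```python
import sqlite3

RESERVATION_TTL = 15 * 60  # seconds; assumed value, show the same timer to the customer

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE coupons (code TEXT PRIMARY KEY, state TEXT DEFAULT 'free',
                              holder TEXT, reserved_until INTEGER);
        INSERT INTO coupons (code) VALUES ('SAVE10');  -- constructed sample coupon
    """)
    return db

def reserve(db, code, holder, now):
    """Claim a coupon that is free, already ours, or reserved past its deadline."""
    with db:
        # One UPDATE does the check and the claim, so two sessions cannot both win.
        cur = db.execute(
            """UPDATE coupons SET state = 'reserved', holder = ?, reserved_until = ?
               WHERE code = ? AND (state = 'free'
                  OR (state = 'reserved' AND (holder = ? OR reserved_until <= ?)))""",
            (holder, now + RESERVATION_TTL, code, holder, now))
    return cur.rowcount == 1

def redeem(db, code, holder):
    """Called from the IPN handler once the payment is confirmed."""
    with db:
        # Expired reservations are only lost when someone else claims them,
        # so a buyer who lingered at checkout still redeems if holder matches.
        cur = db.execute(
            """UPDATE coupons SET state = 'used'
               WHERE code = ? AND state = 'reserved' AND holder = ?""",
            (code, holder))
    if cur.rowcount == 1:
        return "used"
    # Coupon was re-reserved or used by another session: flag the order
    # for the business rule you announced to customers (assumption).
    return "conflict"
```

Here `holder` would be the session or customer id that activated the coupon, and `now` is a Unix timestamp supplied by the caller.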
PayPal has recently changed its integration method. Now, instead of providing the public/private key option, PayPal has selected a JavaScript button. My question is: how secure is this? Say, for example, I have used the following code to create a button.
<script src="js_path/paypal-button.min.js?merchant=XXXXXXXXXX"
data-button="buynow"
data-name="SiteName"
data-amount="10"
data-env="sandbox"
data-callback="payment_success.php"
data-cancel_return="payment_cancel.php"
data-currency="EUR"
></script>
Now if you are familiar with the Firebug add-on for Firefox, you can see all these values, easily edit them and pass them to the PayPal page. It will easily change the amount of 10 to 1, and the customer can pay 1 and leave the site. This is a loss to the merchant.
Previously I was using the method from http://www.stellarwebsolutions.com/en/articles/paypal_button_encryption_php.php to create encrypted buttons. It was working properly and no customer had complained of any problem like the one I mentioned before.
My question is: does this new system PayPal has created have this encryption facility? If not, what is the solution?
Thank you
Tejas Mehta
If you are wanting to use encrypted buttons so they can't be modified, you would want to use PayPal's BMCreateButton API so that you can dynamically create buttons on the fly. You could create hosted buttons, or encrypted buttons. Both buttons would prevent someone from modifying the amounts, etc.
I'm using VM 2.0.6 and Joomla 2.5 and the Multisafepay payment gateway.
Whenever a user puts a product in his cart and clicks on checkout, the user is sent to another page completely (Multisafepay's website, so not VM anymore) where he can select his desired payment option - same thing as PayPal, for example. But, at that time, Virtuemart is already sending an e-mail to the user confirming his order. That e-mail is saying: Thank you for your order blabla, the status of your order is blank..
So, VM is already sending an e-mail before the user paid.
Does anybody relate to this or know an answer?
VM 2.0.6 works like this: when the order is placed, meaning any one of the shipping and payment methods is selected and the cart has valid data, it will create the order and send an email to the user mentioning that an order has been placed.
You can change the mail-sending section if you need.
There is a function with a name like notifyemail (I am not sure of the name, but it starts with notify) in the path:
administrator/components/com_virtuemart/models/orders.php
You can check that all your required things, like shipping/payment methods, are selected before calling this function.
The function should be initiated from the cart.php controller in the front end.
You can change the point where an invoice copy is sent to the customer in the Store Configuration. Look for Configuration > check out > Default Order Status to send an invoice and make sure you have the Confirmed status chosen.
My notification script is launched twice: the first is VERIFIED and the second INVALID.
I've tried different ipn validation scripts and always get it twice.
I'm using the sandbox; maybe the seller account settings are not right? I've set IPN on with notify url and auto return. Also, in the form, return and notify_url are set.
I remember in the documentation it states that duplicates are possible -- that's just the nature of the internet. That's why it gives you a unique transaction ID. You're supposed to use that to prevent bad things from happening if you get notified twice.
A better question might be: why does it say Verified and then Invalid? Or is that ok?
EDIT
The docs say "PayPal sends a single word back, which is either VERIFIED if the message originated with PayPal or INVALID if there is any discrepancy with what was originally sent". I'm going to guess that YOUR code accidentally sends the "echo" back to PayPal twice and one of them is malformed. Maybe they're both identical but PayPal responds with INVALID if it gets it twice. But no matter, for a particular transaction Id, once you get VERIFIED, you're good. Simply ignore all subsequent responses.
EDIT 2
The return url is simply used by PayPal to redirect the user back to your site. Use this page to thank them for their purchase and inform them they will be notified once processing is complete. You can even set this to an empty string if you don't want this feature. When Payment is actually complete (or some problem was identified), PayPal will invoke the script referenced by the notify url. This is where you make sure everything looks right, handle duplicate notifications, update your database, send an email to the user saying their payment was processed, etc.
Before inserting or updating with your MySQL query, check if the returned transaction id '$_POST['txn_id']' already exists in your db table; if it doesn't exist, insert it with the other $_POST data, because PayPal calls the notify url many times.
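The server-side checks suggested in the first thread (look the item up by a per-button code, never by the posted item name) and in this one (ignore repeated notifications by txn_id), combined in one added example that is not code from any of the posts. It assumes the button code comes back in the IPN `item_number` field and that the caller has already done the cmd=_notify-validate postback; the table layout, merchant address and sample values are constructed.

```python
import sqlite3
from decimal import Decimal, InvalidOperation

MERCHANT_EMAIL = "seller@example.test"  # constructed placeholder

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (code TEXT PRIMARY KEY, name TEXT, price TEXT, currency TEXT);
        CREATE TABLE payments (txn_id TEXT PRIMARY KEY, code TEXT, payer TEXT);
        INSERT INTO products VALUES ('EBOOK-01', 'Real e-book title', '10.00', 'EUR');
    """)
    return db

def handle_ipn(db, ipn, verified):
    """Return (decision, item_name); item_name is set only when fulfilling."""
    if not verified:  # outcome of the cmd=_notify-validate postback
        return ("rejected: not verified", None)
    if ipn.get("payment_status") != "Completed" or not ipn.get("txn_id"):
        return ("rejected: not completed", None)
    if ipn.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return ("rejected: wrong receiver", None)
    # The product comes from our table via the button code; the posted
    # item_name is ignored because the buyer can edit it.
    row = db.execute("SELECT name, price, currency FROM products WHERE code = ?",
                     (ipn.get("item_number"),)).fetchone()
    if row is None:
        return ("rejected: unknown code", None)
    name, price, currency = row
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return ("rejected: bad amount", None)
    if paid != Decimal(price) or ipn.get("mc_currency") != currency:
        return ("rejected: amount mismatch", None)
    try:
        with db:  # PRIMARY KEY on txn_id makes a repeated notification fail here
            db.execute("INSERT INTO payments VALUES (?, ?, ?)",
                       (ipn["txn_id"], ipn["item_number"], ipn.get("payer_email")))
    except sqlite3.IntegrityError:
        return ("duplicate", None)
    return ("fulfilled", name)

# Constructed sample notification in which item_name was edited in the browser.
SAMPLE = {"txn_id": "TXN-CONSTRUCTED-1", "payment_status": "Completed",
          "receiver_email": "seller@example.test", "item_number": "EBOOK-01",
          "item_name": "testname", "mc_gross": "10.00", "mc_currency": "EUR",
          "payer_email": "buyer@example.test"}
```

Only a "fulfilled" result should trigger the file delivery; "duplicate" means the same transaction was already processed and nothing is sent again.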