PayPal PHP API security issue - paypal

I was trying to use the Express Checkout PHP API. Everything is working well in the sandbox environment. My question is regarding security.
After payment the sample code redirects to GetExpressCheckout.php?token=...&PayerID=.....; but after clicking "confirm payment" on my site and logging in to my PayPal account (I did not confirm the payment in PayPal), I directly opened the same page in another tab, and it showed "payment successful" (which is not the case). Is there a way to prevent this, or am I missing something?

I'm not following exactly what you're trying to say here.
The process needs to be...
1) Call SetExpressCheckout to retrieve your token and redirect to PayPal accordingly.
2) PayPal will return the user back to your ReturnURL if they confirm payment, at which point you can call GetExpressCheckoutDetails (optionally) and DoExpressCheckoutPayment to finalize the payment.
Not until DECP is completed does any transaction actually take place. The success message you're seeing probably came from GetExpressCheckoutDetails, which does nothing more than retrieve the buyer/order info so that you can finalize the payment on your site.

Related

paypal express checkout notify url without api

I have a situation for which I am unable to find the answer. I am using the PayPal Express Checkout method via a simple form, not the API. When the user/buyer reaches the PayPal payment page, after a successful payment it gives the user/buyer two button options ("your PayPal account" and "return to site"). If the user returns to the site, good enough, I get all the transaction details, but in case he does not, there is no way to capture the transaction result. Is there a return URL that can be specified in the HTML Express Checkout method? Also, does it require the seller to enable IPN in his account, or is it enabled by default?
My issue is that it's a third-party application where the seller adds his PayPal account to accept payments, but on a successful payment it needs to return to the website. The issue is that I can't ask the seller to enable any specific things in his PayPal account, as whether he does or does not, there is no way for me to verify this while he sets up the account on my service or platform.
You need to be using Instant Payment Notification (IPN) to handle that instead of Payment Data Transfer (PDT). They're essentially the same thing except that PDT only works on the return URL (which isn't guaranteed to get hit as you're finding out) and IPN will be triggered in the background regardless of whether or not the buyer makes it back to your return URL.
You can include the "notify_url" parameter in your HTML form code to pass the URL you'd like the IPNs to get sent to. This will override any setting the merchant might have set up in their own PayPal account.

Use PayPal Express Checkout in minimum steps using NVP in ASP.NET

I want to use PayPal Express Checkout in my application in the minimum number of steps,
like:
click on PayPal button -> verify account on PayPal -> back with token to my application ->
confirm the payment -> success message -> credited into my account (user not redirected to PayPal); only get the success message on the application.
Currently PayPal confirms the payment of the user on the PayPal site, but I want it in my application,
and the user is only redirected once to the PayPal site for account verification; the rest of the process is done on the backend side of my ASP.NET application.
I guess that's the way PayPal works. And where is the call to GetExpressCheckoutDetails?
If you want the PayPal shipping details on your web page, you need to call this method.
It will return the shipping details; then create a button for, say, "Pay" and call the DoExpressCheckoutPayment method of the PayPal API to complete your transaction :D
You can try this as a starting point: https://paypal-labs.com/integrationwizard/ecpaypal/main.php (SSL is expired or invalid so you'll have to add security exception, but it works)

Getting notification from PayPal on new subscriptions

While playing in the sandbox and setting up recurring payments via SetExpressCheckout (as suggested in the docs), I can successfully create a BillingAgreement and receive a token. Now after the user follows a link like https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=[token goes here] , agrees to all terms and conditions etc., he is automatically redirected to the returnUrl provided in the SetExpressCheckout method, and additionally this token value is appended to the returnUrl.
So far so good. Now the question is: can I rely on the fact that the returnUrl will be called at all times? E.g., what happens when for some reason the user's browser refuses or fails to be redirected to the specified URL?
As far as I can understand from the PayPal documentation, you cannot use IPN to notify you of new subscriptions initiated by the user, though clearly IPNs would be the ideal option. I have tried to provide a notifyUrl when I compose the SetExpressCheckout request, but it is not being hit. The same IPN works fine for the "pay" method which I use for one-time purchases.
I think you're missing a step in there. The recurring payments profile doesn't get created while the buyer is on the PayPal website -- you have to wait for the buyer to come back to your return URL, then call CreateRecurringPaymentsProfile to actually create the recurring payment. If you never call CreateRecurringPaymentsProfile, then no recurring payment gets created -- which is probably why you're not getting any IPNs.
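The return-URL step the answer above describes, as an added example in Python (standard library only); this is not the poster's code or PayPal's SDK. The NVP field names (L_BILLINGTYPE0, L_BILLINGAGREEMENTDESCRIPTION0, PROFILESTARTDATE, DESC, BILLINGPERIOD, BILLINGFREQUENCY, PROFILEID, PROFILESTATUS) are PayPal's; the pending_agreements dict, the helper names and the response string used in the test are constructed, and no network call is made. The point it shows: the description you pass to CreateRecurringPaymentsProfile must be the one the buyer agreed to at SetExpressCheckout time, and nothing exists (so no IPN can fire) until that second call returns ACK=Success with a PROFILEID.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode

# Stand-in for the database row you write when you send SetExpressCheckout
# (assumption: keyed by the TOKEN PayPal returned).
pending_agreements = {}


def sec_fields(desc, return_url, cancel_url):
    """SetExpressCheckout parameters that ask the buyer for a billing agreement
    rather than an immediate payment; nothing is charged at this step."""
    return {"METHOD": "SetExpressCheckout", "VERSION": "93",
            "PAYMENTREQUEST_0_AMT": "0",
            "L_BILLINGTYPE0": "RecurringPayments",
            "L_BILLINGAGREEMENTDESCRIPTION0": desc,
            "RETURNURL": return_url, "CANCELURL": cancel_url}


def remember_agreement(token, desc, amt, currency, period, frequency):
    """Persist what the buyer is agreeing to, keyed by the token from SetExpressCheckout."""
    pending_agreements[token] = {"desc": desc, "amt": amt, "currency": currency,
                                 "period": period, "frequency": frequency,
                                 "profile_id": None}


def crpp_fields(token, start=None):
    """Built in the return-URL handler from what was stored at SetExpressCheckout
    time. DESC must equal the L_BILLINGAGREEMENTDESCRIPTION0 the buyer saw."""
    a = pending_agreements[token]
    start = start or datetime.now(timezone.utc)
    return {"METHOD": "CreateRecurringPaymentsProfile", "VERSION": "93",
            "TOKEN": token,
            "PROFILESTARTDATE": start.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "DESC": a["desc"],
            "BILLINGPERIOD": a["period"],            # Day, Week, SemiMonth, Month or Year
            "BILLINGFREQUENCY": str(a["frequency"]),
            "AMT": a["amt"], "CURRENCYCODE": a["currency"],
            "MAXFAILEDPAYMENTS": "3"}


def record_profile(token, nvp_response):
    """Parse the CreateRecurringPaymentsProfile reply. Only ACK=Success with a
    PROFILEID means a subscription now exists; anything else is 'not created'."""
    r = dict(parse_qsl(nvp_response))
    if r.get("ACK") not in ("Success", "SuccessWithWarning") or not r.get("PROFILEID"):
        return None
    pending_agreements[token]["profile_id"] = r["PROFILEID"]
    return {"profile_id": r["PROFILEID"], "status": r.get("PROFILESTATUS")}


def nvp_body(fields, user, pwd, signature):
    """Serialise one request body for the NVP endpoint; credentials are placeholders."""
    return urlencode({**fields, "USER": user, "PWD": pwd, "SIGNATURE": signature})
```

In a real handler you would POST nvp_body(crpp_fields(token), ...) to the NVP endpoint and pass the response text to record_profile; if record_profile returns None, do not show the buyer a "subscribed" page.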

What if the user doesn't get redirected after PayPal payment?

After adding stuff to the shopping cart, clicking some "Pay Now with PayPal" button, and a successful PayPal payment (PP or CC), it is logically possible that a user stays on the PayPal website, if for example the Auto Return option isn't activated (or it is, but it doesn't work because the user is a guest user without a PP account).
The user can return to the site by clicking a link, but doesn't have to. My question is: if he doesn't, how will the site owner be aware that the user paid, so that he can now send the items by post? That the site owner gets informed of being paid seems elementary to me, so I find it incomprehensible that such an elementary thing be left to some obscure Auto-Return option.
Please can somebody explain this to me?
This is a common challenge with any redirected payment gateway, and it's the reason most (if not all) of them implement some sort of asynchronous notification that a payment has been completed. In PayPal, this is the Instant Payment Notification (IPN). You must set up on your site either a generic IPN listener that you link to from your PayPal account profile settings, or you can create a more targeted IPN listener specifically for your transactions and use the NOTIFYURL (or related) parameter in the form or API request you use to redirect to PayPal to send IPNs to that listener.
In my integrations, I never perform any order update or transaction logging when the customer returns from the site, preferring instead to wait for the IPN that I can validate and ensure came from PayPal as opposed to a spoofed return from someone trying to hack my checkout process.
For more information, see the IPN documentation: https://www.x.com/developers/paypal/documentation-tools/ipn/integration-guide/IPNIntro
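An IPN listener that does the validation the answer above relies on (and that the earlier notify_url answer assumes you have), as an added example in Python (standard library only); it is not code from either answer or from PayPal. The protocol pieces are PayPal's: the listener echoes the raw POST body back, prefixed with cmd=_notify-validate, and PayPal replies VERIFIED or INVALID; the field names (txn_id, payment_status, receiver_email, invoice, mc_gross, mc_currency) are the IPN variable names. The IpnListener class, the in-memory order store, the sandbox postback URL choice and SAMPLE_IPN are constructed for this example, and the test swaps the network postback for a stub so it runs offline. The order of checks is the point: VERIFIED only proves PayPal sent it, not that it is your money, the right amount, or the first time you have seen it.

```python
import urllib.request
from urllib.parse import parse_qsl, urlencode

# Sandbox postback endpoint (assumption: switch to https://ipnpb.paypal.com/cgi-bin/webscr for live).
IPN_VERIFY_URL = "https://ipnpb.sandbox.paypal.com/cgi-bin/webscr"


def live_postback(raw_body: bytes) -> str:
    """Echo the message back to PayPal exactly as received (re-encoding a parsed
    dict can reorder fields and yield INVALID). Not called by the offline test."""
    req = urllib.request.Request(
        IPN_VERIFY_URL, data=b"cmd=_notify-validate&" + raw_body,
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "ipn-listener/1.0"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8").strip()


class IpnListener:
    """Everything a listener should check before it treats a notification as
    'we got paid'. Orders and seen transaction ids live in dicts here; use a
    database with a unique index on txn_id in real code."""

    def __init__(self, receiver_email, postback=live_postback):
        self.receiver_email = receiver_email.lower()
        self.postback = postback          # injectable so the flow can be tested offline
        self.orders = {}                  # invoice -> {"amount", "currency", "status"}
        self.seen_txn = set()

    def handle(self, raw_body: bytes) -> str:
        # 1. Authenticity: anyone can POST to this URL, so ask PayPal first.
        if self.postback(raw_body) != "VERIFIED":
            return "reject: not verified"
        p = dict(parse_qsl(raw_body.decode("utf-8")))
        # 2. Is it our money? A VERIFIED IPN for someone else's account is still genuine.
        if p.get("receiver_email", "").lower() != self.receiver_email:
            return "reject: wrong receiver"
        # 3. Only Completed means funds are there; Pending/Reversed/Refunded need other handling.
        if p.get("payment_status") != "Completed":
            return "ignore: status " + p.get("payment_status", "?")
        # 4. Amount and currency are compared against the order we raised, never trusted from the POST.
        order = self.orders.get(p.get("invoice"))
        if order is None:
            return "reject: unknown invoice"
        if (p.get("mc_gross"), p.get("mc_currency")) != (order["amount"], order["currency"]):
            return "reject: amount/currency mismatch"
        # 5. PayPal retries until it gets a 200; a txn_id must ship goods only once.
        txn = p.get("txn_id")
        if not txn:
            return "reject: missing txn_id"
        if txn in self.seen_txn:
            return "ignore: duplicate txn_id"
        self.seen_txn.add(txn)
        order.update(status="paid", txn_id=txn)
        return "fulfil"


# Constructed sample message; not a real PayPal notification.
SAMPLE_IPN = urlencode({
    "payment_status": "Completed", "receiver_email": "seller@example.com",
    "invoice": "INV-1001", "mc_gross": "10.00", "mc_currency": "USD",
    "txn_id": "TXN0001EXAMPLE", "payer_email": "buyer@example.com",
}).encode("utf-8")
```

Whatever handle returns, the HTTP handler should still answer 200 so PayPal stops retrying; log the reject reasons rather than surfacing them to the caller.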
PayPal provides IPN for this purpose, through which PayPal sends an asynchronous request to your site, and you can perform whichever action you want.
I think the point may have been missed here, or a problem does exist. If the purchaser uses a CC, even if you have IPN set up and it works, if the purchaser does not click a button on the last page (which is not presented when using a PP account), it is possible for the funds to go through but no IPN to be sent, and so your website is unaware of the purchase. This last page is an extra page that the CC user gets after the page with the Pay button on it.
In this state, you can even go into the IPN history, and the IPN is there and says it is sent, but it hasn't been. It does not get sent until after the purchaser clicks the button on the extra page, and then they are taken to the auto-return page.

Not receiving money through Paypal Express Checkout API

I developed a small payment process that uses the Express Checkout API. I'm testing the code with my friend's account with $1. My payment process is redirecting to the live paypal site, he enters his information and pays, he is redirected to my confirmation thank you page, but I never receive funds. I've checked my API credentials in the code, and they are OK. I'm receiving a token and paypal payerid info on my confirmation screen. What could be the problem?
Thank you in advance.
See my answer in Why is DoExpressCheckoutPayment required for Paypal?
In order to use Express Checkout, you must call at least the following API calls:
1. SetExpressCheckout -- to set up the transaction.
2. DoExpressCheckoutPayment -- to finalize the transaction.
If you don't call DoExpressCheckoutPayment on the 'Thank you' page, the transaction is not completed. This is by design, to allow for greater flexibility.
Express Checkout is intended as a drop-in solution in your own checkout process. After Express Checkout redirects you back to your site, you're supposed to show an order confirmation where the buyer can review his/her final order details before initiating a button / link which initiates the final DoExpressCheckoutPayment API call. This is why DoExpressCheckoutPayment is required.
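The complete SetExpressCheckout / GetExpressCheckoutDetails / DoExpressCheckoutPayment flow as an added example, written so the return page can only say "paid" after DoExpressCheckoutPayment has returned Completed; it illustrates both the first answer on this page (the "success" the poster saw came from GetExpressCheckoutDetails, which charges nothing) and the answer just above (why DECP is required). This is Python using only the standard library, not the poster's PHP or any PayPal SDK. The NVP method and field names (METHOD, TOKEN, PAYERID, ACK, CHECKOUTSTATUS, PAYMENTREQUEST_0_AMT, PAYMENTINFO_0_PAYMENTSTATUS, PAYMENTINFO_0_TRANSACTIONID) and the token/PayerID query parameters PayPal appends to the return URL are real; FakePayPal, Merchant, the in-memory order store and the credential placeholders are constructed so the example runs offline. Reproducing the poster's experiment (opening the return URL with a token before confirming on PayPal) against this code yields "not approved", not "paid".

```python
import secrets
from urllib.parse import parse_qsl, urlencode


class FakePayPal:
    """Offline stand-in for the NVP endpoint (api-3t.sandbox.paypal.com/nvp).
    Constructed for this example; it mimics only the behaviour the flow needs."""

    def __init__(self):
        self.sessions = {}      # token -> {"amt", "payerid", "paid"}
        self.decp_calls = 0     # lets the test prove DECP ran exactly once

    def buyer_approves(self, token, payerid):
        """What happens on paypal.com when the buyer logs in AND clicks Continue/Pay."""
        self.sessions[token]["payerid"] = payerid

    def post(self, body):
        p = dict(parse_qsl(body))
        if p["METHOD"] == "SetExpressCheckout":
            token = "EC-" + secrets.token_hex(8).upper()
            self.sessions[token] = {"amt": p["PAYMENTREQUEST_0_AMT"], "payerid": None, "paid": False}
            return urlencode({"ACK": "Success", "TOKEN": token})
        s = self.sessions.get(p.get("TOKEN"))
        if s is None:
            return urlencode({"ACK": "Failure", "L_LONGMESSAGE0": "Invalid token"})
        if p["METHOD"] == "GetExpressCheckoutDetails":
            out = {"ACK": "Success", "TOKEN": p["TOKEN"], "PAYMENTREQUEST_0_AMT": s["amt"],
                   "CHECKOUTSTATUS": "PaymentActionCompleted" if s["paid"] else "PaymentActionNotInitiated"}
            if s["payerid"]:                             # PAYERID only appears once the buyer approved
                out["PAYERID"] = s["payerid"]
            return urlencode(out)
        if p["METHOD"] == "DoExpressCheckoutPayment":
            self.decp_calls += 1
            if s["paid"] or s["payerid"] is None or s["payerid"] != p.get("PAYERID"):
                return urlencode({"ACK": "Failure", "L_LONGMESSAGE0": "Payment not approved"})
            s["paid"] = True                             # this is the only place money moves
            return urlencode({"ACK": "Success", "PAYMENTINFO_0_PAYMENTSTATUS": "Completed",
                              "PAYMENTINFO_0_TRANSACTIONID": "TX" + secrets.token_hex(6).upper()})
        return urlencode({"ACK": "Failure", "L_LONGMESSAGE0": "Unknown method"})


class Merchant:
    """Your checkout code. Orders live in a dict keyed by token; in production
    also bind the token to the buyer's session so one user cannot finish another's order."""

    def __init__(self, paypal):
        self.paypal = paypal
        self.orders = {}

    def call(self, method, **fields):
        body = urlencode({"METHOD": method, "VERSION": "93", "USER": "api.user",
                          "PWD": "api.pwd", "SIGNATURE": "api.sig", **fields})  # placeholder credentials
        return dict(parse_qsl(self.paypal.post(body)))

    def start_checkout(self, amount):
        r = self.call("SetExpressCheckout", PAYMENTREQUEST_0_AMT=amount,
                      PAYMENTREQUEST_0_PAYMENTACTION="Sale",
                      RETURNURL="https://shop.example/return", CANCELURL="https://shop.example/cancel")
        if r.get("ACK") != "Success":
            raise RuntimeError(r)
        self.orders[r["TOKEN"]] = {"amount": amount, "status": "redirected", "txn_id": None}
        return "https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=" + r["TOKEN"]

    def handle_return(self, query):
        """The return page. Every early return below is a state in which nothing was charged."""
        q = dict(parse_qsl(query))
        order = self.orders.get(q.get("token"))
        if order is None:
            return "unknown token"                        # not an order this shop started
        if order["status"] == "paid":
            return "already paid"                         # reload/second tab: never a second DECP
        payerid = q.get("PayerID")
        if not payerid:
            return "not approved"                         # token alone proves nothing
        details = self.call("GetExpressCheckoutDetails", TOKEN=q["token"])
        if (details.get("ACK") != "Success" or details.get("PAYERID") != payerid
                or details.get("PAYMENTREQUEST_0_AMT") != order["amount"]):
            return "not approved"                         # GECD only describes the session
        pay = self.call("DoExpressCheckoutPayment", TOKEN=q["token"], PAYERID=payerid,
                        PAYMENTREQUEST_0_AMT=order["amount"], PAYMENTREQUEST_0_PAYMENTACTION="Sale")
        if pay.get("ACK") != "Success" or pay.get("PAYMENTINFO_0_PAYMENTSTATUS") != "Completed":
            return "payment failed"                       # Pending/Failed are not "paid" either
        order["status"], order["txn_id"] = "paid", pay["PAYMENTINFO_0_TRANSACTIONID"]
        return "paid"
```

The returned strings stand in for the page you would render; the order record, not the query string, is what the rest of the site (fulfilment, e-mails) should read. If the buyer should review the order before being charged, split handle_return in two: run GetExpressCheckoutDetails on the return page and DoExpressCheckoutPayment on the confirm-button POST, keeping the same checks.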