I'm using paypal website standard and passing my order id that is generated on my site via item_number field. I was wondering, how does paypal know that the content in the form has not been altered by user? For example, someone could just change the amount of $10 to $5 and paypal would not not have any way of knowing. I've doe this before with other payment processor, and they make me send them md5 hash of amount and some other data + secret key, but I am not sure if paypal has this?
Based on this article, I believe it depends on whether or not you are using "Payment Data Transfer". If you're just using a button, then you'll need to manually verify the payment amount before shipping. If you're using PDT, you should be able to verify the payment_gross amount sent back in the response from PayPal.
Your right -- in general you can't keep someone from altering your data. If you must use PayPal (yeah, I know, no monthly fee) so far as I know you have three options:
Let PayPal host your button data. But this gives you little control over the process.
Manually verify each transaction, checking price etc before shipping item.
Using their API to receive completed transaction to automatically check data.
Another thing to watch out for is calculation of sales tax. PayPal's approach was too simplistic for our needs, which forced me to take control of the checkout process.
See this link.
you should try to implement it using ipn, pdt is prone to not passing the variables from paypal to your website if the user does not press the "go to store" button. as what others had answered hosting your button would make it secure at the cost of flexibility. Here is a link on the variables that could be altered on hosted buttons https://www.x.com/people/PP_MTS_Haack/blog/2009/11/11/override-variables-for-hosted-and-encrypted-buttons , as you would look into the variables, you cant really change the important ones.
Related
I have browsed this forum and been through the PayPal documentation but I am confused. I know what I need but cannot work-out how to specify it for my coder.
We have a .Net application that runs on our internal network. We use this application to create customer quotations. These quotations are emailed to our customers. I simply want the application to be create a link that I can send to the customer such then when it is opened it takes them straight into Paypal and allows then to make a payment for the quotation. Or maybe the link is embedded into the body of the quotation that I send. Either would be fine.
I know of programs that do this (Sage Line50 does it with Sagepay rather than PayPal) but I cannot get my head around the process. Most of my research is talking about taking payments from an external website but trawling through the PayPal documentation it looks like it should be possible. But I cannot figure out whether I need Smart Buttons or PayPal Me. The key thing is that I don't want to force customers to have a PayPal account so guest access must be an option.
Smart Payment Buttons would be ideal, and offer the best payment experience to your customers. However, they require your own server on which to host some HTML/JS for them. They do not offer a link that can take the customer directly from an email to a PayPal checkout.
I recommend using Smart Payment Buttons, if you are able to host one. The flow is:
Email -> page on your server with Smart Button -> PayPal payment.
The key thing is that I dont want to force customers to have a PayPal account so guest access must be an option.
PayPal.me does not meet that requirement
If your requirement is truly a link that proceeds directly:
Email -> PayPal.com checkout for payment (no webserver of yours) ... well, there two solutions for this.
One is to use PayPal invoicing, which can be emailed directly by PayPal, or can be a link which you share yourself (via your own email). A PayPal invoice can be created manually via: https://www.paypal.com/invoice/create . Or programmatically via the invoicing API (see developer.paypal.com)
The second way, which may work fine but is a very old web 1.0 way of doing things, is to start by going to http://www.paypal.com/buttons and create a Buy Now button for an item named "Placeholder", amount "777.88". Expand the section "Step 2", and uncheck the option to Save the button at PayPal. Do not change any of the customization options, particularly ones that add menus or input fields.
Once you have generated the code, click the option above it to remove code protection, and then switch to the E-mail tab.
This will give you a plain HTML link with a description and amount that can be set dynamically by your developer when sending your own email. Additional useful variables, such as invoice (for an invoice number that is unique for what is being paid for, and can't be accidentally paid twice) are documented here.
Again, Smart Payment Buttons should be preferred if you have a web server to act as an intermediary. Here is a skeleton demo of the experience.
Due to our workflow, we'd benefit from showing the Guest user form (the one where you have to fill in the credit card, address, name, etc) as the first step, and then let the user log in with Paypal, but only as a secondary action.
The absolute standard is the other way around (show the Paypal login and offer to continue without logging in). One of my colleagues said he has paid like that in other stores, but I guess it's already "something of the past".
Is there a way to reverse the steps and show the guest form first?
I contacted the Paypal Tech support and they pointed me to the right place. You have to add the parameter:
LANDINGPAGE=BILLING
To your calls. They also told me to add SOLUTIONTYPE=Sole, but it didn't make a change in my case.
I have looked around SO for this but I can't seem to find anything like it.
On my service, I wish to charge on a per-month basis depending on how many users my clients have.
So this question is split up into two parts.
What I want to know is it possible for a client to use their own paypal account (without entering any CC details) with conjunction with CreateRecurringPaymentsProfile via the NVP, I have looked through the documentation and can not discern anything. So clearly it is not possible to do it via NPV - From what I've seen so far.
i. If I do an Express-Checkout Subscription, I can do 20% change on total amount every 180 days (I DO NOT want to do this) - I want to be able to get the Profile via the IPN and then modify the monthly amount on as-need basis
ii. There was some mention of Referenced Transactions, but the Documentation is very confusing.
So say there is a way to create a recurring payment subscription via a PayPal Account on the PayPal website, next step is to be able to update the Subscription via UpdateRecurringPaymentsProfile NVP command.
While I am happy to pass on CC details (which already works great), I am just wondering if it is indeed possible create a button, which would create a Subscription - once on success an IPN request is sent back with the ProfileID which I can modify the Billing Amount by NVP.
So TL;DR;
The current flow I have
Register on our website
Enter CC Details
Backend submits the data to PayPal and if passed - continues on.
On any Account modifications, update Profile Monthly Amount Automatically.
The flow I want
Register on website
Click on an Authorize Button Redirected to PayPal
Login to their PayPal Account Create Recurring Profile.
On any Account modifications, update that Profile Monthly Amount Automatically.
edit to add - this is all working now, had to contact and harass PayPal directly for a lonngg time.
I'm a little confused because it sounds like you answered your own question, but then said that's not what you want..??
Express Checkout does exactly what you outlined at the end of your post, and it triggers an IPN just like any other PayPal transaction. You are indeed limited on how much you can adjust the amounts of profiles created with EC, though, just like you mentioned with the 20% every 180 days. If you create profiles with Payments Pro (DoDirectPayment or PayFlow) then you're not limited and you can adjust the amounts however much you need to whenever you need to.
Reference Transactions and Preapprovals may be something to look into as well. I actually wrote an article about what they are and how they differ from each other awhile back that you might be interested in.
The payments we gather on our website are for online subscriptions and registrations for conferences. In both cases, we want to gather absolutely all information other than the payment information ourselves, and ideally pass some of it on to PayPal (so users don't have to fill in name, address, etc. twice).
I know there are solutions where the information is gathered by the server itself and then redirected to PayPal via a web services call but that's not an option, unfortunately. All secure payment information gathered has to happen off-server due to network policy.
In addition, not every form will need to be processed using PayPal. Some people will be paying via check, etc. so they shouldn't be sent to a payment page at all. Most solutions I've looked at have a "Pay with Paypal" button, so I assume a form post is necessary to go to the PayPal site, but ideally we'd want to get there via a 302 redirect. Is that at all possible? (I'm aware we could do something like a form that was auto-submitted by JavaScript but I'd prefer to not go down that route).
Whichever system we implemented would need to handle recurring (periodic) payments also.
Paypal has something called Payflow Pro. They bought it from VeriSign a few years ago.
You can use it to do a full integration with the paypal api. So that the user enters their payment details on your site, and your backend code submits the transaction to paypal's servers. Paypal will then give you a transaction id back. Keep the transaction ID, chuck everything else (like the card number) out the window.
We have several clients that use Payflow Pro. It's very good and easy to use api.
I'm not entirely sure I understand the full scope of your question, but I think I do. I've coded a number these conf. registrations (though I have not interfaced with PayPal...rather iTransact and Plug'NPay) and in my applications, I had to read through the API documentation for the system being used (PayPal in this case). Then I logged into the payment gateway and usually they have an html form generator. All this does, of course, is returns an html form with the fields labeled appropriate to their API (so the billing name and address carry over from your system to PayPal's and the user doesn't have to re-enter their information), shows you what hidden fields you'll need(like cutomer_id, etc) and the form POST path.
Then what I do is I have the user register, preview their order details on another page (where you can choose to drop their info into a DB or wait until AFTER their credit card is processed) and then upon confirmation, they go to PayPal, pay with either credit card OR check (the options always exist) and when they hit confirm, the passback URL you put into a hidden var somewhere, takes you to a custom Thank You page (and hopefully processing script to capture successful transactions) which can be hosted anywhere on your servers.
It's pretty simple, just a bit labor intensive at first as you try and figure out the new form variables specific to a payment gateway API.
Hope this helped!
I am working an e-commerce site which will allow pdfs to be downloaded once payment is done.
So, user will put them in a cart, click buy using paypal and from there will come back to see download link on a success page.
I have implemented PDT.
Not sure which is the best option ?
Please help. I want to take care of any connection lost scenario too, like user completes payment at PAYPAL and while returning back to our site's success page, connection is lost and for some n days, user couldnt access internet as well.
I would just use the IPN.
Keep a record in your database that has all of the order items.
e.g. Order and Order Items (in 2 tables)
Then send that primary key across as the "custom" variable.
Then your ipn handler page will validate the payment and then email the customer their digital goods.