Uploading custom cart to Paypal from PHP page using POST
https://stackoverflow.com/questions/5991534
-
13-11-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian题
I'm using Website Payments Standard on PayPal. So I have a custom purchase page which is essentially a list of my licences (pulled from the database):
licence type A: $100
licence type B: $200
licence type C: $300
They choose one of those (radio button) then click the purchase button. This POSTs the page to my processing PHP page which gets the selected licence_id from the previous page, then uses that to select the correct licence information from the database (price, licence duration) etc. Then it stores a new licence for the user (but marks as unpaid as Paypal payment hasn't occurred yet).
Then my PHP code redirects to the Paypal site for payment using the following code:
// Set the transaction details to be sent to PayPal
$urlParams = array(
'cmd' => '_cart',
'upload' => 1,
'charset' => 'utf-8',
'business' => my_business_email@domain.com,
'return' => 'http://mysite.com/paymentprocessed.php',
'currency_code' => 'NZD',
'amount_1' => $licencePrice,
'item_name_1' => $licenceName,
'quantity_1' => 1
);
// Build the URL
$urlParams = http_build_query($urlParams, '', '&');
$url = 'https://www.sandbox.paypal.com/cgi-bin/webscr';
header('location:' .$url. '?' . $urlParams);
exit();
This essentially redirects the user and sends the parameters via GET to PayPal. Suprisingly it works! However the obvious security problem is the user can just edit the variables in the address bar and change the price to get a cheap/free licence.
So is it possible to get my PHP page to POST the information instead and also redirect the browser to that page so the user can complete the paypal transaction? Therefore the critical data is being posted from my webserver directly to PayPal, the user would have no way to edit the payment information.
I suppose you could use the IPN to make sure they paid the right amount, which I'll still do anyway. But I'd like to still not be sending everything via GET.
Thanks!
解决方案
The best solution would be using Express Checkout. This allows you a great deal more flexibility than standard buttons can ever offer you.
If you're thinking if doing IPN, you're capable enough to integrate Express Checkout. All it really is, is 1 API call, followed by a redirect to PayPal, and a minimum of 1 more API call to finalize the payment.
A typical flow would look as follows:
1. Call the SetExpressCheckout API. If you're new to this, it's made dead-easy with PayPal's NVP API interface. You can just send the data as a GET NVP string to https://api-3t.paypal.com/nvp and get a response back in the same format.
2. Take the token from the response, and redirect to https://www.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=XXXXXXX (https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=XXXXXXX for Sandbox testing)
3. As soon as the buyer is returned, PayPal will append a PAYERID to your RETURNURL. If you can't find it, call the GetExpressCheckoutDetails API and supply your token to retrieve it.
4. With the PAYERID and TOKEN, call DoExpressCheckoutPayment to finalize the payment.
To get started with this, I'd suggest taking a looking at the PHP NVP SDK they offer at https://www.x.com/community/ppx/sdks#NVP
其他提示
How can I send post data along with a redirection? Short answer: You can't.
Long answer: A post request happens between the client and the target server. The data isn't included in the headers or even the URL (as it would be with a GET request), but as a seperate payload. This means that your only client based choice really is an auto-submitting form sent to the browser.
The other question would be why it is that important to you to squeeze your data into a redirect. Before trying to force existing protocols into things they weren't designed to do, you might want to reevaluate your design. Take a few steps back and try to figure out a way to reach your general goal by simpler means. The result will likely save you and your visitors many headaches down the road.
One of the possible alternatives would be to store your data server side, as ergophobe seems to suggest. You can retreive it again based on a cookie or a plain CGI variable in a GET request.
CMIIW :)
You can use PayPal IPN to post a callback to see if the price of the licence is matching the licence that the customer just bought.
And you could also store the order inside a DB and then check the order details when the payment is proceeded. If the order does not match, it will display a a message of your choise.
I am not sure about how to handle paypal requests but simply changing GET to POST is not a protection. Advanced users can still access the POST vars and edit them. There should be a mechanism provided by paypal which secure your data integrity!
