Testing PayPal buttons - vb.net

I generated a vb.net website to sell some quantity of a book. It's a vb.net site using a SQL Server backend. I modeled the book's order form on the paper form the company was using. The form allows customers to specify: name, organization, address, city/state/zip, and quantity.
Once the form is complete, they submit the form to another page which records the form values in a database. I then have them press the add to cart button, which is supposed to upload the cart information to PayPal for checkout. For some reason the cart opens empty without any errors.
Here is my add to cart info:
<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_cart" />
<input type="hidden" name="upload" value="1" />
<input type="hidden" name="business" value="XXXXXX#XXX.XXX" />
<input type="hidden" name="item_number_1" value="2015" />
<input type="hidden" name="item_name_1" value="2015 Catholic Directory" />
<input type="hidden" name="amount_1" value="15.00" />
<input type="hidden" name="quantity_1" value="<%= Request.Form("add")%>" />
<input type="hidden" name="currency_code" value="USD" />
<input type="hidden" name="notify_url" value="http://10.5.0.43/catholicDirectory complete_order.aspx" />
<input type="hidden" name="no_shipping" value="2" />
<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_cart_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!" style="width:120px; height:26px;" target="_self"/></center>
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
What I need to know is:
Why is my cart opening empty?
How do I get PayPal to redirect back to my website so I can mark the transaction as paid, maybe by storing a PayPal transaction ID in my database? I researched this and was able to direct them back if they click a link to return, but I don't want them to have to click anything. Research directed me to seller settings in my account, but I can't find them to set the auto return URL.

You're going to want to use PayPal's IPN listener. There is an IPN simulator which you can use to make sure it's hitting your site correctly.
https://developer.paypal.com/webapps/developer/applications/ipn_simulator
https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNSetup/
You'll need to set up 2 accounts within sandbox: a personal and a business. The business account is where you send transactions. You can use the personal account to log in and test payments.
As for redirecting back after payment, you can set this in both your return URL and inside PayPal
<input type="hidden" name="return" value="https://yoursite.com/payment-success">
You can set auto return by following the directions here: http://wemakewebsites.com/blog/how-to-get-paypal-to-auto-return-to-your-website-after-a-customer-payment
EDIT:
<form name="_xclick" action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post" >
<input id="element_1" name="amount" type="text" />
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="yourbusiness#email.com">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="item_name" value="Payment">
<input type="hidden" name="return" value="http://yourwebsite.com/payment-success">
<input type="hidden" name="rm" value="1">
<input type="image" src="http://yourwebsite.com/images/btn-donate.png" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
<input type="hidden" name="notify_url" value="http://yourwebsite.com/includes/paypal_ipn.aspx" />
</form>
Once payment is made the user will head over to PayPal to complete the payment. As long as you have the notify_url set with a working listener, PayPal will hit it. That file is where you want to put a few more db collections. PayPal can send you back a bunch of information (https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNandPDTVariables/) depending on what data you are looking for. In the following example (https://github.com/paypal/ipn-code-samples/blob/master/paypal_ipn.vb) you'd want to add your db collection after line 35, where the user has completed payment:
If strResponse = "VERIFIED" Then

The idea was not to use an IPN listener (way more than I need), but rather to ask the customer how many books they wanted and add a single item to the PayPal cart: "# - 2015 Catholic Directory" where # is the quantity. The price for the book then becomes Quantity * $15. This way I can sell any quantity I want.
My database gets filled with customer information, including quantity as a separate field, when they fill out the order form, and then that info gets sent on to PayPal to complete payment. I also set up PayPal to auto return back to my site when the payment is complete and then mark the order as paid. This way I can develop reports for the office selling the books indicating who ordered how many books and if payment has been received.
Problem solved. The only thing I found difficult with the process was the fact that the sandbox environment does not have auto return like the live payment system does. I had to run a dummy sale for a penny and then refund the penny to verify the auto return was working.

Related

how do i know where to send item bought on my websites

When a customer buys something from a website, how does the owner know where to send the items purchased, and is there a way to get a notification on my phone when a purchase is made from my website?
When a user buys something on the website, the owner will get the address that the user typed in the fields -_- The HTML page will send the content of the fields with a POST to a PHP file on the server.
The form:
<form action="post.php" method="post">
First name:<br>
<input type="text" name="item" value="the item that you buy"><br>
Last name:<br>
<input type="text" name="adress" value="your adress"><br><br>
<input type="submit" value="Submit">
</form>
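An example of the PHP file:
<?php
// Read the posted fields; fall back to empty strings if a field is missing
$item = $_POST['item'] ?? '';
$user_adress = $_POST['adress'] ?? '';
// Escape before echoing so submitted markup is shown as text, not rendered
echo htmlspecialchars($item, ENT_QUOTES, 'UTF-8');
echo htmlspecialchars($user_adress, ENT_QUOTES, 'UTF-8');
?>
For the notification on your phone, you can create a page that displays the information about a purchase, but getting a push notification on your phone will be harder to do.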

shopify app proxy: send customer data or only customer ID

I need to get customer first and last names and email address for the server side logic.
As I see it there are 2 options:
Form submit with the data in the body of the request to the proxied URL
GET request to the proxied URL with the customer ID in the URL, then using the shopify API to get all customer's info
I tend to use option #1 as it saves a call to Shopify, I will send the data over https.
How would you suggest doing so?
If you are submitting to a proxy form you should check out Gavin Ballard's post about validating the customer with a hash.
I do something similar where I respond to the app proxy GET with application/liquid. See the reqHash field in the sample below. This is processed through ejs, whose tags don't conflict with Liquid, for any dynamic values:
e.g.
{% if customer %}
<input name="firstName" id="firstName" type="hidden" value="{{customer.first_name}}">
<input name="lastName" id="lastName" type="hidden" value="{{customer.last_name}}">
<input name="defaultAddr" type="hidden" value="{{ customer.default_address.id }}">
<input type="hidden" name="custid" value="{{customer.id}}">
<input type="hidden" name="reqHash" value="{{customer.id | append: '<%= custSecret %>' | md5}}">
<div class="form-group">
<label for="emailAddress">Email</label>
<input name="emailAddress" id="emailAddress" type="text" value="{{customer.email}}" placeholder="Email">
</div>
{% else %}
<div class="form-group">
<label for="firstName">Name</label>
<input name="firstName" id="firstName" type="text" value="" placeholder="First Name">
<input name="lastName" id="lastName" type="text" value="" placeholder="Last Name">
</div>
<div class="form-group">
<label for="emailAddress">Email</label>
<input name="emailAddress" id="emailAddress" type="text" value="" placeholder="Email">
</div>
<div class="form-group">
<label for="CreatePassword" class="hidden-label">Password</label>
<input type="password" name="customer[password]" id="CreatePassword" class="input-full" placeholder="Password">
</div>
{% endif %}
and then validate the reqHash when the form is posted.
Responding to a comment:
The question is what are you trying to keep secret from who. The customer already knows their info. Shopify maintains the session so they trust the info is associated with the correct id. SSL is a secure transport so the customer info is only clear in the browser. The hash lets the app be sure that the customer info is associated with the correct id. It’s the app’s way to verify the login. Otherwise a bad actor can send arbitrary info to the app. The poster who wrote they’d look up the customer info from the id still needs to verify the id so that they know they have the correct id of a valid logged in customer.
In fact, since I wrote this in 2016 I’ve started hashing all the info that I’m including in the hidden inputs.
The hash protects your app from hackers and bored script kiddies.
implies you will possibly receive garbage. The incoming data means nothing since a bot could fill in a form and submit.
at least implies you have an actual logged in customer. If you have the ID you also have the email and name, from Liquid. If your Proxy call is from a script tag that has no access like that, you can send the customer ID from the secret customer ID cookie value, and yes, make an API call. That is not a big deal at all.
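One way to do the "validate the reqHash when the form is posted" step on the Node side, as an added example that is not code from the answers above: it recomputes the MD5 of `custid` plus the shared secret the way the Liquid template does and compares the two in constant time. The function names, the shape of the parsed body and the secret value are assumptions for illustration.

```javascript
const crypto = require('crypto');

// Assumption: same value the server injects into the template as custSecret.
const CUST_SECRET = 'constructed-demo-secret';

// Hex MD5 that Liquid renders for {{ customer.id | append: secret | md5 }}.
function expectedReqHash(custId, secret) {
  return crypto.createHash('md5').update(custId + secret, 'utf8').digest('hex');
}

// Constant-time comparison of two hex strings of equal length.
function safeEqual(a, b) {
  const x = Buffer.from(a, 'utf8');
  const y = Buffer.from(b, 'utf8');
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Hypothetical handler core: returns the verified customer id, or null.
// `body` is the parsed form post; a body parser may hand back arrays or
// objects for repeated or bracketed fields, so types are checked first.
function verifyCustomerPost(body, secret) {
  const { custid, reqHash } = body || {};
  if (typeof custid !== 'string' || !/^\d{1,20}$/.test(custid)) return null;
  if (typeof reqHash !== 'string' || !/^[0-9a-f]{32}$/.test(reqHash)) return null;
  // Only custid is bound by this hash; firstName, lastName and emailAddress
  // stay client-controlled unless they are hashed too.
  return safeEqual(reqHash, expectedReqHash(custid, secret)) ? custid : null;
}

// Constructed sample posts: one as rendered for customer 4711, one altered.
const genuine = { custid: '4711', reqHash: expectedReqHash('4711', CUST_SECRET) };
const altered = { ...genuine, custid: '4712' };
console.log(verifyCustomerPost(genuine, CUST_SECRET));
console.log(verifyCustomerPost(altered, CUST_SECRET));
```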

Am trying to create an item in the cart for a Big Commerce store and it keeps redirecting to the item page I just left

We are working on behalf of a Big Commerce store owner and are trying to add items to the shopping cart by posting the same data that the regular item page posts, except it is done by an external program on another server. This is because we intercept the post (which is done via a postbackurl on an iframe included in the item page that allows the customer to customize the item)... and then repost the same data to the cart.
This was working in our test store but not in the client store. I'm wondering if the difference is that when the item page posts, the Origin header is of course from that store. When I post it from my program, the origin header is different. How can I tell what the real issue is?
Is there a setting in Big Commerce that allows posts from another origin?
Or, how do I add a store product from an external program into the Big Commerce cart?
Thanks,
Cindy
Yes, the product has options... I am not posting them in the form below but it makes sense that I should.
Here is a sample of my code:
<script type="text/javascript">
function submitform() {
document.forms["redirectpost"].submit();
}
</script>
</head>
<body onLoad="submitform();">
<form name="redirectpost" method="post" action="http://eystudios8.mybigcommerce.com/cart.php" enctype="multipart/form-data">
<input type="hidden" name="action" value="add">
<input type="hidden" name="product_id" value="211">
<input type="hidden" name="variation_id" vale="">
<input type="hidden" name="currency_id" value="">
<input type="hidden" name="qty[]" value="1">
<input type="hidden" name="ProductFields[1]" value="<?php echo $docsession; ?>">
<input type="submit" value="" style="display:none;">
</form>
I also have a configurable field I am attempting to post the docsession to.
Cindy
Adding this question:
I see that I need to post the options in my form - how do I know what field name to call each option? There are about 15 options I need to forward to the cart page. Cindy

Need example code for PayPal NVP api request code for parallel payment

I can successfully use the PayPal NVP API for SetExpressCheckout. But the problem with this is that I can't pay two merchants in a single payment. So, going through PayPal, I found that I can use parallel payments. I need to know how I can use parallel payments. I have request code for SetExpressCheckout like the following:
<form method=post action=https://api-3t.sandbox.paypal.com/nvp>
<input type=hidden name=USER value="xxxxxxxxxxxxx#xxxxx.com">
<input type=hidden name=PWD value="xxxxxxxxx">
<input type=hidden name=SIGNATURE value="xxxxxxxxxxxxxxx">
<input type=hidden name=VERSION value=2.3>
<input type=hidden name=PAYMENTACTION value=Order>
<input name=AMT value=10.0>
<input type=hidden name=RETURNURL value=xxxxxx>
<input type=hidden name=CANCELURL value=xxxxxx>
<input type=submit name=METHOD value=SetExpressCheckout>
</form>
I need something like the above where I can request for parallel payment.
Finally I got the sample codes for parallel payment implementation PayPal SDK link.

using paypals html api is safe?

I'm trying out PayPal's HTML API, where you specify price, item_name, customer information and so on in the HTML:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" id="payPalForm">
<input type="hidden" name="cmd" value="_cart" />
<input type="hidden" name="upload" value="1" />
<input type="hidden" name="no_note" value="1" />
<input type="hidden" name="business" value="your#paypalaccount.com" />
<input type="hidden" name="currency_code" value="SEK" />
<input type="hidden" name="return" value="http://freelanceswitch.com/payment-complete/" />
<input type="hidden" name="tax_rate" value="25" />
<input type="hidden" name="item_name_1" value="Apple Macpro" />
<input type="hidden" name="item_number_1" value="01 - Product 1" />
<input type="hidden" name="amount_1" value="25000" />
<input type="hidden" name="item_name_2" value="Apple Macbook" />
<input type="hidden" name="item_number_2" value="02 - Product 2" />
<input type="hidden" name="amount_2" value="12500" />
<input type="hidden" name="item_name_3" value="Apple Macbook Air" />
<input type="hidden" name="item_number_3" value="03 - Product 3" />
<input type="hidden" name="amount_3" value="12500" />
<input type="submit" name="Submit" value="Submit" />
</form>
When the user clicks submit, it takes him/her to PayPal's payment page.
But doesn't this mean that a hacker could change the order by manipulating the HTML code?
I can't figure out how PayPal prevents this security problem.
Of course, it does appear as if someone could just change the HTML and re-submit the form.
I'm not sure about PayPal, but Google Checkout handles this by instead of setting HTML, it gets you to create XML, encrypt it using your merchant key, and use the encrypted string in your HTML to pass across to Google. Google then decrypts it using your merchant key and voila - tamper-free.
Have a look in PayPal's documentation for something along the lines of "cart signing" or "request encryption." They may also do a callback to your server, telling you what was sent and you can compare it to your database to see if the prices are still correct.
If this is anything like other HTML integrations, there should be a callback directly from PayPal to your server with all the fields that were entered. You can compare these to see if any have changed. There are usually various security mechanisms, such as a shared hidden key, so that you can validate that the callback is genuine.
It doesn't seem like it is safe by itself. On PayPal's Securing Your Website Payments Standard Buttons page, they talk about being able to create protected payment buttons. However, further on they indicate that it doesn't work if JavaScript is disabled, which makes the protection useless! Then they talk about other manual processes that can be performed, including reconciliation and instant notifications, which should occur in any sound accounting process anyway.
Encrypted website payments really seems like the only secure option to me.
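The callback comparison suggested in these answers (and the `VERIFIED` branch of the IPN listener in the first thread), as an added Node.js example that is not code from any of the posts: once PayPal has confirmed the notification, the listener checks it against the stored order before marking it paid. The order table, the merchant address, the use of the `invoice` pass-through variable to find the order and the no-tax, no-shipping total are assumptions; the sample notifications are constructed.

```javascript
// Constructed stand-in for the orders table filled in by the order form.
const ORDERS = new Map([
  ['1001', { quantity: 3, unitPriceCents: 1500, currency: 'USD', paidTxn: null }],
]);
const MERCHANT_EMAIL = 'seller@example.test'; // constructed placeholder
const seenTxnIds = new Set();

// "45.00" -> 4500, using integer cents to avoid float rounding.
function toCents(s) {
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(String(s));
  return m ? Number(m[1]) * 100 + Number((m[2] || '').padEnd(2, '0')) : null;
}

// Run only on a notification PayPal has answered with VERIFIED.
// Assumption: the order id travelled to PayPal in the `invoice` field and
// no tax or shipping is added, so mc_gross must equal quantity * price.
function reconcileIpn(ipn) {
  const fail = (reason) => ({ ok: false, reason });
  const order = ORDERS.get(String(ipn.invoice));
  if (!order) return fail('unknown order');
  if (ipn.payment_status !== 'Completed') return fail('not completed');
  if (String(ipn.receiver_email).toLowerCase() !== MERCHANT_EMAIL) return fail('wrong receiver');
  if (ipn.mc_currency !== order.currency) return fail('wrong currency');
  if (toCents(ipn.mc_gross) !== order.quantity * order.unitPriceCents) return fail('amount mismatch');
  if (typeof ipn.txn_id !== 'string' || seenTxnIds.has(ipn.txn_id)) return fail('duplicate txn');
  seenTxnIds.add(ipn.txn_id);
  order.paidTxn = ipn.txn_id; // mark paid only after every check passed
  return { ok: true, reason: 'paid' };
}

// Constructed notifications: the first reports a total that does not match
// the stored order, the second matches, the third repeats the second.
const tamperedIpn = {
  invoice: '1001', payment_status: 'Completed', receiver_email: MERCHANT_EMAIL,
  mc_currency: 'USD', mc_gross: '0.03', txn_id: 'TXN-CONSTRUCTED-1',
};
const honestIpn = { ...tamperedIpn, mc_gross: '45.00', txn_id: 'TXN-CONSTRUCTED-2' };
const results = [tamperedIpn, honestIpn, honestIpn].map((n) => reconcileIpn(n).reason);
console.log(results);
```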