Is using PayPal's HTML API safe? - api

I'm trying out PayPal's HTML API, where you specify price, item_name, customer information and so on in the HTML:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" id="payPalForm">
<input type="hidden" name="cmd" value="_cart" />
<input type="hidden" name="upload" value="1" />
<input type="hidden" name="no_note" value="1" />
<input type="hidden" name="business" value="your@paypalaccount.com" />
<input type="hidden" name="currency_code" value="SEK" />
<input type="hidden" name="return" value="http://freelanceswitch.com/payment-complete/" />
<input type="hidden" name="tax_rate" value="25" />
<input type="hidden" name="item_name_1" value="Apple Macpro" />
<input type="hidden" name="item_number_1" value="01 - Product 1" />
<input type="hidden" name="amount_1" value="25000" />
<input type="hidden" name="item_name_2" value="Apple Macbook" />
<input type="hidden" name="item_number_2" value="02 - Product 2" />
<input type="hidden" name="amount_2" value="12500" />
<input type="hidden" name="item_name_3" value="Apple Macbook Air" />
<input type="hidden" name="item_number_3" value="03 - Product 3" />
<input type="hidden" name="amount_3" value="12500" />
<input type="submit" name="Submit" value="Submit" />
</form>
When the user clicks Submit it takes him/her to PayPal's payment page.
But doesn't this mean that a hacker could change the order by manipulating the HTML code?
I can't figure out how PayPal prevents this security problem.

Of course, it does appear as if someone could just change the HTML and re-submit the form.
I'm not sure about PayPal, but Google Checkout handles this differently: instead of setting HTML, it gets you to create XML, encrypt it using your merchant key, and use the encrypted string in your HTML to pass across to Google. Google then decrypts it using your merchant key and voila, tamper-free.
Have a look in PayPal's documentation for something along the lines of "cart signing" or "request encryption." They may also do a callback to your server, telling you what was sent, and you can compare it to your database to see if the prices are still correct.

If this is anything like other HTML integrations, there should be a callback directly from PayPal to your server with all the fields that were entered. You can compare these to see if any have changed. There are usually various security mechanisms, such as a shared hidden key, so that you can validate that the callback is genuine.

It doesn't seem like it is safe by itself. On PayPal's Securing Your Website Payments Standard Buttons page, they talk about being able to create protected payment buttons. However, further on they indicate that it doesn't work if JavaScript is disabled, which makes the protection useless! Then they talk about other manual processes that can be performed, including reconciliation and instant notifications, which should occur in any sound accounting process anyway.
Encrypted website payments really seems like the only secure option to me.
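The server-side check the answers above recommend (compare the gateway's callback with your own records and reject anything that does not match) looks like this in practice. This is an added Python example written for this thread, not PayPal's code or any shop's: the catalogue prices are taken from the question's form, the merchant address and the callback bodies are constructed, and the field names (custom, txn_id, mc_gross, mc_currency, payment_status, receiver_email) follow PayPal's IPN variables. The postback that confirms the message really came from PayPal is assumed to have been done before this function runs.

```python
"""Server-side reconciliation of a payment-gateway callback.

Added example (not PayPal's code): the merchant never trusts the prices the
browser posted; it compares the callback with the order it priced itself
from catalogue prices, checks the money went to its own account, and
rejects replays of an already-used transaction id.
"""
from dataclasses import dataclass
from decimal import Decimal
from urllib.parse import parse_qs


@dataclass
class Order:
    order_id: str
    total: Decimal       # computed server-side from catalogue prices
    currency: str
    paid_txn: str = ""   # filled in once a matching callback is accepted


# Constructed catalogue: the prices the merchant actually charges (SEK).
CATALOGUE = {"01 - Product 1": Decimal("25000"),
             "02 - Product 2": Decimal("12500"),
             "03 - Product 3": Decimal("12500")}

MERCHANT_EMAIL = "merchant@example.com"   # assumed merchant account


def create_order(order_id: str, item_numbers: list[str], currency: str = "SEK") -> Order:
    """Price the cart from the catalogue, never from client-supplied amounts."""
    total = sum((CATALOGUE[n] for n in item_numbers), Decimal("0"))
    return Order(order_id, total, currency)


def reconcile(raw_body: str, orders: dict[str, Order], seen_txns: set[str]) -> tuple[bool, str]:
    """Check an IPN-style callback body against what the server recorded.

    Returns (accepted, reason). Field names follow PayPal's IPN variables;
    'custom' is assumed to carry the merchant's order id.
    """
    fields = {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}
    order = orders.get(fields.get("custom", ""))
    if order is None:
        return False, "unknown order"
    if fields.get("receiver_email") != MERCHANT_EMAIL:
        return False, "paid to a different account"
    if fields.get("payment_status") != "Completed":
        return False, "payment not completed"
    txn = fields.get("txn_id", "")
    if not txn or txn in seen_txns:
        return False, "missing or replayed txn_id"
    if fields.get("mc_currency") != order.currency:
        return False, "currency mismatch"
    try:
        paid = Decimal(fields.get("mc_gross", ""))
    except (ArithmeticError, ValueError, TypeError):
        return False, "malformed amount"
    if paid != order.total:
        return False, f"amount mismatch: paid {paid}, expected {order.total}"
    seen_txns.add(txn)
    order.paid_txn = txn
    return True, "ok"


def demo() -> list[tuple[bool, str]]:
    """Run four constructed callbacks: genuine, tampered amount, replay, wrong account."""
    orders = {"A100": create_order("A100", ["01 - Product 1", "02 - Product 2", "03 - Product 3"])}
    seen: set[str] = set()
    good = ("custom=A100&txn_id=TX1&mc_gross=50000.00&mc_currency=SEK"
            "&payment_status=Completed&receiver_email=merchant%40example.com")
    tampered = good.replace("mc_gross=50000.00", "mc_gross=5.00").replace("TX1", "TX2")
    wrong_account = good.replace("TX1", "TX3").replace("merchant%40", "attacker%40")
    return [reconcile(good, orders, seen),
            reconcile(tampered, orders, seen),
            reconcile(good, orders, seen),          # replay of TX1
            reconcile(wrong_account, orders, seen)]


if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "REJECT", why)
```

The order total is fixed when the order is created, from prices the server controls; whatever the browser later posts to the gateway, only a callback whose amount, currency and receiving account match that record is marked as paid.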

Related

How to Integrate PayUMoney payment gateway with Angular2/4/5

I am working with Angular 5 and I need to integrate the PayUMoney payment gateway in my application. For that I added the following form and tested it with the "https://test.payu.in/_payment" domain.
Error:
Error Reason: Transaction failed due to incorrectly calculated hash parameter.
Corrective Action: Please ensure that the hash used in transaction request is calculated using the correct formula. Please note the correct formula for calculating the value of hash:
sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||SALT)
Based on above formula and applying for this transaction, hash should be calculated as mentioned below : hash = sha512(gtKFFx|ba7816bf8f01cfea414140de5da|500|merit application fees|bhagvat lande|landebm@gmail.com|||||||||||eCwWELxi) = Array
As seen above, correct hash value should have been - Array
But the hash posted in the transaction request from your end was - e95bd46ce3cf4b3c32a63ba5f51934ef8506e0e47027512f41bff125be02cd14
My Component with Form
<form #f method="post" id="payu-payment-form" action="https://test.payu.in/_payment">
<input type="hidden" name="hash" value="e95bd46ce3cf4b3c32a63ba5f51934ef8506e0e47027512f41bff125be02cd14"/>
<input type="hidden" name="key" value="gtKFFx" />
<input type="hidden" name="txnid" value="ba7816bf8f01cfea414140de5da" />
<input type="hidden" name="amount" value="500" />
<input type="hidden" name="productinfo" value="merit application fees" />
<input type="hidden" name="firstname" value="bhagvat lande" />
<input type="hidden" name="email" value="******@gmail.com" />
<input type="hidden" name="phone" value="+91**********" />
<input type="hidden" name="surl" value="http://localhost:4200/#/payment/payment-success" />
<input type="hidden" name="furl" value="http://localhost:4200/#/payment/payment-error" />
<input type="hidden" name="service_provider" value="" />
<button class="btn btn-info" type="submit" (click)="f.submit()" value="submit" formtarget="_blank"> <i class="fa fa-money"></i> Proceed To Pay</button>
</form>
In the above form I just generated one dummy hash key (SHA-256) and put it there.
Questions:
How to integrate the PayUMoney payment gateway in Angular2/4/5?
They provided a formula in their documentation for generating the hash key; it takes all the other form fields and generates the hash key (SHA-256). Is there any way to create the hash key at the client side, and how to use that?
Thanks
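The hash in the PayU error above and the "cart signing" the first answer on this page suggests looking for are the same idea: a merchant secret (here SALT) is mixed into a digest over the order fields, so the gateway can tell when a field was changed after the form was built. Because the formula depends on that secret, it has to run on the merchant's server, with the browser receiving only the finished value. Below is an added Python example written for this thread, not PayU's SDK, that applies the quoted formula; the test key and salt are the ones shown in the error message, and the order is constructed from the same values.

```python
"""Request hash for a PayU-style hosted checkout, computed on the server.

Added example for this thread, not PayU's code. It applies the formula quoted
in the gateway error above:
    sha512(key|txnid|amount|productinfo|firstname|email|udf1|udf2|udf3|udf4|udf5||||||SALT)
SALT is the merchant secret, so the hash is produced server-side; any field
edited in the page afterwards no longer matches, which is what the gateway's
check catches.
"""
import hashlib
import hmac

# Test credentials quoted in the error message on the page.
MERCHANT_KEY = "gtKFFx"
MERCHANT_SALT = "eCwWELxi"   # must never be shipped to the browser

# Order of the hashed fields; udf1..udf5 default to empty strings.
HASHED_FIELDS = ("key", "txnid", "amount", "productinfo", "firstname", "email",
                 "udf1", "udf2", "udf3", "udf4", "udf5")


def hash_material(params: dict, salt: str = MERCHANT_SALT) -> str:
    """Pipe-joined string exactly as the formula lays it out.

    Six empty reserved slots ('||||||') sit between udf5 and SALT.
    """
    parts = [str(params.get(name, "")) for name in HASHED_FIELDS]
    return "|".join(parts) + "||||||" + salt


def request_hash(params: dict, salt: str = MERCHANT_SALT) -> str:
    """SHA-512 hex digest of the material; this is the 'hash' hidden field."""
    return hashlib.sha512(hash_material(params, salt).encode("utf-8")).hexdigest()


def sign_checkout(params: dict) -> dict:
    """Server-side step: stamp the merchant key and the hash onto the form values."""
    signed = dict(params)
    signed["key"] = MERCHANT_KEY
    signed["hash"] = request_hash(signed)
    return signed


def posted_hash_is_valid(posted: dict) -> bool:
    """Recompute from the posted fields and compare in constant time.

    This mirrors the gateway's check; running it on the merchant side before
    trusting any posted field catches a changed amount or product.
    """
    expected = request_hash(posted)
    return hmac.compare_digest(expected, str(posted.get("hash", "")))


# Constructed order using the values from the gateway error message above.
SAMPLE_ORDER = {
    "txnid": "ba7816bf8f01cfea414140de5da",
    "amount": "500",
    "productinfo": "merit application fees",
    "firstname": "bhagvat lande",
    "email": "landebm@gmail.com",
}

if __name__ == "__main__":
    fields = sign_checkout(SAMPLE_ORDER)
    print(hash_material(fields))
    print("hash =", fields["hash"])
    print("tampered amount accepted?", posted_hash_is_valid(dict(fields, amount="5")))
```

The Angular component should post the order details to the merchant backend, receive the signed field set back, and render those as the hidden inputs; the SALT never appears in the bundle.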

Testing PayPal buttons

I generated a VB.NET website to sell some quantity of a book. It's a VB.NET site using a SQL Server backend. I modeled the book's order form on the paper form the company was using. The form allows customers to specify: name, organization, address, city/state/zip, and quantity.
Once the form is complete, they submit the form to another page which records the form values in a database. I then have them press the Add to Cart button, which is supposed to upload the cart information to PayPal for checkout. For some reason the cart opens empty without any errors.
Here is my Add to Cart info:
<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_cart" />
<input type="hidden" name="upload" value="1" />
<input type="hidden" name="business" value="XXXXXX@XXX.XXX" />
<input type="hidden" name="item_number_1" value="2015" />
<input type="hidden" name="item_name_1" value="2015 Catholic Directory" />
<input type="hidden" name="amount_1" value="15.00" />
<input type="hidden" name="quantity_1" value="<%= Request.Form("add")%>" />
<input type="hidden" name="currency_code" value="USD" />
<input type="hidden" name="notify_url" value="http://10.5.0.43/catholicDirectory complete_order.aspx" />
<input type="hidden" name="no_shipping" value="2" />
<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_cart_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!" style="width:120px; height:26px;" target="_self"/>
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
What I need to know is:
1. Why is my cart opening empty?
2. How do I get PayPal to redirect back to my website so I can mark the transaction as paid, storing maybe a PayPal transaction ID in my database? I researched this and was able to direct them back if they click a link to return, but I don't want them to have to click anything. Research directed me to seller settings in my account, but I can't find them to set the auto return URL.
You're going to want to use PayPal's IPN listener. There is an IPN simulator which you can use to make sure it's hitting your site correctly.
https://developer.paypal.com/webapps/developer/applications/ipn_simulator
https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNSetup/
You'll need to set up 2 accounts within the sandbox: a personal and a business one. The business account is where you send transactions. You can use the personal account to log in and test payments.
As for redirecting back after payment, you can set this both in your return URL and inside PayPal:
<input type="hidden" name="return" value="https://yoursite.com/payment-success">
You can set auto return by following the directions here: http://wemakewebsites.com/blog/how-to-get-paypal-to-auto-return-to-your-website-after-a-customer-payment
EDIT:
<form name="_xclick" action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post" >
<input id="element_1" name="amount" type="text" />
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="yourbusiness@email.com">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="item_name" value="Payment">
<input type="hidden" name="return" value="http://yourwebsite.com/payment-success">
<input type="hidden" name="rm" value="1">
<input type="image" src="http://yourwebsite.com/images/btn-donate.png" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
<input type="hidden" name="notify_url" value="http://yourwebsite.com/includes/paypal_ipn.aspx" />
</form>
Once payment is made the user will head over to PayPal to complete the payment. As long as you have the notify_url set with a working listener, PayPal will hit it. That file is where you want to put a few more DB collections. PayPal can send you back a bunch of information (https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNandPDTVariables/) depending on what data you are looking for. In the following example (https://github.com/paypal/ipn-code-samples/blob/master/paypal_ipn.vb) you'd want to add your DB collection after line 35, where the user has completed payment:
If strResponse = "VERIFIED" Then
The idea was not to use an IPN listener (way more than I need), but rather to ask the customer how many books they wanted and add a single item to the PayPal cart: "# - 2015 Catholic Directory" where # is the quantity. The price for the book then becomes Quantity * $15. This way I can sell any quantity I want.
My database gets filled with customer information, including quantity as a separate field, when they fill out the order form, and then that info gets sent on to PayPal to complete payment. Also, I set up PayPal to auto return to my site when the payment is complete and then mark the order as paid. This way I can develop reports for the office selling the books indicating who ordered how many books and whether payment has been received.
Problem solved. The only thing I found difficult with the process was the fact that the sandbox environment does not have auto return like the live payment system does. I had to run a dummy sale for a penny and then refund the penny to verify the auto return was working.

Products default sort not working on search.tpl - Prestashop 1.6.0.6

I set up in the back office the default sort type to: in stock. This works for all pages except the SearchController template file: search.tpl.
What can be the causes behind such a malfunction? I really don't know what part of the code to deal with. Thanks to everyone who has already met such an issue for advice.
Edit:
I discovered that the link in the address bar after clicking the search button is:
website/index.php?controller=search&orderby=position&orderway=desc&search_query=design+40&submit_search=Rechercher
When I remove orderby=position&orderway=desc, the default behaviour works. I just need to remove this action from the controller but still don't know how.
In template file, I found:
<form method="get" action="{$link->getPageLink('search')|escape:'html'}" id="searchbox">
<p>
<label for="search_query_top"><!-- image on background --></label>
<input type="hidden" name="controller" value="search" />
<input type="hidden" name="orderby" value="quantity" />
<input type="hidden" name="orderway" value="desc" />
<input class="search_query" type="text" id="search_query_top" name="search_query" value="{$search_query|escape:'html':'UTF-8'|stripslashes}" />
<input type="submit" name="submit_search" value="{l s='Search' mod='blocksearch'}" class="button" />
</p>
</form>
As you see, I have already changed the value of the hidden input to quantity. Hope it helps.

Google Custom Search with SEO URL

Well, I have this search engine on my site:
<form action="/apps/search/" name="g_search" id="cse-search-box" method="post">
<input type="hidden" name="cof" value="FORID:11;NB:1" />
<input type="hidden" name="ie" value="utf-8" />
<input type="text" autocomplete="off" name="google_seach" class="search-text" onfocus="searchtext('focus')" onblur="searchtext('blur')" />
<label style="color:#796b6b;float:left;padding:0;">|</label>
<input type="submit" style="float:right;margin-top:3px;cursor:pointer;width:16px;height:16px;background:url(/template/img/main/search-icon.jpg);border:none;" value="" alt="Αναζήτηση" title="Αναζήτηση" />
</form>
Now I want some code for the results page. Somehow the POST request is read from a file called search.php.
This file has access to the $_POST[] array.
The file initializes the $selector variable (for template use).
What we want to echo into the contentarea div must be put into the $body variable.
Any help?
<?php
$selector="search";
$body="<div id=\"cse-search-form\" style=\"width: 100%;\">Loading</div>";
?>
I have a similar issue; just use the GCS code provided by Google, as it is easy. Make sure in the options in GSE you select to visualize the search results on your page and not in an iframe.

Open documents in browser with zoho api

Hi, I'm trying to integrate Zoho into my website and open a document in the browser.
I'm using WAMP server.
This is the code I'm trying to work with:
<html>
<head>
</head>
<body>
<form method="POST" action="http(s)://export.writer.zoho.com/remotedoc.im" target="_self"
accept-charset="UTF-8">
<input type="hidden" name="url" value="http://localhost/paper.doc">
<input type="hidden" name="apikey" value="here goes api key">
<input type="hidden" name="output" value="url">
<input type="hidden" name="mode" value="normaledit">
<input type="hidden" name="filename" value="paper.doc">
<input type="hidden" name="lang" value="en">
<input type="hidden" name="skey" value="here goes secret value">
<input type="hidden" name="id" value="12345678">
<input type="hidden" name="format" value="doc">
<input type="hidden" name="saveurl" value="http://localhost/save.php">
<input type="submit" name="submit" value="Open/Edit">
</form>
</body>
</html>
I don't know why I get this error:
Forbidden
You don't have permission to access /http(s)://export.writer.zoho.com/remotedoc.im on this server.
I have entered the API key correctly, and the secret key.
I'm just confused and stuck here. I'm blocked.
Here is the documentation: http://apihelp.wiki.zoho.com/Open-Document.html
You have taken the (s) out of the URL, right? I know it might seem like a silly question, but I thought I should check in case you had overlooked it. The URL resolves for me and gives an 'api key is invalid' warning.
The error given would seem to indicate the browser thinks it's a relative instead of an absolute URL.
I don't know much more about Zoho, but I also want to implement this in my project in future. As I read in https://apihelp.wiki.zoho.com/Open-Document.html#mfs, it says that saveurl must be publicly accessible, and if it is not accessible publicly it gives an error; localhost is not publicly accessible, so it gives an error.