Scenario
MVC application with custom shopping cart. Shopping cart integrates with PayPal, passing sale data like client information, product items and prices (for each item and total price) but not credit card or PayPal information. This would be set on PayPal.
Problem
PayPal describes how to use the cart upload to integrate with custom shopping carts here:
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_cart_upload#id09BLDK0007Q
But there is very little detail on how to do it.
After a while I found an example of how to do the MVC-PayPal interaction (even though it is not cart upload, it is a matter of configuration) here:
http://www.arunrana.net/2012/01/paypal-integration-in-mvc3-and-razor.html
The problem with this solution is that it appears to have some security problems. Sensitive data is set on a view and sent to the client in hidden fields, and the post is done by JavaScript, making this unacceptable, right? Or am I seeing this wrong?
Intended Solution
User sees shopping cart and clicks checkout button, causing a post to myserver.com/Controller/Action passing client data like name, address, etc.
The controller action myserver.com/Controller/Action builds a post server side, adding to the client post data more sensitive information like prices and PayPal merchant-specific information, and posts the request to PayPal OR invokes the PayPal web service.
PayPal returns a token, or some other information, and myserver.com/Controller/Action redirects the client to PayPal to make the payment.
Question
Is my intended solution possible? How can I, in response to a post from the client, do some processing in the controller, post/invoke PayPal with the result of that processing and ultimately pass PayPal's response to the client so that he can interact directly with PayPal?
Otherwise I can't see how it could be "secure".
If not, surely someone has done something similar and can point me in the right direction :-)
I sort of understand what you're trying to do here, and I think I can answer that question. Let me know if this doesn't quite make sense...
So your customer hits your resource, mysite.com/Cart/Checkout. The controller instantiates the model and then passes the object into the view, where the view binds values appropriately.
Customer clicks 'Pay with PayPal' and is redirected to mysite.com/Cart/ExpressCheckout. The controller instantiates the model, and the model will handle the SetExpressCheckout call utilizing the cart session data (items, amounts, etc.), then the model (or controller, this part is a bit vague) would redirect the customer to pp.com/cgi-bin/webscr?cmd=_express-checkout&token=EC-12345566788
The customer would fill everything out and once done, they would be redirected to mysite.com/Cart/ConfirmOrder. In this resource, the Model would handle the GetExpressCheckoutDetails call, setting properties for all the data returned, etc. The controller would pass the object into the view and the view would bind appropriately.
Is there a reason why this is insecure? This should be secure and follow all standards of Microsoft MVC3. Except the part where you do the redirect, semantically, I'm unsure whether this would be done in the controller or the model. I think it would be the controller though.
Related
I've got a long and fairly complex form for a booking system that a user fills in, then pays using Stripe Checkout. I'm trying to figure out the best solution to both handle payment failure easily (so submitting the form over AJAX so I don't have to try and regenerate the whole booking form with all the data the user's entered), whilst also handling payment success gracefully (so with a new page showing a booking summary and a different URL, so if the user clicks the reload button in their browser it doesn't just take them back to the search results and booking form again).
I'm using a mixture of Laravel 5.4 and JS/jQuery to generate the booking form on the front end, and after Stripe Checkout (I'm using their standard simple integration pop-up) it submits all the form + Stripe token etc. back to a POST route in my Laravel backend. In my controller, I then try and charge the credit card using the standard Stripe API and process the booking details into my database, and then return a Laravel view from a Blade template, thus giving the user a different page and URL. As mentioned, I want to switch the form submission to AJAX so payment failure can be handled easily (i.e. their big filled-in form doesn't disappear, and just an alert pops up to the user so they can try and enter a new card into the Stripe Checkout). That bit's fine, I'll just use this: https://stackoverflow.com/a/34099169/4059141 but then if payment succeeds I basically want the same behaviour as if I'd done a regular form POST, so the new page being displayed with a new URL.
I can generate and pass back the rendered HTML from the blade template over AJAX no problem, but that leaves the original URL in the browser's address bar, so if they hit reload on the booking summary they'll just see the search results page and blank booking form again - not what I want.
Any thoughts on a solution are welcome! Thanks
I want to create my own plugin for payment integration in Joomla.
I am using HDFC bank details.
How do I create the form and call it?
How do I handle the request and response?
Here is what you need to do:
When the user submits a payment, you should, in your controller, use curl to submit the payment to the bank.
Once you submit the payment, you have 2 options, depending on how the bank's API works:
You can immediately get the response from the bank when issuing the curl_exec method OR
In the curl call, you will specify which page the bank will post to on success and on failure (typically, it'll be the same page but with a different task), and you also specify the merchant transaction ID. The bank will then load the "response" page on success and will post back its response (you can get the information using $_POST).
Note that in most scenarios, you only need to worry about the first method (getting the response immediately from the bank). The second method is typically used by PayPal and is referred to as IPN (Instant Payment Notification), but it might be the case that your bank uses some kind of IPN to notify you of payment success.
I'm using the PayPal IPN Library to process a subscription payment. The Library logs the IPN answer to a database. The return URL is a "processing" page that checks at timed intervals for the "SUCCESS" status in the ipn_log table. But I can't identify the current transaction row in this table. How can I confirm the payment has succeeded? I can get the POST variables on the return URL, but none of them is registered in the database. Is there a variable that is returned by the IPN and also sent by POST to the return URL? Something like the transaction id? Maybe I'm going the wrong way on this and there is another approach to confirm the payment status.
Got it. The "custom" field added to the button form does the trick. Saving it to the database is enough to keep track of the process.
I'm doing some updates for an intranet I created a few years ago using ASP Classic. What I've been asked to do is to ALERT all users when news on the intranet is added. Basically I need to check on the database when news is added and then trigger an action to all intranet users saying "You have a New Message".
I have done a lot of research on this and I couldn't really find a good example for it.
Your help will be much appreciated.
Cheers
Vullnet
Basically you need to poll the server using AJAX and check for new messages.
I suppose you have a messages table with an ID that counts up. You need to track each user's last message pointer, and send this as part of your AJAX request as a parameter. If the server's ID is higher than the user's then they have a new message.
Based on the AJAX response you then alert the user.
You need to make an ASP page that responds to your AJAX call. Pass it a number and it responds with "OK" (nothing new) or "NEW".
It works the same way, regardless of the server-side language. Use jQuery to perform your AJAX calls.
I'm setting up a website that uses PayPal to process payments.
The easiest way to implement the checkout form would be to create an HTML form that submits directly to PayPal, sending the order details and redirecting the user to PayPal in order to finalize the transaction.
However, there is a security vulnerability with this process. The client could edit the information submitted to PayPal, such as changing the price of the checkout to $0.00.
What is an accepted way to handle this type of situation? Is it to submit the form back to my server, then do some processing in PHP, then submit verified data to PayPal and redirect the user to PayPal? Is this possible?
Thanks!
There are two main ways to handle this issue.
The first is somewhat like what you outline: You send the filled in form to PayPal, and provide a callback-url. When PayPal has processed the payment, they will call your provided url, and you can check whether or not the information given in that call is the same as what you provided. For this to work, you need to store the information in the meantime, like in a database. You will then only give access to the product after the validation has happened.
You can also encrypt the information you send to PayPal, making it practically impossible to alter information in your form.
See https://www.x.com/developers/paypal for details.
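The server-side check that the answer above describes (store the order, then compare PayPal's callback against what you stored) and the "custom" field trick from the IPN question earlier on this page, as an added example that is not from any of the posts or from PayPal's own library. Order data, merchant address and the IPN bodies are constructed; the `_notify-validate` postback to PayPal is assumed to be done by the caller, which passes its VERIFIED/INVALID result in.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed sample: what the merchant stored server-side at checkout time,
# keyed by the value it placed in the payment button's "custom" field.
ORDERS = {"ord-1001": {"amount": "49.90", "currency": "USD", "status": "pending"}}
MERCHANT_EMAIL = "seller@example.com"   # assumed receiver address of the merchant account
SEEN_TXN_IDS = set()                    # txn_ids already credited, to reject replays


def process_ipn(raw_body: str, postback_verified: bool) -> tuple:
    """Validate one IPN POST body against the stored order.

    postback_verified is whether posting raw_body back to PayPal with
    cmd=_notify-validate answered 'VERIFIED' (done by the caller, so this runs
    offline). Returns (accepted, reason) and marks the order paid on success."""
    fields = {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}
    if not postback_verified:
        return False, "postback not VERIFIED by PayPal"
    order = ORDERS.get(fields.get("custom", ""))
    if order is None:
        return False, "unknown order in custom field"
    if fields.get("payment_status") != "Completed":
        return False, "payment not Completed"
    if fields.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return False, "receiver_email is not our account"
    # Compare against what WE stored, never against what the browser form carried
    if fields.get("mc_currency") != order["currency"]:
        return False, "currency mismatch"
    if Decimal(fields.get("mc_gross", "0")) != Decimal(order["amount"]):
        return False, "amount mismatch"
    txn_id = fields.get("txn_id", "")
    if not txn_id or txn_id in SEEN_TXN_IDS:
        return False, "missing or replayed txn_id"
    SEEN_TXN_IDS.add(txn_id)
    order["status"] = "paid"
    return True, "ok"


def order_paid(order_id: str) -> bool:
    """What the return/"processing" page polls: our order row, not the return-URL POST."""
    return ORDERS.get(order_id, {}).get("status") == "paid"


# Constructed IPN bodies (not real PayPal traffic); the first carries the $0.00 edit
TAMPERED = ("custom=ord-1001&txn_id=TX1&payment_status=Completed"
            "&receiver_email=seller%40example.com&mc_currency=USD&mc_gross=0.00")
GENUINE = TAMPERED.replace("mc_gross=0.00", "mc_gross=49.90")

if __name__ == "__main__":
    print(process_ipn(TAMPERED, True))   # rejected: amount mismatch
    print(process_ipn(GENUINE, True))    # accepted
    print(process_ipn(GENUINE, True))    # rejected: replayed txn_id
```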