I'm setting up a website that uses paypal to process payments.
The easiest way to implement the checkout form would be to create an HTML form that submits directly to paypal, sending the order details and redirecting the user to paypal in order to finalize the transaction.
However, there is a security vulnerability with this process. The client could edit the information submitted to paypal, such as changing the price of the checkout to $0.00.
What is an accepted way to handle this type of situation? Is it to submit the form back to my server, then do some processing in PHP, then submit verified data to paypal and redirect the user to paypal? Is this possible?
Thanks!
There are two main ways to handle this issue.
The first is somewhat like what you outline: You send the filled in form to PayPal, and provide a callback-url. When PayPal has processed the payment, they will call your provided url, and you can check whether or not the information given in that call is the same as what you provided. For this to work, you need to store the information in the meantime, like in a database. You will then only give access to the product after the validation has happened.
You can also encrypt the information you send to PayPal, making it practically impossible to alter information in your form.
See https://www.x.com/developers/paypal for details.
Related
Need help in implementing email based approval system. Ex: Manager gets an auto triggered mail for his/her approval with a approval link in email body, when the manager clicks on the the link, it should validate the manager and then approve it. I tried searching on the internet but didn't find relevant resource.
Request you to Please help me with your ideas, suggestions or how I should proceed, or any plugin or jar is available??? It would be very helpful to me... Thanking you...
EDIT: Thanking you for replying. We have a java web app build using spring framework (MVC) where in employees can apply leaves which has to be approved by his/her manager. If an employee applies leave then a mail is triggered for approval to his/her manager with the leave details. After looking the mail, the manager logs-in to the application to approve or reject the leaves. So request you to Please help me in how to give a direct link in the mail to approve or reject the leaves.
For one of our applications we had the same requirements - employees can submit vacation requests and supervisors will be notified via mail. We have written an article about the exact way we did it - available here.
So in a nutshell, we are using Spring Integration and GMail. Each new vacation request yields an email send to all supervisors. Supervisors can reply with either approve or reject. We only accept email addresses from our domain, but since these can be faked we introduced a shared secret - a UUID added to the mail's subject which then relates to the id of the vacation request.
Once an email comes in we run the business logic to figure out whether a request shall be approved or rejected.
As I stated in my comment, I used Velocity to template my email message. You don't have to use it, but it made my job easier. You should be able to read up on it.
Java itself has the ability to send emails in it's Java EE framework using JavaMail, or you can use Spring's wrappers. You will need access to a mail server of some sorts, and would highly recommend that you setup an email box specifically for this process. I actually used my gmail account during testing, but I wouldn't recommend that for a long-term solution. I assume your company would have an email server setup somewhere you can use.
The process flow would be:
Employee fills out request
System generates an email to employee's manager(s) with a link to approve
Manager clicks on link, taken to approval page
Manager approves/denies request
The next question is how to build the URL. I would suggest using something like a UUID or something like that, or the request ID if that makes it easier. You can generate a UUID from any seed String or set of bytes. I like UUID because it obviscates the data being sent.
Anyway, the URL will basically point to a Spring form that will allow the user to approve that request. So, thinking about what you would need, I would expect some DB record that relates the information in the incoming request to the time off request that was filled out. Read in the record, load the page and display it. Simple enough.
The next issue is locking it down so only the authorized people can approve. Again, making a huge assumption here, but I am guessing you are using Spring Security? If you are, you should be able to add a condition to the Controller's handler for this approval form that requires the user to be authenticated (read here) and add a java.security.Principal to the handler methods arguments (read 15.3.2.3 here for what you can pass into a Controller's handler). With the Principal object in-hand, you should be able to compare that to a list of approvers associated with the request record in the DB. I would then have the system generate approval/denial emails that code to all concerned parties.
Let me reiterate that this is NOT the only solution, only one possible solution. This is why I feel this is not a good question for StackOverflow, as it asks a very broad question that doesn't really have a single right answer.
When is it recommended to validate the paypal IPN?
Option 1 - Validate during the handler ipn post, then save and enqueue ipn if valid.
Pros: An attacker can not fill your database by sending fake IPNs
Cons:
Requires a longer response time for ipn post since you need to
make a web request to validate, before being able to respond with a 200 OK in the ipn handler
An attacker can keep your web server busy trying to validate fake IPNs
Option 2 - Delay validation, save and enqueue ipn, respond with 200, then validate when processing the queue.
Pros: Quick response to paypal IPN
Cons: An attacker can fill your database by sending fake IPNs
Or do you do have something additional in place that avoids the problems of these two options?
Edit: I'm using the Paypal Adaptive Payments API, and am wondering what the recommended practice is while using that API.
PayPal now supports sending shared secrets instead of postback validation. I prefer this provided (a) your buttons use HTTPS when posting and (a) your notify_url uses HTTPS.
Postback validation has a number of problems, starting with the requirement that the same POST variables be used in the same order. This isn't implementable e.g. in servlets where you don't have that level of control. However in fact it doesn't appear to actually matter, which casts doubt on other security aspects of the procedure.
Scenario
MVC application with custom shopping cart. Shopping cart integrates with a PayPal, passing sale data like client information, product items and prices (for each item and total price) but not credit card or paypal information. This would be set on paypal.
Problem
Paypal describes how to use the cart upload to integrate with custom shopping carts here:
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_cart_upload#id09BLDK0007Q
But there is very little detail on how to do it.
After a while i found an example of how to do the MVC-Paypal interaction (even though is not cart upload but it is a mater of configuration) here:
http://www.arunrana.net/2012/01/paypal-integration-in-mvc3-and-razor.html
The problem in this solution is that it appears to have some security problems. Sensitive data is set to a view and sent to the client in hidden fields and post is set by javascript, making this unacceptable right? Or am i seeing this wrong?
Intended Solution
User sees shopping car and clicks checkout button, causing a post to myserver.com/Controller/Action passing client data like name, address, etc.
The controller action myserver.com/Controller/Action builds a post server side, adding the client post data information more sensitive information like prices and paypal merchant specific information and posts request to paypal OR invoques paypal webservice.
Paypal returns a token, or some other information and myserver.com/Controller/Action redirects client to Paypal to make the payment.
Question
Is my intended solution possible? How can i, in response of a post from the client, make some processing in the controller, post/invoke Paypal with the result of that processing and ultimately pass paypals response to the client for him to interact directly with Paypal?
Otherwise i can't see how it could be "secure".
If not, surely someone have done something similar and can point me into the right direction :-)
I sort of understand what your trying to do here, and I think I can answer that question. Let me know if this doesnt quite make sense...
So your customer hits your resource, mysite.com/Cart/Checkout. The controller instantiates the model and then passes the object into the view, where the view binds values appropriately.
Customer clicks 'Pay with PayPal' and is redirected to mysite.com/Cart/ExpressCheckout. The controller instantiates the model, and the model will handle the SetExpressCheckout call utilizing the cart session data (item, amounts, etc), then the model (or controller, this part is a bit vague) would redirect the customer to pp.com/cgi-bin/webscr?cmd=_express-checkout&token=EC-12345566788
The customer would fill everything out and once done, they would be redirected to mtsite.com/Cart/ConfirmOrder. In this resource, the Model would handle the GetExpressCheckoutDetails call, setting properties for all the data returned, etc. The controller would pass the object into the view and the view would bind appropriately.
Is there a reason why this is insecure? This should be secure and follow all standards of Microsoft MVC3. Except the part where you do the redirect, semantically, I'm unsure whether this would be done in the controller or the model. I think it would be the controller though.
I'm using PayPal IPN Library to process a subscription payment. The Library logs to a database the IPN answer. The return URL is a "processing" page that checks at timed intervals for the "SUCCESS" status at ipn_log table. But I cant identify the current transaction row on this table. How can I confirm the payment has succeded? I can get the POST variables on the return URL, but none of them is registered on the database. Is there a variable that is returned by the IPN and also sent by POST to the return URL? Something like the transaction id? Maybe Im going the wrong way on this and there is another aproach to confirm the payment status.
Got it. The "custom" field added to the button form makes the trick. Saving it to the database is enough to keep track of the process
I'd like to use google checkout to charge for subscriptions to my website. In order to efficiently process orders, I need to collect the purchaser's email address or another unique id for that order, so that later I can activate their account.
Is there a way to programmatically associate an id that I can generate at runtime with an order placed in google checkout?
If possible, I'd like to do this just by generating different html for the "buy now" button. If necessary, I can use the API.
Update: I see various mentions of merchant-item-id, and when I create a button with Google's tools I can set that field statically. If there were a dynamic way to set merchant-item-id, that would be perfect. Any solutions like that?
Look in to the notification API:
http://code.google.com/apis/checkout/developer/Google_Checkout_HTML_API_Notification_API.html
Changing the code of the buy now button wouldn't actually notify you if the order was completed - there'd be no way to determine if a user just loaded the buy now page, completed the payment, or if the payment was declined. With the notification api you can instantly activate the subscription only when payment is received. Of course, you have to write the script to receive the notification...
The only other option I see if changing the continue_url to somehow change the thank you page to include the id, but this is easy to fake.
The answer seems trivial now. Just throw:
<input name="shopping-cart.items.item-1.merchant-item-id" type="hidden" value="11235" />
into your BuyNow button code (or whatever form you're using to submit) with 11235 being any value you like.