I implement paypal payments integration for the first time. I was using hidden field to send parameters to paypal. I'm really not comfortable with this method cause this information can easily be change by user.
Is there any other alternative to send data to paypal ?
In some or the other way you have to use the form to submit to the paypal url. But there are ways to play smart. I have created this class which is not the best one but still good enough to keep the user away from editing fields.
CLASS
<?php
/*
///// ------------ Author :- Aman Virk
//// ------------- Created On :- 2012-02-17
//// ------------- Licensed Under - Open Source
//// ------------- Author URI :- http://www.thetutlage.com
*/
class paypal_class {
var $last_error; // holds the last error encountered
var $ipn_log; // bool: log IPN results to text file?
var $ipn_log_file; // filename of the IPN log
var $ipn_response; // holds the IPN response from paypal
var $ipn_data = array(); // array contains the POST values for IPN
var $fields = array(); // array holds the fields to submit to paypal
function paypal_class() {
// initialization constructor. Called when class is created.
$this->paypal_url = 'https://www.paypal.com/cgi-bin/webscr';
$this->last_error = '';
$this->ipn_log_file = '.ipn_results.log';
$this->ipn_log = true;
$this->ipn_response = '';
// populate $fields array with a few default values. See the paypal
// documentation for a list of fields and their data types. These defaul
// values can be overwritten by the calling script.
$this->add_field('rm','2'); // Return method = POST
$this->add_field('cmd','_xclick');
}
function add_field($field, $value) {
// adds a key=>value pair to the fields array, which is what will be
// sent to paypal as POST variables. If the value is already in the
// array, it will be overwritten.
$this->fields["$field"] = $value;
}
function submit_paypal_post() {
// this function actually generates an entire HTML page consisting of
// a form with hidden elements which is submitted to paypal via the
// BODY element's onLoad attribute. We do this so that you can validate
// any POST vars from you custom form before submitting to paypal. So
// basically, you'll have your own form which is submitted to your script
// to validate the data, which in turn calls this function to create
// another hidden form and submit to paypal.
// The user will briefly see a message on the screen that reads:
// "Please wait, your order is being processed..." and then immediately
// is redirected to paypal.
$paypal_submit_output = "<html>
";
$paypal_submit_output .= "<head><title>Processing Payment...</title></head>
";
$paypal_submit_output .= "<body onLoad=\"document.forms['paypal_form'].submit();\">
";
$paypal_submit_output .= '<center> <img src="images/ajax-loader.gif" /> <h4> Please wait we are processing your transaction </h4>
<h5> Do not refresh or press back button </h5> <center> ';
$paypal_submit_output .= "<form method=\"post\" name=\"paypal_form\" ";
$paypal_submit_output .= "action=\"".$this->paypal_url."\">
";
foreach ($this->fields as $name => $value) {
$paypal_submit_output .= "<input type=\"hidden\" name=\"$name\" value=\"$value\"/>
";
}
$paypal_submit_output .= "<center><input type=\"submit\" value=\"Click Here\"></center>
<br />";
$paypal_submit_output .= "</form>
";
$paypal_submit_output .= "</body></html>
";
return $paypal_submit_output;
}
function validate_ipn() {
// parse the paypal URL
$url_parsed=parse_url($this->paypal_url);
// generate the post string from the _POST vars aswell as load the
// _POST vars into an arry so we can play with them from the calling
// script.
$post_string = '';
foreach ($_POST as $field=>$value) {
$this->ipn_data["$field"] = $value;
$post_string .= $field.'='.urlencode(stripslashes($value)).'&';
}
$post_string.="cmd=_notify-validate"; // append ipn command
// open the connection to paypal
$fp = fsockopen($url_parsed[host],"80",$err_num,$err_str,30);
if(!$fp) {
// could not open the connection. If loggin is on, the error message
// will be in the log.
$this->last_error = "fsockopen error no. $errnum: $errstr";
$this->log_ipn_results(false);
return false;
} else {
// Post the data back to paypal
fputs($fp, "POST $url_parsed[path] HTTP/1.1
");
fputs($fp, "Host: $url_parsed[host]
");
fputs($fp, "Content-type: application/x-www-form-urlencoded
");
fputs($fp, "Content-length: ".strlen($post_string)."
");
fputs($fp, "Connection: close
");
fputs($fp, $post_string . "
");
// loop through the response from the server and append to variable
while(!feof($fp)) {
$this->ipn_response .= fgets($fp, 1024);
}
fclose($fp); // close connection
}
if (eregi("VERIFIED",$this->ipn_response)) {
// Valid IPN transaction.
$this->log_ipn_results(true);
return true;
} else {
// Invalid IPN transaction. Check the log for details.
$this->last_error = 'IPN Validation Failed.';
$this->log_ipn_results(false);
return false;
}
}
function log_ipn_results($success) {
if (!$this->ipn_log) return; // is logging turned off?
// Timestamp
$text = '['.date('m/d/Y g:i A').'] - ';
// Success or failure being logged?
if ($success) $text .= "SUCCESS!
";
else $text .= 'FAIL: '.$this->last_error."
";
// Log the POST variables
$text .= "IPN POST Vars from Paypal:
";
foreach ($this->ipn_data as $key=>$value) {
$text .= "$key=$value, ";
}
// Log the response from the paypal server
$text .= "
IPN Response from Paypal Server:
".$this->ipn_response;
// Write to log
$fp=fopen($this->ipn_log_file,'a');
fwrite($fp, $text . "
");
fclose($fp); // close file
}
function dump_fields() {
// Used for debugging, this function will output all the field/value pairs
// that are currently defined in the instance of the class using the
// add_field() function.
echo "<h3>paypal_class->dump_fields() Output:</h3>";
echo "<table width=\"95%\" border=\"1\" cellpadding=\"2\" cellspacing=\"0\">
<tr>
<td bgcolor=\"black\"><b><font color=\"white\">Field Name</font></b></td>
<td bgcolor=\"black\"><b><font color=\"white\">Value</font></b></td>
</tr>";
ksort($this->fields);
foreach ($this->fields as $key => $value) {
echo "<tr><td>$key</td><td>".urldecode($value)." </td></tr>";
}
echo "</table><br>";
}
}
IMPLEMENTATION
require_once('paypal.class.php');
$p = new paypal_class;
$p->paypal_url = 'https://www.paypal.com/cgi-bin/webscr';
// $p->paypal_url = 'https://www.sandbox.paypal.com/cgi-bin/webscr';
$p->add_field('business',$paypal_id);
$p->add_field('return',$paypal_success_url);
$p->add_field('cancel_return',$paypal_cancel_url);
$p->add_field('notify_url',$paypal_ipn_url);
$p->add_field('item_name',$payment_for);
$p->add_field('amount', $amount);
$p->add_field('custom', $unique_transaction_id);
$new_form = $p->submit_paypal_post();
If you are doing SetExpressCheckout and GetExpressCheckout, you can use the Custom field. I am using the new PayPal X.comm SDK Express Checkout in Php, so I will give my example from that.
In setting up the request object to pass to SetExpressCheckout, you can put your parameters in the Custom field.
$setECReqDetails->Custom = $billingFreq . "SPACE" . $billingPeriod;
When you return from PayPal, you can get these parameters back by doing a call to GetExpressCheckoutDetails, and getting the parameters from the response object's Custom field.
$getECResponse = $paypalService->GetExpressCheckoutDetails($getExpressCheckoutReq);
$billingInfo = explode("SPACE",$getECResponse->GetExpressCheckoutDetailsResponseDetails->Custom);
$billingFreq = $billingInfo[0];
$billingPeriod = $billingInfo[1];
Notice the use of the word "SPACE". This could be any word, but it is used as a divider. This way you can pass as many parameters as you want by putting "SPACE" between them.
If you want to see the full code for this, you can download X.comm SDK, express checkout, Php, from here: https://www.x.com/developers/paypal/documentation-tools/paypal-sdk-index and goto merchant-sdk-dev-2.2.98/samples/ExpressCheckout/SetExpressCheckout.php and also GetExpressCheckout.php to see the code. They don't actually make use of Custom in the sample code, but you can see where to add the code.