This is my code:
<form action="" method="post">
<input class="payment_input" type="text" name="name" placeholder="Name">
<input class="payment_input" type="text" name="address" placeholder="Address">
<input class="payment_input" type="text" name="email" placeholder="E-mail"><br>
<input class="payment_input" type="submit" name="submit_paypal" value="Go to PayPal">
</form>
<?php
// Assumes $pdo is an already connected PDO instance.
if (isset($_POST["submit_paypal"])) {
// Random token that later identifies this order in the PayPal return URL.
$order_token = md5(uniqid($_POST['name'], true));
$statement = $pdo->prepare("INSERT INTO customers (name, address, email, order_token) VALUES (:name, :address, :email, :order_token)");
$statement->execute(array(':name' => $_POST['name'], ':address' => $_POST['address'], ':email' => $_POST['email'], ':order_token' => $order_token));
echo "
<form action=\"https://www.paypal.com/cgi-bin/webscr\" method=\"post\">
<input type=\"hidden\" name=\"cmd\" value=\"_xclick\">
<input type=\"hidden\" name=\"business\" value=\"test@icloud.com\">
<input type=\"hidden\" name=\"item_name\" value=\"eBook\">
<input type=\"hidden\" name=\"amount\" value=\"10\">
<input type=\"hidden\" name=\"return\" value=\"http://www.example.com/book.php?payment=success&orderToken=".$order_token."\">
<input type=\"hidden\" name=\"cancel_return\" value=\"http://example.com/book.php?payment=canceled\">
<input type=\"submit\">
</form>
";
}
?>
It works as follows: the user gets a form to enter his data (name, address, email). When the user submits the form, two things should happen: the user data get stored in my database with a random order_token. This order_token is needed to identify the user data when payment is done. (When the order_token is e.g. "5dcb567fb34805d45d55218995df12f5", the PayPal return link (if payment is successful) is "http://www.example.com/book.php?payment=success&orderToken=5dcb567fb34805d45d55218995df12f5".)
But I have two problems:
How do I submit the PayPal form as soon as the user submits the order form on my website, without needing another submit button the user has to click?
How do I prevent the user from manipulating the PayPal form? Currently a user could simply change the amount from e.g. 10 to 1.
I hope somebody has the energy to help me, because I have already been working on this for nights.
With the help of some JavaScript, the PayPal Form can be automatically submitted.
The code:
<script type="text/javascript">
document.myform.submit();
</script>
To use it you need to add name="myform" to your PayPal form.
Also, you do not show any PayPal IPN system; I would suggest looking into that to make sure that you set up your payment gateway properly.
As for preventing a user from changing the PayPal form code, the use of an IPN would stop this. After the payment is received, PayPal will contact your PHP script (IPN) and you will be able to verify the item's name, how much was paid, etc.
It's better to invert your PHP and HTML code -- as you don't want to show the form again when you submit.
(1) One approach is to send data to Paypal using the querystring.
<?php
// Assumes $pdo is an already connected PDO instance.
if (isset($_POST["submit_paypal"])) {
// Random token that later identifies this order in the PayPal return URL.
$order_token = md5(uniqid($_POST['name'], true));
$statement = $pdo->prepare("INSERT INTO customers (name, address, email, order_token) VALUES (?, ?, ?, ?)");
$statement->execute(array($_POST['name'], $_POST['address'], $_POST['email'], $order_token));
if ($statement->rowCount()) {
$query = array();
$query['cmd'] = '_xclick';
$query['business'] = 'test@icloud.com';
$query['item_name'] = 'eBook';
$query['amount'] = 10;
$query['return'] = 'http://www.example.com/book.php?payment=success&orderToken=' . $order_token;
$query['cancel_return'] = 'http://example.com/book.php?payment=canceled';
header('Location: https://www.paypal.com/cgi-bin/webscr?' . http_build_query($query));
exit(0);
}
}
?>
<form action="" method="post">
<input class="payment_input" type="text" name="name" placeholder="Name">
<input class="payment_input" type="text" name="address" placeholder="Address">
<input class="payment_input" type="text" name="email" placeholder="E-mail"><br>
<input class="payment_input" type="submit" name="submit_paypal" value="Go to PayPal">
</form>
(2) Using this approach, I don't think there is a way to prevent someone from changing the information. The best you can do is add validation before you submit. You can also use Paypal IPN to notify you when a payment is made. You would create a script that will receive information about a purchase when it is made. There you can add further validation.
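What the IPN validation mentioned in both answers looks like in practice, as an added example that is not code from the question or either answer: the listener echoes the message back to PayPal, and only after a "VERIFIED" reply compares the amount, currency, receiver and transaction id against the order stored on the server, so the value in the browser form is never trusted. It assumes `$pdo` as on the page, that the button form also sends the order_token in PayPal's `custom` hidden field, and that the customers table has `amount_cents`, `currency` and `paid_txn_id` columns.

```php
<?php
// Added example, not code from the question or either answer. Assumes the PayPal
// button also sends order_token in the "custom" field, and that the customers
// table stores the expected amount_cents, currency and a nullable paid_txn_id.

// Echo the IPN message back to PayPal; only a "VERIFIED" reply means PayPal sent it.
function ipn_postback(array $post): string
{
    $ch = curl_init('https://ipnpb.paypal.com/cgi-bin/webscr');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . http_build_query($post),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_HTTPHEADER     => ['Connection: Close'],
    ]);
    $reply = curl_exec($ch);
    curl_close($ch);
    return $reply === false ? 'INVALID' : trim($reply);
}

// Compare the verified message with the order WE stored; the browser-side amount
// is never consulted. Returns null when everything matches, else the reject reason.
function ipn_mismatch(array $ipn, array $order, string $merchant_email): ?string
{
    if (($ipn['payment_status'] ?? '') !== 'Completed') return 'payment not completed';
    if (($ipn['receiver_email'] ?? '') !== $merchant_email) return 'paid to another account';
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) return 'wrong currency';
    $paid_cents = (int) round((float) ($ipn['mc_gross'] ?? 0) * 100); // compare as integer cents
    if ($paid_cents !== (int) $order['amount_cents']) return 'amount differs from stored order';
    if ($order['paid_txn_id'] !== null) return 'order already paid'; // replayed IPN
    return null;
}

// ipn.php: the URL handed to PayPal as notify_url
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (ipn_postback($_POST) !== 'VERIFIED') { http_response_code(400); exit; }
    $stmt = $pdo->prepare('SELECT amount_cents, currency, paid_txn_id FROM customers WHERE order_token = ?');
    $stmt->execute([$_POST['custom'] ?? '']);
    $order = $stmt->fetch(PDO::FETCH_ASSOC);
    $reason = $order ? ipn_mismatch($_POST, $order, 'test@icloud.com') : 'unknown order_token';
    if ($reason !== null) {
        error_log('IPN rejected: ' . $reason . ' txn_id=' . ($_POST['txn_id'] ?? '?'));
        http_response_code(200); // acknowledge so PayPal stops retrying; the order stays unpaid
        exit;
    }
    $pdo->prepare('UPDATE customers SET paid_txn_id = ? WHERE order_token = ?')
        ->execute([$_POST['txn_id'], $_POST['custom']]);
    http_response_code(200);
}
```

Only an order that reaches the final UPDATE should unlock the eBook; the `orderToken` in the return URL identifies the order but proves nothing about payment on its own.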