Website Payments Standard of PayPal instructs me to add an HTML form to submit data to PayPal. However, users can modify the hidden fields easily. I think this is a security issue. I have made the following code, but I can see no response after executing it.
$POSTURL = 'https://www.sandbox.paypal.com/cgi-bin/webscr';
// Append each field to the array; plain assignment would overwrite the previous value.
$array_postvars = array();
$array_postvars[] = 'cmd=_xclick';
$array_postvars[] = 'business=firstname.lastname@example.org';
$array_postvars[] = 'item_name=TESTING';
$array_postvars[] = 'amount=100.00';
$array_postvars[] = 'currency_code=HKD';
$array_postvars[] = 'button_subtype=services';
$array_postvars[] = 'no_note=0';
$array_postvars[] = 'bn=PP-BuyNowBF:classicplus.png:NonHostedGuest';
$ch = curl_init();
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, implode('&', $array_postvars));
curl_setopt($ch, CURLOPT_URL, $POSTURL);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 5.01; Windows NT 5.0)');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
How do I post the form using PHP cURL?
You have missed the code to get the result from the curl:
$result = curl_exec($ch);
Here are some useful links; I hope they might be useful to you.
The last thread in the second link says:
“You can’t redirect the customer to PayPal after posting the data by curl, because PayPal will use the client session and you can’t manage it by posting.”
That means we have to put the variables onto a HTML form, and submit it by browser? Then, how to prevent users editing the fields before submitting? That’s quite a problem…
You can create encrypted forms on paypal https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_encryptedwebpayments (might help)
But really, you should check the values posted to your IPN against what they should be. Check the item_number, quantity and total against what your db says that should cost etc.
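The IPN check suggested in the reply above, as an added example that is not code from the thread. It assumes the button also sends an `item_number`, that the IPN message has already been confirmed as coming from PayPal, and that the catalog, transaction IDs and IPN values below (all constructed) stand in for the shop database; `checkIpn` is a hypothetical helper name.

```php
<?php
// Constructed stand-in for the shop database: price list and processed transactions.
$catalog = ['SKU-1001' => ['unit_price_cents' => 10000, 'currency' => 'HKD']];
$seenTxnIds = ['TXN-OLD-1'];
$merchantEmail = 'firstname.lastname@example.org'; // placeholder address from the post

// Returns a list of reasons to reject the IPN; an empty list means it matches the order.
function checkIpn(array $ipn, array $catalog, array $seenTxnIds, string $merchantEmail): array
{
    $problems = [];
    $item = $catalog[$ipn['item_number'] ?? ''] ?? null;
    if ($item === null) {
        return ['unknown item_number'];
    }
    $qty = $ipn['quantity'] ?? '';
    if (!ctype_digit((string) $qty) || (int) $qty < 1) {
        return ['invalid quantity'];
    }
    // Compare money as integer cents, never as floats or raw strings.
    $paidCents = (int) round(((float) ($ipn['mc_gross'] ?? 0)) * 100);
    $expectedCents = $item['unit_price_cents'] * (int) $qty;
    if ($paidCents !== $expectedCents) {
        $problems[] = "amount mismatch: paid $paidCents, expected $expectedCents";
    }
    if (($ipn['mc_currency'] ?? '') !== $item['currency']) {
        $problems[] = 'currency mismatch';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $merchantEmail) !== 0) {
        $problems[] = 'payment sent to a different account';
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment not completed';
    }
    if (in_array($ipn['txn_id'] ?? '', $seenTxnIds, true)) {
        $problems[] = 'txn_id already processed';
    }
    return $problems;
}

// Constructed IPN where the buyer edited the hidden amount field from 100.00 to 1.00.
$tampered = ['item_number' => 'SKU-1001', 'quantity' => '1', 'mc_gross' => '1.00',
    'mc_currency' => 'HKD', 'receiver_email' => 'firstname.lastname@example.org',
    'payment_status' => 'Completed', 'txn_id' => 'TXN-NEW-2'];
print_r(checkIpn($tampered, $catalog, $seenTxnIds, $merchantEmail));
```

The order should be marked paid only when the returned list is empty.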
@y2kbug - I have looked into this in great detail, including using the PayPal button encryption methods mentioned on their site, but I am convinced that PayPal has recognized this ‘flaw’ and no longer allows custom variables to be passed by custom wrappers. I have been on the phone with their support for hours on end and the ‘suggestions’ their “developer” comes up with are mind-numbing.
The truth is they DO NOT want you to use WPS. Why would they? For custom integrations, they want you to upgrade and be subject to WPP fees. It is a total scam and I have never dealt with a more shady group.
That being said, for very simple one-off payments - it is a good system.
There is a reason eBay bought them, people.