PHP CURL to Paypal Website Payments Standard

y2kbug · August 23, 2010, 8:33am

Website Payments Standard of Paypal instructs me to add a HTML form to submit data to Paypal. However, users can modify the hidden fields easily. I think this is a security issue. I have made the following code, but I can see no response after executing it.


$POSTURL = 'https://www.sandbox.paypal.com/cgi-bin/webscr';
$array_postvars[] = 'cmd=_xclick';
$array_postvars[] = 'business=abcde@abcde.com';
$array_postvars[] = 'item_name=TESTING';
$array_postvars[] = 'amount=100.00';
$array_postvars[] = 'currency_code=HKD';
$array_postvars[] = 'button_subtype=services';
$array_postvars[] = 'no_note=0';
$array_postvars[] = 'bn=PP-BuyNowBF:classicplus.png:NonHostedGuest';

$ch = curl_init();
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, implode('&', $array_postvars));
curl_setopt($ch, CURLOPT_URL, $POSTURL);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 5.01; Windows NT 5.0)');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
/*
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
*/
curl_exec($ch);

How to post the form using PHP CURL?

bishwadeepkc · August 23, 2010, 12:16pm

Hi,
You have missed the code to get the result from the curl


$result = curl_exec($ch);
print_r($result);

Here are some usefull links, hope this might be usefull to you.
http://stackoverflow.com/questions/1776827/php-curl-paypal-sandbox
http://curl.phptrack.com/forum/viewtopic.php?p=9643&sid=5cc0c394df6efcf73772273846430fbe

y2kbug · August 24, 2010, 2:43am

bishwadeepkc:

Hi,
You have missed the code to get the result from the curl
$result = curl_exec($ch);
print_r($result);
Here are some usefull links, hope this might be usefull to you.
http://stackoverflow.com/questions/1776827/php-curl-paypal-sandbox
http://curl.phptrack.com/forum/viewtopic.php?p=9643&sid=5cc0c394df6efcf73772273846430fbe

The last thread in second links says:
“You can’t redirect customer to paypall after posting the data by curl. Because paypall will use the client session and you can’t manage it bye posting.”

That means we have to put the variables onto a HTML form, and submit it by browser? Then, how to prevent users editing the fields before submitting? That’s quite a problem…

hash · August 24, 2010, 7:52am

You can create encrypted forms on paypal https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_encryptedwebpayments (might help)

But really, you should check the values posted to your IPN against what they should be. Check the item_number, quantity and total against what your db says that should cost etc.

jmarston4 · August 24, 2010, 3:13pm

@y2kbug - I have looked into this great detail included using the paypal button encryption methods mentioned on their site but I am convinced that PayPal has recognized this ‘flaw’ and no longer allows custom variables to be passed by custom wrappers. I have been on the phone with their support for hours on end and the ‘suggestions’ their “developer” come up with are mind-numbing.

The truth is they DO NOT want you to use WPS. Why would they? For custom integrations, they want you to upgrade and be subject to WPP fees. It is a total scam and I have never dealt with a more shady group.

That being said, for very simple one-off payments - it is a good system.

There is a reason eBay bought them people.