PayPal 'Buy Now' Integration

[calguy1000]

When creating a paypal 'buy now' button in your merchant account, you can specify a return url, and a cancel url.

By putting in a url like:  http://www.mysite.com/index.php?page=mypaypalreturnpage (note, internal pretty urls won't work here), you can then trap the status information, the transaction ID and whatever other information Paypal sends back either via GET or via POST.

Here's my simple little test page that displays the result information:

Code: Select all

<table>
{foreach from=$smarty.request key='key' item='value'}
<tr>
   <td>{$key}</td><td>{$value}</td>
</tr>
{/foreach}
</table>

and here's what it output:

page test_return
tx 7BF799858W276125D
st Completed
amt 20.00
cc CAD
cm
item_number
sig K64sVryvATBv/nd6eZcPuR0aQZC3Fcl1Hh/o112gYNfAyXeopAmOlwgrCOpo5Fe0AnAzpHtFeY1Ungw6+j/kgvaupTEMOOXMmmtDpoHwAk7iB3KOikOsrRLDFkfDSVJgxvcRi05fQhTTLHqNW/iiaLJIfdqWOBOex/bpA1GtOJE=
CMSSESSIDdf3a8d9c 46h0cm948uii8l3i2qdihu7sc6
__utma 242930624.216378756.1206634449.1206634449.1206634449.1
__utmc 242930624.1
__utmz 242930624.1206634449.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
CMSSESSID548057e9 vp39dv039u0hnednmo36550kn7


Notice the status, the amount, signature and other variables that are availalbe for doing certain logic.

i.e:  You could put some logic like this into your return page

Code: Select all

{if isset($smarty.get.st) && $smarty.get.st == 'Completed'}
   Thank you very much, your order will be processed within the next one to two business days
{else}
   Was there a problem with your transaction?
{/if}

I thought somebody might find this quick and easy integration handy.

Next I'm gonna work with the link that you can also get when creating a button, and see if I can integrate that with formbuilder.

[Nullig]

This is terrific. Thanks.

Nullig

[calguy1000]

Okay, followup.

I wanted to be able to create a form in formbuilder to collect some information for 'subscribers'.... stuff like name, phone number, address, etc, etc.  and have that emailed,and I wanted that to automatically redirect to paypal for payment purposes.  Then I wanted to be able to display a nice warm fuzzy message to people when it was done, and/or trap the status code.

Well, I got it.

I used formbuilder's contact form as an example and followed these steps:
1) Create a new 'buy now' button in paypal, and specified the return page
    Paypal gives you two bits of data:
      a) the button code, for this example I disregarded it
      b) some link text.

2) Created a new udt called paypal_buynow that looks like this:

Code: Select all

$url='thebighugelongurlthatpaypalprovidedallononelinenocarriagereturns';
redirect($url);

3) I edited the formbuilder contact form and added a new field 'Call User Defined Tag ....'
    I gave this field a name
    and selected the paypal_buynow udt I created in step 2

4) I embedded the formbuilder form into one of my test pages, as per the example tag given in the formbuilder admin

----
Then the test
---

After completing the form and hitting submit, I was redirected to paypal (in this case the sandboxtest environment) where I could login, and complete the transaction.  After which I was automatically redirected to my status page where the information above was displayed.

5) I checked my email, and sure enough I got the email from formbuilder.  It didn't have any of the paypal information in it though, and this was expected.

5) I proceeded to do the dance of joy

This means that simple paypal integration can be done on any page, with formbuilder, or even without using formbuilder at all, a simple form inline in a page is all that's needed.

I'm sure with some time and some playing I could get the paypal cart stuff working too, but eh, that's for another day.

Enjoy.

[calguy1000]

As a third followup:

I now know it's possible to integrate the technique illustrated here http://forum.cmsmadesimple.org/index.php/topic,19525.msg95911.html#msg95911

with the above paypal udt and smarty knowledge to program in smarty (well except for a very small udt)... a complete payment mechanism.  No formbuilder necessary.

[Nullig]

Excellent. This is the answer to a lot of users' requests.

nullig

[calguy1000]

Well, it's not a complete functioning e-commerce solution, but for the site that sells say a half dozen products, it's a reltively elegant solution.

I needed this solution for magazine subscriptions.

[kazkas]

The only problem is that you are not verifying returning info with the paypal, so it might be that someone (like me just looks at the paypal button code, finds a return page address, creates a simple php script which imitates a paypal's returnurl request, and thus then imitates paypal payments without even going to paypal, or pays for example $10 in paypal, and then manually sends $20 to your return page.

Of course, it is nothing bad if you are doing stuff by hand, checking the paypal site for correct payment first and then shipping the things user paid for. But if someone will do that for fully automatic processes - it might be an issue.

[calguy1000]

Yes, this solution is only really good for a process that is manually validated.

I am thinking that I will do a bit more work with a UDT that stores the form information in session variables, and sends a unique code to paypal to hopefully send back on the link.

Then on the confirm page some validation could happen... but it's still not foolproof.  Ideally we'll have an IPN module available soon and we'll be able to solve this problem permanently.

[calguy1000]

Okay, here's the latest update:

In order to provide some security in the flow, I've now changed my paypal redirection URL a little bit to use a random number, and a salt to generate a code that is then sent in the 'custom' field on the paypal request.  Also, the random number is saved in the session along with all of the other form details.

When the paypal request completes, the return page is executed, that then uses the random number stored in the session, and the salt to re-generate the code.  That is then compared with the data received from paypal to see if it is the same request and to perform some minor security checks.

Here's my paypal redirect UDT (again this is called from the formbuilder module after the form is completed):

Code: Select all

$salt = 'topsecretcode_changeme';
$number = rand(1000,99999);
$code = md5($salt.$number);

$url = 'https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_xclick&business=calguy_1206729472_biz%40hotmail%2ecom&item_name=Widget&amount=20%2e00&no_shipping=1&return=http%3a%2f%2fsvr%2etechcom%2edyndns%2eorg%2fcms_test%2fsvn%2findex%2ephp%3fpage%3dtest_return&cancel_return=http%3a%2f%2fsvr%2etechcom%2edyndns%2eorg%2fcms_test%2fsvn%2findex%2ephp%3fpage%3dtest_return&no_note=1&currency_code=CAD&lc=CA&bn=PP%2dBuyNowBF&custom='.$code.'&charset=UTF%2d8';

$params['custom'] = $number;
$_SESSION['ppbn'] = $params;

redirect($url);

Here's the other UDT that checks the code:
// This salt string is ultra secret and must match the one specified in the paypal button UDT.

Code: Select all

$salt = 'topsecretcode_changeme';

if( isset($params['code']) )
{
   $test = md5($salt.$params['code']);
}

$result = 0;
if( !isset($params['testval']) )
{
   $result = 0;
}

if( $test != $params['testval'] )
{
   $result = 0;
}

$result = 1;
if( isset($params['assign']) )
{
    global $gCms;
    $smarty =& $gCms->GetSmarty();
    $smarty->assign($params['assign'],$result);
    return;
}

return $result;

And here's the page logic I use to check it:

Code: Select all

{if isset($smarty.session.ppbn) && isset($smarty.request.cm)}
    {check_code testval=$smarty.request.cm code=$smarty.session.ppbn.custom assign='tmp'}
    {if $tmp == '1'}
        <h3>Code Matched</h3>
    {/if}
{/if}

[calguy1000]

Using the above logic, I am now able to implement this workflow:

a) User fills out formbuilder form
    1) Results are stored in the database
    2) User is forwarded to paypal for payment

b) Paypal redirects back to a 'return page' specified by me
    (this could be the same page as the formbuilder page)

c) A message is displayed if the transaction did not complete

d) An email is sent (using NMS 2.1) to pre-selected administrators with complete information from formbuilder
    plus the paypal transaction information.

e) User gets a nice warm fuzzy message

And it's done in a relatively secure method so that people can't easily spam the site or enter incorrect information

[Pierre M.]

Very nice !-)

I like "random" security solutions : crackers (and security experts) can find structural design flaws but it is difficult for them to guess one time random numbers.

Pierre

PS : Calguy, slow down on this, you are delaying 2.x

[Pierre M.]

(hmmmm... unless the design flaw is in the random number generator, of course, hehe...)

[dmgd]

calguy Thanks! Very nice

I do have a question.  The check_code udt goes through a series of if statements and if the var is not set result is assigned 0.  Then after all that result is set to 1.  Am I missing something?

$salt = 'topsecretcode_changeme';

if( isset($params['code']) )
{
  $test = md5($salt.$params['code']);
}

$result = 0;
if( !isset($params['testval']) )
{
  $result = 0;
}

if( $test != $params['testval'] )
{
  $result = 0;
}

$result = 1;  ***** Doesn't this over ride the privious if statements? ******
if( isset($params['assign']) )
{
    global $gCms;
    $smarty =& $gCms->GetSmarty();
    $smarty->assign($params['assign'],$result);
    return;
}

return $result;

[climberusa]

Calguy, Would you be willing to share with us how you used NMS to grab the paypal invoice information and the formbuiler information? That's where I'm stuck. thanks for all of this!

[Rednes]

Thx for this!

needed the formdetails in session part.