2

I was working with Spring MVC + PayPal payment and found out what stupid code I've written (although it is working fine). I'm using a PayPal form that submits data like amount, item name, success URL, cancel URL etc. to PayPal for the payment. It contains hidden fields to send the data, and as we all know, hidden fields are not hidden any more :)

Anybody can right-click on the form, use Inspect Element and change the value of the amount. Also, when I've done the payment, I have to click the "Return back to ...." link to get back to my page, where I cannot read any data returned by PayPal about the transaction.

So I would like to ask if there is another workaround, like: before I move to the PayPal page, I get some token using my API key, and after the payment is done, PayPal auto-redirects back to my URL (I don't have to click "Return ...") and I can validate the transaction thereafter.

I tried and was able to find some code using Google, but all of them are paying with their own account.

In my application, the client has to enter their PayPal account information when they reach the PayPal page.

Waiting eagerly for a reply, thanks & regards

If you require code, I will post my form code too, but I know it is not a good technique using form & session for payment.

Ashutosh
  • I found this URL to be useful: http://stackoverflow.com/questions/14843212/submit-form-via-curl-and-redirect-browser-to-paypal But the answer by "Frits van Campen" that sending data is insecure should be correct; any link or example about token payment? – Ashutosh Jan 17 '14 at 17:13

2 Answers

6

I wouldn't know how to do it exactly in Spring MVC (as I'm PHP oriented), but in general this workflow is independent of the language used. Basically, you would use the PayPal API, which does things on the server side, away from your users.

That said, you would need to have some "Pay now" button which redirects the user to another page (controller/action, since you're working with MVC) on your site which does the following:

  1. initiate the SetExpressCheckout API call with the payment info (description, total amount, currency etc.), where you should also specify 2 URLs: returnURL (the page to which the user will be redirected from PayPal in case he authorizes the payment) and cancelURL (the page to which the user will be redirected from PayPal in case he cancels the authorization)
  2. as a successful response from PayPal you'd receive some data along with a redirectURL field, the URL to which you should redirect your user to PayPal so he can authorize the payment
  3. at this point you redirect the user to the given URL
  4. after the user has authorized the payment, he will be taken to returnURL.

When the user gets redirected back to your website, PayPal will append a token parameter, which you can further use to verify and complete the payment using the GetExpressCheckoutDetails and DoExpressCheckoutPayment API calls. Basically, everything happens on the server side, so pretty much you're safe from tampering on the client side.

Yes, users would be able to modify the token once they're redirected back to your website, but there is no point in doing so. After you call the GetExpressCheckoutDetails API, you can check if the call was successful or not and act accordingly.

UPDATE

In the PayPal documentation you can find various examples and use cases, so I would suggest you take a look there, especially: this (if you want to process payments immediately), or this (if you want to process payments later, let's say after a few days).

Please note that PayPal has two versions of the API: Classic (older, more thorough, a little bit hard to start with) and REST (newer, easier to grasp, but still lacking some advanced use cases). But in any case, the links I gave you above should help you understand how Express Checkout works.

choxnox
  • Thanks techno.plug, I was hoping for this. I added PayPal in my POM but am looking for some link or tutorial or example to check out the PayPal SDK Express Checkout; it would be a great help if you could give me a link – Ashutosh Jan 18 '14 at 05:26
  • Please check the updated answer. It should give you a picture of how initiating an Express Checkout payment works. – choxnox Jan 18 '14 at 06:16
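The four-step flow described in this answer, written out as an added example (it is not code from the question, the answer or PayPal's SDK, and it is language-neutral so it maps onto two Spring MVC controller actions just as well). The three Classic NVP methods, their parameter names and the sandbox endpoints are PayPal's documented Classic API; the in-memory order store, the pending-token table, the API version string and the `fake_paypal` transport that stands in for the sandbox so the flow runs offline are assumptions made here. The security-relevant points the answer makes are enforced explicitly: the amount comes from the server-side order record and never from the form, the token returned on `returnURL` is only accepted if this server issued it, what PayPal reports in GetExpressCheckoutDetails is compared against that record before DoExpressCheckoutPayment is issued, and a token is consumed once so a replayed return URL is rejected.

```python
"""Server-side PayPal Express Checkout (Classic NVP) flow.

Added example, not code from the question, the answer or PayPal's SDK.
API method/parameter names and sandbox URLs are PayPal's Classic API;
ORDERS, PENDING, the VERSION string and fake_paypal are assumptions.
"""
from decimal import Decimal
from urllib.parse import urlencode, parse_qs
import urllib.request

API_URL = "https://api-3t.sandbox.paypal.com/nvp"            # sandbox NVP endpoint
REDIRECT_URL = "https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token="

# Assumed server-side order store: the amount lives here, never in a hidden form field.
ORDERS = {"order-42": {"amount": Decimal("19.99"), "currency": "USD", "paid": False}}
PENDING = {}  # token -> order_id, written at SetExpressCheckout, consumed exactly once


def http_transport(params):
    """Real transport: POST the NVP request to PayPal and parse the NVP reply."""
    body = urlencode(params).encode()
    with urllib.request.urlopen(API_URL, body, timeout=30) as resp:
        return {k: v[0] for k, v in parse_qs(resp.read().decode()).items()}


class ExpressCheckout:
    def __init__(self, creds, transport=http_transport):
        self.creds = creds            # USER, PWD, SIGNATURE from your API credentials
        self.transport = transport

    def call(self, method, **fields):
        params = dict(self.creds, VERSION="109.0", METHOD=method, **fields)  # version assumed
        reply = self.transport(params)
        if reply.get("ACK") not in ("Success", "SuccessWithWarning"):
            raise RuntimeError(f"{method} failed: {reply.get('L_LONGMESSAGE0', reply)}")
        return reply

    def start(self, order_id, return_url, cancel_url):
        """Steps 1-3: SetExpressCheckout with the server-held amount; return the redirect URL."""
        order = ORDERS[order_id]
        reply = self.call("SetExpressCheckout",
                          PAYMENTREQUEST_0_PAYMENTACTION="Sale",
                          PAYMENTREQUEST_0_AMT=str(order["amount"]),
                          PAYMENTREQUEST_0_CURRENCYCODE=order["currency"],
                          RETURNURL=return_url, CANCELURL=cancel_url)
        PENDING[reply["TOKEN"]] = order_id          # remember which order this token belongs to
        return REDIRECT_URL + reply["TOKEN"]

    def finish(self, token, payer_id):
        """Step 4: on return (?token=...&PayerID=...), verify against our record, then execute."""
        order_id = PENDING.get(token)
        if order_id is None:
            raise ValueError("unknown or already-used token")   # tampered or replayed return URL
        order = ORDERS[order_id]
        details = self.call("GetExpressCheckoutDetails", TOKEN=token)
        if details.get("PAYERID") != payer_id:
            raise ValueError("PayerID does not match the checkout")
        if (Decimal(details["PAYMENTREQUEST_0_AMT"]) != order["amount"]
                or details.get("PAYMENTREQUEST_0_CURRENCYCODE") != order["currency"]):
            raise ValueError("amount/currency reported by PayPal differ from our order")
        done = self.call("DoExpressCheckoutPayment", TOKEN=token, PAYERID=payer_id,
                         PAYMENTREQUEST_0_PAYMENTACTION="Sale",
                         PAYMENTREQUEST_0_AMT=str(order["amount"]),   # charged amount is ours
                         PAYMENTREQUEST_0_CURRENCYCODE=order["currency"])
        status = done.get("PAYMENTINFO_0_PAYMENTSTATUS")
        if status != "Completed":
            raise RuntimeError(f"payment not completed: {status}")
        del PENDING[token]                          # one-shot token
        order["paid"] = True
        return done["PAYMENTINFO_0_TRANSACTIONID"]


def fake_paypal(params, amount="19.99"):
    """Constructed stand-in for the PayPal sandbox; every reply below is made up for the demo."""
    m = params["METHOD"]
    if m == "SetExpressCheckout":
        return {"ACK": "Success", "TOKEN": "EC-TESTTOKEN0001"}
    if m == "GetExpressCheckoutDetails":
        return {"ACK": "Success", "TOKEN": params["TOKEN"], "PAYERID": "PAYER123",
                "PAYMENTREQUEST_0_AMT": amount, "PAYMENTREQUEST_0_CURRENCYCODE": "USD"}
    if m == "DoExpressCheckoutPayment":
        return {"ACK": "Success", "PAYMENTINFO_0_PAYMENTSTATUS": "Completed",
                "PAYMENTINFO_0_TRANSACTIONID": "TX0001"}
    return {"ACK": "Failure", "L_LONGMESSAGE0": "unknown method"}


def demo():
    ec = ExpressCheckout({"USER": "u", "PWD": "p", "SIGNATURE": "s"}, fake_paypal)
    url = ec.start("order-42", "https://shop.example/paypal/return", "https://shop.example/paypal/cancel")
    txn = ec.finish("EC-TESTTOKEN0001", "PAYER123")   # values PayPal would append to returnURL
    return url, txn


if __name__ == "__main__":
    print(demo())
```

In a Spring MVC application `start` is the handler behind the "Pay now" button (it returns a `redirect:` to the URL), `finish` is the handler mapped to `returnURL`, and `PENDING` would be a database table rather than a dict. Note that the amount checked in `finish` is only a sanity check on what PayPal echoes back; the amount actually charged is the one the server passes to DoExpressCheckoutPayment, so a user who edits anything in the browser can at most cause the checkout to be refused.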
0

I solved it with the help of this URL:

https://developer.paypal.com/docs/classic/api/apiCredentials/

Ashutosh
  • A link to a potential solution is always welcome, but please [add context around the link](//meta.stackoverflow.com/a/8259) so your fellow users will have some idea what it is and why it’s there. Always quote the most relevant part of an important link, in case the target site is unreachable or goes permanently offline. Take into account that being *barely more than a link to an external site* is [a possible reason for your answer to be deleted](//stackoverflow.com/help/deleted-answers). – Андрей Беньковский Dec 12 '16 at 21:42