I have a website (built in Laravel) that allows merchants with a PayPal account to sell their items, which is similar to eBay with no cart function. However, I have an issue integrating PayPal into my website, as I do not know what the best way is to ensure the data are correct. I have thought of the following methods to implement, but none of them looks good to me.

  1. Using JavaScript button

    <script src="/js/paypal-button.min.js?merchant=MERCHANT_EMAIL"
            data-button="buynow"
            data-name="My product"
            data-amount="1.00"
            async
    ></script>
    

    This is not secure, as any user can tamper with the details of the order, such as the price, and there is no way to prevent this.

  2. Using HTML form

    <form method="post" action="https://www.paypal.com/cgi-bin/webscr" class="paypal-button" target="_top">
        <div class="hide" id="errorBox"></div>
        <input type="hidden" name="button" value="buynow">
        <input type="hidden" name="item_name" value="My product">
        <input type="hidden" name="amount" value="1.00">
        <input type="hidden" name="cmd" value="_xclick">
        <input type="hidden" name="business" value="MERCHANT_EMAIL">               
        <input type="hidden" name="env" value="www">
        <button type="submit" class="paypal-button large">Buy Now</button>            
    </form>
    

    This method also has the same issue as method 1, as the user can change the values in the form before submitting the order.

  3. Using PayPal Hosted Button

    By far, I think this is one of the secure ways to integrate a PayPal Pay button into my website. But I cannot dynamically change the item details and price on my website, as the button is hosted on PayPal.

  4. Using PayPal IPN

    PayPal IPN is used to validate the payment details after the payment is made by the user. As each merchant has a different PayPal account, I could not configure the IPN URL for each of their accounts. So passing the `notify_url` variable while submitting the payment form is necessary to make sure all the payment details are sent and returned to my dedicated IPN URL.

    I searched online and found that most people are using this method to detect fraudulent payments, but I think this is only suitable for payments to a single PayPal account rather than to dynamic merchants' PayPal accounts. If I pass the `notify_url` variable in the HTML form, the user can still tamper with the value, which leads to a failure to validate the payment details because the IPN URL is invalid or tampered with, and in the end the result would be either Payment Pending or Payment not received, as I couldn't validate the payment details.

Is there a good solution or suggestion to my problem?

Woody
  • Please read the warning part http://stackoverflow.com/a/14843758/5816907 – Chay22 Jul 23 '16 at 12:51
  • I have read that post before I posted the question. As I am using `notify_url` in the form due to dynamic merchant PayPal accounts, how do I prevent the user from changing the value of `notify_url`? – Woody Jul 24 '16 at 08:31
  • I would recommend using the Express Checkout APIs instead of Payments Standard. This will mask all payment request data because it's sent as an API/HTTP request instead of a simple form post. This [PayPal class library](https://github.com/angelleye/paypal-php-library) supports all of the APIs and works great with Laravel via Composer. – Drew Angell Jul 26 '16 at 03:20
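
An added example, not code from the question, the comments or PayPal: one way to catch a tampered form on the server is to save the order when the button is rendered and compare the IPN fields against that record before marking it paid, so an order whose IPN never arrives simply stays unpaid. The order schema, the use of the `custom` field to carry the order id, the function name and all sample values are assumptions, and the message is assumed to have already been confirmed by posting it back to PayPal with `cmd=_notify-validate`.

```php
<?php
// Added example: all order data and IPN values below are constructed.

/**
 * Compare an IPN message with the order stored server-side when the buy
 * button was rendered. Returns a list of mismatches; empty means it matches.
 * Assumes $ipn was already confirmed genuine by posting it back to PayPal
 * with cmd=_notify-validate and receiving "VERIFIED".
 */
function ipnMismatches(array $ipn, array $order, array $seenTxnIds): array
{
    $errors = [];
    // Compare money as integer cents to avoid float equality problems.
    $cents = fn($v) => (int) round(((float) $v) * 100);

    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $errors[] = 'payment not completed';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $order['merchant_email']) !== 0) {
        $errors[] = 'paid to a different PayPal account';
    }
    if ($cents($ipn['mc_gross'] ?? 0) !== $cents($order['amount'])) {
        $errors[] = 'amount differs from stored price';
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        $errors[] = 'currency differs';
    }
    if (in_array($ipn['txn_id'] ?? '', $seenTxnIds, true)) {
        $errors[] = 'transaction already processed';
    }
    return $errors;
}

// Order row as saved by the site (hypothetical schema), keyed by the id
// that was sent to PayPal in the "custom" field.
$orders = [
    'ORD-1001' => ['merchant_email' => 'merchant@example.com', 'amount' => '1.00', 'currency' => 'USD'],
];

// Constructed IPN in which the amount no longer matches the stored price.
$ipn = [
    'custom' => 'ORD-1001', 'payment_status' => 'Completed',
    'receiver_email' => 'merchant@example.com',
    'mc_gross' => '0.01', 'mc_currency' => 'USD', 'txn_id' => 'TXN-CONSTRUCTED-1',
];

$order = $orders[$ipn['custom']] ?? null;
$errors = $order === null ? ['unknown order'] : ipnMismatches($ipn, $order, []);
echo $errors ? 'REJECT: ' . implode('; ', $errors) . PHP_EOL : 'Mark order paid' . PHP_EOL;
```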

0 Answers