0

I'm writing a web app where people can download PDFs unique to them.

I want to use PayPal to allow buyers to enter payment (as comprehensive as possible) without leaving my page, and then to be sent to my PHP script which will receive an ID variable in order to deliver their unique PDF.

For this, I'm trying to work out which PayPal technologies would be appropriate.

I get the impression (possibly incorrect) that "PayPal Express Checkout" enables payment without leaving my page, but I don't know the ancillary technologies that allow the passing of the unique ID variable through this, to redirect to the PDF-generator script. I'm also reviewing "Direct Payments" if this is relevant.

I have a PayPal business account, with a sandbox account set up.

Any general guidelines hugely appreciated.

imagina

2 Answers

1

I'm working on basically the exact same thing right now. Yes, Express Checkout is the way to go; there are 3 main ways to use Express Checkout: https://developer.paypal.com/docs/integration/direct/express-checkout/integration-jsv4/set-up-a-payment/

You'll want to go with the Server-side REST setup. Take a look at their demo page here https://developer.paypal.com/demo/checkout/#/pattern/server

In a nutshell, the flow you'll want to look at is:

1.) User lands on the payment page

2.) User clicks one of the payment buttons

3.) #2 triggers your php page, CREATE_URL (see the demo)

4.) Your CREATE_URL php will need to use the paypal REST API to create a payment. You'll likely want the intent to be sale but there are three options (sale, authorized payment, or order)

5.) Once a payment is created, a box pops up which allows the user to make the payment

6.) If the user makes the payment ("authorizes" in paypal terms), you then need to execute the payment. Your EXECUTE_URL php page is triggered

7.) On your EXECUTE_URL php page, you execute the payment again using paypal's REST API. Assuming the payment is successful and the status = completed (meaning, the funds were actually transferred from the user's account to your paypal business account) then you can return the unique download id back to the client's browser

A few important notes:

  • There's quite a bit of error handling involved, and paypal docs are horrid. Create payment can fail, user might not authorize the payment, execute payment may fail, etc.
  • Just because the payment is executed does not mean the funds have been transferred to your account yet. The user may have used an eCheck or other funding instrument that may take a day or two to complete. You need to inspect the status value of the sale to determine this
  • You'll also want to set up a listener URL and a webhook, so that you'll be notified of payments which do not complete instantly

It's....taking awhile to get this done in a solid fashion. If PayPal's docs were better, I would've been done a day ago. Good luck.

KayakinKoder
  • Thanks. I'm nearly there. I only need to simulate a transaction error in the sandbox now to see if my error handling works - tricky one.. – imagina Mar 22 '18 at 12:07
  • @imagina glad this helped, please accept the answer if it did. https://developer.paypal.com/docs/api/nt-rest/ is all I've really found in terms of error testing – KayakinKoder Mar 22 '18 at 16:09
  • I'm digesting your reply, for which many thanks, but I found a different way to do it using PayPal Express Checkout with checkout.js and query string redirect_urls – imagina Mar 22 '18 at 20:43
  • @imagina query string redirects with express checkout are deprecated, meaning you should not use that method – KayakinKoder Mar 22 '18 at 21:00
  • Deprecated in that it won't be a method which will last? I will try the method you outline, though at this stage I'm a bit confused as to what's required by the CREATE_URL and EXECUTE_URL PHP scripts/pages. – imagina Mar 22 '18 at 21:45
  • @imagina yes. To be honest, if you aren't sure how to pass variables between php/js, this is not something you should do on your own. Using APIs to facilitate and keep track of payments is not trivial. – KayakinKoder Mar 22 '18 at 22:36
  • I’m sure I’m capable of doing that. I simply meant I’m not sure what the purpose/logic of those two PHP pages is. – imagina Mar 23 '18 at 05:02
  • The Paypal documentation seems nightmarish and almost deliberately obfuscating. My redirecting method, if apparently 'deprecated', at least has the virtue of working right now. What catastrophe is likely to happen down the line with the 'deprecated' thing if I continue with my working method? – imagina Mar 23 '18 at 11:46
  • @imagina here's a good answer to that: https://stackoverflow.com/a/8111799/3650835 I'd base the risk assessment on how important the project is; if this is for a live production website in a company, I'd definitely not use a deprecated feature. If this is for an ebook .pdf that you are selling on the side and don't necessarily expect tons of money from, then maybe the risk of payments breaking for awhile isn't a big deal to you. Just depends on your use case. – KayakinKoder Mar 23 '18 at 15:51
0

If you aren't familiar with how php and js can communicate, you may give this a try (it's easier to set up than the server-side REST), although I would recommend hiring a developer who knows the Paypal API well.

Paypal Express Checkout - Client-side REST https://developer.paypal.com/docs/integration/direct/express-checkout/integration-jsv4/client-side-REST-integration/

When the user has finished paying, line 47 of your code will run (line 47 of this demo: https://developer.paypal.com/demo/checkout/#/pattern/client). When that happens, you can call a php script using AJAX; that php script should return the unique id. You can then use javascript to redirect the user.

Important Note: A very simple/basic hacker could get access to your pdf without paying, as nothing in javascript on the client is secure.

KayakinKoder
  • Hey I managed to do this method! Thank you! Except I'm stuck at redirecting the user to my PHP page afterwards with the unique ID (which is already there in the payment page) – imagina Mar 23 '18 at 19:31
  • @imagina good to hear. You can use javascript to redirect them: https://stackoverflow.com/questions/503093/how-do-i-redirect-to-another-webpage – KayakinKoder Mar 23 '18 at 19:43
  • I managed to implement this method, but I don't think I should use it because, as I pass the ID of the unique customer product as a name-value pair in the query string of the redirect URL, the receiving script and product can always be accessed by using its address with the ID copied from the source code of the payment page. There seems no way of passing an identifying variable to the receiving script which isn't specified in the payment page source code. Also, anyone can just copy the source code and change the price. So maybe I'll have to try to understand the server-side REST method :( – imagina Mar 27 '18 at 13:11
  • @imagina As far as passing the unique id of the product what you could do is, using an ajax call, get the unique id of the product *after* the payment has completed. Having it in the source when the payment page loads, as you know, makes it possible for anyone to get it easily, so get it after payment is completed. But yes you've noticed the bigger issue, anyone can easily copy the source and change the price. With either server or client side actually, you need your php (server) code to do this: verify that the amount the user paid is the correct amount, *before* giving them the unique id – KayakinKoder Mar 27 '18 at 13:46
  • And to do that 100% securely you need to either make an api call *to* paypal, using the payment id of the payment, and examine the `amount` of the sale. Or, using incoming webhooks, verify the same info https://developer.paypal.com/docs/integration/direct/webhooks/ (note that with webhooks you also have to verify that the webhook message came from paypal, as these messages can be easily spoofed) – KayakinKoder Mar 27 '18 at 13:48
  • I see various ways of calling a PHP echo with ajax but what is the best for inclusion in the PayPal js (after, I guess, the `window.alert('Payment Complete!');` line)? – imagina Mar 27 '18 at 15:32
  • @imagina yes, after they have completed payment. But again as you noted, there is no way you can be sure with this flow that the person did not change the price to $1 and pay that amount. Also, you have to consider eChecks and other forms of payment which do not complete instantly; these can take a few days to complete. – KayakinKoder Mar 27 '18 at 15:46
  • I think I may be able to verify the amount paid, but before that I find no way of calling my PHP script with AJAX that works. – imagina Mar 27 '18 at 16:36
  • @imagina ajax and php are really commonly used, you should be able to find the answer to any questions about that here on stackoverflow. If not, open a new stackoverflow question :) – KayakinKoder Mar 27 '18 at 17:03
  • I did here, but no-one seems to know, or maybe I described it wrongly – imagina Mar 28 '18 at 12:52
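
The server-side check that both answers and their comments point to (confirm the sale's amount and status before returning the download ID), as an added example that is not code from either answer or from PayPal. It assumes `$payment` is the decoded JSON the server received from PayPal's v1 Payments API when executing or fetching the payment; `check_payment`, the `$order` record and all sample values are hypothetical and constructed.

```php
<?php
// Added example. $order is a hypothetical server-side record saved when the
// payment was created (CREATE_URL); nothing in it comes from the browser.

/** @return array [bool $release, string $reason] */
function check_payment(array $payment, array $order): array
{
    // The payment must be the one this order created.
    if (($payment['id'] ?? '') !== $order['payment_id']) {
        return [false, 'payment id does not match this order'];
    }
    if (($payment['state'] ?? '') !== 'approved') {
        return [false, 'payment not approved'];
    }
    $sale = $payment['transactions'][0]['related_resources'][0]['sale'] ?? null;
    if ($sale === null) {
        return [false, 'no sale in response'];
    }
    // Compare what was paid with the price held on the server, in whole cents.
    $paidCents = (int) round(((float) ($sale['amount']['total'] ?? 0)) * 100);
    if (($sale['amount']['currency'] ?? '') !== $order['currency']
        || $paidCents !== $order['price_cents']) {
        return [false, 'amount or currency does not match the order'];
    }
    // eCheck and similar funding sources leave the sale pending for days.
    if (($sale['state'] ?? '') === 'pending') {
        return [false, 'sale pending; wait for the verified webhook'];
    }
    if (($sale['state'] ?? '') !== 'completed') {
        return [false, 'sale not completed'];
    }
    return [true, 'ok'];
}

// Constructed sample data, not real PayPal output.
$order = ['payment_id' => 'PAY-EXAMPLE1', 'currency' => 'USD',
          'price_cents' => 999, 'download_id' => 'pdf-abc123'];
$json = '{"id":"PAY-EXAMPLE1","state":"approved","transactions":[{"related_resources":'
      . '[{"sale":{"state":"%s","amount":{"total":"%s","currency":"USD"}}}]}]}';

// Correct payment, a tampered price, and a payment that has not cleared yet.
foreach ([['completed', '9.99'], ['completed', '1.00'], ['pending', '9.99']] as [$state, $total]) {
    $payment = json_decode(sprintf($json, $state, $total), true);
    [$ok, $reason] = check_payment($payment, $order);
    echo $ok ? "release {$order['download_id']}" : "hold: $reason", "\n";
}
```

Only the first sample releases the download ID; the tampered-price and pending cases are held, and the ID itself is read from the server's order record rather than from the payment page.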