I am using Django 1.7 with django-paypal.
I follow the tutorial, everything is working fine.
However, although the payment form is hidden, I found out that a user can tamper with the amount by simply using the browser's Inspect Element feature.
eg.
<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post">
<input id="id_business" name="business" type="hidden" value="xxx#example.com">
<input id="id_amount" name="amount" type="hidden" value="10.0">
<input id="id_item_name" name="item_name" type="hidden" value="2">
<input id="id_notify_url" name="notify_url" type="hidden" value="http://www.example.com/pp/ipn/">
<input id="id_cancel_return" name="cancel_return" type="hidden" value="http://www.example.com/order/21/">
<input id="id_return_url" name="return" type="hidden" value="http://www.example.com/thank-you">
<input id="id_invoice" name="invoice" type="hidden" value="21">
<input id="id_cmd" name="cmd" type="hidden" value="_xclick">
<input id="id_charset" name="charset" type="hidden" value="utf-8">
<input id="id_currency_code" name="currency_code" type="hidden" value="USD">
<input id="id_no_shipping" name="no_shipping" type="hidden" value="1">
<input type="image" src="https://www.sandbox.paypal.com/en_US/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="Buy it Now">
</form>
Is it a bug, or am I missing something here? How do I prevent users from tampering with payments? Should I verify the payment in the IPN view?
The button code you have created is a clear-text button, which is not a hosted button.
In order to secure the button from tampering, I would suggest you create a hosted button.
Steps to create one:
1) Log in to www.paypal.com
2) Navigate to My Profile -> My Selling Tools or My Selling Preferences
3) Click "Update" beside "PayPal buttons"
4) Create a new button and enter all the required information
5) In Step 2, check the box "Save button at PayPal", then click Save
Hosted buttons are stored on PayPal. The parameters associated with this kind of button are secure.
Hosted buttons provide the greatest flexibility because you can instruct PayPal to change them dynamically, and PayPal maintains information about their state, such as the inventory level associated with the button.
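Whatever button type is used, the amount, currency and receiving account reported by PayPal must be cross-checked against the order stored on the server before the order is marked paid, because every hidden field in the form above can be edited in the browser. The following is an added example, not code from django-paypal or from the poster; it shows the comparison a `valid_ipn_received` signal handler would perform. The order table, the merchant e-mail and the IPN variable values are constructed for illustration; the variable names (`invoice`, `mc_gross`, `mc_currency`, `receiver_email`, `payment_status`) are the standard IPN field names.

```python
from decimal import Decimal, InvalidOperation

# Constructed stand-in for the server-side Order table, keyed by the value
# we put in the form's "invoice" field. Only this record decides what is owed.
ORDERS = {
    "21": {"total": Decimal("10.00"), "currency": "USD"},
}

# Assumed merchant account; the IPN's receiver_email must be this address,
# otherwise the buyer may have redirected the payment to another account.
MERCHANT_EMAIL = "merchant@example.com"


def check_ipn_against_order(ipn, orders=ORDERS, merchant_email=MERCHANT_EMAIL):
    """Compare a (PayPal-verified) IPN with the server-side order.

    Returns a list of problems; an empty list means the order may be marked paid.
    Nothing taken from the IPN is trusted on its own: each value is compared
    with what the server already knows.
    """
    problems = []

    if ipn.get("payment_status") != "Completed":
        problems.append("payment_status is %r, not Completed" % ipn.get("payment_status"))

    if ipn.get("receiver_email", "").lower() != merchant_email.lower():
        problems.append("receiver_email %r is not our account" % ipn.get("receiver_email"))

    order = orders.get(ipn.get("invoice"))
    if order is None:
        problems.append("unknown invoice %r" % ipn.get("invoice"))
        return problems

    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        problems.append("mc_gross %r is not a number" % ipn.get("mc_gross"))
        return problems

    if paid != order["total"]:
        problems.append("mc_gross %s does not match order total %s" % (paid, order["total"]))
    if ipn.get("mc_currency") != order["currency"]:
        problems.append("mc_currency %r does not match order currency %r"
                        % (ipn.get("mc_currency"), order["currency"]))
    return problems


# Constructed IPN messages: one consistent with order 21, one where the buyer
# edited the hidden amount field to 0.01 before submitting the form.
GENUINE_IPN = {
    "payment_status": "Completed",
    "receiver_email": "merchant@example.com",
    "invoice": "21",
    "mc_gross": "10.00",
    "mc_currency": "USD",
    "txn_id": "TXN-CONSTRUCTED-1",
}
TAMPERED_IPN = dict(GENUINE_IPN, mc_gross="0.01")

if __name__ == "__main__":
    print("genuine :", check_ipn_against_order(GENUINE_IPN))
    print("tampered:", check_ipn_against_order(TAMPERED_IPN))
```

In a django-paypal project this function would be called from the handler connected to `paypal.standard.ipn.signals.valid_ipn_received`, which only fires after django-paypal has itself confirmed the message with PayPal; an order is flagged as paid only when the returned list is empty.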
Hi I have a django app hosted on Heroku.
I have a view with the paypal button, which is working and sends me back to my success url. But on the success url I want to display/use my custom variable.
I tried some solutions from StackOverflow already, but I cannot fix it by myself.
URLS
path('match/<int:pk>', MatchDetail, name='match-detail'),
path('match_paid/', MatchPaid, name='match-paid'),
MatchDetail - PayPalButton
The form looks like this:
<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="...">
<input type="hidden" name="custom" id="custom" value="{{match.id}}">
<input type="image" src="https://www.sandbox.paypal.com/de_DE/DE/i/btn/btn_paynow_LG.gif" border="0" name="submit" alt="Jetzt einfach, schnell und sicher online bezahlen – mit PayPal.">
<img alt="" border="0" src="https://www.sandbox.paypal.com/de_DE/i/scr/pixel.gif" width="1" height="1">
</form>
In PayPal I have set the custom variables of my button to:
custom=custom # What is most likely wrong.
Now I want the custom variable to be printed on the return URL 'match_paid/'.
I tried {{custom}}, {{request.custom}} etc.
I have 2 submit buttons in my form.
<input type="submit" value="Save as Draft">
<input type="submit" value="Save">
Basically, what I want to do is: when the user clicks on Save as Draft, it will bring all the form details to _update.cfm (without validating), and when the user clicks on Save, it will proceed to _validate.cfm and then to _update.cfm (validating and updating the database).
HTML:
<cfset tx_name = "">
<cfif isDefined("form.tx_name")>
<cfset tx_name = form.tx_name>
</cfif>
<cfinclude template="_validate.cfm">
<cfif isDefined("form.tx_name")>
<cfinclude template="_update.cfm">
</cfif>
<form name="something">
<input type="text" name="tx_name" value="#tx_name#">
<input type="submit" value="Save as Draft">
<input type="submit" value="Save">
</form>
So basically what the above form does is that, by default, tx_name = "", and when the user types something and submits, it will do all the validation in _validate.cfm and then proceed to _update.cfm to update it.
This is the intended way to work when the user clicks on Save button. However, for Save as Draft, I would like it to skip the _validate.cfm and straight bring all the form field data to _update.cfm.
The following is what I tried:
Attempt 1:
Instead of having <input type="submit" value="Save as Draft">, I used <input type="button" value="Save as Draft" onClick="location.href='_update.cfm';">. This didn't bring the form fields to _update.cfm, and I figured out the reason: it's because it is just redirecting to _update.cfm upon clicking the button.
So this made me think that I really need a submit button (to bring form data to the _update.cfm page).
But here is where I am lost, as I now have 2 submit buttons. One of them is to work with _validate.cfm and the other to work without _validate.cfm.
So how do I go about to make Save as Draft not validate but update and Save to validate and update?
I would go down the road of both buttons having the same name but a different value. I would also use button tags so that I could have better control over the display vs. the value submitted. If the display needs to change, I would then not have to change the processing. Last but not least, I would wrap it so that it only operates on POST.
<cfscript>
// default so the form can render on a plain GET
tx_name = "";
if (cgi.request_method == "post") {
    if (form.keyExists("tx_name")) tx_name = form.tx_name;
    // only the "Save" button goes through validation
    if (form.SaveMode == "Save") include "_validate.cfm";
    if (form.keyExists("tx_name")) include "_update.cfm";
}
</cfscript>
<cfoutput>
<form name="something" method="post">
<input type="text" name="tx_name" value="#tx_name#">
<button type="submit" name="SaveMode" value="Save as Draft">Save As Draft</button>
<button type="submit" name="SaveMode" value="Save">Save</button>
</form>
</cfoutput>
For that you have to add a name to each of the two submit buttons. Using that name we can prevent the _validate.cfm inclusion when the form is submitted by clicking the "Save as Draft" button.
Also, the form method should be POST, so that the form scope will be available on the action page; otherwise it will be available in the URL scope.
<cfset tx_name = "">
<cfif isDefined("form.tx_name")>
<cfset tx_name = form.tx_name>
</cfif>
<cfif isdefined("form.Save")>
<cfinclude template="_validate.cfm">
</cfif>
<cfif isDefined("form.tx_name")>
<cfinclude template="_update.cfm">
</cfif>
<form name="something" method="post">
<input type="text" name="tx_name" value="#tx_name#">
<input type="submit" name="SaveAsDraft" value="Save as Draft">
<input type="submit" name="Save" value="Save">
</form>
I use a hidden form field called action. On the buttons I attach an onClick to change the value of action. On the form's action page I read that value and determine what to do. EX:
<input type="hidden" name="action" value="save" id="action">
<button type="submit" class="button button-basic-green" onclick="document.getElementById('action').value='save';"><span class="fa fa-save"></span> Save</button>
<button type="submit" class="button button-basic" onclick="document.getElementById('action').value='reload';"><span class="fa fa-repeat"></span> Save & Reload</button>
<button type="submit" class="button button-basic" onclick="document.location.href='./';return false;"><span class="fa fa-arrow-circle-o-left"></span> Cancel</button>
I added a PayPal Donate button on my site, with that code
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="business" value="pro-email#gmail.com">
<input type="hidden" name="cmd" value="_donations">
<input type="hidden" name="item_name" value="Donation">
<input type="hidden" name="item_number" value="Donation">
<select name="amount"><option value="2.00">$2.00</option><option value="5.00">$5.00</option><option value="10.00">$10.00</option></select>
<input type="hidden" name="currency_code" value="EUR">
<input type="image" name="submit" border="0" src="https://www.paypal.com/en_US/i/btn/btn_donate_LG.gif" alt="PayPal - The safer, easier way to pay online">
</form>
I want to add and show donors' names or emails with the amount in a list on my website when someone pays. How can I do this?
I would set something like that up using PayPal Instant Payment Notification (IPN).
It will automatically POST data about transactions to a listener script you have on your server. That script can receive the data and load it into a database table called "donors" or whatever you want to call it.
Then on your site you can simply pull the data from the donors table and display it accordingly.
Since you're using WordPress I'd recommend taking a look at this PayPal IPN for WordPress plugin. It's free and it will get you up and running with IPN very quickly. It logs all of the IPN data in WordPress and allows you to easily extend the plugin using a number of hooks to trigger events based on different IPN types or payment status.
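The listener the answer describes has two parts that are easy to get wrong: the message must be echoed back to PayPal with `cmd=_notify-validate` prepended and accepted only if PayPal answers `VERIFIED`, and the same transaction must not be recorded twice, because PayPal re-sends notifications it did not get a 200 for. The following is an added example, not the WordPress plugin's code and not the poster's; the HTTP call is injectable so the block runs offline, and `fake_paypal`, the donor book, the receiving address and the sample IPN body are all constructed for illustration. The verification endpoint is PayPal's documented live one (the sandbox uses `ipnpb.sandbox.paypal.com`).

```python
import urllib.parse
import urllib.request

# PayPal's documented IPN verification endpoint (live environment).
PAYPAL_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"


def build_verification_body(raw_body):
    """PayPal wants the original POST body back, byte for byte, with cmd=_notify-validate in front."""
    return b"cmd=_notify-validate&" + raw_body


def verify_with_paypal(raw_body, post=None):
    """Return True only if PayPal answers VERIFIED; `post(url, body)` is injectable for testing."""
    if post is None:
        def post(url, body):
            req = urllib.request.Request(
                url, data=body,
                headers={"Content-Type": "application/x-www-form-urlencoded",
                         "User-Agent": "ipn-listener-example"})
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read()
    return post(PAYPAL_VERIFY_URL, build_verification_body(raw_body)) == b"VERIFIED"


class DonorBook:
    """In-memory stand-in for the 'donors' table the answer mentions."""

    def __init__(self, receiver_email):
        self.receiver_email = receiver_email.lower()  # the account that must receive the money
        self.rows = []
        self._seen_txn = set()  # txn_ids already recorded (PayPal retries deliveries)

    def record(self, raw_body, post=None):
        """Process one IPN POST body; return the stored row, or None if it was rejected."""
        if not verify_with_paypal(raw_body, post):
            return None
        fields = {k: v[0] for k, v in
                  urllib.parse.parse_qs(raw_body.decode("utf-8"), keep_blank_values=True).items()}
        if fields.get("payment_status") != "Completed":
            return None  # pending/refunded/etc. are not donations to list
        if fields.get("receiver_email", "").lower() != self.receiver_email:
            return None  # money went to somebody else's account
        txn_id = fields.get("txn_id")
        if not txn_id or txn_id in self._seen_txn:
            return None  # duplicate delivery or malformed message
        self._seen_txn.add(txn_id)
        name = (fields.get("first_name", "") + " " + fields.get("last_name", "")).strip() or "Anonymous"
        row = {"txn_id": txn_id, "name": name, "email": fields.get("payer_email", ""),
               "amount": fields.get("mc_gross"), "currency": fields.get("mc_currency")}
        self.rows.append(row)
        return row

    def public_list(self):
        """What the web page shows: name and amount; the e-mail stays in the table."""
        return [(r["name"], r["amount"], r["currency"]) for r in self.rows]


def fake_paypal(url, body):
    """Constructed stand-in for PayPal's verification response, so the example runs offline."""
    ok = body.startswith(b"cmd=_notify-validate&") and b"txn_id=" in body
    return b"VERIFIED" if ok else b"INVALID"


# Constructed IPN body for a 5.00 EUR donation to the assumed receiving account.
SAMPLE_IPN = urllib.parse.urlencode({
    "payment_status": "Completed",
    "receiver_email": "donations@example.com",
    "txn_id": "TXN-CONSTRUCTED-42",
    "mc_gross": "5.00",
    "mc_currency": "EUR",
    "first_name": "Ada",
    "last_name": "Lovelace",
    "payer_email": "ada@example.net",
    "item_name": "Donation",
}).encode("utf-8")

if __name__ == "__main__":
    book = DonorBook("donations@example.com")
    print(book.record(SAMPLE_IPN, post=fake_paypal))
    print(book.record(SAMPLE_IPN, post=fake_paypal))  # second delivery: None
    print(book.public_list())
```

The listener must still reply with HTTP 200 to every notification it has seen, including duplicates, or PayPal keeps retrying; rejected rows are simply not added to the list.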
I've built a simple form to open up a JIRA ticket based on user input. I've almost got all of it, except I don't know how to use the form element in the POST request. Here's what I have so far:
<form target="_blank" action='http://baseurl.com/secure/CreateIssueDetails!init.jspa?pid=10517&issuetype=3&summary=Change+application+name+to+{{new_name}}&reporter={{request.user}}&priority=5&assignee=xxx' method='post'>
<label for="new_name">New name: </label>
<input id="new_name" type="text" name="new_name" value="{{item.name}}">
<input type="submit" value="Create JIRA ticket">
</form>
So I just need the value the user puts in the new_name element to be passed into the appropriate spot in the URL. How do I access that?
It sounds like you're getting POST and GET mixed up. POST data would not be included in the URL itself, but rather in the request payload.
So, your URL would be http://baseurl.com/secure/CreateIssueDetails!init.jspa
The payload would be separately put in the body of the HTTP request.
If you need to use a GET method, the URL itself would be the same as above, but the URL that eventually gets hit would be http://baseurl.com/secure/CreateIssueDetails!init.jspa?new_name=WHATEVERVALUE.
If you need additional key-value pairs to get passed, just add them as hidden fields and pass them that way.
Your code, edited:
<form target="_blank" action='http://baseurl.com/secure/CreateIssueDetails!init.jspa' method='post'> <!-- ARE YOU SURE IT'S A POST REQUEST AND NOT A GET? -->
<label for="new_name">New name: </label>
<input id="new_name" type="text" name="new_name" value="{{item.name}}">
<input type="hidden" value="10517" name="pid">
<input type="hidden" value="3" name="issuetype">
<input type="hidden" value="5" name="priority">
<input type="hidden" value="Change application name to {{new_name}}" name="summary">
<input type="hidden" value="{{request.user}}" name="reporter">
<input type="hidden" value="xxx" name="assignee">
<input type="submit" value="Create JIRA ticket">
</form>
Does that make sense?
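The difference between the two forms goes beyond where the data travels: in the original, the user's text is pasted straight into the action URL, so characters such as `&` or `=` in the name split the query string, whereas a form field is percent-encoded by the browser whether the method is GET or POST. This added example (not the poster's or the answerer's code) reproduces both behaviours with the standard library; the base URL and field values are those from the posts, the sample name is constructed.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

ACTION = "http://baseurl.com/secure/CreateIssueDetails!init.jspa"


def form_fields(new_name, reporter):
    """The fields of the edited form, as the browser would collect them."""
    return {
        "new_name": new_name,
        "pid": "10517",
        "issuetype": "3",
        "priority": "5",
        "summary": "Change application name to " + new_name,
        "reporter": reporter,
        "assignee": "xxx",
    }


def as_get(fields):
    """GET: the browser appends the encoded fields to the action URL."""
    return ACTION + "?" + urlencode(fields)


def as_post(fields):
    """POST: the URL stays bare and the encoded fields become the request body."""
    return ACTION, urlencode(fields).encode("utf-8")


def naive_action_url(new_name, reporter):
    """The original template's approach: raw text spliced into the URL, no encoding."""
    return (ACTION + "?pid=10517&issuetype=3&summary=Change+application+name+to+"
            + new_name + "&reporter=" + reporter + "&priority=5&assignee=xxx")


def summary_seen_by_server(url):
    """What a server parsing the query string would read as the summary."""
    return parse_qs(urlsplit(url).query).get("summary", [None])[0]


if __name__ == "__main__":
    fields = form_fields("Payroll & HR", "jsmith")
    print(summary_seen_by_server(naive_action_url("Payroll & HR", "jsmith")))  # truncated at '&'
    print(summary_seen_by_server(as_get(fields)))                               # intact
    url, body = as_post(fields)
    print(url, body)
```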
I have a e-Commerce website that has been using US PayPal accounts for processing orders, not the API, just the standard account. It works fine.
One of my clients is in the UK and is getting an error message that indicates it may be his account.
Error: The seller accepts encrypted website payments only. You cannot pay the seller through un-encrypted buttons. Please contact your seller for more details.
PayPal says it's not the account. Is there a difference between US and UK?
The code:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post" >
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="bn" value="SEOWebstore">
<input type="hidden" name="business" value="#GetSettings.Paypal_Account#">
<input type="hidden" name="item_name" value="#Request.AppSettings.SiteName# Order">
<input type="hidden" name="currency_code" value="#Left(LSCurrencyFormat(10, "international"),3)#">
<input type="hidden" name="amount" value="#Total#">
<cflock scope="SESSION" timeout="15" type="READONLY">
<input type="hidden" name="custom" value="#Request.BasketNum#^#Session.User_ID#">
</cflock>
<input type="hidden" name="notify_url" value="#Request.AppSettings.SiteURL##self#?fuseaction=shopping.checkout&step=ipn">
<input type="hidden" name="return" value="#Request.AppSettings.SiteURL##self#?fuseaction=shopping.checkout&step=ipn&PayPalCust=Yes">
<input type="hidden" name="cancel_return" value="#Request.AppSettings.SiteURL##self#?fuseaction=shopping.basket">
<input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but01.gif" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>
The error message:
Error: The seller accepts encrypted website payments only. You cannot pay the seller through un-encrypted buttons. Please contact your seller for more details.
appears when you are using a non-encrypted, unprotected PayPal Payments Standard button and you have chosen to block these payments on your PayPal account (this applies to any account).
To unblock payments from unprotected and non-encrypted PayPal Payments Standard buttons:
1. Log in to your PayPal Premier account or Business account.
2. Click the Profile subtab.
3. In the Selling Preferences column, click the Website Payment Preferences link.
4. Scroll down to the Encrypted Website Payments section.
5. Next to the Block Non-encrypted Website Payment label, select the Off radio button.
6. Scroll to the bottom of the page, and click the Save button.
Ref. Encrypted Web Payments