Home/ Questions/Q 4625004
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-22T03:12:38+00:00

I’m using Website Payments Standard on PayPal. So I have a custom purchase page

  • 0

I’m using Website Payments Standard on PayPal. So I have a custom purchase page which is essentially a list of my licences (pulled from the database):

licence type A: $100
licence type B: $200
licence type C: $300

They choose one of those (radio button) then click the purchase button. This POSTs the page to my processing PHP page which gets the selected licence_id from the previous page, then uses that to select the correct licence information from the database (price, licence duration) etc. Then it stores a new licence for the user (but marks as unpaid as Paypal payment hasn’t occurred yet).

Then my PHP code redirects to the Paypal site for payment using the following code:

// Set the transaction details to be sent to PayPal
$urlParams = array(
    'cmd' => '_cart',
    'upload' => 1,
    'charset' => 'utf-8',
    'business' => my_business_email@domain.com,
    'return' => 'http://mysite.com/paymentprocessed.php',
    'currency_code' => 'NZD',
    'amount_1' => $licencePrice,
    'item_name_1' => $licenceName,
    'quantity_1' => 1
);

// Build the URL
$urlParams = http_build_query($urlParams, '', '&');
$url = 'https://www.sandbox.paypal.com/cgi-bin/webscr';

header('location:' .$url. '?' . $urlParams);
exit();

This essentially redirects the user and sends the parameters via GET to PayPal. Suprisingly it works! However the obvious security problem is the user can just edit the variables in the address bar and change the price to get a cheap/free licence.

So is it possible to get my PHP page to POST the information instead and also redirect the browser to that page so the user can complete the paypal transaction? Therefore the critical data is being posted from my webserver directly to PayPal, the user would have no way to edit the payment information.

I suppose you could use the IPN to make sure they paid the right amount, which I’ll still do anyway. But I’d like to still not be sending everything via GET.

Thanks!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The best solution would be using Express Checkout. This allows you a great deal more flexibility than standard buttons can ever offer you.

    If you’re thinking if doing IPN, you’re capable enough to integrate Express Checkout. All it really is, is 1 API call, followed by a redirect to PayPal, and a minimum of 1 more API call to finalize the payment.

    A typical flow would look as follows:
    1. Call the SetExpressCheckout API. If you’re new to this, it’s made dead-easy with PayPal’s NVP API interface. You can just send the data as a GET NVP string to https://api-3t.paypal.com/nvp and get a response back in the same format.
    2. Take the token from the response, and redirect to https://www.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=XXXXXXX (https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=XXXXXXX for Sandbox testing)
    3. As soon as the buyer is returned, PayPal will append a PAYERID to your RETURNURL. If you can’t find it, call the GetExpressCheckoutDetails API and supply your token to retrieve it.
    4. With the PAYERID and TOKEN, call DoExpressCheckoutPayment to finalize the payment.

    To get started with this, I’d suggest taking a looking at the PHP NVP SDK they offer at https://www.x.com/community/ppx/sdks#NVP

    • 0