PHP
Erling, 2016-06-26 16:23:32

Redirect to Paypal after successful payment and receiving payment info: how to change the method?

We connected the PayPal system for payment. After a successful payment, within 10 seconds, a redirect to our site occurs with a generated GET request, which already adds a corresponding entry to our database based on the received data.
Question:
Is this correct? Because now there are two problems:
1) If a person does not wait 10 seconds and immediately closes the PayPal payment page, then he will not return to our success.html and we will not receive confirmation (which is generated based on the visited success.html with the parameters that PayPal already supplies, including status=completed).
2) Anyone can freely add any record to the database based on this GET request, which in my opinion is an outright breach. If someone finds this loophole, they can easily spam the database with millions of records or do some nasty stuff. Is it possible to change the method to POST, or even receive confirmation in some other, safer way?
Tell me, dear developers, how to do it better. Thanks in advance!


2 answers
Dimonchik, 2016-06-26
@dimonchik2013

1) In fact, there is a Callback URL; read the documentation carefully, there is also an API key there. In addition, you can query PayPal about transactions using the API.
2) Well, that is possible in any web application, but they live somehow.

Adamos, 2016-06-26
@Adamos

Any modern payment system works like this:
- a client on the site wants to pay for something
- the site forms an order under a unique number, saving who pays, for what, and for what amount
- the client goes to the payment system's site with the order number and its price
- if the client paid for this order, the payment system returns them to the site, but this DOES NOT MATTER
- because some payments can take an hour to get from the client to the payment system (although this may not apply to PP)
- when the PS has made sure that the client has paid for the order, it calls the script on our website, informing it that order number such-and-such has been paid for such-and-such amount. There may be a preliminary confirmation that this order costs exactly that much; only under this condition is anything charged to the client at all. But in any case, the information that the order has been paid is brought to the site not by the user's browser (those are holes), but by the PS server
- when the client comes to the site after that, the site already knows that this client has paid for this order, and acts accordingly
Any other "quick buttons" or reinvented wheels are not serious and, quite possibly, vulnerable to freeloaders.
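
The server-to-server flow both answers describe, as an added example that is not part of the thread (and not PayPal's own code): an order is stored with its expected amount before the client is sent to the payment system, and the notification that marks it paid is accepted only after the payment system itself confirms it, the receiver account matches, the amount and currency equal the stored order, and the transaction id has not been credited before. Field names (txn_id, payment_status, mc_gross, mc_currency, receiver_email, invoice) follow PayPal's documented IPN variables; the verification round-trip to the payment system is replaced by an injected function so the code runs offline, and the order store is an in-memory dict standing in for the site's database.

```python
"""
Added example (not from the original thread): a server-to-server payment
notification handler with the checks that make the browser-driven GET
request from the question unnecessary.

Assumptions: the order store is a dict, the merchant account id is a
constructed value, and verify() simulates the VERIFIED/INVALID round-trip a
real handler would perform with an outbound HTTPS request.
"""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed order store: order number -> expected amount/currency/state.
# Created by the site BEFORE the client is sent to the payment system.
ORDERS = {
    "A-1001": {"amount": Decimal("49.90"), "currency": "USD", "paid": False},
    "A-1002": {"amount": Decimal("10.00"), "currency": "EUR", "paid": False},
}
# Transaction ids already credited; blocks replayed notifications.
SEEN_TXN = set()
MERCHANT_EMAIL = "shop@example.com"   # constructed merchant account id


def fake_verify(raw_body: str) -> bool:
    """Stand-in for posting the body back to the payment system and reading
    its VERIFIED / INVALID reply. Here a constructed marker 'sig=valid'
    (not a PayPal field) marks notifications the PS would confirm."""
    fields = parse_qs(raw_body, keep_blank_values=True)
    return fields.get("sig", [""])[0] == "valid"


def handle_notification(raw_body: str, verify=fake_verify) -> str:
    """Process one notification body; credit the order only if every check passes.
    Returns a short status string describing the decision."""
    # 1. Must be confirmed by the payment system itself, so a request forged in
    #    a browser (the question's concern) never reaches the database.
    if not verify(raw_body):
        return "rejected: not verified by payment system"
    fields = {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}

    # 2. The notification must refer to an order we created ourselves.
    order = ORDERS.get(fields.get("invoice", ""))
    if order is None:
        return "rejected: unknown order"

    # 3. Only a completed payment counts; pending/reversed states are ignored.
    if fields.get("payment_status") != "Completed":
        return "ignored: payment not completed"

    # 4. The money must have gone to our account, not someone else's.
    if fields.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return "rejected: wrong receiver"

    # 5. Amount and currency must equal what the order was created for, so a
    #    client cannot pay less (or in a cheaper currency) and still get credit.
    try:
        paid = Decimal(fields.get("mc_gross", ""))
    except InvalidOperation:
        return "rejected: bad amount"
    if paid != order["amount"] or fields.get("mc_currency") != order["currency"]:
        return "rejected: amount/currency mismatch"

    # 6. One txn_id credits an order at most once (replay protection).
    txn = fields.get("txn_id", "")
    if not txn or txn in SEEN_TXN:
        return "ignored: duplicate or missing txn_id"
    SEEN_TXN.add(txn)
    order["paid"] = True
    return "ok: order marked paid"


if __name__ == "__main__":
    # Constructed notification bodies, as the PS would POST them to our script.
    good = ("txn_id=T1&payment_status=Completed&mc_gross=49.90&mc_currency=USD"
            "&receiver_email=shop@example.com&invoice=A-1001&sig=valid")
    forged = ("txn_id=T2&payment_status=Completed&mc_gross=10.00&mc_currency=EUR"
              "&receiver_email=shop@example.com&invoice=A-1002")
    print(handle_notification(good))     # credited
    print(handle_notification(good))     # replay, ignored
    print(handle_notification(forged))   # browser-forged, rejected
```

Because the state lives on the site's side and the browser carries no trusted data, the redirect to success.html can stay a plain "thank you" page; whether the client waits the 10 seconds or closes the tab no longer affects whether the order gets marked paid.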
