Taking Payment for Orders [ 238 ] $test = ( $this->registry->getSetting('payment.testmode') == 'ACTIVE' ) ? '.sandbox' : ''; $this->registry->getObject('template')->getPage()-> addTag('payment.test', $test ); } Of course, we need a template to display the payment button, where these variables and variables set by the payment system are inserted. <h1>Pay for your order</h1> The payment button image is actually a submit button, and so to submit, it needs to be within a form, with an action of the PayPal processing URL. The payment.testmode tag is populated with sandbox if we are running in test mode. <form action="https://www{payment.testmode}.paypal.com/cgi-bin/webscr" method="post"> <input type="hidden" name="cmd" value="_xclick"> The custom form eld is where we store our order ID number—when PayPal noties us of payment, we need this to process the payment. <input type="hidden" name="custom" value="{reference}"> PayPal needs to know our e-mail address, so it knows who to send the payment to! <input type="hidden" name="business" value="{payment.paypal.email}"> We also supply a name for the item and an item number. <input type="hidden" name="item_name" value="{sitename} Purchase"> <input type="hidden" name="item_number" value="{siteshortname}-{reference}"> We supply the cost, so PayPal knows how much to charge the customer, and in which currency. <input type="hidden" name="amount" value="{cost}"> <input type="hidden" name="no_shipping" value="1"> <input type="hidden" name="no_note" value="1"> <input type="hidden" name="currency_code" value="{payment.currency}"> <input type="hidden" name="src" value="1"> This material is copyright and is licensed for the sole use by jackie tracey on 23rd February 2010 953 Quincy Drive, , Brick, , 08724 Chapter 11 [ 239 ] Next we have our notication URL, which is where PayPal sends payment notication, the return URL where the customer is returned to once payment is made, and the cancel URL where the customer is returned to if they cancel payment. <input type="hidden" name="notify_url" value="{siteurl}payment/process-payment/{reference}"> <input type="hidden" name="return" value="{siteurl}payment/payment-received"> <input type="hidden" name="cancel_return" value="{siteurl}payment/payment-cancelled"> <input type="hidden" name="lc" value="GB"> <input type="hidden" name="bn" value="PP-BuyNowBF"> Finally, we have the PayPal payment image button. <input type="image" class="paypal-button" src="https://www.paypal.com/en_US/i/btn/x-click-but6.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!" > <img alt="" border="0" src="https://www{paymen.testmode}.paypal.com /en_GB/i/scr/pixel.gif" width="1" height="1"> </form> Processing payment to update the order Although the customer is sent back to a "thanks" or a "cancelled" page when the payment is sent, PayPal sends some POST data to a special callback page. We can develop this page to process the data, verify the transaction is valid, and mark an order as "paid". First we take POST data, which PayPal has sent to us, and use it to structure our callback request, which we will use to verify the transaction is genuine (and not just someone with a specially formatted script to send these requests to us). $postback = ''; foreach ( $_POST as $key => $value ) { $postback .= $key . '=' . urlencode( stripslashes( $value )) . '&'; } $postback .='cmd=_notify-validate'; $header = "POST /cgi-bin/webscr HTTP/1.0\r\n"; $header .= "Content-Type: application/x-www-form-urlencoded\r\n"; $header .= "Content-Length: " . strlen( $postback ) . "\r\n\r\n"; This material is copyright and is licensed for the sole use by jackie tracey on 23rd February 2010 953 Quincy Drive, , Brick, , 08724 Taking Payment for Orders [ 240 ] Next we must check if our store is in test payment mode; if it is, we send our callback request to the PayPal sandbox, otherwise we use the live PayPal site. // live payment or test payment? if( $this->registry->getSetting('payment.testmode') != 'ACTIVE' ) { $fp = fsockopen ('www.paypal.com', 80, $errno, $errstr, 30); } else { $fp = fsockopen ('www.sandbox.paypal.com', 80, $errno, $errstr, 30); } if (!$fp) { // debug point } else { $request = $header . $postback; fputs( $fp, $request ); while ( ! feof( $fp ) ) { $response = fgets ( $fp, 1024 ); We check that PayPal's response to our callback is that the transaction is veried. if (strcmp( $respose, "VERIFIED" ) == 0 ) { // transaction is verified! We then check that there is a relevant order in our orders table, based off the custom POST value. This POST value is the same as the custom eld we provided in our PayPal payment button, before the customer made payment. $order = intval( $_POST['custom'] ); $sql = "SELECT FORMAT( ( o.products_cost + o.shipping_cost ), 2 ) AS order_cost, u.email AS customer_email FROM orders o, users u WHERE u.ID=o.user_id AND o.ID={$order} LIMIT 1"; $this->registry->getObject('db')->executeQuery( $sql ); if( $this->registry->getObject('db')->numRows() == 1 ) { // we have an order in our database $orderData = $this->registry->getObject('db')->getRows(); This material is copyright and is licensed for the sole use by jackie tracey on 23rd February 2010 953 Quincy Drive, , Brick, , 08724 Chapter 11 [ 241 ] If the order exists, we must then check that the cost of the order matches the amount being sent and that the payment has actually been sent to us, and not sent to pay someone else, yet sending notication to our processing script. We must also check that the currency of the payment is the one we wish to accept—otherwise, someone may send us the correct value of payment, in a currency with a lower value. $currency = $_POST['mc_currency']; $total = $_POST['mc_gross']; $email = $_POST['receiver_email']; if( $orderData['order_cost'] == $total && $currency == $this->registry-> getSetting('payment.currency') && $email == $this->registry-> getSetting('payment.paypal.email') ) { if( $status == 'Completed' ) { // We then update the order in the database, and can // then e-mail the customer and the administrator to // inform them of this. // update the order $changes = array( 'status' => 2 ); $this->registry->getObject('db')-> updateRecords('orders', $changes, 'ID=' . $order ); // email the customer // email the administrator } elseif( $status == 'Reversed' ) { // charge back // update the order // e-mail the customer // e-mail the administrator } elseif( $status == 'Refunded' ) { // we refunded the payment // update the order // email the customer // email the administrator } else { This material is copyright and is licensed for the sole use by jackie tracey on 23rd February 2010 953 Quincy Drive, , Brick, , 08724 Taking Payment for Orders [ 242 ] // } } else { // amount incorrect or wasn't sent to us } } else { // error } } } fclose ($fp); } exit(); Direct with a credit/debit card Sometimes a store may not want to use an off-site payment gateway; many high-prole stores such as Amazon, Play.com, most supermarkets, and high street stores, process payments directly on their websites. This generally works in one of two ways: Payment details are passed behind the scenes to a gateway to verify them. The site then stores the details until the order is processed, at which point it charges the card and dispatches the order. Payment details are passed, behind the scenes, directly to the payment gateway and are never stored on the website itself. This method either returns a response to indicate if the transaction was accepted or not (and if not, why not), or returning a secure token. This token can then be used by the store to charge the card at a later stage (also for recurrent billing), by simply passing details of the charge and the secure token to the gateway, which can then process the transaction. Storing card details Storing card details on our own server offers a range of exibility. As we would be keeping a copy of the card details, we can charge the card when we require it (for example, recurring billing, charging only when we are ready to dispatch, service-based payments—we can charge the card to settle their account, and so on). If the gateway we use changes its pricing structure, or is unavailable, we have the details; so we can use another gateway, or process the payment when the gateway is back online. • • This material is copyright and is licensed for the sole use by jackie tracey on 23rd February 2010 953 Quincy Drive, , Brick, , 08724 . material is copyright and is licensed for the sole use by jackie tracey on 23rd February 2010 953 Quincy Drive, , Brick, , 08724 Chapter 11 [ 239 ] Next we have our notication URL, which is. material is copyright and is licensed for the sole use by jackie tracey on 23rd February 2010 953 Quincy Drive, , Brick, , 08724 Taking Payment for Orders [ 240 ] Next we must check if our store. material is copyright and is licensed for the sole use by jackie tracey on 23rd February 2010 953 Quincy Drive, , Brick, , 08724 Chapter 11 [ 241 ] If the order exists, we must then check that