I'm switching from PayPal to Stripe so I can keep the checkout system entirely on my own sales site. While I have an intermediate understanding of PHP and API interactions, I'm so jaded from using PayPal for 3 years I can't figure out how the flow works for Stripe. Their documentation is excellent, it's more "Dictionary" like and not actual examples.
I'm looking to sell Subscription payments from my own site. You create the HTML, include the Stripe.js bit, but what's the process itself? As in, "index.php submits the checkout form, which notifies Stripe, which sends a ping back to charge.php..." etc, that sort of thing.
Where does the customer creation go, and how does it get attached to a CC charge?
Where does the confirmation from Stripe go?
Where does my price checking PHP go?
I've emailed Stripe, and while they're friendly enough they more or less just told me to go online to their documentation, which I've already spent hours in and still don't get it.
I know I'm being dumb - the tutorials online all seem to focus on Stripe Checkout, which is the popup that I don't want, not the custom HTML form.
Thanks in advance guys. :)
There are a number of different ways you can set it up. Here's how we do it in our application.
When the user enters CC information, you use the Stripe.js API on the client to submit the CC to Stripe, and it returns a token. The callback removes the CC data from your form, puts the token in a hidden field in the form, and submits the form to the server.
If you want to save the customer's CC information so they don't have to re-enter it every time, you then use the stripe-php API to create a \Stripe\Customer object for this CC, sending the token as the card parameter. This will return a customer ID, you can save this in your user database for future reuse.
To charge the card, you create a \Stripe\Charge object, with this customer ID in the customer field. The response from this indicates that the charge was successful; if there's a problem it will throw an exception.
If you just want to do a one-time charge without saving the CC permanently, you could just go straight to creating the \Stripe\Charge object, and use the token as the source field.
If you want to allow customers to have multiple saved cards, you create the \Stripe\Customer object the first time, and when they add a new card you retrieve their customer object, add the new token to the source array, and update it. Then on future charges you can specify both the customer and source fields. In this case, the source field should be the card ID of one of their saved cards.
You would presumably do your own validation of the form, and calculate the price, before calling the Stripe API from the PHP script.
Stripe do have a section with examples and sort of step by step guides for this, don't know if you found it - its separate to the API documentation and I didn't see it first time round. [https://stripe.com/docs/subscriptions/quickstart][1] [1]: https://stripe.com/docs/subscriptions/quickstart
For this to make sense, you will need to install their client library for PHP (or whatever you're using) and be familiar with PHP forms.
To answer your questions:
Where does the customer creation go, and how does it get attached to a
CC charge?
This is done using the functions from their library, see link above. The customer creation is sort of separate from the charge. You will need to store the customer ID in your database to charge them later.
Where does the confirmation from Stripe go?
This is returned in the response from the api call.
Where does my price checking PHP go?
Not sure what you mean by this. Presumably you work out the price to charge them first with your code, you can then just give this to stripe as an amount.
Hope this helps.
Related
I am currently studying web development at college and part of my course is to create a website for a mobile company that sells phones and they sell them online.
I'm trying to create a login and signup form but currently struggling to get my form to identify and use the email that the user inputs to send an email to them verifying that they have submitted is it possible and if so any help would be appreciated.
What I will suggest is in your server backend, whether it be PHP, NodeJS, etc
that you register the user in your database and have a boolean value named
'validated' true|false
set default to false, also generate a unique hash and assign it to that user under something like
'validate_hash':gnOOBhgenl2g432noug24g42
Use whatever function your backend server provides (or a library) to generate a unique has, and save this to the newly registered user
Then use a mail function to email the user with a link that will 'verify' them, by adding the unique has to a post url like this:
example.com/register/verify?hash=gnOOBhgenl2g432noug24g42&email=example#mail.com
Obviously you will have to create a script at that location and handles the link and checks the hash value given against the mail provided in the database
If the hash value matches, you can update the users status to
'verified'true
And they can now access services normally.
Majority of this wont need fancy outside libs or complicated coding, just follow what I suggested and google the things I mentioned if you need to figure out a particular element, or comment/msg me!
I am creating a registration form that uses JavaScript to calculate an amount and uses method="post" to redirect the user to PayPal to complete the transaction. The piece I'm missing is some way to capture the information before sending them off to pay. Ideally emailing a copy of the information or even saving to a text file on the server.
I'm kind of a n00b here, so while I realize it's possible to post to my own PHP script and have that redirect them to PayPal, I'm not sure I'd be able to figure out all the pieces in that workflow. Is there a simpler way to do it?
Well you can save your form values into a database and then send it to paypal but I need your html to give you appropriate PHP code.
You need to be careful, if you're saving credit card information you need to make sure you are not breaking the law and/or have the necessary credentials (e.g. PCI compliance)
Paypal also has a function where it will notify a URL, that you specify, when the transaction has been processed. It will give you a summary of the transaction. You can then use that to perform post-payment operations, e.g. change your order status, send email...etc.
I have a form where users can buy credits with PayPal or banktransfer as payment option.
If a user selected "PayPal" as an option, the form data will be send to PayPal, using JQuery/JS:
$(':radio').change(function () {
var $this = $(this).val();
if ($this === 'pp') {
$('#form').attr('action','https://www.paypal.com/cgi-bin/webscr');
}
else
{
$('#form').attr('action','');
}
});
The user can also choose how much he wants to pay, which also selects how many credits he'll get from it. Additionally he can add a coupon-code. An Ajax-Request will check our database, if this is a valid coupon and grants the discount-value then.
All informations are stored in hidden input fields (what the price is, how many credits, how much discount (if any), user id, etc.).
Now, I want to make sure that the user doesn't manipulate these values with Developer Tools or similiar things to pay less, use another user id and so on.
What would be the best possible way to prevent this form manipulation and receive the correct data? I assume it's kinda difficult because there are so much values to change.
Data Forgery / Manipulation
There are many nefarious means of sending manipulated or forged data to a web server - cURL, Http Client (OSX app) just to name two that I use frequently when debugging. A determined attacker will send bad data to the HTTP server no matter what Javascript you think up.
Think outside the box
For security needs, it's time to break out of the mental model of using a web browser because it's a web site. As already stated, there are many ways to send data to an HTTP server.
Javascript is good for the UI and helping the user, but when it comes to securing your service against intentionally bad/wrong/malformed data, you must do that on the server.
Your particular problem
You may need to re-think using hidden form fields. One approach would be to use sessions to keep track of this info. If this is information that must be sent to PayPal in their form, there is a way to embed the PayPal form using encrypted data.
If you don't want to do this, the point of security then moves to the order processing code - look at the transaction details (currency amount, etc) before considering that a transaction is complete and valid.
This is the first time i am using REST for any web applications.
For normal get an post and i simply call the API done in Django Rest Framework.
But i am not able to think how can i deal with situations where something more needs to be done.
Suppose I have
List of users in database and their product they have bought.
Now i have web form where if someone adds the user and then submit the button , then
I have to get the list of items bought by that user in 5 hour window
Update the row in database which says buy_succeessful to false
Then again get the list of orders from the items he has bought and then update the rows with order_successful to false
Now current in my submit actions i am doing like
call to api to add the user in override manual enrty table. This is simple post to that table
Then after getting the sucessful tehn i again call api to list of items this user has bought using Query parameters . Then i have the list
Then again i loop through the list and post to api for updating that record in datbase
and so on
I am feeling this is not right.
I have found that quite often there are some more things to do tahn just saving individual objects in database.
whats the best way to do that. DO i need to have view api for every function
Try the 3rd step of the DRF Tutorial:
http://www.django-rest-framework.org/tutorial/3-class-based-views
Here, it shows how to do a "PUT" request for updating data. And also some of the other DRF features.
Also, you can reference serializer.object which is the object instance of the django model record that you are saving to the database. This question here talks about adding extra attributes, etc... before saving to the database:
Editing django-rest-framework serializer object before save
You can also access the record post_save and there are other hooks in the framework that you can use.
I need to make something like google-analytics, I mean that it has to be very simple to install and enables a comunication between 2 websites.
Let me explain the idea.
I'm developping an application (with ZF) where my clients will be online shops, OSCommerce only at the begining. Those shops need to get some info from my app's database, send me some info and propose to their clients to use my app's service.
What does the code needs to do:
if there is a certain $_GET param in the URL (that indicates that the user is coming from my site) -> starts a session in the shop and send me some info for my stats (IP, browser info, etc...)
if this user buys something during this sesion -> send me some info about the sale (total, id, ...)
during the checkout process (checkout-payment.php in OSC) give the possibility to the user (the shop's client who is also a member of my application) to insert his email+password from his my-application's account in order to get a discount in the order he's placing.
I know how to program all this, editing the shop's files, but my problem is that I have no idea about how to make it in the google-analytics way (give a small javascript to my customers to install in their store) and neither what to look for in google in order to find the information I need.
So, can anyone helps me to get in the right path?
Thanks in advance
Since you'll be needing to go cross-domain with this utility, you'll want to write your javascript piece for inclusion using JSONP. Your JSONP "call" could simply be made to some PHP script on your server by tacking on information obtained from window.location (like the query string, for example).
Maybe all you need is to give your customer an URL pointing to your js library? And than your library can work or better provide them with API to your service to get customer data etc.?
And yes - JSONP can help you with inter-domain comunication...